Antique
https://app.hackthebox.com/machines/400
With minimal nmap results returned, we also scan UDP ports for any that are open.
Connecting to telnet on port 23, we are informed that the device is an HP JetDirect printer.
A few default passwords prove unsuccessful. Researching JetDirect exploits on Google, we find a great article from IronGeek: http://www.irongeek.com/i.php?page=security/networkprinterhacking
As per the article we try the same exploit.
The resulting BITS value can be taken over to CyberChef and decoded from Hex to a plaintext value.
CyberChef: https://gchq.github.io/CyberChef
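The same hex-to-plaintext step can be done offline instead of in CyberChef. The script below is an added example, not part of the original write-up. It assumes the BITS value is printed as space-separated hex octets followed by decimal bit indices; the sample line is constructed from the password shown on this page, with a placeholder in place of the OID.

```python
import re
import string

# Constructed sample line: the hex octets are the password from this page,
# the trailing decimal bit indices are made up, and the OID is a placeholder.
SAMPLE = (
    "OID-PLACEHOLDER = BITS: 50 40 73 73 77 30 72 64 40 "
    "31 32 33 21 21 31 32 33 1 3 9 17 18 19"
)

# Visible ASCII plus space; control whitespace is treated as non-printable.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
HEX_OCTET = re.compile(r"^[0-9A-Fa-f]{2}$")


def decode_bits_value(line: str) -> str:
    """Return the leading printable ASCII run encoded in a BITS value.

    Decoding stops at the first token that is not a two-digit hex octet or
    that maps to a non-printable byte. This keeps trailing bit indices such
    as "17" (valid hex, but a control character) out of the result, which a
    plain "From Hex" over the whole value would turn into garbage.
    """
    marker = "BITS:"
    if marker not in line:
        raise ValueError("no BITS value in line")
    out = bytearray()
    for tok in line.split(marker, 1)[1].split():
        if not HEX_OCTET.match(tok):
            break
        byte = int(tok, 16)
        if byte not in PRINTABLE:
            break
        out.append(byte)
    return out.decode("ascii")


if __name__ == "__main__":
    print(decode_bits_value(SAMPLE))
```

Hex encoding is only a representation, so any value a device returns this way should be treated as stored in plaintext.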
We now have the password P@ssw0rd@123!!123 which can be used to authenticate over telnet.
From the ? output above we see the exec command can be used to perform system commands.
Running the following command shows nc is installed on the target system.
A nc listener is set up on the attacking system and the following command is executed in the target telnet session to receive a reverse shell.
We then receive a shell on our nc listener.
After grabbing the user flag, we perform some basic enumeration against the target system. Looking through the CUPS configuration files, we notice the target is running CUPS 1.6.1.
Searching Google shows this version of CUPS allows root file reads.
URL: https://www.rapid7.com/db/modules/post/multi/escalate/cups_root_file_read/
As this is a Metasploit module, we will need to get a meterpreter shell.
First, an x86 ELF payload was generated.
A meterpreter listener was then set up.
The payload was then downloaded onto the target system and executed.
This will then catch a command shell within meterpreter.
After this, the following Metasploit module was used to upgrade the command shell to a meterpreter shell.
The following module was then used for the CUPS root file read.
root.txt was set as the parameter for the file to read and the module was executed, successfully reading the root.txt flag.