HTB : Antique writeup
Antique is an easy level machine and the second challenge in the printer exploitation track.
Enumeration
Starting with the usual nmap scan we get the following
The Telnet service is accessible, but it requires further investigation.
Next, let’s perform a UDP scan to check for any open UDP services.
The Simple Network Management Protocol (SNMP) is running on the target machine. This protocol is often used for network monitoring and device management. Let’s go ahead and enumerate that!
SNMP Enumeration
Let’s enumerate the SNMP service for useful information using Metasploit. Fire up msfconsole and search for SNMP enumeration modules:
From the list, I chose module 7 (auxiliary/scanner/snmp/snmp_enum) to proceed, but unfortunately no significant information was retrieved from the scan. So, I will go back to investigate the open Telnet port.
Investigating Telnet
Since the SNMP scan didn’t yield results, we return to the Telnet service.
Using Telnet to connect reveals that a password is required. However, we also observe the device information: its name is HP JetDirect.
This indicates the target is likely a printer device. A quick search for known vulnerabilities related to HP JetDirect reveals several CVEs.
Clicking the first link, CVEDetails.com, and going through the CVEs, this one matches our case.
I looked it up on Exploit-DB and found a description of the attack vector.
However, the tool used in this example is an .exe, and it’s written in Java for Linux as well.
This blog is not a safe place for java.
Exploiting SNMP for Password Retrieval
A quick search for ‘SNMP tools that send get requests’ led me to snmpget, which comes pre-installed in Kali Linux.
And we did receive the encoded device password, which we can quickly decode in our terminal!
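The decoding step the post refers to, as an added example that is not from the original writeup: snmpget prints a value it cannot show as text as a Hex-STRING, and device firmware of this kind pads the string with control bytes, so the decoder stops at the first non-printable byte. The OID and the hex bytes in the sample reply are constructed placeholders, not the box’s real output.

```python
import re

# Constructed sample of an snmpget reply; the OID and bytes are placeholders.
SAMPLE_HEX_REPLY = (
    "iso.3.6.1.4.1.EXAMPLE.0 = Hex-STRING: 50 40 73 73 77 30 72 64 21 01 "
    "00 1B 10 00 "
)
# snmpget uses the plain STRING form when every byte is already printable.
SAMPLE_TEXT_REPLY = 'iso.3.6.1.4.1.EXAMPLE.0 = STRING: "plaintext"'

HEX_STRING_RE = re.compile(r"Hex-STRING:\s*((?:[0-9A-Fa-f]{2}\s*)+)")
STRING_RE = re.compile(r'STRING:\s*"([^"]*)"')


def printable_prefix(raw: bytes) -> str:
    """Keep the leading run of printable ASCII; drop padding/control bytes."""
    out = []
    for b in raw:
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            break
    return "".join(out)


def decode_snmp_value(reply: str) -> str:
    """Extract the string value from one line of snmpget output.

    Hex-STRING is checked first because the literal "STRING:" is also a
    substring of "Hex-STRING:".
    """
    m = HEX_STRING_RE.search(reply)
    if m:
        # bytes.fromhex ignores the spaces snmpget puts between byte pairs.
        return printable_prefix(bytes.fromhex(m.group(1)))
    m = STRING_RE.search(reply)
    if m:
        return m.group(1)
    raise ValueError("reply carries no STRING or Hex-STRING value")


if __name__ == "__main__":
    print(decode_snmp_value(SAMPLE_HEX_REPLY))   # P@ssw0rd!
    print(decode_snmp_value(SAMPLE_TEXT_REPLY))  # plaintext
```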
Connecting via Telnet
Now that we have the password, we connect to the Telnet service.
After logging in, we can execute commands using the exec syntax. To gain shell access, I used a reverse-shell payload:
Payload:
But before we do that we have to set up our listener by simply typing < $ rlwrap nc -lvnp 4444 >.
And that’s it! We’re in!
Before getting into PrivEsc, let us upgrade our shell with Python for better interactivity.
Privilege Escalation
At first I tried putting a rev-shell in the telnet.py file in the hope of it getting executed as root; it didn’t.
I also ran < $ ps aux > to display all running processes, but I didn’t find anything interesting there either.
Then I went to check which listeners are running on the server with < $ netstat -nat >.
As we can see there is a listener running locally on port 631. Let’s curl that and see what we get.
Hm, our target is running CUPS/1.6. Another quick search for a CUPS/1.6 CVE turned up, as the first link, a GitHub repo with an exploit for CVE-2012-5519: https://github.com/p1ckzi/CVE-2012-5519.
We’re almost there yay!
Next I cloned the repo and started my Python HTTP server so I could transfer the .sh file to the target.
Now let’s give the file execute permission with < $ chmod +x cups.sh > and then run it.
That’s it :) we owned the box, yay! :D