HTB: Wander Writeup

Wander is an easy level challenge and the third in the Printer exploitation track on HackTheBox

---

Challenge Description
My uncle isn’t allowing me to print documents. He’s off to vacation, and I need a PIN to unlock this printer. All I found is a web server where this printer is managed from. Can you help me with this situation?

Investigating the Web Interface
As suggested in the challenge description, I started by exploring the web interface of the printer.

The interface includes an input field for PJL commands. PJL (Printer Job Language) is a language used to control printers, often providing advanced functionality such as file system access, configuration changes, and even debugging capabilities.

To test the input field, I tried the example command provided in the interface. It worked, confirming that the input is properly processed by the printer.

Understanding PJL Command Exploitation
After confirming that the input field accepts PJL commands, I began researching how PJL commands can be exploited. and I spent a really long time reading through diffrent websites and trying diffrent methodes before I finally landed on the perfect article for our case.

Rooting a Printer: From Security Bulletin to Remote Code Execution

Great , now let’s hack into it !

Directory Enumeration
starting off by listing directories of the printer with @PJL FSDIRLIST NAME=”0:/“

Using directory traversal, I moved up one level by adding ../ to the path
@PJL FSDIRLIST NAME="0:/../”

We’re solwely getting there , let’s check the home directory because that’s usually where the flag is at

In /home, I found a subdirectory named default. Navigating into this directory revealed a file named readyjob, which seemed like a potential target.

Extracting the File
To extract the contents of the readyjob file, I used the FSUPLOAD command, which allows uploading the file’s content in binary format like so :
@PJL FSUPLOAD FORMAT=BINARY NAME="0:/../../home/default/readyjob”

& Voilaaa :D.