Try โ€‚โ€‰HackMD

Hello hackers am back again with printer exploitation, actually today i thought maybe I can share with you guys about printer hacking dispite i haven't write any post coz school is becoming really hot men and at the same time it sucks for sure. I was interested to see how printers are being hacked after listerning to one of the podcast from darknet diaries from my spofity, and after moving around with HTB tracks I found a track which deals with printer hacking and i was interested to see how i can hack the printer, lets get started.

Hacking printer is quite easy coz in many organization you will find they are using default creds on the printers which is very risk on one side or the other, i remember two month back i was just moving online and decide to take a look at shodan and see if i can find any printers open online and i was like "holy shit there many printer out there open and there using default credentials men"

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

With this challenge we were give just a printer port and an ip address

challenge description

My uncle isn't allowing me to print documents.He's off to vacation and I need a PIN to unlock this printer. 
All I found is a web server where this printer is managed from. 
Can you help me with this situation ?

With this challenge is that it seems that the printer was also accessible via a web server as the challenge descibe and seems that it does not allow to print anything until we have the pin to unlock,lets check it first copy the ip:port and paste it to the browser and see what we get.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

Upon moving around it seems that we have job control panel where it prompt something like command or something else

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

SOLUTION

if we take a close look you will observe that the nature of command being type here starts with "@PJL INFO ID"

where by

PJL stands for print job language

PJL REFERENCE

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

so i started to type the command and see what I can get

command: @PJL INFO ID

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

And we can see the OUTPUT 'HTB Printer'

But since i dont know much a PJL command i decide to google and see what i can get about PJL command

NB: After googling much i found this articles here and decided to play with it and see what i can get

PJL FILE SYSTEM

command: > @PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535

The command above is used to list files

NOTE: At first if you input the command it gives you an error, the error means that it is not a backward slash(\), it needs a forward slash(/)

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

Now lets make some small changes to the command we have from here

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

command: @PJL FSDIRLIST NAME="0:/" ENTRY=1 COUNT=65535

OUTPUT

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

finding the flag

At first time i struggled finding the flag but let me make it simple here, there the flag is located at the home directory so we need to find the home directory here

command:@PJL FSDIRLIST NAME="0:/../" ENTRY=1 COUNT=65535

OUTPUT

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

lets get inside the home directory and see what we have here

command: @PJL FSDIRLIST NAME="0:/../home" ENTRY=1 COUNT=65535

OUTPUT

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

we get another directory lets get into it and see what we can see inside

command: @PJL FSDIRLIST NAME="0:/../home/default" ENTRY=1 COUNT=65535

OUTPUT

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

Now we get a file(readyjob) so here we cant use a FSDIRLIST we can use a command like FSUPLOAD command

PoC
lets try to get the content of /etc/passwd using the FSUPLOAD command

command:  @PJL FSUPLOAD NAME="0:/../../etc/passwd" OFFSET=0 SIZE=23

OUTPUT

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

As you can see it worked so we can use this to get the content of the readyjob coz its a file

command:@PJL FSUPLOAD NAME="0:/../home/default/readyjob" ENTRY=1 COUNT=65535

OUTPUT

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

flag: HTB{print_like_@_b@tm@n}

Really fun men with printer, shodan.io can help with really world hacking printers Happy hacking