Printer Exploitation | Part one | HackTheBox Gawk

We covered the concept of printer exploitation using printer exploitation framework. The scenario involved a printer running on a port to which we connected using the PRET framework. We connected to the printer using the pjl language and enumerated the saved jobs which got us access to a sensitive document. This was part of HackTheBox Intro to printer exploitation track.

My Methodology

I plan to alternate between creating videos for Hack The Box (focusing on offensive security) and TryHackMe (focusing on defensive security). The goal for this specific challenge is to retrieve a document that got stuck in a printer.

Printer Exploitation Overview

Printers are devices on a network and can be part of a penetration testing scope. The objectives when testing a printer can include:

• Extracting saved or in-progress print jobs.
• Accessing the printer’s file system.
• Potentially causing physical damage (though this is a black hat objective and not typically part of a professional engagement).

I introduce a framework called PRET (Printer Exploitation Toolkit) found on GitHub. This framework uses common printer communication languages like PostScript (PS), PJL (Printer Job Language), and PCL to interact with printers. It aims to facilitate communication to capture/manipulate print jobs, access the file system, or interact with memory.

Challenge Walkthrough

1. I am given an IP address and a port for the target printer.
2. I attempt to use the PRET tool to connect to the printer.
3. Initially, I try to determine the printer’s language using the -s (safe) option with different languages (PS, PJL, PCL), but this doesn’t yield clear results.
4. I then try to connect directly using each language:
   • PS (PostScript): Connection seems to establish, but commands like ls fail, indicating it’s not the correct language.
   • PJL (Printer Job Language): Connection is successful, and the ls command works, showing directories.
5. I navigate the printer’s file system:
   • I go into the save device directory and then save jobs.
   • Inside save jobs, I find an in progress directory which contains a file named HR_policies.pdf.
6. I download the HR_policies.pdf file using the get command.
7. The downloaded file’s content is Base64 encoded.
8. I decode the file using the base64 -d command and save the output to a new file called HR_decoded.
9. Opening HR_decoded reveals the flag and other document contents, successfully completing the challenge.

Technical Commands Used on the Terminal

• pr80 -h (or pret -h): To display the help menu for the PRET tool.
• pr80 <IP_ADDRESS> <PORT> -s -l PS: Attempting to safely check if the printer supports the PostScript language.
• pr80 <IP_ADDRESS> <PORT> -l PJL -s: Attempting to safely check PJL support.
• pr80 <IP_ADDRESS> <PORT> -l PCL -s: Attempting to safely check PCL support.
• pr80 <IP_ADDRESS> <PORT> PS: Attempting to connect to the printer using PostScript.
• ls (within the PRET shell): To list directory contents on the printer.
• exit (within the PRET shell): To exit the current PRET session.
• pr80 <IP_ADDRESS> <PORT> PJL: Attempting to connect to the printer using Printer Job Language.
• cd save device: To change directory to “save device” on the printer.
• cd save jobs: To change directory to “save jobs” on the printer.
• cd in progress: To change directory to “in progress” on the printer.
• cd ..: To go back a directory.
• get HR_policies.pdf: To download the file from the printer.
• ls (on the local machine’s terminal): To list files in the current local directory.
• cat HR_policies.pdf: To display the content of the downloaded file.
• cat HR_policies.pdf | base64 -d > HR_decoded: To decode the Base64 content of HR_policies.pdf and save it to HR_decoded.

This video serves as an introduction to printer exploitation, highlighting one method to retrieve files.

Video Walkthrough