Introduction
We covered a difficult scenario of printer exploitation. We first interacted with the printer HP JetDirect running on port 9100 through the printer exploitation framework pret.py. We discovered an encrypted print job file with AES-CBC for which we found the decryption key using nvram dump in pret.py. The decrypted version was a PDF file documenting a service running on port 9000 named Feed Engine. To interact with the service, we used grpc tools and created a client script that sends requests through HTTP to the feed engine server. We used the client we created to probe for other internally opened ports and we discovered an Apache solr installation for we which we found an exploit and had the first shell. Privilege escalation was achieved by exploiting a periodically running service that exposes the SSH password and copies files from the machine into a docker container. This was part of HackTheBox Laser
