

Antique released non-competitively as part of HackTheBox’s Printer track. I’ll start by leaking a password over SNMP, and then use that over telnet to connect to the printer, where there’s an exec command to run commands on the system. To escalate, I’ll abuse an old instance of CUPS print manager software to get file read as root, and get the root flag. In Beyond Root, I’ll look at two more CVEs, another CUPS one that didn’t work because no actual printers were attached, and PwnKit, which does work.

htb-antique hackthebox ctf printer nmap jetdirect telnet python snmp snmpwalk tunnel chisel cups cve-2012-5519 hashcat shadow cve-2015-1158 pwnkit shared-object cve-2021-4034

Return was a straightforward box released for the HackTheBox printer track. This time I’ll abuse a printer web admin panel to get LDAP credentials, which can also be used for WinRM. The account is in the Server Operators group, which allows it to modify, start, and stop services. I’ll abuse this to get a shell as SYSTEM.

ctf hackthebox htb-return nmap windows crackmapexec printer feroxbuster ldap wireshark evil-winrm server-operators service service-hijack windows-service htb-fuse htb-blackfield

Unicode’s name reflects the need to bypass web filtering of input by abusing Unicode characters, and how they are normalized to abuse a directory traversal bug. There’s also some neat JWT abuse, targeting the RSA signed versions and using an open redirect to trick the server into trusting a public key I host. To escalate, there’s some parameter injection in a PyInstaller-built ELF file.

ctf htb-unicode hackthebox nmap flask python jwt-io feroxbuster jwt-rsa open-redirect filter waf unicode unicode-normalization directory-traversal credentials share pyinstaller pyinstxtractor uncompyle6 parameter-injection htb-backdoor
