Mastering HackTheBox EvilCUPS: A Comprehensive Guide to Exploitation Techniques
In this guide, we will delve into the exploitation techniques used to tackle the HackTheBox machine EvilCUPS. This write-up will detail the essential steps, tools, and methodologies needed for successfully exploiting the Common Unix Printing System (CUPS). By following these instructions, you’ll learn how to navigate each phase of the exploitation process, helping to broaden your understanding of CUPS vulnerabilities.
0000 Introduction
The journey begins with reconnaissance. Understanding the target is crucial before performing any attack. In our case, the target operates on CUPS, which is known for its management interface that can potentially expose vulnerabilities.
0100 Start of nmap
Using Nmap, we scan the target's IP to identify open ports and services. Running nmap -sV -p- <target_ip> reveals that TCP port 631 is open, which is the default port for CUPS. Analyzing the service running on this port gives us the information we need for further exploitation.
0145 Examining the CUPS Management Interface on TCP Port 631
After discovering that port 631 is open, the next step is to examine the CUPS management interface. Browsing to http://<target_ip>:631 shows the CUPS web interface, where printers and print jobs are managed. Understanding the interface can unveil potential attack vectors that we can exploit.
0440 Exploring evilsocket's Blog
At this point, refer to evilsocket's blog, which elaborates on four critical CVEs related to CUPS. These vulnerabilities form the backbone of our exploitation strategy. Familiarizing yourself with these CVEs will provide insight into how they can be chained together to execute our attack.
1100 Understanding the GHSA Advisory
The GHSA Advisory included a Proof of Concept (PoC) that we can leverage. However, there may be challenges when trying to get the PoC to work correctly. Reviewing this advisory ensures that we don’t miss any key steps necessary for our exploitation.
1450 Sending a cups-browsed Packet via UDP
We will use the cups-browsed service by sending it a UDP packet that forces CUPS to make an HTTP/IPP request to our server. This tricks CUPS into installing a printer that points to our malicious server, a step that plays a pivotal role in gaining a foothold.
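The foothold above depends on cups-browsed accepting remote printer announcements on UDP/631. The following added script (not part of the write-up or of the CUPS project) shows two defender-side checks: whether cups-browsed.conf still allows remote browsing, and whether anything is bound to UDP/631 in a saved ss listing. It assumes the BrowseRemoteProtocols directive and runs offline against constructed sample files.

```shell
#!/bin/sh
# Added example: is this host exposed to cups-browsed printer auto-discovery?
# Both checks take a file argument so they run against constructed samples.

# Effective BrowseRemoteProtocols value: the last uncommented directive wins;
# cups-browsed's built-in default is "dnssd cups" when the directive is absent.
browse_remote_protocols() {
    val=$(sed -n 's/^[[:space:]]*BrowseRemoteProtocols[[:space:]]\{1,\}//p' "$1" \
          | tail -n 1 | sed 's/[[:space:]]*$//')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'dnssd cups\n'; fi
}

# Returns 0 (hardened) only when remote browsing is fully off.
# In practice the service itself is also stopped: systemctl disable --now cups-browsed
cups_browsed_hardened() {
    [ "$(browse_remote_protocols "$1")" = "none" ]
}

# Parse saved `ss -lun` output; print the UDP/631 socket and return 0 if one exists.
udp631_listener() {
    awk '$2 == "UNCONN" && $5 ~ /:631$/ { print $5; found = 1 } END { exit !found }' "$1"
}

# Constructed samples (not captured from the HTB machine).
WORK=$(mktemp -d)
cat > "$WORK/vulnerable.conf" <<'EOF'
# distribution default: accept printers announced by any host on the LAN
BrowseRemoteProtocols dnssd cups
BrowseProtocols none
EOF
cat > "$WORK/hardened.conf" <<'EOF'
BrowseRemoteProtocols none
EOF
cat > "$WORK/ss.txt" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:631       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
EOF
cat > "$WORK/ss_clean.txt" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
EOF

for c in vulnerable hardened; do
    if cups_browsed_hardened "$WORK/$c.conf"; then s=hardened; else s=EXPOSED; fi
    printf '%s.conf: BrowseRemoteProtocols=%s (%s)\n' "$c" \
        "$(browse_remote_protocols "$WORK/$c.conf")" "$s"
done
udp631_listener "$WORK/ss.txt" || echo "nothing bound to UDP/631"
```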
1600 Exploiting the printer-more-info Attribute
Now we analyze the attributes sent to CUPS during the exploit. The crucial part of our attack begins when we inject an extra attribute through the printer-more-info attribute. This injection gives us control over CUPS's response behavior.
1815 Executing the Exploit
Once we have crafted our payload, we send it to trigger a reverse shell. While waiting for the shell, we keep an eye on the cups-browsed packet, ensuring that we maintain a steady connection to our server.
2045 Verifying the Print Job
As we inspect the CUPS Management Page, we can confirm the installation of a new printer. By printing a test page, we can verify that we have successfully received a shell on the target box.
2135 Observing Print Jobs
It's essential to notice print jobs that we did not initiate. Running CUPS locally reveals how it manages and stores print jobs, which is vital for understanding later cleanup or further attacks.
2315 Locating Stored Print Jobs
CUPS retains print jobs in the directory /var/spool/cups/, where each job is stored as files named with a five-digit job number and a three-digit page number. Navigating to this directory allows us to explore and interact with print jobs.
2425 Reviving the Shell
After discovering that our initial shell has died, we must establish a new connection. Using nohup, we can fork out of the terminated process, making our connection more resilient.
2730 Accessing Print Job Data
We cannot list the cached print jobs because the spool directory lacks the read bit for our user, but it still has the execute bit, so we can traverse into it. This lets us reach files inside the directory by name and identify which of them are readable.
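The execute-without-read situation above is a general Unix permission property, and the added script below (not from the write-up) demonstrates it on a constructed spool directory rather than the real /var/spool/cups/. The c<job>/d<job>-<doc> file names follow the CUPS spool convention as I know it, which the write-up only describes as five-digit job numbers plus three-digit suffixes.

```shell
#!/bin/sh
# Added example: a directory with mode 0711 (drwx--x--x) cannot be listed, yet a
# file inside it can be opened by anyone who can guess its name and has read
# permission on the file itself. This is exactly the gap a predictable
# job-numbering scheme turns into a data leak, and why spool directories
# should not be traversable by other users.

# CUPS spool naming (CUPS convention, not taken from the write-up):
# control file c<job>, data file d<job>-<doc>; job is 5 digits, doc is 3.
cups_job_files() {
    printf 'c%05d d%05d-%03d\n' "$1" "$1" "$2"
}

# Report whether a directory can be listed (needs r on the directory) and
# whether a named file inside it can be read (needs x on the directory plus
# r on the file).
probe_dir() {
    if ls "$1" >/dev/null 2>&1; then l=ok; else l=denied; fi
    if cat "$1/$2" >/dev/null 2>&1; then r=ok; else r=denied; fi
    printf 'list=%s read=%s\n' "$l" "$r"
}

# Root bypasses these permission checks, so a root user will see list=ok.
is_root() { [ "$(id -u)" -eq 0 ]; }

# Constructed spool directory with one fake job (job 1, document 1).
DEMO_SPOOL=$(mktemp -d)
DEMO_DATA=$(cups_job_files 1 1 | cut -d' ' -f2)      # d00001-001
printf '%%!PS-Adobe-3.0\n%% constructed job body\n' > "$DEMO_SPOOL/$DEMO_DATA"
chmod 644 "$DEMO_SPOOL/$DEMO_DATA"
chmod 711 "$DEMO_SPOOL"                              # traversable, not listable

echo "job 1 files: $(cups_job_files 1 1)"
echo "probe as uid $(id -u): $(probe_dir "$DEMO_SPOOL" "$DEMO_DATA")"
```

On the CUPS side the fix is the default ownership and mode (root:lp, 0710) on the spool directory, which removes the execute bit for everyone outside the lp group.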
2840 Converting PostScript to PDF
To view the content of a print job, we convert the PostScript file into PDF format. This conversion is what uncovers the root password, which is the ultimate goal.
3000 Understanding PPD Files
As we explore the files related to our findings, it is important to understand what a PostScript Printer Description (PPD) file looks like. These files define printer capabilities and configuration, giving us further insight into the environment.
3910 Summarizing the Exploits
To wrap up our exploration, it is beneficial to go over all the CVEs discussed to recap what techniques were executed. This summary reinforces our understanding of how we orchestrated the exploit chain and the significance of each vulnerability leveraged throughout the process.
By following these steps and understanding the intricacies of CUPS and its vulnerabilities, you will develop a solid foundation in mastering EvilCUPS on HackTheBox. Remember, continuous learning and ethical hacking practices are essential in this field. Happy hacking!