So this is one of the easy-rated boxes from HTB. Let’s dive in and add the IP to the /etc/hosts file:
sudo nano /etc/hosts

Now a good nmap scan for a start:
nmap -sC -sV -sT -p- -v antique.htb

sudo nmap -sC -sV -sT -sU -v antique.htb
This will take a looooooong time, so we’ll come back to it later.
The nmap shows us some interesting things: the name “HP Jetdirect” comes up a lot, and the telnet port is also pretty interesting.

That would mean we have a printer, but there’s no IPP port open.
Let’s check searchsploit for JetDirect:

A few good finds, but I like the look of the SNMP password disclosure; SNMP is usually pretty open. Let’s search on exploit-db.

Okay, let’s have a play.
First let’s do a walk while nmap is still being slow.
snmpwalk -v 2c -c public antique.htb

Well, that was disappointing, but it is listening.
Can we run the exploit?

Ergh that would be a no.
I did try to find out how to install snmputil, but it didn’t show on apt, and neither did net-snmp or net-snmp-util.
Maybe we can help along the snmpwalk command..

Okay that’s better.
I think that’s hex-encoded, let’s take a look:
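One way to decode that kind of output, as an added example that is not part of the original write-up: a small Python parser for the space-separated hex bytes snmpwalk prints for Hex-STRING and BITS values. The OIDs and values in the sample lines are constructed placeholders, and only single-line values are handled.

```python
import re

# Constructed sample lines (net-snmp style); OIDs and values are placeholders.
SAMPLE_HEX = "iso.3.6.1.4.1.99999.1.0 = Hex-STRING: 64 65 6D 6F 2D 70 77 00"
SAMPLE_BITS = "iso.3.6.1.4.1.99999.2.0 = BITS: 68 69 1 2 4 9 10 12 15"

LINE_RE = re.compile(r"^\S+ = (?P<type>Hex-STRING|BITS): (?P<body>.+)$")
BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")


def set_bit_positions(data: bytes) -> list:
    """Bit numbers as net-snmp lists them: bit 0 is the MSB of the first byte."""
    return [i * 8 + b for i, byte in enumerate(data)
            for b in range(8) if byte & (0x80 >> b)]


def to_bytes(tokens) -> bytes:
    if not tokens or not all(BYTE_RE.match(t) for t in tokens):
        raise ValueError("expected two-digit hex bytes")
    return bytes(int(t, 16) for t in tokens)


def extract_bytes(line: str) -> bytes:
    """Return the raw value bytes from one Hex-STRING or BITS output line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a Hex-STRING or BITS line")
    tokens = m["body"].split()
    if m["type"] == "Hex-STRING":
        return to_bytes(tokens)
    # BITS prints the hex bytes, then the decimal numbers of the set bits, so
    # "10" is ambiguous. Accept the split whose tail matches the head's set bits.
    for k in range(len(tokens), 0, -1):
        head, tail = tokens[:k], tokens[k:]
        if all(BYTE_RE.match(t) for t in head) and all(t.isdigit() for t in tail):
            data = to_bytes(head)
            if [int(t) for t in tail] == set_bit_positions(data):
                return data
    raise ValueError("could not separate hex bytes from bit numbers")


def printable(data: bytes) -> str:
    """ASCII text, with non-printable bytes shown as \\xNN escapes."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in data)


if __name__ == "__main__":
    for sample in (SAMPLE_HEX, SAMPLE_BITS):
        print(printable(extract_bytes(sample)))
```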


Although this is not the nicest of shells..

Actually hang on, let’s read that again: we can use the “exec command” to send system commands.
So what does id give us?
exec id

Okay that’s better, any cheeky flag for us?

Yes that is a cheeky flag!
So we can use the cat command and id; can we use python?

I think that is a kind of?
python3?

So this hung on me, but we must have hit something.
Let’s try some more examples.