Introduction
In this walkthrough, I'll explain how I rooted the machine by chaining the recently published CUPS vulnerabilities (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177).
After obtaining a reverse shell, I found a print job in the CUPS spool that contained the root password, which gave me root access. Along the way, I'll reference useful sources, and I highly recommend exploring them. Remember, it's not just about submitting flags; understanding the process is key!
Let’s Begin
Hey you ❤️ Please check out my other posts, you will be amazed, and support me by following on X.
Let’s Hack Evilcups HTB 😌
https://twitter.com/HacklikeHacker
Nmap
I started with a classic nmap scan. SSH on port 22 and IPP (Internet Printing Protocol) on port 631 were open. The "http-title" script output for 631 also showed that a web interface was being served there.
Web Enumeration
In the browser it looked like this:
I clicked on "Printers" and discovered an existing print job. This becomes important later for escalating from the low-privileged shell to root.
To get a reverse shell through CUPS 2.4.2, I used the Python script from IppSec. It is simply structured and easy to modify.
I installed the dependencies needed to run the Python script.
Python Script
For an explanation of the script, I can recommend IppSec's video.
This source explains the individual vulnerabilities and their background:
I ran evilcups.py and entered my attacker IP, the target IP and a command, which in this case was a reverse shell.
After exactly 60 seconds the target connected back and the payload was delivered. Under "Printers" I could now also see the printer the exploit had added. Its name is the default from the script, as I had not changed it.
The function shown below spoofs a printer: it sends a crafted UDP packet to cups-browsed on port 631 that advertises a printer whose URI points at the attacker's fake IPP server, so the target connects back to it and fetches the printer's attributes.
This is only a small part of the script. But you should understand the complete one.
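As an added example (not code from the original post or from IppSec's script), here is the browse record that cups-browsed accepts on UDP/631, parsed the way a defender would inspect it. CVE-2024-47176 is cups-browsed trusting such a datagram from any source, and the whole attack hinges on one field: the URI, which is where the daemon will connect to fetch the "printer's" attributes. The field layout (hex type, hex state, URI, then quoted location, info, make-and-model and attributes) follows the CUPS browsing protocol; the handling of backslash escapes inside the quotes is my assumption, and the datagrams and addresses are constructed. The check at the end flags any advertisement whose URI points outside the subnets your printers actually live on, which is a cheap detection to run over captured UDP/631 traffic.

```python
"""Inspect a legacy CUPS browse datagram of the kind cups-browsed accepts on UDP/631.

Added example, not code from the original post or from IppSec's script. The
record layout (hex printer type, hex state, URI, then quoted location, info,
make-and-model and attributes) follows the CUPS browsing protocol; the
backslash-escape handling inside quotes is an assumption, and the datagrams
and addresses below are constructed for illustration.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# One optional quoted field; backslash escapes inside the quotes are allowed (assumed).
_FIELD = r'(?:\s+"((?:[^"\\]|\\.)*)")?'
# type and state are hex numbers, the URI runs to the next whitespace, then up
# to four quoted fields: location, info, make-and-model, extra attributes.
_RECORD = re.compile(r"^\s*([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)" + _FIELD * 4 + r"\s*$")


def parse_browse_packet(data: bytes) -> dict:
    """Split one browse datagram into its fields; raise ValueError if it is malformed."""
    text = data.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = _RECORD.match(text)
    if not m:
        raise ValueError(f"not a browse record: {text!r}")
    ptype, state, uri, location, info, make_model, attrs = m.groups()
    return {
        "type": int(ptype, 16),
        "state": int(state, 16),
        "uri": uri,
        "location": location or "",
        "info": info or "",
        "make_model": make_model or "",
        "attrs": attrs or "",
    }


def is_suspicious(record: dict, trusted_nets) -> bool:
    """True when following the advertised URI would make cups-browsed contact a
    host outside the networks the print infrastructure is expected to live on.
    Non-IPP schemes and bare hostnames are flagged too: nothing here resolves names."""
    parts = urlsplit(record["uri"])
    if parts.scheme not in ("ipp", "ipps", "http", "https"):
        return True
    try:
        host = ip_address(parts.hostname)
    except ValueError:  # None, a hostname, or junk
        return True
    return not any(host in ip_network(net) for net in trusted_nets)


# Constructed samples (made-up addresses). The first has the shape of a rogue
# advertisement: state 3 (idle) and a URI pointing at a host the attacker controls.
ROGUE_PACKET = b'0 3 http://10.10.14.5:12345/printers/evil "Office HQ" "HP LaserJet" "HP LaserJet 4"'
BENIGN_PACKET = b'0 3 ipp://192.168.1.20:631/printers/Office "2nd floor" "Office printer"'
TRUSTED_NETS = ["192.168.1.0/24"]

if __name__ == "__main__":
    for pkt in (ROGUE_PACKET, BENIGN_PACKET):
        rec = parse_browse_packet(pkt)
        verdict = "SUSPICIOUS" if is_suspicious(rec, TRUSTED_NETS) else "ok"
        print(f'{verdict:10} {rec["uri"]}  location="{rec["location"]}"')
```

The parser deliberately accepts anything cups-browsed would accept rather than only well-formed advertisements, so it can be pointed at raw captures. Note that the URI check is only a heuristic: an attacker on the printer subnet would pass it, which is why the real fix is patching cups-browsed or stopping it from listening on UDP/631 at all.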
To get the reverse shell, I first started a listener and then clicked "Print Test Page". Submitting a job makes CUPS process it, and that is the moment the injected command runs.
With that, I had my reverse shell.
Reverse Shell
I had the problem that I lost my reverse shell after a certain time. In the output of the running evilcups.py it looked like this.
The shell dies because it is a child of the process that handles the print job (the CUPS filter). As soon as that job has been processed or cleaned up, its processes are terminated, and my shell with them.
Running the shell with nohup and in the background (&) decouples it from that parent process, so it keeps running independently.
After a little research I found out that the print jobs live in /var/spool/cups. However, I had no read permission on the cups directory itself, only execute (traverse) permission: I could not list it, but I could open a file inside it if I knew its exact name.
Because of that, I needed to work out the name of the job that already existed on the machine. The name encodes the job ID and the document number within that job.
In the screenshot below, the 1 is underlined for the job I was interested in, so the data file had to be called d00001-001.
- d: the data file of the print job, i.e. the content that gets printed.
- 00001: the job ID (this was the first job in the queue), zero-padded to five digits.
- 001: the number of the document within that job, zero-padded to three digits; a single job can carry more than one document.
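To make the naming scheme concrete, here is an added example (not part of the original post) that builds and parses CUPS spool file names and enumerates the candidates to probe when the directory is traversable but not listable. For every job cupsd writes two kinds of file: c<jobid>, the control file holding the job's attributes, and one d<jobid>-<docnum> per submitted document. The traverse-only view described above is what the CUPS defaults give you (spool directory root:lp mode 0710, job files root:lp mode 0640) when the shell runs as the lp user that CUPS filters run as; the post does not show the user, so treat that part as my reading of the defaults. The "directory listing" in the block is constructed so the probe runs offline.

```python
"""Build, parse and enumerate CUPS spool file names.

Added example, not part of the original post. For every job cupsd writes
c<jobid> (the control file with the job's attributes) and one
d<jobid>-<docnum> per submitted document, with the job id zero-padded to five
digits and the document number to three. The "directory listing" at the bottom
is constructed so the probe runs offline.
"""
import re
from typing import Callable, Iterator, List, Optional

_SPOOL_RE = re.compile(r"^(?P<kind>[cd])(?P<job>\d{5,})(?:-(?P<doc>\d{3,}))?$")


def data_file_name(job_id: int, doc_num: int = 1) -> str:
    """Name of document doc_num of job job_id, e.g. (1, 1) -> 'd00001-001'."""
    if job_id < 1 or doc_num < 1:
        raise ValueError("job id and document number start at 1")
    return f"d{job_id:05d}-{doc_num:03d}"


def control_file_name(job_id: int) -> str:
    """Name of the job's control file, e.g. 1 -> 'c00001'."""
    if job_id < 1:
        raise ValueError("job id starts at 1")
    return f"c{job_id:05d}"


def parse_spool_name(name: str) -> Optional[dict]:
    """Inverse of the builders; None for anything that is not a spool file name."""
    m = _SPOOL_RE.match(name)
    if not m:
        return None
    kind, doc = m.group("kind"), m.group("doc")
    # Control files carry no document number; data files always do.
    if (kind == "c") != (doc is None):
        return None
    return {
        "kind": "control" if kind == "c" else "data",
        "job_id": int(m.group("job")),
        "doc_num": int(doc) if doc is not None else None,
    }


def candidate_data_files(max_job_id: int, max_doc_num: int = 1) -> Iterator[str]:
    """Names worth trying when the spool directory grants traverse (x) but not
    list (r) permission: you cannot ls it, but you can open a file by exact name."""
    for job in range(1, max_job_id + 1):
        for doc in range(1, max_doc_num + 1):
            yield data_file_name(job, doc)


def probe_spool(max_job_id: int, can_read: Callable[[str], bool], max_doc_num: int = 1) -> List[str]:
    """Return the candidates that can_read() reports as accessible. can_read is
    injected so this runs offline; on a target it would be something like
    lambda n: os.access("/var/spool/cups/" + n, os.R_OK)."""
    return [n for n in candidate_data_files(max_job_id, max_doc_num) if can_read(n)]


# Constructed stand-in for a spool directory we cannot list: jobs 1 and 3 each
# have one document; job 2 has already been purged.
FAKE_SPOOL = {"c00001", "d00001-001", "c00003", "d00003-001"}

if __name__ == "__main__":
    for name in probe_spool(5, lambda n: n in FAKE_SPOOL):
        print(name, parse_spool_name(name))
```

The job ID from the CUPS web UI makes the probe almost free: with the ID known, only the document number needs guessing, and it is 001 for any single-file job. The control file is worth grabbing as well when it is readable, since it records who submitted the job and from where.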
I was right with my assumption:
I then downloaded d00001-001 to my attacker machine.
Next, I converted the file to PDF so that I could open and read it.
The root password was contained in this file.
Root
And that’s it 😁
Happy Hacking!!!