HackTheBox - EvilCUPS

00:00 - Introduction 01:00 - Start of nmap 01:45 - Examining the CUPS Management Interface on TCP Port 631 04:40 - EvilSocket's blog, explaining the four CVE's and how they are utilized in our attack chain 11:00 - Showing the GHSA Advisory that had the initial POC that I had trouble getting working 14:50 - Talking about the Cups-Browsed packet (UDP) we send, which causes CUPS to make an HTTP/IPP Request to our server to install the printer 16:00 - Talking about the attributes we send, and where the exploit begins. We will inject an extra attribute in the print-more-info attribute 18:15 - Running the exploit to send us a reverse shell, talking about the cups browsed packet while we wait 20:45 - Going back to the CUPS Management Page and we can see a new printer, printing a test page to get a shell on the box 21:35 - Showing there was a print job we didn't create, starting CUPS locally so we can see how CUPS Stores print jobs 23:15 - Seeing cups stores our jobs in /var/spool/cups/d(5 digit print job)-(3 digit page num). 24:25 - Going back to our shell, discovering it got killed, getting another shell with nohup so we fork out of the process 27:30 - Having trouble reading the cached print job because dont have read permission on /var/spool/cups, but we do have execute so we can go into the directory and read files that we have access to 28:40 - Converting the Postscript file to pdf so we can see the page that was printed and get the root password 30:00 - Showing what a PPD File looks like 39:10 - Going over all the CVE's again to summarize what we did