HTB Linux Easy: Antique

Antique is an Easy rated Linux machine on HTB.

Nmap

TCP

UDP

Initial Foothold

Enumerating SNMP (port 161)

The SNMP service has a password disclosure vulnerability: the hex string extracted from it decodes to the plaintext password P@ssw0rd@123!!123.
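The disclosure described above can be checked for on your own devices. The following is an added example, not code from the original post: it scans saved SNMP walk output for hex-encoded values that decode to readable text. The sample walk is constructed, its OIDs are placeholders, and the first value is the page's plaintext password re-encoded as hex octets.

```python
import re

# Constructed sample of net-snmp style walk output (placeholder OIDs).
# Line 1 is the page's password as hex octets, followed by non-octet tokens.
SAMPLE_WALK = """\
iso.3.6.1.4.1.99999.1.1.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9
iso.3.6.1.4.1.99999.1.2.0 = Hex-STRING: 00 1A 2B 3C 4D 5E
iso.3.6.1.4.1.99999.1.3.0 = STRING: "printer-01"
"""

LINE_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>Hex-STRING|BITS): (?P<val>.*)$")
OCTET_RE = re.compile(r"^[0-9A-Fa-f]{2}$")


def leading_printable(value):
    """Decode hex octets and return the leading run of printable ASCII."""
    out = []
    for tok in value.split():
        if not OCTET_RE.match(tok):
            break  # not a two-digit hex octet: stop decoding
        byte = int(tok, 16)
        if not 0x20 <= byte <= 0x7E:
            break  # binary data, not text
        out.append(chr(byte))
    return "".join(out)


def audit_walk(text, min_len=6):
    """Return (oid, decoded_text) for hex values that hide readable strings."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # plain STRING/INTEGER values are already human-readable
        decoded = leading_printable(m["val"])
        if len(decoded) >= min_len:
            findings.append((m["oid"], decoded))
    return findings


if __name__ == "__main__":
    for oid, text in audit_walk(SAMPLE_WALK):
        print(f"{oid}: readable text exposed over SNMP: {text!r}")
```

Any finding is a value that a client with read access to that OID can recover as plaintext, so it should be treated as exposed.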

Enumerating telnet (port 23)

Following the SNMP information disclosure, we were able to use the password to authenticate to the Telnet service.

It looks like we are able to execute system commands.

We then execute a reverse shell payload (shown in a screenshot in the original post).

This gives a shell as the lp user.

Priv Esc

LinPEAS discovers a service running on port 631 that is only accessible from localhost.

By curling the page, we identified a CUPS server running version 1.6.1, which is vulnerable and may allow access to root-owned files.

The flag can be obtained without needing to become root.

User.txt

Root.txt

You have PWNED

This post is licensed under CC BY 4.0 by the author.