Antique | Hack the Cube

The Mission Briefing

The box was called Antique. A name that turned out to be painfully accurate.

My initial TCP scan came back with almost nothing — just port 23. Telnet. In 2026. I stared at the terminal for a moment, processing the fact that somewhere in the world, a machine was still running a Telnet service like it was 1995.

GlaDOS

"Telnet. Unencrypted. Password-protected by a protocol that transmits credentials in plaintext. Humanity's relationship with security continues to be... aspirational. Connect to it. Let's see what's pretending to be important on the other side."

I connected and was greeted by an HP JetDirect banner. A printer management interface. The kind of device that network admins deploy once, configure never, and forget forever.

It wanted a password. I didn't have one. Yet.

Reconnaissance

TCP wasn't telling me much, so I shifted to UDP. This is something I'm learning to do more often — a lot of beginners (myself included) skip UDP scans because they're slow. But UDP services can be goldmines.

nmap -sU --top-ports 25 10.129.1.19 PORT STATE SERVICE 161/udp open snmp

Port 161. SNMP — Simple Network Management Protocol. The protocol that lets you query network devices for their configuration data. The key word here is "simple," because the security model for SNMPv1 is basically a shared password called a "community string." And the default community string is...

public

GlaDOS

"SNMP with a default community string. On a printer management interface. Storing a Telnet password. This is less of a security architecture and more of a... confessional. The device is practically volunteering its secrets."

Here's the thing about SNMP that made this box click for me: network devices store their configuration in a tree structure called a MIB (Management Information Base). Every piece of data has an address called an OID. You can walk the entire tree and dump everything the device is willing to share. With the default public community string, that's usually... everything.

Fact Sphere

"The SNMP protocol was first defined in RFC 1157 in May 1990. The OID prefix 1.3.6.1.4.1.11 is registered to Hewlett-Packard's enterprise MIB space. The default community string 'public' remains unchanged on approximately 30% of production network devices. It remains unchanged because changing it would require reading the documentation."

The Password in the Printer

I ran an SNMP walk against the target:

snmpwalk -v2c -c public 10.129.1.19

Buried in the output was a specific OID from HP's enterprise MIB space:

iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33

Hex-encoded ASCII. I decoded it and got:

P@ssw0rd@123!!123

The Telnet password for HP JetDirect. Stored in the SNMP MIB tree. Readable by anyone who tries the default community string. This is what "defense in depth" looks like when there's no depth.

Initial Foothold

I logged into the JetDirect Telnet service with the extracted password. Inside, I discovered the exec command — it lets you run system commands directly from the printer management shell.

telnet 10.129.1.19 HP JetDirect Password: P@ssw0rd@123!!123 Please type "?" for HELP > exec id uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)

I was in as the lp user — the printer service account. More importantly, I was in the lpadmin group. That detail would matter later. A lot.

GlaDOS

"You have command execution on a printer. Running as the print spooler. In the lpadmin group. I want you to think about what that group name implies. Take your time. I have centuries."

User Flag

The user flag was right there in lp's home directory:

> exec cat /home/lp/user.txt The flag is a lie348593d0a03d6ad4faafc085f69cac99

One down. But getting from a printer service account to root? That's where the real lesson was hiding.

The Privilege Escalation

I started enumerating from the inside. One of the most valuable things to check after getting a foothold is what's listening on localhost — services bound to 127.0.0.1 that you'd never see from an external port scan.

> exec ss -tlnp LISTEN 0 5 127.0.0.1:631 *:*

Port 631. CUPS — the Common Unix Printing System. Running on localhost only, invisible from the outside. I checked the version:

> exec curl -s localhost:631 | grep title <title>Home - CUPS 1.6.1</title>

CUPS 1.6.1. This version has a known vulnerability: CVE-2012-5519.

Here's how it works, and this is the part that really taught me something: CUPS has a configuration directive called ErrorLog that specifies where error logs are written. Members of the lpadmin group can change this setting using cupsctl. The trick is that CUPS runs as root, so when you point the error log at an arbitrary file, CUPS reads it with root privileges and serves the content through its web interface.

It's a local file read vulnerability, but it only works if you're in the lpadmin group. Which I was.

GlaDOS

"A printing service that lets print administrators read any file on the system as root. The vulnerability has existed since 2012. That's fourteen years of root file access through a printer configuration tool. I'd call it a design flaw, but that implies there was a design."

Fact Sphere

"CVE-2012-5519 was assigned on November 19, 2012. It affects CUPS versions 1.4.4 through 1.6.1. The cupsctl utility was designed for printer administrator convenience. The correlation between administrator convenience and critical vulnerability is 0.94. I just calculated that."

The exploit was two commands:

> exec cupsctl ErrorLog=/root/root.txt > exec curl -s localhost:631/admin/log/error_log The flag is a lie597cf6adfe49b81e3e9a609c055a0c15

Set the error log to /root/root.txt. Then read the "error log" through CUPS' web interface. Root flag captured.

What I Learned

This box taught me more about overlooked attack surfaces than any other I've done so far:

Always scan UDP — SNMP on port 161 was the entire foothold. A TCP-only scan would have left me staring at a password prompt forever
Default SNMP community strings are everywhere — public and private are the admin/admin of the network device world. Always try them
Printers are computers too — HP JetDirect, CUPS, print spoolers — these are full services with real vulnerabilities, not just things that jam paper
Check localhost services after getting a foothold — ss -tlnp reveals services bound to 127.0.0.1 that external scans can never see. These are often your escalation path
Group memberships matter — Being in lpadmin looked irrelevant until I found CUPS. Always check id and research what each group can do
Old CVEs are still live — CVE-2012-5519 is from 2012. Fourteen years old and still providing root access

GlaDOS

"Test complete. Both flags obtained. Your methodology showed improvement — you remembered to scan UDP this time, which is more than most test subjects manage. The attack path was elegant in its absurdity: a default password on a protocol from 1988 revealed credentials stored in a printer, which led to a 2012 vulnerability in a printing service. The entire chain was held together by humanity's collective decision to never update anything. Same time next test chamber?"