7) Printer Exploitation
The terminal challenge for this objective is the terminal "Shellcode Primer" offered by Ruby Cyster. Solving this terminal challenge provides additional hints for this objective. To view the hints use the menu on the left.
To start this objective click on the "Printer Exploitation" terminal in Jack's Office.
Firmware Update and
Download current firmware (Download Link).
The downloaded firmware is called
firmware-export.json. The content of the firmware is shown below:
firmware: firmware BASE64 blob
Copy and paste the firmware BASE64 blob to a new text file,
Use the following command to decode the BASE64 file:
base64 -d firmware.b64 > file.
Using the command
file file will display that the decoded BASE64 blob is a Zip archive.
Rename this file to
firmware.zip and make a copy of it,
new_firmware.zip by running the following commands:
firmware.zip contains a file called
firmware.bin (which is a ELF binary).
Create a new script file and call it
firmware.bin. This script should contain the following:
firmware.bin executable by running
chmod +x firmware.bin.
This script copies the file
/app/lib/public/incoming/ folder. This will allow you to download
printer.log through the URL
Add the new
firmware.bin script to the
new_firmware.zip overwriting the old
At this point, you should have the original
new_firmware.zip which contains the
firmware-export.json, we know the Secret_length, Algorithm, and Signature for the original
Now need to use Hash Extension Attacks to append
firmware.zip and generate a valid signature.
Did you know?
If you append multiple zip files the last one is processed by the printer?
Download and install Hash Extender using the following commands:
Run the following
hash_extender command to generate a valid signature:
Part of the output is shown below:
The new valid
SHA256 signature is
Copy the HEX output from
hash_extender and paste it to cyberchef. Convert the HEX to BASE64 in cyberchef.
new-firmware-export.json file that includes the BASE64 blob from cyberchef as the
firmware, the new valid Signature, Secret_length, and Algorithm.
On the printer Website, update the firmware using the newly created
new-firmware-export.json. This file has a valid firmware signature and contains a bash script that will copy
printer.log to the
incoming folder that can be accessed through
After a few minutes visit
https://printer.kringlecastle.com/incoming/printer.log. The content of the
printer.log file is as follow:
Documents queued for printing ============================= Biggering.pdf Size Chart from https://clothing.north.pole/shop/items/TheBigMansCoat.pdf LowEarthOrbitFreqUsage.txt Best Winter Songs Ever List.doc Win People and Influence Friends.pdf Q4 Game Floor Earnings.xlsx Fwd: Fwd: [EXTERNAL] Re: Fwd: [EXTERNAL] LOLLLL!!!.eml Troll_Pay_Chart.xlsx