HackTheBox - EvilCUPS

00:00 - Introduction
01:00 - Start of nmap
01:45 - Examining the CUPS Management Interface on TCP Port 631
04:40 - EvilSocket's blog, explaining the four CVEs and how they are utilized in our attack chain
11:00 - Showing the GHSA Advisory that had the initial POC that I had trouble getting working
14:50 - Talking about the cups-browsed packet (UDP) we send, which causes CUPS to make an HTTP/IPP request to our server to install the printer
16:00 - Talking about the attributes we send, and where the exploit begins. We will inject an extra attribute in the print-more-info attribute
18:15 - Running the exploit to send us a reverse shell, talking about the cups-browsed packet while we wait
20:45 - Going back to the CUPS Management Page and we can see a new printer, printing a test page to get a shell on the box
21:35 - Showing there was a print job we didn't create, starting CUPS locally so we can see how CUPS stores print jobs
23:15 - Seeing CUPS stores our jobs in /var/spool/cups/d(5 digit print job)-(3 digit page num)
24:25 - Going back to our shell, discovering it got killed, getting another shell with nohup so we fork out of the process
27:30 - Having trouble reading the cached print job because we don't have read permission on /var/spool/cups, but we do have execute so we can go into the directory and read files that we have access to
28:40 - Converting the PostScript file to PDF so we can see the page that was printed and get the root password
30:00 - Showing what a PPD File looks like
39:10 - Going over all the CVEs again to summarize what we did
