Gawk is an easy retired hardware challenge created by MrR3boot on Hack The Box. It is the first box in the Intro to Printer Exploitation track so I thought I would give it a go. The challenge description explains that the client has lost access to their computer. Furthermore, the client urgently needs a document that got stuck in their printer. They have asked whether we are able to recover the document. Hello world, welcome to Haxez where today I will attempt to hack Gawk.
Gawk Service Enumeration
First things first, I spawned the instance and connected to the Hack The Box VPN. I had absolutely no idea where to start. Unfortunately, at the time of writing, there weren’t any writeups for this challenge. I checked on the Academy for related material but came up short. I tried to Nmap the box and connect to the open port with NetCat but didn’t receive anything back. As a result, I headed to the forum where someone recommended looking for a Printer Exploit Framework.
After a quick Google search, I found PRET the Printer Exploitation Framework on GitHub. I’ve never used this tool before or attempted any printer exploitation. Therefore, my explanations and terminologies may be incorrect. I can only apologise in advance but we all have to start somewhere. I cloned the repository and read through the read me file. There were some requirements that I needed to install for Python 2.7 so I used pip2.7 to install them.
Next, I started playing with the tool. I ran the help argument to determine the correct syntax and after a few attempts, I was able to connect to the printer. I’m not sure yet whether the information that was printed back was correct but at least I was connected. Pret reported back that the printer was an HP LaserJet 4200.
python2.7 /opt/PRET/pret.py 134.209.180.248:30887 pjl
Printer Option Exploration
Once connected to the printer, I ran the help command to see what options were available. Stating the obvious but asking for help is always a good idea when you don’t know what to do. I’m not sure if it’s just me but pride (or something) can sometimes rule my emotions and decisions. If I feel like I should already know something then I will waste time going down rabbit holes trying to understand it. Eventually, I will find the answer but it would have been far quicker to have asked someone who already knows the answer.
Anyway, the help command reported back that I had a number of commands at my disposal. I ran the info command with the various sub-commands but didn’t learn much. After that, I listed the current working directory which reported back 0:/. Next, I used the ls command to see what was in the current working directory. As a result, I learned that there were 4 directories. Navigating through these directories I found the lost document in the 0:/saveDevice/SavedJobs/InProgress named HR_Policies.pdf. I checked the other directories but there were no other files.
The Gawk Document
I thought I was done but I should have known better. Attempting to open the PDF document resulted in an error that it couldn’t be read. I used the head tool to show me the first few lines of the document and sure enough, it didn’t look like a PDF. Then, I ran the file tool on the HR_Policies.pdf document and learned that it was an ASCII text document. Fortunately, I used the cat tool to view the entire contents of the document. My logic was that I thought the flag could be hiding somewhere inside it. However, I noticed that the file ended with two equal symbols.
Immediately, I recognized it as base64 and used cat to pipe the base64 to base64 decode. Once decoded, I appended the output to a new file called hr. Finally, I ran Ghostscript against the new file, and to my delight, I received the flag. I submitted the flag to Hack The Box and completed the challenge.
cat HR_Policies.pdf | base64 -d > hrdocghostscript hrdoc
Gawk Learnings
I looked at this challenge a few weeks ago but didn’t get anywhere with it. Whether I was tired or just not in the mood, I gave up but promised I would come back to it later. I’m glad I did as this was a fun easy challenge. To me, challenges and boxes tend to seem impossible when I first look at them. For some reason, I always assume that it requires some secret forbidden knowledge to complete it. I love learning to use new tools but the thought of learning new tools can sometimes make me anxious.
This challenge was a perfect example of why you should just dive in and get on with it. Once you have a rough idea of what to do, the rest is fairly trivial. Granted, I barely scratched the surface of the capabilities of the whole framework but I feel confident moving forward on to the next challenge. Thanks for this challenge, it was genuinely fun and reminded me that sometimes I should just get stuck in and give it ago.