Hack The Box Wander Writeup

Wander is an easy hardware challenge created by MrR3boot on Hack The Box. It’s part of the Intro To Printer Exploitation track. As I’ve just completed Gawk, I thought I’d give it a go. The description of the challenge explains that someone is trying to print documents. However, their uncle has password-protected their printer with a PIN. They’ve identified a webserver running on the printer but have come to us for help. Hello world, welcome to Haxez where today I will explain how I hacked Wander.

Wander Enumeration

Granted, there isn’t much to enumerate on these challenges. It’s a Docker container with a single port to attack. With that said, after spawning the container and connecting to the lab VPN, I navigated to the provided IP in my browser. Once the page loaded, there was some information about the printer and then several links. With the exception of the Job Controls link, none of the links worked. The input box on the Job Controls page had template text saying @PJL INFO ID.

Printer Job Language

In order to become more familiar with our future AI overlords, I asked ChatGPT what PJL commands were. While I feel like using ChatGPT is cheating, let’s be honest, it’s better than Google at providing quick explanations for specific topics. ChatGPT explained the following: PJL stands for Printer Job Language. It is a language used to control various aspects of printing jobs in printers that support the Printer Control Language (PCL) or PostScript. PJL commands are typically used to set printer-specific parameters, manage printer resources, and control printing processes.

The syntax for PRET that I used on the Gawk challenge is starting to make sense. ChatGPT was also kind enough to provide a few examples of PJL commands. I ran the info status command and sure enough, the printer returned its status. Next, I thought I would try asking for help and ran @PJL HELP but unfortunately, that didn’t work.

@PJL INFO STATUS
Wander Print Status

Wandering The File System

After performing a few Google searches for Printer Job Language examples, I stumbled upon an HP PDF document. The document provided some good examples of the various commands including the FSDIRLIST command and syntax used for browsing the file system. Honestly, I hate the syntax and the format of the results it returns. It doesn’t seem intuitive at all. I asked the printer to list out the contents of what I thought was the root directory. As a result, the printer returned a number of directories including PostScript, saveDevice, and webServer.

@PJL FSDIRLIST NAME="0:" ENTRY=1
Wander Directory Listing

Reviewing the syntax, I thought that the NAME="0:" value would have listed the root directory of the system. However, that wasn’t the case as I had to navigate up a directory before I could find the file required for the challenge. As you can see below, I moved up a directory to what seemed to be the root directory of the system.

@PJL FSDIRLIST NAME="0:/../home" ENTRY=1
Root Directory

It seems that the initial directory I was in was the printer directory. Although I haven’t investigated further, logic tells me that “0:” symbolizes the default directory, not the root directory. While working on Gawk, I thought that “0:” symbolized the system disk, like “C:” would on Windows… guess not.

Capturing The Wander Flag

Anyway back to the task at hand, I navigated through the different directories until I found the flag. The location of the flag can be found in the /../home/default/readyjob directory. Once you input the PJL command to list out the contents, the flag will be there amongst the output.

@PJL FSDIRLIST NAME="0:/../home/default/readyjob" ENTRY=1
Flag
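
Seen from the defender's side, the "0:/../" paths in these FSDIRLIST calls are easy to recognise in a PJL stream before it reaches a printer. The Python below is an added example, not part of the original writeup or the challenge: parse_pjl, escapes_volume, audit and SAMPLE are hypothetical names, and the sample lines are the commands from this page, constructed as a filtering proxy or print-server log might record them.

```python
import re

# PJL file system commands from HP's PJL reference; this page uses FSDIRLIST.
FS_COMMANDS = {"FSAPPEND", "FSDELETE", "FSDIRLIST", "FSDOWNLOAD",
               "FSINIT", "FSMKDIR", "FSQUERY", "FSUPLOAD"}
PARAM_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')   # KEY=value or KEY="value"

def parse_pjl(line):
    """Split one '@PJL ...' line into (command, {PARAM: value}); None if not PJL."""
    words = line.strip().split()
    if len(words) < 2 or words[0].upper() != "@PJL":
        return None
    params = {k.upper(): v.strip('"') for k, v in PARAM_RE.findall(line)}
    return words[1].upper(), params

def escapes_volume(name):
    """True if the path climbs above the root of its volume, e.g. 0:/../home."""
    path = re.sub(r"^\d+:", "", name)        # drop the volume prefix such as "0:"
    depth = 0
    for part in re.split(r"[/\\]+", path):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:                          # went above the volume root
            return True
    return False

def audit(lines):
    """Return (line_no, command, name) for file system commands leaving the volume."""
    findings = []
    for no, line in enumerate(lines, 1):
        parsed = parse_pjl(line)
        if parsed and parsed[0] in FS_COMMANDS:
            name = parsed[1].get("NAME", "")
            if escapes_volume(name):
                findings.append((no, parsed[0], name))
    return findings

# Constructed sample: the commands from this writeup as a filtering proxy would see them.
SAMPLE = [
    '@PJL INFO ID',
    '@PJL INFO STATUS',
    '@PJL FSDIRLIST NAME="0:" ENTRY=1',
    '@PJL FSDIRLIST NAME="0:/../home" ENTRY=1',
    '@PJL FSDIRLIST NAME="0:/../home/default/readyjob" ENTRY=1',
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Tracking depth rather than just searching for ".." means a path such as 0:/webServer/../PostScript, which stays inside the volume, is not flagged.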

Wander Learnings

Following on from Gawk, this was another great challenge that introduced me to Printer Job Language. It helped make the syntax for PRET from the Gawk challenge make more sense. Even though I dislike the syntax of PJL, the challenge was still fun. It wasn’t too difficult once I understood the basics. I don’t have much more to say about it honestly other than to ask why PJL syntax is the way it is.