Bamboo offers a Squid HTTP proxy through which I’ll access a PaperCut NG instance. I’ll use Spose to scan through the proxy and discover the print management application. I’ll exploit an authentication bypass vulnerability in PaperCut and use application access to enabling print scripting to get code execution. For privilege escalation, I’ll abuse a root process that runs a script from the papercut user’s home directory.

0xdf hacks stuff

A walkthrough of exploiting a HackTheBox machine running PaperCut NG 22.0 behind a Squid HTTP proxy. The attack chain involves using Spose to scan through the proxy, exploiting CVE-2023-27350 (an authentication bypass vulnerability) to gain access to the PaperCut admin interface, enabling print scripting to achieve code execution as the papercut user, and finally escalating to root by hijacking a binary executed by a privileged process that runs from the papercut user's home directory.

HTB: Bamboo