Compromised Network Printer

Level: Easy

Challenge : Compromised Network Printer

Q1: Identify the port scan activity performed by the attacker on the network. What was the NAT IP Address(Internal IP Address) assigned to the machine being used by the attacker on the internal network?

Image 1

The pcap file reveals numerous SYN packets originating from the IP address 172.31.35.23. This activity resembles port scanning behavior.

Q2: Which ports were open on the network printer? Identify the port used for printer exploitation.

Image 2

Upon analyzing the pcap file, we observed communication between the attacker and the device with the IP address 172.31.40.241 on port 9100. By following the TCP stream, we identified that the device is a printer.

Image 3

Q3: Based on the abused port number, which printer language/method was being abused by the attacker for unattended malicious activity on the network printer?

As shown in the image above, the syntax includes "@PJL," which indicates the use of PJL (Printer Job Language).

Printer Job Language (PJL) is a command language developed by Hewlett-Packard (HP) for managing and controlling printers. It allows for communication between printers and computers, enabling features such as printer configuration, job control, and status reporting.

Q4: Which Printer Name/Model was attacked?

As seen in the image above, the name of the printer was displayed.

Q5: The attacker has discovered a scheduled print job that is associated with an employee who is suspected of being an insider threat. What is the full path of the print job file?

Image 4

By analyzing the TCP stream, we can observe a query from the attacker to the file system.

Q6: What is the name of the targeted organization?

By reading the content of the "scheduled.ps" file, we can uncover the name of the targeted organization.

Q7: The attacker found information about RDP within the internal network. What is the directory path where this sensitive information was located?

Using the hint from the question, we discovered a file named .rdp.

Image 5

Image 6

By simply searching in the search bar, we can easily find information related to internal.rdp. Following the TCP stream, we can uncover more details, as mentioned in the previous question.

Image 7

Q8: What is the IP address of the Jumphost?

Image 8

By reading the content of the internal.rdp file, the IP address of the target system is revealed.

Q9: What is the filename of the PowerShell script used by admins which was also found by the attacker?

Image 9

At the end of stream 65623, a new .ps file is revealed.