PaperCut: CVE-2023-27350 TryHackMe Writeup

Ansul Kotadia
2 min read · Aug 25, 2024


PaperCut: CVE-2023-27350 THM

On 8 March 2023, a patch for CVE-2023-27350 was released. The CVE details an authentication bypass in the PaperCut NG/MF application, web-based software that enterprise organisations use to manage their printers and printing processes. The vulnerability lets any threat actor remotely gain admin access to the web application and then abuse the application's legitimate scripting functionality to achieve remote code execution as SYSTEM on the server.

Task 1: Introduction

I am ready to learn about CVE-2023-27350!

No answer needed.

Task 2: Understanding PaperCut and CVE-2023-27350

#2.1 What is the name for the logic vulnerability that occurs when session and authentication functions are used for multiple purposes?

Answer: Session Puzzling

#2.2 What is the name of the Java class containing the authentication bypass vulnerability?

Answer: SetupCompleted

Task 3: Exploiting CVE-2023-27350

#3.1 If the vulnerable host has a hostname of PRINT.TRYHACKME.LOC, what would be the URL that you could use to perform the authentication bypass?

Answer: http://PRINT.TRYHACKME.LOC:9191/app?service=page/SetupCompleted

#3.2 What would be the one-liner added to the Script Manager to execute calc.exe?

Answer: java.lang.Runtime.getRuntime().exec('calc.exe');

#3.3 What is the value of the flag stored in the Administrator’s Desktop folder?

Answer: THM{PaperCuts.Can.Hurt.Even.Computers}

#3.4 What text is the automated exploit searching for to tell it that the exploitation was successful?

Answer: Saved successfully

Task 4: Detection and Mitigation

#4.1 Based on the application logs in the first image, what is the name of the printer for which the “print script” has been updated?

Answer: [Template printer]

#4.2 What is the executable name of the PaperCut process on Windows?

Answer: pc-app.exe

#4.3 What is the flag you receive after detecting the indicators of compromise within Inktrail’s network?

Answer: THM{PAPER.JAM.DETECTED}
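
Two indicators that follow from the answers above, requests for the SetupCompleted page and shells started by pc-app.exe, can be checked with a short script. This is an added example, not part of the original writeup or the TryHackMe room; the log layout, IP addresses, directory paths and the list of shell names are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data, not taken from the writeup or the room.
# Assumed access-log layout: "<client ip> <method> <url> <status>".
ACCESS_LOG = """\
10.10.4.21 GET /app?service=page/Home 200
10.10.9.77 GET /app?service=page/SetupCompleted 200
10.10.9.77 POST /app 200
10.10.4.30 GET /APP?service=page%2FSetupCompleted 200
"""

# Constructed process-creation events as (parent image, child image).
# The directories are placeholders; only the name pc-app.exe comes from the page.
PROC_EVENTS = [
    (r"C:\placeholder\pc-app.exe", r"C:\Windows\System32\cmd.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    (r"C:\placeholder\pc-app.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

# Assumed watch list of interpreters a print server rarely needs to start.
SHELLS = {"cmd.exe", "powershell.exe"}


def setup_completed_hits(log_text):
    """Return client IPs that requested the SetupCompleted page, in log order."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        ip, url = parts[0], parts[2]
        target = urlsplit(url)
        # parse_qs percent-decodes values, so page%2FSetupCompleted also matches.
        services = parse_qs(target.query).get("service", [])
        wanted = "page/setupcompleted" in (s.lower() for s in services)
        if target.path.lower() == "/app" and wanted:
            hits.append(ip)
    return hits


def shell_children(events, parent_name="pc-app.exe"):
    """Return names of watched shells whose parent process is pc-app.exe."""
    found = []
    for parent, child in events:
        p = parent.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        c = child.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if p == parent_name and c in SHELLS:
            found.append(c)
    return found
```

Treat a result from either function as a lead to review alongside the PaperCut application logs, not as proof of compromise on its own.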

Task 5: Conclusion

I understand the vulnerability, how it is easy to make this mistake, and how to better protect myself in the future!

No answer needed.
