Antique HTB Writeup

4 min readApr 22, 2023

Firstly i search the IP with nmap and i found a telnet port which seemed interesting then i logged in there and found
HP Direct Jet

After that i searched about it on the google and found something

I understood that i need to use snmpwalk instead of snmputil command then i opened the web page with the example and command and formulated this command

>snmpwalk -c public -v 2c 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0

Got this output :

iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32
33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135

Then runned it thorugh cyber chef(hex) and found this

Then used this pass in the telnet and logged in then i put in ? in there and saw exec which seemed useful for me to use

I got the user from here only by typing
> exec cat user.txt

Then afterwords i searched for the rev shell command and got a rev shell on my machine by listening using nc
after a lot of trial and error i did this:

Afte this i ran linpeas.sh and saw port 631 open in its output and then searched online for any kind of exploit, i stumbled upon

But it was of no use as i couldn’t get any of them to work.

Then i thought of one trick known as port forwarding that i used in eJPT exam as well, So i got chisel on my system then and also sent it to the machine.