https://stream.echo6.co/videos/watch/558200b3-7b3e-4633-ae28-666f405d8b8c 00:00 - Introduction 01:00 - Start of nmap 01:45 - Examining the CUPS Management Interface on TCP Port 631 04:40 - EvilSocket's blog, explaining the four CVE's and how they are utilized in our attack chain 11:00 - Showing the GHSA Advisory that had the initial POC that I had trouble getting working 14:50 - Talking about the Cups-Browsed packet (UDP) we send, which causes CUPS to make an HTTP/IPP Request to our server to install the printer 16:00 - Talking about the attributes we send, and where the exploit begins. We will inject an extra attribute in the print-more-info attribute 18:15 - Running the exploit to send us a reverse shell, talking about the cups browsed packet while we wait 20:45 - Going back to the CUPS Management Page and we can see a new printer, printing a test page to get a shell on the box 21:35 - Showing there was a print job we didn't create, starting CUPS locally so we can see how CUPS Stores print jobs 23:15 - Seeing cups stores our jobs in /var/spool/cups/d(5 digit print job)-(3 digit page num). 24:25 - Going back to our shell, discovering it got killed, getting another shell with nohup so we fork out of the process 27:30 - Having trouble reading the cached print job because dont have read permission on /var/spool/cups, but we do have execute so we can go into the directory and read files that we have access to 28:40 - Converting the Postscript file to pdf so we can see the page that was printed and get the root password 30:00 - Showing what a PPD File looks like 39:10 - Going over all the CVE's again to summarize what we did Wed, 15 Apr 2026 09:56:10 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/558200b3-7b3e-4633-ae28-666f405d8b8c All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.