Wander

Technical Walkthrough

Writeup

Challenge

• Name: Wander
• Category: Hardware
• Difficulty: Easy
• Mode: remote

Summary

The web app exposed a PJL command form at /jobs and proxied those commands to a simulated printer. Standard INFO commands confirmed the PJL interface, but the useful issue was filesystem traversal through PJL file commands. Listing 0:/../../ escaped the printer web content root and exposed /home/default/readyjob; uploading that file revealed the print job metadata containing the challenge flag.

Artifact Inventory

Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.

• Remote-only challenge; no ZIP or firmware artifact was provided.
• analysis/http-jobs-initial.txt records the /jobs form with name="pjl".
• analysis/pjl-targeted-probe.txt records live INFO and root filesystem behavior.
• analysis/pjl-fs-recursive.txt records the normal exposed printer filesystem.
• analysis/pjl-path-traversal-readyjob.txt records the validated traversal path, with the raw flag redacted.

Analysis

1. /jobs exposes a POST form to /printer with a PJL command field.
2. @PJL INFO ID returned HTB Printer, proving the form forwards PJL to the backend.
3. @PJL <secret redacted> NAME="0:" ENTRY=1 COUNT=50 listed printer directories such as PJL, PostScript, saveDevice, and webServer.
4. Normal recursive listing only exposed firmware-like web content and empty key/security files.
5. The path 0:/../../ escaped that root and listed host-like directories including home.
6. 0:/../../home/default contained readyjob, a 457-byte file.
7. @PJL FSUPLOAD NAME="0:/../../home/default/readyjob" OFFSET=0 SIZE=1000 returned the print job, including a PJL flag comment and a hold key.

Solve

Run:

python3 Hardware/Wander/solve/solve.py --base-url http://<TARGET>:30391

The solver sends one FSUPLOAD command for 0:/../../home/default/readyjob, extracts the FLAG = "..." comment, and prints the flag for harness capture.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• PJL filesystem commands can expose a printer's virtual filesystem and, in this challenge, allowed traversal outside the normal printer web root.
• External writeups or research should be treated as hints only; the decisive evidence here was the current-instance transcript in analysis/pjl-path-traversal-readyjob.txt.
• Avoid stripping HTML blindly from FSUPLOAD results, because uploaded files may legitimately contain HTML-like content.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Wander
• Category: Hardware
• Difficulty: Easy
• Mode: remote
• Remote instance: none
• Start time: 2026-06-10T10:01:41Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• /jobs exposes a PJL command form that posts to /printer.
• @PJL INFO ID returns HTB Printer, confirming live PJL forwarding.
• Normal PJL filesystem enumeration exposes PJL, PostScript, saveDevice, and webServer.
• PJL path traversal using 0:/../../ escapes the normal printer content root.
• 0:/../../home/default/readyjob is readable via FSUPLOAD and contains the challenge flag marker.
• Repro solver: solve/solve.py.
• Raw flag is stored only in loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Hardware
• Challenge: Wander
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Identify the web-exposed PJL command form at /jobs.
2. Validate PJL forwarding with harmless INFO commands.
3. Enumerate the normal printer filesystem with <secret redacted>.
4. Use PJL filesystem path traversal from 0:/../../ to escape the printer content root.
5. List 0:/../../home/default and find readyjob.
6. Read readyjob with FSUPLOAD; the print job metadata contains the flag marker and a printer hold key.

Reusable Lessons

• For printer/PJL challenges, test INFO ID and INFO STATUS first to prove transport, then move to <secret redacted>, FSQUERY, and FSUPLOAD.
• Path traversal may work inside PJL filesystem names even when normal HTTP routes are not useful.
• Preserve raw FSUPLOAD content carefully; generic HTML stripping can hide useful file contents.
• Treat public challenge research as advisory and require live validation before accepting it.

Dead Ends

• Direct HTTP paths such as /pin, /unlock, /flag, and ChaiServer dispatcher routes returned 404.
• Broad INFO <secret redacted>, INFO CONFIG, and direct INQUIRE PIN/PASSWORD style commands did not disclose useful state.
• Normal webServer files exposed firmware-like content but no flag until traversal into /home/default/readyjob.

Tool Quirks

• The web app embeds PJL responses inside the HTML page under the printer form.
• 0:/path works as a PJL filesystem syntax; 0:path and 0:\path failed in this instance.
• FSUPLOAD output can include HTML or PJL control markers, so extraction should slice from @PJL FSUPLOAD and stop at the page wrapper.

Evidence Paths

• analysis/http-jobs-initial.txt
• analysis/pjl-targeted-probe.txt
• analysis/pjl-fs-recursive.txt
• analysis/pjl-path-traversal-readyjob.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Hardware
• Challenge: Wander
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Identify the web-exposed PJL command form at /jobs.
2. Validate PJL forwarding with harmless INFO commands.
3. Enumerate the normal printer filesystem with <secret redacted>.
4. Use PJL filesystem path traversal from 0:/../../ to escape the printer content root.
5. List 0:/../../home/default and find readyjob.
6. Read readyjob with FSUPLOAD; the print job metadata contains the flag marker and a printer hold key.

Reusable Lessons

• For printer/PJL challenges, test INFO ID and INFO STATUS first to prove transport, then move to <secret redacted>, FSQUERY, and FSUPLOAD.
• Path traversal may work inside PJL filesystem names even when normal HTTP routes are not useful.
• Preserve raw FSUPLOAD content carefully; generic HTML stripping can hide useful file contents.
• Treat public challenge research as advisory and require live validation before accepting it.

Dead Ends

• Direct HTTP paths such as /pin, /unlock, /flag, and ChaiServer dispatcher routes returned 404.
• Broad INFO <secret redacted>, INFO CONFIG, and direct INQUIRE PIN/PASSWORD style commands did not disclose useful state.
• Normal webServer files exposed firmware-like content but no flag until traversal into /home/default/readyjob.

Tool Quirks

• The web app embeds PJL responses inside the HTML page under the printer form.
• 0:/path works as a PJL filesystem syntax; 0:path and 0:\path failed in this instance.
• FSUPLOAD output can include HTML or PJL control markers, so extraction should slice from @PJL FSUPLOAD and stop at the page wrapper.

Evidence Paths

• analysis/http-jobs-initial.txt
• analysis/pjl-targeted-probe.txt
• analysis/pjl-fs-recursive.txt
• analysis/pjl-path-traversal-readyjob.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: Wander
• Category: Hardware
• Difficulty: Easy
• Mode: remote
• Remote instance: none
• Start time: 2026-06-10T10:01:41Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• /jobs exposes a PJL command form that posts to /printer.
• @PJL INFO ID returns HTB Printer, confirming live PJL forwarding.
• Normal PJL filesystem enumeration exposes PJL, PostScript, saveDevice, and webServer.
• PJL path traversal using 0:/../../ escapes the normal printer content root.
• `0: <REDACTED>
• Repro solver: solve/solve.py.
• Raw flag is stored only in loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.