Hack The Box - HTB Paperwork Writeup - Easy - Weekly - July 11th, 2026

Hack The Box -  HTB Paperwork Writeup - Easy - Weekly - July 11th, 2026

1. Enumeration

1.1 Port scan

nmap -p- --min-rate 5000 -T4 <TARGET> -oN nmap_allports.txt
nmap -sC -sV -p22,80,1515 <TARGET> -oN nmap_services.txt
22/tcp   open  ssh      OpenSSH 10.0p2 Ubuntu 5ubuntu5.4
80/tcp   open  http     nginx 1.28.0 (Ubuntu)          -> 301 http://paperwork.htb/
1515/tcp open  ifor-protocol?
|   fingerprint: "Archive_Printer is ready and printing."

Port 80 redirects to a vhost, and 1515 is a custom line-printer-daemon whose banner literally says it's a printer. Register the hostname:

echo "<TARGET> paperwork.htb" | sudo tee -a /etc/hosts
Env note (HTB VPN): this box negotiates the large post-quantum mlkem768x25519 SSH key
exchange, whose oversized KEX packet gets black-holed by the VPN's default MTU. Set
sudo ip link set dev tun0 mtu 1300 now โ€” and see ยง3.5 for the SSH-specific workaround.

1.2 The web app documents its own attack surface

curl -s http://paperwork.htb/ | sed 's/<[^>]*>//g' | grep -v '^\s*$'

Key lines:

Maintenance Advisory: Backend spooler PRN-ARCHIVE-01 management console is currently offline.
                      Manual ingestion remains active via the legacy gateway.
Compliance Level: RFC 1179          <- LPD protocol
Target Queue:     archive_intake    <- the queue name we must use
Internal Processor: paperwork-archive-v1.02   -> links to /download/archive

/download/archive is not a binary โ€” it's a zip of the processor's source code:

curl -s -o archive.zip http://paperwork.htb/download/archive
file archive.zip          # Zip archive data
unzip archive.zip -d src  # -> src/server.py

2. Foothold

2.1 Reading the source

src/server.py is the port-1515 daemon โ€” a hand-rolled RFC 1179 receiver. Trimmed to the essentials: