Hack The Box - HTB Paperwork Writeup - Easy - Weekly - July 11th, 2026
1. Enumeration
1.1 Port scan
nmap -p- --min-rate 5000 -T4 <TARGET> -oN nmap_allports.txt
nmap -sC -sV -p22,80,1515 <TARGET> -oN nmap_services.txt
22/tcp open ssh OpenSSH 10.0p2 Ubuntu 5ubuntu5.4
80/tcp open http nginx 1.28.0 (Ubuntu) -> 301 http://paperwork.htb/
1515/tcp open ifor-protocol?
| fingerprint: "Archive_Printer is ready and printing."
Port 80 redirects to a vhost, and 1515 is a custom line-printer-daemon whose banner literally says it's a printer. Register the hostname:
echo "<TARGET> paperwork.htb" | sudo tee -a /etc/hosts
Env note (HTB VPN): this box negotiates the large post-quantummlkem768x25519SSH key
exchange, whose oversized KEX packet gets black-holed by the VPN's default MTU. Setsudo ip link set dev tun0 mtu 1300now โ and see ยง3.5 for the SSH-specific workaround.
1.2 The web app documents its own attack surface
curl -s http://paperwork.htb/ | sed 's/<[^>]*>//g' | grep -v '^\s*$'
Key lines:
Maintenance Advisory: Backend spooler PRN-ARCHIVE-01 management console is currently offline.
Manual ingestion remains active via the legacy gateway.
Compliance Level: RFC 1179 <- LPD protocol
Target Queue: archive_intake <- the queue name we must use
Internal Processor: paperwork-archive-v1.02 -> links to /download/archive
/download/archive is not a binary โ it's a zip of the processor's source code:
curl -s -o archive.zip http://paperwork.htb/download/archive
file archive.zip # Zip archive data
unzip archive.zip -d src # -> src/server.py
2. Foothold
2.1 Reading the source
src/server.py is the port-1515 daemon โ a hand-rolled RFC 1179 receiver. Trimmed to the essentials: