Squid
Source: Proving Grounds
OS: Windows
Community Rating: Hard
Enumeration & Reconnaissance
AutoRecon again reported a pile of open ports: 135, 139, 445, 3128, 49666 and 49667.
Port 3128 was running Squid, an HTTP proxy. After a lot of searching I found a CVE for it but no working PoC. Instead, HackTricks pointed me to spose.py, a Squid pivoting open-port scanner: it asks the proxy to fetch http://<target>:<port>/ and infers the port's state from how the proxy answers. Running it revealed two additional ports that were not reachable directly but could be reached through the proxy: 3306 and 8080.
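To make the pivoting-scan idea concrete, here is a small scanner of my own that reimplements what spose.py does. This is an added example, not spose.py and not code from the original write-up. The mapping from Squid's reply to a port state is an assumption based on Squid's default error pages, which carry an X-Squid-Error header such as "ERR_CONNECT_FAIL 111"; the sample responses at the bottom are constructed so the logic can be run offline.

```python
"""Squid pivot port scanner (added example; reimplements the spose.py idea).

The proxy is asked to fetch http://<target>:<port>/ and the port's state is
inferred from how Squid answers. Assumed mapping (Squid default error pages,
tagged with an X-Squid-Error header):
  ERR_CONNECT_FAIL                          -> closed   (connect was refused)
  ERR_ACCESS_DENIED (HTTP 403)              -> filtered (Squid's ACL refused to try)
  ERR_INVALID_RESP / ERR_ZERO_SIZE_OBJECT
    / ERR_READ_ERROR / ERR_READ_TIMEOUT     -> open     (connected, backend is not HTTP)
  any HTTP answer without a Squid error     -> open     (a backend replied)
"""
import http.client
import sys
from typing import Callable, Dict, Iterable, Tuple

Probe = Callable[[str, int], Tuple[int, Dict[str, str]]]

CONNECTED_BUT_NOT_HTTP = {
    "ERR_INVALID_RESP", "ERR_ZERO_SIZE_OBJECT", "ERR_READ_ERROR", "ERR_READ_TIMEOUT",
}


def classify(status: int, headers: Dict[str, str]) -> str:
    """Map one proxied response (status, lower-cased headers) to a port state."""
    err = headers.get("x-squid-error", "").split(" ")[0].upper()
    if err == "ERR_CONNECT_FAIL":
        return "closed"
    if err == "ERR_ACCESS_DENIED":
        return "filtered"  # not proof the port is closed: Squid never connected
    if err in CONNECTED_BUT_NOT_HTTP:
        return "open"
    if not err and 100 <= status < 600:
        return "open"  # whatever answered, it came from behind the proxy
    return "unknown"  # e.g. ERR_DNS_FAIL, or an error page we do not recognise


def squid_probe(proxy_host: str, proxy_port: int, timeout: float = 5.0) -> Probe:
    """Build a probe that sends an absolute-URI GET through the Squid proxy."""
    def probe(target: str, port: int) -> Tuple[int, Dict[str, str]]:
        conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=timeout)
        try:
            # An absolute URI in the request line is how a forward proxy is
            # addressed; http.client derives the Host header from it.
            conn.request("GET", f"http://{target}:{port}/")
            resp = conn.getresponse()
            resp.read()
            return resp.status, {k.lower(): v for k, v in resp.getheaders()}
        finally:
            conn.close()
    return probe


def scan(target: str, ports: Iterable[int], probe: Probe) -> Dict[int, str]:
    """Probe each port through the proxy and return {port: state}."""
    results: Dict[int, str] = {}
    for port in ports:
        try:
            status, headers = probe(target, port)
        except (OSError, http.client.HTTPException):  # proxy down, timeout, garbage reply
            results[port] = "unknown"
            continue
        results[port] = classify(status, headers)
    return results


# Constructed responses (not captured from the box) for an offline run.
SAMPLE_RESPONSES: Dict[int, Tuple[int, Dict[str, str]]] = {
    22: (503, {"x-squid-error": "ERR_CONNECT_FAIL 111"}),   # nothing listening
    25: (403, {"x-squid-error": "ERR_ACCESS_DENIED 0"}),    # blocked by Safe_ports ACL
    3306: (502, {"x-squid-error": "ERR_INVALID_RESP 0"}),   # MySQL handshake, not HTTP
    8080: (200, {"server": "Apache"}),                      # phpMyAdmin answered
    8081: (404, {"server": "Apache"}),                      # a 404 still means "open"
}


def demo() -> Dict[int, str]:
    """Run the scanner against the constructed responses instead of a live proxy."""
    return scan("127.0.0.1", SAMPLE_RESPONSES, lambda _t, p: SAMPLE_RESPONSES[p])


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"usage: {sys.argv[0]} PROXY_HOST PROXY_PORT TARGET [PORT,PORT,...]")
        print("offline demo:", demo())
        sys.exit(0)
    ports = [int(p) for p in sys.argv[4].split(",")] if len(sys.argv) > 4 else range(1, 1025)
    live = scan(sys.argv[3], ports, squid_probe(sys.argv[1], int(sys.argv[2])))
    for port, state in sorted(live.items()):
        if state != "closed":
            print(f"{port:5d} {state}")
```

The "filtered" state matters: a stock squid.conf denies CONNECT/GET to anything outside its Safe_ports list (80, 21, 443, 70, 210, 280, 488, 591, 777 and 1025-65535), so low ports such as 22, 139 or 445 come back 403 whether or not something listens there. 3306 and 8080 fall in the 1025-65535 range, which is why the proxy was happy to reach them.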


Gaining Initial Access
To interact with them, I set my browser's HTTP proxy to the Squid instance on port 3128 and started investigating.

3306 was MySQL; browsing to it through the proxy just triggered the download of a junk file, since the service does not speak HTTP.
8080 was where things got interesting: phpMyAdmin was exposed!
I tried root with an empty password, and it worked. Nothing valuable turned up in the tables, so I decided to write a web shell to disk using SQL.

First, I needed the web root directory. phpMyAdmin's phpinfo() page came in handy and gave me the path (DOCUMENT_ROOT). Writing a file from SQL with MySQL's INTO OUTFILE only works when the account has the FILE privilege and the server's secure_file_priv setting allows the target directory; neither blocked the write here, so I could drop my shell:

With that, I now had a web shell. Time to get a full reverse shell:

Privilege Escalation
After getting a foothold, I checked the current user's privileges, uploaded winPEAS and looked around, but nothing obvious stood out. Searching online then turned up a trick that lets a service account regain the default privileges its token has been stripped of. I downloaded and ran the PoC, FullPowers.exe, which spawned a new process with SeImpersonatePrivilege and the rest of the account's default privileges restored.

With SeImpersonatePrivilege back, I could use GodPotato to escalate to SYSTEM:
And just like that, I was SYSTEM.
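The privilege-escalation steps above boil down to one decision made from `whoami` and `whoami /priv`: if the token already holds SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege) go straight to a Potato, if not but you are LOCAL SERVICE or NETWORK SERVICE run FullPowers first, otherwise look elsewhere. The helper below encodes that decision; it is an added example, not part of the original write-up, and the two `whoami /priv` outputs it ships with are constructed to look like the real thing rather than captured from the box.

```python
"""Pick the next privilege-escalation step from whoami / whoami /priv output.

Added example, not from the original write-up. Decision encoded:
  - SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege present in the
    token (Enabled OR Disabled: a disabled privilege is still held, and the
    process can enable it)                         -> Potato-style attack (GodPotato)
  - neither present, but the account is LOCAL SERVICE / NETWORK SERVICE, i.e.
    a service token whose default privileges were stripped
                                                   -> FullPowers to recover them first
  - anything else                                  -> this path does not apply
"""
from typing import Dict

SERVICE_ACCOUNTS = {r"nt authority\local service", r"nt authority\network service"}
TOKEN_ABUSE_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed: a stripped NETWORK SERVICE token, as seen from a web shell.
STRIPPED_TOKEN = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Constructed: the same account after FullPowers restored its default set.
RESTORED_TOKEN = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Return {privilege name: state} from the PRIVILEGES INFORMATION table.

    whoami /priv lists only privileges the token actually holds, so membership
    in the returned dict is what matters; the state is kept for reporting.
    """
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the privilege name (Se...Privilege) and end with
        # the State column; the description in between may contain spaces.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[0].endswith("Privilege"):
            privs[parts[0]] = parts[-1]
    return privs


def next_step(account: str, priv_output: str) -> str:
    """Return 'potato', 'fullpowers' or 'other' for the given account and token."""
    privs = parse_whoami_priv(priv_output)
    if TOKEN_ABUSE_PRIVILEGES.intersection(privs):
        return "potato"
    if account.strip().lower() in SERVICE_ACCOUNTS:
        return "fullpowers"
    return "other"


if __name__ == "__main__":
    account = r"nt authority\network service"
    print("before FullPowers:", next_step(account, STRIPPED_TOKEN))  # fullpowers
    print("after  FullPowers:", next_step(account, RESTORED_TOKEN))  # potato
```

Note that the check is on presence, not on the Enabled column: Potato tools call AdjustTokenPrivileges themselves, so a privilege shown as Disabled is still usable. What FullPowers fixes is the case where the privilege is absent from the token altogether.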

Lessons Learned
Default creds still work in 2024.
Sometimes searching for a working PoC is a waste of time; pivoting to alternative tools (like spose.py) can be faster.
phpMyAdmin + empty root password = instant win. Upload a web shell right away!
Web shells are still one of the easiest ways to pivot into a full reverse shell.
When you land as a service account with a stripped-down privilege set, restoring the account's default privileges (FullPowers) can be a path to explore.