Squid
Last updated
Source: Proving Grounds
OS: Windows
Community Rating: Hard
Again, autorecon bombarded me with open ports: 135, 139, 445, 3128, 49666, 49667.
Port 3128 (HTTP) was running Squid, which turned out to be a proxy. After some (loads and loads of) searching, I found a CVE but no working PoC. Instead, HackTricks pointed me to spose.py, a Squid pivoting scanner. Running it revealed two additional open ports: 3306 and 8080.
To interact with them, I configured my browser proxy and started investigating.
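The port sweep described above is exactly what a proxy operator can catch in Squid's own access.log: one external client requesting a long run of distinct loopback or private-range ports through the proxy. The detector below is an added example, not part of the original write-up or of spose.py; the log lines, client addresses and the threshold of five ports are constructed for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log: time elapsed client action/code size method URL ident hierarchy/peer type
LOG_RE = re.compile(r"^(?P<ts>[\d.]+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
                    r"(?P<method>\S+)\s+(?P<url>\S+)")

def parse_line(line):
    """Return a dict with client, result, method, host, port for one access.log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["method"] == "CONNECT":          # CONNECT logs "host:port", not a full URL
        host, _, port = rec["url"].rpartition(":")
    else:
        u = urlsplit(rec["url"])
        host = u.hostname or ""
        port = str(u.port or (443 if u.scheme == "https" else 80))
    rec["host"], rec["port"] = host, port
    return rec

def is_internal(host):
    """True for loopback, RFC 1918 and link-local destinations: hosts a forward proxy should not reach for outsiders."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local

def find_pivot_scans(lines, min_ports=5):
    """Map each client to the sorted internal ports it touched, keeping only clients at or above min_ports."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_internal(rec["host"]):
            ports[rec["client"]].add(int(rec["port"]))
    return {c: sorted(p) for c, p in ports.items() if len(p) >= min_ports}

# Constructed sample log: one client sweeping loopback ports through the proxy, one browsing normally.
SAMPLE_LOG = """\
1700000000.001    12 10.10.14.5 TCP_MISS/503 0 GET http://127.0.0.1:21/ - HIER_DIRECT/127.0.0.1 text/html
1700000000.015     9 10.10.14.5 TCP_MISS/503 0 GET http://127.0.0.1:22/ - HIER_DIRECT/127.0.0.1 text/html
1700000000.031     8 10.10.14.5 TCP_MISS/503 0 GET http://127.0.0.1:80/ - HIER_DIRECT/127.0.0.1 text/html
1700000000.044    30 10.10.14.5 TCP_MISS/200 1024 GET http://127.0.0.1:3306/ - HIER_DIRECT/127.0.0.1 application/octet-stream
1700000000.060    41 10.10.14.5 TCP_MISS/200 5120 GET http://127.0.0.1:8080/ - HIER_DIRECT/127.0.0.1 text/html
1700000005.100   220 192.168.1.20 TCP_MISS/200 8192 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1700000006.000   100 192.168.1.20 TCP_TUNNEL/200 4000 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
""".splitlines()
```

Calling find_pivot_scans(SAMPLE_LOG) flags only 10.10.14.5 with ports [21, 22, 80, 3306, 8080]; the normal browsing client is untouched, and the same check pairs naturally with a Squid ACL that denies outside clients access to loopback and private destinations in the first place.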
Port 3306 was a MySQL service that just downloaded a dummy file.
Port 8080 was where things got interesting: phpMyAdmin was exposed!
Tried root with an empty password, and it worked. After checking the tables, nothing valuable popped up, so I decided to upload a shell using SQL.
First, I needed the web root directory. A phpinfo() check came in handy and gave me the path. Now I could upload my shell:
With that, I now had a web shell. Time to get a full reverse shell:
After getting a foothold, I checked user privileges, uploaded WinPEAS, and looked around, but nothing obvious stood out. Then, after searching online, I found a trick that lets service accounts regain their old privileges.
Downloaded and ran the PoC, FullPowers.exe, which enabled SeImpersonatePrivilege alongside other privileges.
With this, I could use GodPotato to escalate to SYSTEM:
And just like that, I was SYSTEM.
Default creds still work in 2024.
Sometimes, searching for a working PoC is a waste of time; pivoting to alternative tools (like spose.py) can be faster.
phpMyAdmin + empty root password = instant win. Upload a web shell right away!
Web shells are still one of the easiest ways to pivot into a full reverse shell.
When you land on a service account with limited privileges, restoring the privileges that account is normally granted can be a path to explore.