Squid
Last updated
Nmap scan:
Only one port is open.
The port was a Squid Proxy instance. When visited in a browser, this is all we see:
Since this is a proxy service, it might be the gateway we need to reach the services running on the machine itself. To scan the machine through it, we can include this line in our /etc/proxychains4.conf file:
Afterwards, we can use proxychains to scan the machine again for more open ports, but this takes far too long. Instead, we can use FoxyProxy to route the browser through the Squid proxy and try some interesting ports directly. I tried a few common web ports such as 80, 443 and 8080, and found a service on port 8080.
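From the defender's side, a proxy being used as a pivot to services bound to the proxy host or the internal network shows up in Squid's own access.log. As an added example that is not part of the original writeup, the Python below parses constructed native-format access.log lines and flags requests aimed at loopback or private destinations; in a real deployment the stock `http_access deny to_localhost` rule in squid.conf should already be denying such traffic, and the `allowed` field shows whether it was.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of Squid "native" access.log lines (not from the original page).
# Fields: timestamp elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101    12 10.10.14.5 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1700000000.250    40 10.10.14.5 TCP_MISS/200 2048 GET http://127.0.0.1:8080/ - HIER_DIRECT/127.0.0.1 text/html
1700000000.300     5 10.10.14.5 TCP_DENIED/403 3960 CONNECT 127.0.0.1:443 - HIER_NONE/- text/html
1700000000.420    33 10.10.14.5 TCP_MISS/200 4096 GET http://127.0.0.1:8080/phpmyadmin/ - HIER_DIRECT/127.0.0.1 text/html
1700000001.000    20 10.10.14.9 TCP_MISS/200 1024 GET http://192.168.1.20:8080/ - HIER_DIRECT/192.168.1.20 text/html
"""

def destination(method, url):
    """Return (host, port) for a logged request; CONNECT logs a bare host:port."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default

def is_internal(host):
    """True for loopback, RFC1918 or link-local targets, or the name 'localhost'."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_private  # loopback counts as private here
    except ValueError:
        return False  # a DNS name other than localhost is not classified

def find_pivots(log_text):
    """Flag proxy requests whose destination is the proxy host itself or the internal network."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, action, method, url = fields[2], fields[3], fields[5], fields[6]
        host, port = destination(method, url)
        if is_internal(host):
            hits.append({"client": client, "host": host, "port": port,
                         "allowed": not action.startswith("TCP_DENIED")})
    return hits

def clients_by_hits(hits):
    """Count flagged requests per source client, most active first."""
    return Counter(h["client"] for h in hits).most_common()
```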
There's a phpMyAdmin instance present on the page, and we can log in using root as the username with no password.
Since this is already the administrative interface, we can get a shell by creating a database and then executing some SQL commands in it via the web SQL interpreter.
Afterwards, we can select this database and head to the QUERY tab:
We can test it with any query and see that it is indeed processing SQL queries:
Since we can submit queries, we can also write files into the file system of the machine. I wanted to write a basic PHP webshell, but that means we need to know the webroot directory. Very conveniently, there's a phpinfo page on the main WampServer page.
There, we can find the DOCUMENT_ROOT:
We can then use this query to write a webshell onto the machine:
Afterwards, we can test our RCE:
Great! Now all we need to do is get a reverse shell as the user. By setting up an SMB server on our machine with nc64.exe in the shared directory, we can send this request to get a shell:
There is no privilege escalation step, because the shell we get is already running as SYSTEM.
This machine has changed since I last did it in 2022. My older writeups show that the machine was running as LOCAL SYSTEM instead of the SYSTEM user.
The old box gave us initial access as the LOCAL SYSTEM user without any privileges, and we had to use either schtasks or FullPowers.exe to get a shell with the full privileges of the LOCAL SYSTEM user, including SeImpersonatePrivilege, which we could then abuse with PrintSpoofer.exe or JuicyPotato.exe to get a SYSTEM shell.