Squid (Windows)

Enumeration:

Port Scanning:

As always I am going to start with nmap to scan all open ports:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Squid]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.115.189
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-09 23:24 EST
Nmap scan report for 192.168.115.189
Host is up, received echo-reply ttl 125 (0.11s latency).
Scanned at 2025-11-09 23:24:36 EST for 129s
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 125
3128/tcp  open  http-proxy    syn-ack ttl 125 Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We have SMB on port 445, several RPC-related ports, and a Squid proxy on port 3128.

Squid is a proxy server that sits between an organization and the internet and provides many features, for example caching and load balancing.

HTTP (3128):

If we browse to that port:

We can use curl through the proxy to try to reach ports behind it; if the proxy is configured improperly, it will forward our request to them.

If it is configured properly, its access rules should deny us access to those internal ports and IPs.

Let's test it out:

As we can see, when I tried to access a nonexistent port I got an access denied error, but for a valid port we reach it and get the source code.
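To see what makes the difference between those two behaviours, here is an added example (my own code, not part of the original write-up and not the spose tool) that models Squid's first-match http_access evaluation and runs an outside client's request against a constructed weak configuration and a constructed hardened one; the client and destination addresses are made-up sample values.

```python
import ipaddress

# Squid's built-in ACLs, as predefined in the squid.conf shipped with 4.x
BUILTIN_ACLS = {
    "all": ("src", {"0.0.0.0/0", "::/0"}),
    "localhost": ("src", {"127.0.0.1/32", "::1/128"}),
    "to_localhost": ("dst", {"127.0.0.0/8", "0.0.0.0/32", "::1/128"}),
}

def parse_config(text):
    """Return (acls, rules): name -> (type, values) and the http_access lines in file order."""
    acls = {n: (k, set(v)) for n, (k, v) in BUILTIN_ACLS.items()}
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl":
            kind, values = acls.get(parts[1], (parts[2], set()))
            acls[parts[1]] = (kind, values | set(parts[3:]))  # repeating a name extends it
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    """req = {'src': ip, 'dst': ip, 'port': int}; only src, dst and port ACL types are modelled."""
    kind, values = acls[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # each value is a single port or a lo-hi range
        return any(int(v.partition("-")[0]) <= req["port"] <= int(v.partition("-")[2] or v) for v in values)
    raise ValueError(f"ACL type {kind!r} is not modelled here")

def is_allowed(acls, rules, req):
    """First matching http_access line wins; every term on it must match, '!' negates a term."""
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action == "allow"
    return bool(rules) and rules[-1][0] == "deny"  # no match: Squid takes the opposite of the last line

def check(config, src, dst, port):
    acls, rules = parse_config(config)
    return is_allowed(acls, rules, {"src": src, "dst": dst, "port": port})

# Constructed configs, not the target's real squid.conf: WEAK checks ports but lets any client reach any host;
# HARDENED adds 'deny to_localhost' and limits clients to the local network.
WEAK = "acl Safe_ports port 80 443 3128\nhttp_access deny !Safe_ports\nhttp_access allow all\n"
HARDENED = ("acl localnet src 192.168.0.0/16\nacl Safe_ports port 80 443 1025-65535\n"
            "http_access deny !Safe_ports\nhttp_access deny to_localhost\n"
            "http_access allow localnet\nhttp_access deny all\n")
```

With WEAK an outside client's request to 127.0.0.1:80 is forwarded, while HARDENED denies it; a port outside Safe_ports is denied by both, which matches the access denied error seen above.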

I searched online for a way to automate this process and came across this blog:

It mentions a tool called spose, which can automate port scanning through the Squid proxy:

Clone it:

Run it:

We find two open ports behind the Squid proxy. If I get stuck, I will come back to this and scan all ports.

We can access that port using either the target's localhost address or the target's IP itself; we get the same result:

Now we can configure FoxyProxy to send our browser traffic through the Squid proxy and access that port:

Go to the extensions menu, enable the Squid profile, then navigate to that port:

As the curl output showed, WampServer is running.

Exploitation:

Let's open phpMyAdmin:

We have a login page; I will try default credentials such as root:password or root:'' (empty password).

With root as the username and no password, we successfully logged in:

Click on the SQL tab:

Here we can write queries, which will be executed by the backend MySQL DBMS.

We can write a simple malicious PHP script that lets us execute commands on the underlying operating system, but we need to know WAMP's directory structure so we can place our payload in the right location.

I searched online for the WAMP file structure and got this response from the search engine's integrated AI:

phpMyAdmin usually resides under www, so I will use a query to write a simple PHP script into that directory with a chosen name:

Now let's open that file in the browser and see if we can execute code:

Indeed we can. I will set up a netcat listener and get a reverse shell:

Post-Exploitation:

Now we have a shell. I ran whoami /all and found that we have SeImpersonatePrivilege. I will upload GodPotato, but any similar tool would work, such as the other Potato variants or PrintSpoofer.

Start another netcat listener:

Get the flags:
