- Difficulty – Easy
- Platform – Proving Grounds Practice
- Operating System – Windows
- Focus Areas
  - Squid Proxy Enumeration
  - MySQL INTO OUTFILE Abuse
  - Windows Privilege Escalation
  - FullPowers Privilege Recovery
  - SeImpersonatePrivilege Abuse
  - PrintSpoofer Exploitation
Recon & Enumeration
Enumeration plays a very significant role in pen testing: the more thoroughly you enumerate, the easier it is to get a foothold on the target.
First, we check whether the target is reachable with the ping command:
ping Target_IP

The ping output shows that the target is reachable.
Now let's move ahead and run a port scan. For this we use Nmap, a popular port scanner, which reports the ports that are in the Open state and the services behind them. The commands are:
nmap -sC -sV -O -oA nmap/initial 192.168.179.189
nmap -sC -sV -O -p- -oA nmap/full -T4 192.168.179.189


I discovered these ports are open:
- 135/tcp – MSRPC service running Microsoft Windows RPC
- 139/tcp – NetBIOS Session Service running Microsoft Windows NetBIOS-SSN
- 445/tcp – SMB service (Microsoft-DS) exposed
- 3128/tcp – HTTP Proxy service running Squid Proxy 4.14
- 49666/tcp – MSRPC service running Microsoft Windows RPC
- 49667/tcp – MSRPC service running Microsoft Windows RPC
- OS: Microsoft Windows Server 2019 / Windows 10 (likely Windows Server 2019)
Then I browsed to the target IP on port 3128 and found an error page saying the requested URL could not be retrieved:

The above error caught my attention, so I searched for more information about Squid proxy and found spose, a Squid Pivoting Open Port Scanner, on GitHub.
Using the spose scanner, I discovered that port 8080 was open:
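From the defender's side, the scan described above leaves a clear trace in Squid's access.log: one client requesting many distinct host:port pairs through the proxy in a short window. The following added example (not part of the original post or of spose) parses native-format access.log lines and flags such clients; the log lines are constructed samples.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid native-format access.log lines (not from the original post):
# one client probing several ports within a second, plus ordinary browsing.
SAMPLE_LOG = """\
1700000000.10 12 10.0.0.5 TCP_MISS/503 3921 GET http://127.0.0.1:21/ - HIER_NONE/- text/html
1700000000.21 11 10.0.0.5 TCP_MISS/503 3921 GET http://127.0.0.1:22/ - HIER_NONE/- text/html
1700000000.32 10 10.0.0.5 TCP_MISS/503 3921 GET http://127.0.0.1:80/ - HIER_NONE/- text/html
1700000000.43 13 10.0.0.5 TCP_MISS/503 3921 GET http://127.0.0.1:3306/ - HIER_NONE/- text/html
1700000000.54 40 10.0.0.5 TCP_MISS/200 512 GET http://127.0.0.1:8080/ - HIER_DIRECT/127.0.0.1 text/html
1700000000.65 30 10.0.0.5 TCP_TUNNEL/200 0 CONNECT 127.0.0.1:8443 - HIER_DIRECT/127.0.0.1 -
1700000100.00 85 10.0.0.9 TCP_MISS/200 9876 GET http://example.com/ - HIER_DIRECT/198.51.100.7 text/html
1700000200.00 90 10.0.0.9 TCP_TUNNEL/200 0 CONNECT example.com:443 - HIER_DIRECT/198.51.100.7 -
"""


def parse_line(line):
    """Parse one native-format line into (timestamp, client, host, port) or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts, client, method, url = float(fields[0]), fields[2], fields[5], fields[6]
    if method == "CONNECT":  # CONNECT requests log a bare host:port with no scheme
        host, _, port = url.rpartition(":")
        return ts, client, host, int(port)
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return ts, client, parts.hostname, port


def find_port_scans(log_text, window=10.0, threshold=5):
    """Return {client: sorted distinct ports} for every client that reached at
    least `threshold` distinct (host, port) pairs within any `window` seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, client, host, port = parsed
            events[client].append((ts, host, port))
    hits = {}
    for client, evs in events.items():
        evs.sort()
        for i in range(len(evs)):  # sliding window anchored at each event
            targets = {(h, p) for t, h, p in evs[i:] if t - evs[i][0] <= window}
            if len(targets) >= threshold:
                hits[client] = sorted({p for _, p in targets})
                break
    return hits


if __name__ == "__main__":
    for client, ports in find_port_scans(SAMPLE_LOG).items():
        print(f"possible proxy port scan from {client}: ports {ports}")
```

Tune `window` and `threshold` to the proxy's normal traffic; a client that only fetches a site and its HTTPS tunnel, like 10.0.0.9 above, stays below the threshold.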

I configured FoxyProxy to use the proxy:

After that the page loaded; it was the WAMP Server page:

It also had a link to phpinfo, which reveals the DocumentRoot path:


I then visited phpMyAdmin, tried a couple of credentials, and found that the username root with an empty password worked:

Through the SQL tab I executed a query that used MySQL's INTO OUTFILE functionality to write a PHP web shell into the web root directory (the DocumentRoot found via phpinfo). Once written, the shell allowed command execution through its cmd parameter, giving remote code execution on the target system.
This only works because the MySQL account holds the FILE privilege and secure_file_priv does not restrict where the server may write; either control would have blocked the file write.

I tried executing the whoami command and got a response:

Exploitation
I then used msfvenom to generate a shell payload:

The shell was uploaded successfully:


I started a netcat listener, accessed the uploaded shell, and got an initial foothold:
The local.txt file was found.

Privilege Escalation
Now it was time to escalate privileges, so I started by checking the privileges the user had:

SeImpersonatePrivilege allows a process to impersonate another user’s security token. When assigned to service accounts, it can often be abused to escalate privileges to NT AUTHORITY\SYSTEM using tools such as PrintSpoofer.
The shell lacked the default service account privileges, so I needed to recover them first. For this I used FullPowers, a Windows privilege recovery tool that restores a service account's default token privileges before proceeding with privilege escalation.
I downloaded the FullPowers executable, uploaded it using certutil, and executed it:


FullPowers spawned a new shell under C:\Windows\System32 with the recovered token privileges.

After that I used PrintSpoofer, a Windows privilege escalation tool that abuses SeImpersonatePrivilege to escalate:

Since SeImpersonatePrivilege was available, PrintSpoofer was used to obtain a SYSTEM shell.


The above image shows the proof.txt file.
Key Takeaways
- Proxy services can expose unexpected attack surfaces
- SQL Injection may lead directly to Remote Code Execution through file write abuse
- Knowing the web root directory is critical for successful web shell deployment
- Restricted Windows service shells may require privilege recovery before escalation
- FullPowers and PrintSpoofer work effectively together for Windows privilege escalation
- SeImpersonatePrivilege often results in full SYSTEM compromise