Proxy


Because the target Squid instance is itself an HTTP proxy, requests relayed through it originate from the target host, so it can be leveraged to access internal services.

Web Proxy


Using the target Squid HTTP Proxy instance as a proxy to access internal web services

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/squid]
└─$ curl -s --proxy http://$IP:3128 http://$IP | html2markdown
# ERROR
 
## The requested URL could not be retrieved
 
* * *
 
The following error was encountered while trying to retrieve the URL:
<http://192.168.135.189/>
 
> **Connection to 192.168.135.189 failed.**
 
The system returned: _(111) Connection refused_
 
The remote host or network may be down. Please try the request again.
 
Your cache administrator is
[webmaster](mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_CONNECT_FAIL&body=CacheHost%3A%20SQUID%0D%0AErrPage%3A%20ERR_CONNECT_FAIL%0D%0AErr%3A%20\(111\)%20Connection%20refused%0D%0ATimeStamp%3A%20Thu,%2010%20Apr%202025%2010%3A39%3A39%20GMT%0D%0A%0D%0AClientIP%3A%20192.168.45.157%0D%0AServerIP%3A%20192.168.135.189%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-
Agent%3A%20curl%2F8.12.1%0D%0AAccept%3A%20*%2F*%0D%0AProxy-
Connection%3A%20Keep-Alive%0D%0AHost%3A%20192.168.135.189%0D%0A%0D%0A%0D%0A).
 
  
 
* * *
 
Generated Thu, 10 Apr 2025 10:39:39 GMT by SQUID (squid/4.14)

Nothing is running on port 80.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/squid]
└─$ curl -s --proxy http://$IP:3128 http://$IP:8080 | html2markdown
# Wampserver
 
  * Apache 2.4
  * -
  * MySQL 5 & 8
  * -
  * MariaDB 10
  * -
  * PHP 5 & 7
 
  * Version 3.2.3 - 64bit
  * czech english french hellenic macedonian portuguese romanian spanish turkish classic modern no-style simple
 
##  Server Configuration
 
Apache Version:
 
    2.4.46  - [Documentation](http://httpd.apache.org/docs/2.4/en/)
Server Software:
 
    Apache/2.4.46 (Win64) PHP/7.3.21 - Port defined for Apache: 
PHP Version:
 
    7.3.21  - [Documentation](http://www.php.net/manual/en/)
Loaded Extensions :
 
    
 
  * apache2handler
  * bcmath
  * bz2
  * calendar
  * com_dotnet
  * Core
  * ctype
  * date
  * dom
  * exif
  * fileinfo
  * filter
  * gd
  * gettext
  * gmp
  * hash
  * iconv
  * imap
  * intl
  * json
  * ldap
  * libxml
  * mbstring
  * mysqli
  * mysqlnd
  * openssl
  * pcre
  * PDO
  * pdo_mysql
  * pdo_sqlite
  * Phar
  * readline
  * Reflection
  * session
  * SimpleXML
  * soap
  * sockets
  * SPL
  * sqlite3
  * standard
  * tokenizer
  * wddx
  * xdebug
  * xml
  * xmlreader
  * xmlrpc
  * xmlwriter
  * xsl
  * Zend OPcache
  * zip
  * zlib
 
MySQL Version:
 
    5.7.31 - Port defined for MySQL: 3306 - default DBMS -  [Documentation MySQL](http://dev.mysql.com/doc/index.html)
MariaDB Version:
 
    10.4.13 - Port defined for MariaDB: 3307 -  [Documentation MariaDB](http://mariadb.com/kb/en/mariadb/documentation) \- MySQL - MariaDBHow to use MySQL and/or MariaDB?  
What is a default DBMS?  
How to change the default DBMS?  
Go to the related help: Right-click Wampmanager icon -> Help -> MariaDB -
MySQL
 
 
 
## Tools
 
  * [phpinfo()](?phpinfo=-1)
  * [phpmyadmin](phpmyadmin/)
  * [Add a Virtual Host](add_vhost.php?lang=english)
 
## Your Projects
 
  * No projects yet.  
To create a new one, just create a directory in 'www'.
 
## Your Aliases
 
  * [adminer](adminer/)
  * [phpmyadmin](phpmyadmin/)
  * [phpsysinfo](phpsysinfo/)
 
## Your VirtualHost
 
  * localhost - _Not a Listen port_
  *  _Error(s)_ See below
 
Port used for the VirtualHost is not an Apache Listen port  
The file: C:/Windows/system32/drivers/etc/hosts is not writable  
Impossible to modify the file C:/Windows/system32/drivers/etc/hosts to be
writable  
The file C:/Windows/system32/drivers/etc/hosts is not writable  
 
 
 
  * [Wampserver Forum](http://forum.wampserver.com/list.php?2)
 
  *[W]: Windows
  *[a]: Apache
  *[m]: MySQL/MariaDB
  *[p]: PHP
  *[server]: server WEB local

This appears to be a default Wampserver installation page on the target port 8080.
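From the defender's side, both requests above leave entries in Squid's access.log. The following is an added example (not part of the original write-up) that parses native-format log lines and flags clients reaching loopback, private or proxy-local destinations through the proxy. The sample log lines are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not from the target).
SAMPLE_LOG = """\
1744281579.101      2 192.168.45.157 TCP_MISS/503 4012 GET http://192.168.135.189/ - HIER_DIRECT/192.168.135.189 text/html
1744281602.417     31 192.168.45.157 TCP_MISS/200 9876 GET http://192.168.135.189:8080/ - HIER_DIRECT/192.168.135.189 text/html
1744281640.250     12 192.168.45.157 TCP_MISS/200 5120 GET http://192.168.135.189:8080/phpmyadmin/ - HIER_DIRECT/192.168.135.189 text/html
1744281700.009     88 10.0.0.23 TCP_TUNNEL/200 2048 CONNECT example.org:443 - HIER_DIRECT/93.184.216.34 -
"""

def destination(method, url):
    """Return (host, port); CONNECT entries log host:port rather than a URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host.strip("[]"), int(port)
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def is_internal(host, proxy_addrs):
    """True for the proxy's own addresses, loopback, private and link-local IPs."""
    if host in proxy_addrs or host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # other hostnames would need resolving; not done here
    return ip.is_loopback or ip.is_private or ip.is_link_local

def internal_pivots(log_text, proxy_addrs):
    """Map client IP -> sorted (host, port, HTTP status) of internal destinations."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # not a native-format entry
        try:
            host, port = destination(f[5], f[6])
        except ValueError:
            continue  # unparsable port or URL
        if host and is_internal(host, proxy_addrs):
            hits[f[2]].add((host, port, f[3].split("/")[-1]))
    return {client: sorted(dests) for client, dests in hits.items()}

if __name__ == "__main__":
    for client, dests in internal_pivots(SAMPLE_LOG, {"192.168.135.189"}).items():
        print(client, dests)
```

A single client touching several ports on the proxy's own address, with a mix of 503 and 200 results, is the pattern worth alerting on.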

WampServer


Setting up a proxy

There is a WampServer instance on the target internal port 8080

The installation page reveals all the enabled software and their versions

phpinfo


phpinfo is available

Web Root Directory

C:\wamp\www is the web root directory for the target WampServer instance.

adminer


adminer 4.7.7 is available at the /adminer/ endpoint. Default credentials do not work.

phpSysInfo


phpSysInfo is also available

The version is 3.3.2

phpMyAdmin


phpMyAdmin is also available

Default Credential

Successfully authenticated using the default credential "root:". It’s connected to the local MySQL instance.

Execute SQL Query

Since I can execute SQL queries with the highest privileges as the root account, I could write a PHP shell to the web root directory to get a foothold.

Moving on to the Exploitation phase.