May 15, 2025

Squid Proving Grounds Write-Up

Proving Grounds Squid machine walkthrough

SUMMARY

This write-up covers the Squid machine from OffSec’s Proving Grounds, a Windows machine where an open proxy service enabled discovery and exploitation of internally exposed services.

A Squid proxy was running on port 3128. Using ffuf with proxy routing, internal ports 3306 (MySQL) and 8080 (WAMP) were discovered. Configuring FoxyProxy to route traffic through the Squid proxy allowed browser access to the WAMP server panel on port 8080, which exposed the phpinfo page and revealed the web root path. The internal MySQL port was then accessed via phpMyAdmin, where the root user had no password.

With root SQL access and write permissions to the WAMP web root, a PHP webshell was written directly using SELECT ... INTO OUTFILE. Accessing the file through the proxied browser confirmed command execution, and a reverse shell was sent, landing directly as NT AUTHORITY\SYSTEM.
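A defender-side view of the proxied internal port enumeration summarised above, as an added example that is not part of the original write-up: it reads Squid access.log lines in the native format and flags clients that reach several distinct ports on a loopback or private address through the proxy. The sample log lines, function names and the `min_ports` threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not taken from the page).
SAMPLE_LOG = """\
1747300000.101      3 192.0.2.10 TCP_MISS/503 4005 GET http://127.0.0.1:21/ - HIER_NONE/- text/html
1747300000.140      2 192.0.2.10 TCP_MISS/503 4005 GET http://127.0.0.1:22/ - HIER_NONE/- text/html
1747300000.190      9 192.0.2.10 TCP_MISS/200 512 GET http://127.0.0.1:3306/ - HIER_DIRECT/127.0.0.1 -
1747300000.230     15 192.0.2.10 TCP_MISS/200 9120 GET http://127.0.0.1:8080/ - HIER_DIRECT/127.0.0.1 text/html
1747300050.004    210 192.0.2.20 TCP_MISS/200 1256 GET http://example.com/ - HIER_DIRECT/203.0.113.7 text/html
1747300060.310     14 192.0.2.20 TCP_MISS/200 9120 GET http://127.0.0.1:8080/ - HIER_DIRECT/127.0.0.1 text/html
"""

def internal_target(url):
    """Return (host, port) if the URL targets localhost or a loopback/private IP, else None."""
    parts = urlsplit(url if "://" in url else "//" + url)  # CONNECT logs host:port
    host = parts.hostname
    try:
        port = parts.port or {"https": 443}.get(parts.scheme, 80)
    except ValueError:  # malformed port in the logged URL
        return None
    if host is None:
        return None
    if host != "localhost":
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:  # a DNS name; not resolved in this offline check
            return None
        if not (ip.is_loopback or ip.is_private):
            return None
    return host, port

def find_proxy_port_sweeps(log_text, min_ports=3):
    """Map (client, internal host) to the sorted ports requested, when at least min_ports differ."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:  # native format: time elapsed client code/status bytes method URL ...
            continue
        target = internal_target(fields[6])
        if target:
            seen[(fields[2], target[0])].add(target[1])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

if __name__ == "__main__":
    for (client, host), ports in find_proxy_port_sweeps(SAMPLE_LOG).items():
        print(f"{client} probed {host} via proxy on ports {ports}")
```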


PATH TO FOLLOW

  1. Reconnaissance & Squid Proxy Discovery on Port 3128
  2. Internal Port Enumeration via Proxy
  3. WAMP Panel & Web Root Discovery
  4. phpMyAdmin Access as Root (No Password)
  5. PHP Webshell Write via SQL FILE Injection
  6. Command Execution & Reverse Shell as NT AUTHORITY\SYSTEM

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.