Open ports
Discovery port 8080 via the Squid proxy (port 3128)
Hacktricks article suggests to use this tool to enumerate ports accessible via the Squid proxy
Setup Firefox to use the Squid proxy to access port 8080
FoxyProxy
Navigate to port 8080 via port 3128
Discover phpMyAdmin on port 8080 and login with default creds
Feroxbuster scan via the proxy on port 3128
MyPHPAdmin index page
Login with default credentials (root:
<no password>)
Use SQL to upload a php file with a command inject vulnerability at the web root
Find the web root (C:/wamp/www) via phpinfo
Create a new file to the document root
Use the command injection vulnerability with the new file
Local Service shell
Use command injection to obtain a reverse shell
Upload nc.exe
Export cmd.exe via nc.exe
Catch the reverse shell
Obtain local.txt
Privileged shell
Regain full privileges for the current Local Service account
Create an execute a scheduled task
Catch the reverse shell from the scheduled task
Regain SeImpersonatePrivilege via FullPowers.exe
root shell
Exploit SeImpersonatePrivilege to execute a reverse shell with GodPotato
Execute the reverse shell
Catch the reverse shell
Obtain proof.txt
