Tampering with the PAC — Windows post-exploitation — Metasploit

PAC: proxy auto-config.
→ Enterprises rely on it to assign proxies to clients according to policy.
→ A proxy auto-config (PAC) file defines how web browsers and other user agents automatically choose the appropriate proxy server (access method) for fetching a given URL.
→ The file is written in JavaScript; only a fixed set of helper functions is available to it, and it runs inside a sandbox*.
• *A sandbox is an isolated execution environment in which software can be run for independent evaluation, monitoring or testing.

http://findproxyforurl.com/pac-functions/


Let’s create a fresh directory named PAC (any name works) and inside it a file named proxy.pac (again any name works, but proxy.pac is the conventional one).


Now we need to write the PAC file itself, in JavaScript.


Here our Kali machine’s IP is 192.168.1.35.
The browser will contact the given proxy (192.168.1.5:80) to fetch whatever URL the user asks for.


Now I am assuming we have already compromised a Windows machine and obtained SYSTEM on it via a UAC bypass.

First, a quick compromise of Windows followed by the UAC bypass.


Now, on the Kali machine, start the apache2 server.

Then place the PAC file in /var/www/html.


Now we use the Metasploit post-exploitation module named ie_proxypac.

Let’s run the exploit:


Let’s check whether the proxy settings have actually been changed.


Okay, great, they have been changed.

Now let’s check in Internet Explorer.


Here we try to access any website, but instead it serves us our index.php.
Let’s check the Apache logs.


Security researcher, Blogger, Bug Bounty hunter
