search

person-half-dressBILLYBOSS

hashtag
1-Nmap

hashtag
2-Port 8081

There are two web pages, one on port 80 and the other on port 8081. On port 80 we found nothing that caught our attention, so we went to port 8081 and found a Sonatype Nexus Repository Manager dashboard:

Sonatype Nexus Dashboard

hashtag
3-Log in

Looking for information we found that this version of Nexus is vulnerable to RCE CVE: 2020-10199, but you have to be authenticated, so looking in the documentation we found that the default credentials are either admin/admin123 , nexus/nexus123 or nexus/nexus, after trying all three the only one that works is the last one:

Log in as nexus

hashtag
4-Revshell

We can now execute commands with the exploit CVE: 2020-10199`, we are going to execute a reverse shell directly, we will use the rev shell web page (https://www.revshells.com/arrow-up-right) to generate a base64 PowerShell:

Generate a reverse shell

hashtag
5-Exploit

Next, modify the exploit to change the target ip and the payload:

Modify the exploit

Execute the exploit:

Run the exploit

And listening at the same time with nc on port 443 we get the reverse shell as nathan:

Get the reverse shell as nathan

hashtag
6-Privilege Escalation

After a long enumeration, I googled the Windows build number and found this Windows 10 version history on Wikipedia. Windows 10 build 18362 translates to version 1903. The user we are running with nathan has SeImpersonatePrivilege enabled, which would make him the perfect candidate for a Potato attack. There is a recent Potato privilege escalation exploit that works on newer versions of Windows. So you have to transfer the exploit to the victim machine and then run a reverse shell. (https://github.com/BeichenDream/GodPotatoarrow-up-right)

Reverse Shell with GodPotato

As we can see, a new process is created with the user NT AUTHORITY SYSTEM, and we get the shell:

PreviousAUTHBYNextESCAPE

Last updated