Skip to content
Menu
Mr.KaaLi's JARV!$
  • WhoAmI
Mr.KaaLi's JARV!$

OSCP Prep Box 72 – BillyBoss – Proving Grounds Practice

Posted on July 7, 2026

Hi everyone

Today we are going to look for a Box called BillyBoss which is rated as intermediate in terms of difficulty. This machine has various phases: Recon, Enumeration, Exploitation and Privilege Escalation.

Difficulty – Intermediate

Operating System – Windows

Focus Areas

  • Sonatype Nexus Repository Manager Remote Code Execution (RCE).
  • Windows privilege enumeration.
  • Privilege escalation via SeImpersonatePrivilege.

In this writeup, I exploit an authenticated Remote Code Execution (RCE) vulnerability in Sonatype Nexus Repository Manager after identifying valid credentials. I leverage the vulnerability to gain an initial foothold on the Windows host, enumerate local privileges, and abuse SeImpersonatePrivilege to escalate privileges to NT AUTHORITY\SYSTEM, ultimately achieving full system compromise.

Table of Contents
  • Recon & Enumeration
  • Exploitation
  • Privilege Escalation
  • Key Takeaways

Recon & Enumeration

Enumeration plays a very significant role in pen testing. The more properly you enumerate the more it will be easy to get a foothold on the target.

First, we will check whether target is reachable or not with ping command:

ping Target_IP

With ping command output we found that the target is reachable.

Now let’s move ahead and run the port scan for which we will be using Nmap a popular tool for port scanning and it will provide details of the various ports which are in Open state. The command for that will be:

nmap -sC -sV -O -oA nmap/initial 192.168.246.61

nmap -sC -sV -O -p- -oA nmap/full -T4 192.168.246.61

nmap -sU -O -oA nmap/udp 192.168.246.61 -T4

I discovered these ports are open:

  • 21/tcp FTP service running Microsoft ftpd
  • 80/tcp HTTP service running Microsoft IIS 10.0 (BaGet)
  • 135/tcp Microsoft RPC (MSRPC) service
  • 139/tcp NetBIOS Session Service (SMB)
  • 445/tcp Microsoft Directory Services (SMB)
  • 5040/tcp Unknown service exposed
  • 8081/tcp HTTP service running Nexus Repository Manager 3.21.0-05 (Jetty 9.4.18.v20190429)
  • 49664/tcp Microsoft RPC (MSRPC) service
  • 49665/tcp Microsoft RPC (MSRPC) service
  • 49666/tcp Microsoft RPC (MSRPC) service
  • 49667/tcp Microsoft RPC (MSRPC) service
  • 49668/tcp Microsoft RPC (MSRPC) service
  • 49669/tcp Microsoft RPC (MSRPC) service
  • OS: Microsoft Windows (likely Windows Server 2008 R2 / Windows Server 2012 / Windows 7 / Windows 8.1 family)

Then I went ahead and checked the IP in the web browser on port 8080 and I found a web page which talks about packages, upload and Documentation:

Accessing the port number 8081 shows that Sonatype Nexus Repository Manager 3.21.0-0.5 is running:

I tried logging in with nexus as both username and password and it worked:

I started looking for the exploits related to Sonatype Nexus Repository Manager and I found Authenticated RCE: Sonatype Nexus 3.21.1 – Remote Code Execution (Authenticated) – Java webapps Exploit

Exploitation

I modified the exploit with the username and password as admin:

The exploit worked and it shows logged in successfully:

I have modified the exploit.

At first I hosted a copy of nc.exe on the Kali machine using a Python HTTP server. After that I have leverage the remote code execution (RCE) vulnerability to download the binary onto the target system. This version of nc.exe supports the -e option, which enables it to launch a specified executable after establishing a TCP connection, allowing for an interactive command shell.

I was able to get initial foothold as nathan user:

I found the local.txt flag

Privilege Escalation

Now it was a time for escalating the privileges.

I quickly checked the privileges assinged to the nathan user using whoami /priv command:

SeImpersonatePrivilege enables a process to impersonate authenticated users. If available to a low-privileged service account, it may be leveraged to elevate privileges to NT AUTHORITY\SYSTEM on vulnerable or misconfigured systems.

As the SeImpersonatePrivilege was enabled I thought of moving ahead with GodPotato exploit:

https://github.com/BeichenDream/GodPotato

The GodPotato exploit was downloaded to the target machine:

The exploit ran successfully and I obtained the admin access:

The above image shows the proof.txt file.

Key Takeaways

  • Default or weak credentials on administrative applications can provide an easy entry point for attackers.
  • Authenticated vulnerabilities should be assessed with the same rigor as unauthenticated ones, as they often lead to complete system compromise.
  • Web application enumeration is essential for identifying exposed services, technologies, and potential attack vectors.
  • Gaining an initial foothold is only the beginning; thorough post-exploitation enumeration is equally important.
  • Enumerating Windows privileges using whoami /priv can quickly identify viable privilege escalation paths.
  • The presence of SeImpersonatePrivilege on a compromised service account can significantly increase the impact of an initial compromise.
  • Understanding how web application exploitation and Windows privilege escalation complement each other is crucial for successful penetration testing.
  • A systematic approach to enumeration and exploitation is often more effective than relying on automated tools alone.

If you enjoyed this post, share it with your friends and colleagues!

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Search

©2026 Mr.KaaLi's JARV!$ | Powered by SuperbThemes