Hi everyone
Today we are going to look for a Box called BillyBoss which is rated as intermediate in terms of difficulty. This machine has various phases: Recon, Enumeration, Exploitation and Privilege Escalation.
Difficulty – Intermediate
Operating System – Windows
Focus Areas
- Sonatype Nexus Repository Manager Remote Code Execution (RCE).
- Windows privilege enumeration.
- Privilege escalation via SeImpersonatePrivilege.
In this writeup, I exploit an authenticated Remote Code Execution (RCE) vulnerability in Sonatype Nexus Repository Manager after identifying valid credentials. I leverage the vulnerability to gain an initial foothold on the Windows host, enumerate local privileges, and abuse SeImpersonatePrivilege to escalate privileges to NT AUTHORITY\SYSTEM, ultimately achieving full system compromise.
Recon & Enumeration
Enumeration plays a very significant role in pen testing. The more properly you enumerate the more it will be easy to get a foothold on the target.
First, we will check whether target is reachable or not with ping command:
ping Target_IP

With ping command output we found that the target is reachable.
Now let’s move ahead and run the port scan for which we will be using Nmap a popular tool for port scanning and it will provide details of the various ports which are in Open state. The command for that will be:
nmap -sC -sV -O -oA nmap/initial 192.168.246.61
nmap -sC -sV -O -p- -oA nmap/full -T4 192.168.246.61
nmap -sU -O -oA nmap/udp 192.168.246.61 -T4




I discovered these ports are open:
- 21/tcp FTP service running Microsoft ftpd
- 80/tcp HTTP service running Microsoft IIS 10.0 (BaGet)
- 135/tcp Microsoft RPC (MSRPC) service
- 139/tcp NetBIOS Session Service (SMB)
- 445/tcp Microsoft Directory Services (SMB)
- 5040/tcp Unknown service exposed
- 8081/tcp HTTP service running Nexus Repository Manager 3.21.0-05 (Jetty 9.4.18.v20190429)
- 49664/tcp Microsoft RPC (MSRPC) service
- 49665/tcp Microsoft RPC (MSRPC) service
- 49666/tcp Microsoft RPC (MSRPC) service
- 49667/tcp Microsoft RPC (MSRPC) service
- 49668/tcp Microsoft RPC (MSRPC) service
- 49669/tcp Microsoft RPC (MSRPC) service
- OS: Microsoft Windows (likely Windows Server 2008 R2 / Windows Server 2012 / Windows 7 / Windows 8.1 family)
Then I went ahead and checked the IP in the web browser on port 8080 and I found a web page which talks about packages, upload and Documentation:


Accessing the port number 8081 shows that Sonatype Nexus Repository Manager 3.21.0-0.5 is running:

I tried logging in with nexus as both username and password and it worked:

I started looking for the exploits related to Sonatype Nexus Repository Manager and I found Authenticated RCE: Sonatype Nexus 3.21.1 – Remote Code Execution (Authenticated) – Java webapps Exploit
Exploitation
I modified the exploit with the username and password as admin:

The exploit worked and it shows logged in successfully:

I have modified the exploit.
At first I hosted a copy of nc.exe on the Kali machine using a Python HTTP server. After that I have leverage the remote code execution (RCE) vulnerability to download the binary onto the target system. This version of nc.exe supports the -e option, which enables it to launch a specified executable after establishing a TCP connection, allowing for an interactive command shell.



I was able to get initial foothold as nathan user:


I found the local.txt flag
Privilege Escalation
Now it was a time for escalating the privileges.
I quickly checked the privileges assinged to the nathan user using whoami /priv command:

SeImpersonatePrivilege enables a process to impersonate authenticated users. If available to a low-privileged service account, it may be leveraged to elevate privileges to NT AUTHORITY\SYSTEM on vulnerable or misconfigured systems.
As the SeImpersonatePrivilege was enabled I thought of moving ahead with GodPotato exploit:
https://github.com/BeichenDream/GodPotato


The GodPotato exploit was downloaded to the target machine:

The exploit ran successfully and I obtained the admin access:


The above image shows the proof.txt file.
Key Takeaways
- Default or weak credentials on administrative applications can provide an easy entry point for attackers.
- Authenticated vulnerabilities should be assessed with the same rigor as unauthenticated ones, as they often lead to complete system compromise.
- Web application enumeration is essential for identifying exposed services, technologies, and potential attack vectors.
- Gaining an initial foothold is only the beginning; thorough post-exploitation enumeration is equally important.
- Enumerating Windows privileges using whoami /priv can quickly identify viable privilege escalation paths.
- The presence of SeImpersonatePrivilege on a compromised service account can significantly increase the impact of an initial compromise.
- Understanding how web application exploitation and Windows privilege escalation complement each other is crucial for successful penetration testing.
- A systematic approach to enumeration and exploitation is often more effective than relying on automated tools alone.
If you enjoyed this post, share it with your friends and colleagues!