BillyBoss Proving Grounds Write-Up
SUMMARY
This write-up covers the BillyBoss machine from Offsec’s Proving Grounds, a Windows machine where a software repository manager led to remote code execution.
Port enumeration revealed Sonatype Nexus Repository Manager 3.21.0 on port 8081. A searchsploit search identified an authenticated RCE exploit for this version. No credentials were known initially, and the default credentials published online were invalid. Credentials from SecLists (nexus:nexus) provided access to the admin panel. The RCE script was modified to download netcat to the victim machine and execute it, returning a reverse shell as user nathan.
The compromised user held SeImpersonatePrivilege. GodPotato was used to escalate, but the resulting shell was unstable and missing command output. A SAM and SYSTEM hive backup was performed, transferred via SMB, and dumped with secretsdump to extract the Administrator hash. psexec then provided a stable shell as NT AUTHORITY\SYSTEM.
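From the defender's side, the chain summarised above leaves two distinct traces: a registry hive save of SAM/SYSTEM before the secretsdump step, and a shell or netcat binary spawned as a child of the Nexus service's java.exe. The following is an added example (not code from the write-up) that triages constructed process-creation records for both; the record field names and the Nexus install path are assumptions, not values from the box.

```python
"""Triage process-creation records for the BillyBoss post-exploitation traces.

Added example, not part of the original write-up. Record fields (image,
cmdline, parent, user) are modelled loosely on Sysmon Event ID 1 / Security
4688 and are an assumption; the sample records below are constructed.
"""
import re

# Constructed sample records: one hive save, one benign reg query,
# one netcat child of the Nexus java process, one benign cmd.exe.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv",
     "parent": r"C:\Windows\System32\cmd.exe", "user": r"BILLYBOSS\nathan"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion",
     "parent": r"C:\Windows\System32\cmd.exe", "user": r"BILLYBOSS\admin"},
    {"image": r"C:\Users\nathan\nc.exe",
     "cmdline": r"nc.exe [constructed args omitted]",
     "parent": r"C:\nexus\jre\bin\java.exe", "user": r"BILLYBOSS\nathan"},  # assumed path
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir",
     "parent": r"C:\Windows\explorer.exe", "user": r"BILLYBOSS\nathan"},
]

# "reg save HKLM\SAM ..." or "reg save HKLM\SYSTEM ..." in any case, with or
# without the .exe suffix and the HKLM\ prefix.
HIVE_SAVE = re.compile(r"\breg(\.exe)?\s+save\s+(hklm\\)?(sam|system)\b", re.I)

# Binaries that should never be children of a repository manager's JVM.
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "nc.exe", "nc64.exe")


def hive_dump_alerts(events):
    """Records whose command line saves the SAM or SYSTEM hive to disk."""
    return [e for e in events if HIVE_SAVE.search(e["cmdline"])]


def nexus_child_alerts(events):
    """Records where a shell/netcat image was spawned by the Nexus java.exe."""
    hits = []
    for e in events:
        parent = e["parent"].lower()
        child = e["image"].lower().rsplit("\\", 1)[-1]
        if parent.endswith("java.exe") and "nexus" in parent and child in SHELL_IMAGES:
            hits.append(e)
    return hits


def triage(events):
    """Group both signals so an analyst sees the whole chain in one view."""
    return {"hive_dump": hive_dump_alerts(events),
            "nexus_child": nexus_child_alerts(events)}
```

Run against real telemetry, the hive-save rule is the higher-fidelity signal; the parent-child rule should be tuned to the actual Nexus service account and install path.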
PATH TO FOLLOW
- Reconnaissance & Nexus Repository Manager Discovery on Port 8081
- Authenticated RCE Exploit Identification
- Default Credential Discovery via SecLists
- RCE Script Modification & Reverse Shell as nathan
- SeImpersonatePrivilege Identification & GodPotato Execution
- SAM/SYSTEM Dump & Administrator Hash Extraction
- Shell as NT AUTHORITY\SYSTEM via psexec
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.