Web


Nmap discovered a web server on target port 8081. The running service is Jetty 9.4.18.v20190429.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/billyboss]
└─$ curl -I http://$IP:8081/           
HTTP/1.1 200 OK
Date: Sat, 01 Mar 2025 18:27:09 GMT
Server: Nexus/3.21.0-05 (OSS)
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Type: text/html
Last-Modified: Sat, 01 Mar 2025 18:27:09 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0
Expires: 0
Content-Length: 10196

Checking the Server header reveals that the server is hosting a Nexus instance, version 3.21.0-05 (OSS).

Sonatype Nexus Repository is a software repository manager, available under both an open-source license and a proprietary license. It can combine repositories for various programming languages, so that a single server can be used as a source for building software. The open source version uses the H2 database.

After several rounds of trial and error, I was able to authenticate using a default credential: nexus:nexus

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/billyboss]
└─$ searchsploit Sonatype Nexus
------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                    |  Path
------------------------------------------------------------------ ---------------------------------
Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)     | java/webapps/49385.py
------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

Checking for vulnerabilities revealed that there is an authenticated RCE exploit available for version 3.21.1. Given that the target instance is 3.21.0-05 (OSS), it should work.
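The version match above is done by eye; the following is an added example (not part of the writeup) that pulls the Nexus version out of a captured Server header and orders it against a reference release, which is how a defender would flag instances still on an affected build during an inventory sweep. SAMPLE_HEADERS is constructed from the curl output shown earlier; the Nexus build-suffix handling (the "-05" part) is an assumption about the version scheme.

```python
"""Extract a Sonatype Nexus version from raw HTTP headers and compare it
against a reference release such as the one an advisory or exploit names."""
import re
from typing import Optional, Tuple

# Constructed sample: the header block returned by `curl -I` on the page.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Date: Sat, 01 Mar 2025 18:27:09 GMT
Server: Nexus/3.21.0-05 (OSS)
X-Content-Type-Options: nosniff
Content-Type: text/html
"""

# Server: Nexus/<major>.<minor>.<patch>[-<build>] [(<edition>)]
NEXUS_RE = re.compile(
    r"^Server:\s*Nexus/(\d+)\.(\d+)\.(\d+)(?:-(\d+))?\s*(?:\((\w+)\))?",
    re.IGNORECASE | re.MULTILINE,
)

Version = Tuple[int, int, int, int]


def parse_nexus_version(raw_headers: str) -> Optional[Tuple[Version, str]]:
    """Return ((major, minor, patch, build), edition) or None if the
    Server header does not identify a Nexus instance."""
    m = NEXUS_RE.search(raw_headers)
    if not m:
        return None
    major, minor, patch, build, edition = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0)), (edition or "").upper()


def version_tuple(text: str) -> Version:
    """Turn '3.21.1' or '3.21.0-05' into a comparable 4-tuple; a missing
    build number (assumed scheme) sorts as 0."""
    core, _, build = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], int(build or 0))


def is_at_or_below(observed: str, reference: str) -> bool:
    """True when the observed release is no newer than the reference."""
    return version_tuple(observed) <= version_tuple(reference)


if __name__ == "__main__":
    parsed = parse_nexus_version(SAMPLE_HEADERS)
    print(parsed)  # ((3, 21, 0, 5), 'OSS')
    print(is_at_or_below("3.21.0-05", "3.21.1"))  # True
```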