Posts by Brendan Watters

2 min Metasploit

Metasploit Weekly Wrap-Up 01/19/24

Unicode your way to a php payload and three modules to add to your playbook for Ansible Our own jheysel-r7 added an exploit leveraging the fascinating tool of php filter chaining to prepend a payload using encoding conversion characters and h00die et. al. have come through and added 3 new Ansible post modules to gather configuration information, read files, and deploy payloads. While none offer instantaneous answers across the universe, they will certainly help in red team exercises. New module

3 min Metasploit

Metasploit Weekly Wrap-Up: Dec. 15, 2023

Continuing the 12th Labor of Metasploit Metasploit continues its Herculean task of increasing our toolset to tame Kerberos by adding support for AS_REP Roasting, which allows retrieving the password hashes of users who have Do not require Kerberos preauthentication set on the domain controller. The setting is disabled by default, but it is enabled in some environments. Attackers can request the hash for any user with that option enabled, and worse (or better?) you can query the DC to determine

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up 12/8/2023

New this week: An OwnCloud gather module and a Docker cgroups container escape. Plus, an early feature that allows users to search module actions, targets, and aliases.

3 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up 11/10/23

Apache MQ and Three Cisco Modules in a Trenchcoat This week’s release has a lot of new content and features modules targeting two major recent vulnerabilities that got a great deal of attention: CVE-2023-46604 targeting Apache MQ [https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/] resulting in ransomware deployment and CVE-2023-20198 targeting Cisco IOS XE OS [https://www.rapid7.com/blog/post/2023/10/17/etr-cve-2023-20198-active-exploitati

4 min Metasploit

Metasploit Weekly Wrap-Up: Oct. 19, 2023

That Privilege Escalation Escalated Quickly This release features a module leveraging CVE-2023-22515 [https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/] , a vulnerability in Atlassian’s on-premises Confluence Server first listed as a privilege escalation, but quickly recategorized as a “broken access control” with a CVSS score of 10. The exploit itself is very simple and easy to use so there was little surprise when

2 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 1, 2023

Pumpkin Spice Modules Here in the northern hemisphere, fall is on the way: leaves changing, the air growing crisp and cool, and some hackers changing the flavor of their caffeine. This release features a new exploit module targeting Apache NiFi as well as a new and improved library to interact with it. New module content (1) Apache NiFi H2 Connection String Remote Code Execution Authors: Matei "Mal" Badanoiu and h00die Type: Exploit Pull request: #18257 [https://github.com/rapid7/metasploit-fra

3 min Metasploit

Metasploit Weekly Wrap-Up: Aug. 25, 2023

Power[shell]Point This week’s new features and improvements start with two new exploit modules leveraging CVE-2023-34960 [https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960?referrer=blog] Chamilo versions 1.11.18 and below and CVE-2023-26469 [https://attackerkb.com/topics/RT7G6Vyw1L/cve-2023-26469?referrer=blog] in Jorani 1.0.0. Like CVE-2023-34960 [https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960?referrer=blog], I too, feel attacked by PowerPoint sometimes. We also have several impr

2 min Metasploit

Metasploit Weekly Wrap-Up: 6/30/23

Nothing but .NET? Smashery continues to… smash it by updating our .NET assembly execution module. The original module allowed users to run a .NET exe as a thread within a process they created on a remote host. Smashery’s improvements let users run the executable within a thread of the process hosting Meterpreter and also changed the I/O for the executing thread to support pipes, allowing interaction with the spawned .NET thread, even when the other process has control over STDIN and STDOUT. The

3 min Metasploit

Metasploit Weekly Wrap-Up: Jun. 9, 2023

MOVEit It has been a busy few weeks in the security space; the MOVEit [https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/?utm_campaign=sm-blog&utm_source=twitter&utm_medium=organic-social] vulnerability filling our news feeds with dancing lemurs and a Barracuda [https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/?utm_campaign=sm-ETR&utm_source=twitter,linkedin&utm_me

6 min Metasploit

Fetch Payloads: A Shorter Path from Command Injection to Metasploit Session

Rapid7 is pleased to announce the availability of Metasploit fetch payloads, which increase efficiency and user control over the commands executed.

3 min Metasploit

Metasploit Weekly Wrap-Up: May 5, 2023

Throw another log [file] on the fire Our own Stephen Fewer authored a module targeting CVE-2023-26360 [https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360?referrer=blog] affecting ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier. The vulnerability allows multiple paths to code execution, but our module works by leveraging a request that will result in the server evaluating the ColdFusion Markup language on an arbitrary file on the remote system. This all

3 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up: Jan. 1, 2023

Back from a quiet holiday season Thankfully, it was a relatively quiet holiday break for security this year, so we hope everyone had a relaxing time while they could. This wrapup covers the last three Metasploit releases, and contains three new modules, two updates, and five bug fixes. Make sure that your OpenTSDB isn’t too open Of particular note in this release is a new module from community contributors Erik Wynter [https://github.com/ErikWynter] and Shai rod [https://github.com/nightrang3r

4 min Metasploit

Metasploit Weekly Wrap-Up: 12/16/22

A sack full of cheer from the Hacking Elves of Metasploit It is clear that the Metasploit elves have been busy this season: Five new modules, six new enhancements, nine new bug fixes, and a partridge in a pear tree are headed out this week! (Partridge nor pear tree included.) In this sack of goodies, we have a gift that keeps on giving: Shelby’s [https://github.com/space-r7] Acronis TrueImage Privilege Escalation [https://github.com/rapid7/metasploit-framework/pull/17265] works wonderfully, even

3 min Metasploit

Metasploit Weekly Wrap-Up: 11/4/22

C is for cookie And that’s good enough for Apache CouchDB, apparently. Our very own Jack Heysel [https://github.com/jheysel-r7] added an exploit module based on CVE-2022-24706 targeting CouchDB prior to 3.2.2, leveraging a special default ‘monster’ cookie that allows users to run OS commands. This fake computer I just made says I’m an Admin Metasploit’s zeroSteiner [https://github.com/zeroSteiner] added a module to perform Role-based Constrained Delegation (RBCD) on an Active Directory network.

2 min Metasploit

Metasploit Weekly Wrap-Up: 6/10/22

A Confluence of High-Profile Modules This release features modules covering the Confluence remote code execution bug CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability in the Windows Operating System accessible through malicious documents. Both have been all over the news, and we’re very happy to bring them to you so that you can verify mitigations and patches in your infrastructure. If you’d like to read more about these vulnerabilities, Rapid7 has AttackerKB analy