Posts by Dean Welch

2 min Metasploit

Metasploit Weekly Wrap-Up: Nov. 3, 2023

PTT for DCSync This week, community member smashery [] made an improvement to the windows_secrets_dump module to enable it to dump domain hashes using the DCSync method after having authenticated with a Kerberos ticket. Now, if a user has a valid Kerberos ticket for a privileged account, they can run the windows_secrets_dump module with the DOMAIN action and obtain the desired information. No password required. This is particularly useful in workflows involving the exp

2 min Metasploit

Metasploit Weekly Wrap-Up: 7/7/23

Apache RocketMQ We saw some great teamwork this week from jheysel-r7 [] and h00die [] to bring you an exploit module for CVE-2023-33246 []. In Apache RocketMQ version 5.1.0 and under, there is an access control issue which the module leverages to update the broker's configuration file without authentication. From here we can gain remote code execution as whichever user is ru

3 min Metasploit

Metasploit Weekly Wrap-Up: 4/21/23

VMware Workspace ONE Access exploit chain A new module contributed by jheysel-r7 [] exploits two vulnerabilities in VMware Workspace ONE Access to attain Remote Code Execution as the horizon user. First being CVE-2022-22956 [], which is an authentication bypass and the second being a JDBC injection in the form of CVE-2022-22957 [] ultimately granting us RCE. The module

4 min Metasploit

Metasploit Weekly Wrap-Up: 2/2/23

Metasploit 6.3 is out! Earlier this week we announced the release of Metasploit 6.3 which came with a tonne of new modules and improvements. The whole team worked super hard on this and we're very excited that everyone can now get their hands on it and all of the new features it has to offer! I won't go over everything we did here because we have a whole separate blog post [] dedicated to the 6.3 release that you shou

2 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 30, 2022

Veritas Backup Exec Agent RCE This module kindly provided by c0rs [] targets the Veritas Backup Exec Agent in order to gain RCE as the system/root user. The exploit itself is actually a chain of 3 separate CVEs (CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878) which only makes it more impressive. While you're patching, why not take the time to test your backups too. Hikvision IP Camera user impersonation This vulnerability has been present in Hikvision products since 20

3 min Metasploit

Metasploit Weekly Wrap-Up: 7/8/22

DFSCoerce - Distributing more than just files DFS (Distributed File System) is now distributing Net-NTLM credentials thanks to Spencer McIntyre [] with a new auxiliary/scanner/dcerpc/dfscoerce module that is similar to PetitPotam in how it functions. Note that unlike PetitPotam, this technique does require a normal domain user’s credentials to work. The following shows the workflow for targeting a 64-bit Windows Server 2019 domain controller. Metasploit is hostin

3 min Metasploit

Metasploit Weekly Wrap-Up: 4/22/22

ManageEngine ADSelfService Plus Authenticated RCE This module is pretty exciting for us because it's for a vulnerability discovered by our very own Rapid7 researchers Jake Baines [], Hernan Diaz, Andrew Iwamaye, and Dan Kelly. The vulnerability allowed for attackers to leverage the "custom script" functionality to execute arbitrary operating system commands whenever domain users reset their passwords. I won't go into too much depth though because we have a whole blog

3 min Metasploit

Metasploit Weekly Wrap-Up: Jan. 28, 2022

A new Log4Shell module for unauthenticated RCE on Ubiquiti UniFi devices, getsystem improvements, and more!

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 10/22/21

Metasploit's first modules targeting Kubernetes, plus Windows support for exploiting Confluence Server CVE-2021-26084.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 4/9/21

Spilling the (Gi)tea We have two modules coming in from cdelafuente-r7 targeting CVE-2020-14144 for both the Gitea and Gogs self-hosted Git services. Both modules are similar: they take advantage of a user's ability to create Git hooks by authenticating with the web interface, creating a dummy repos

3 min Metasploit

Metasploit Wrap-Up: 1/22/21

A new Microsoft Windows Spooler privesc module, along with some fixes and improvements!

5 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 8/7/20

Metasploit 6 initial features and active development, the 2020 open-source security meetup (OSSM), four new modules, and the longest list of enhancements and fixes we've ever written in one sitting.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 3/13/20

Four new modules and lots of productivity enhancements. You can now run `rubocop -a` to automatically fix most formatting issues when developing modules. Plus, try the new `tip` command in MSF for Framework usage tips!

1 min Metasploit

Metasploit Wrap-Up 10/4/19

Command and Control with DOUBLEPULSAR We now have a DOUBLEPULSAR exploit module [] thanks to some amazing work by our own wvu [], Jacob Robles, and some significant contributions from the wider community. The module allows you to check for the DOUBLEPULSAR implant, disable it, or even load your own payloads as well; it really deserves its own blog post… [