Posts tagged Metasploit Weekly Wrapup

2 min Metasploit

Metasploit Wrap-up

In the week after our CTF, we hope the players had a good time and got back to their loved ones, jobs, lives, studies, and most importantly, back to their beds (and you can find out who the winners were here [/2020/02/03/congrats-to-the-winners-of-the-2020-metasploit-community-ctf/]!). For the Metasploit team, we went back to baking up fresh, hot modules and improvements that remind us in this flu season to not just wash your hands, but also, sanitize your inputs! SOHOwabout a Shell? Several [h

5 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Happy CTF week, folks! If you haven't already been following along with (or competing in) Metasploit's global community CTF [/2020/01/15/announcing-the-2020-metasploit-community-ctf/], it started yesterday and runs through Monday morning U.S. Eastern Time. Registration has been full for a while, but you can join the #metasploit-ctf channel on Slack [https://metasploit.com/slack] to participate in the joy and frustration vicariously. This week's Metasploit wrap-up takes a look back at work done

3 min Metasploit

Metasploit Wrap-up

Transgressive Traversal Contributor Dhiraj Mishra [https://github.com/RootUp] authored a neat Directory Traversal module [https://github.com/rapid7/metasploit-framework/pull/12773] targeted at NVMS-1000 Network Surveillance Management Software developed by TVT Digital Technology. Permitting the arbitrary downloading of files stored on a machine running compromised software [https://www.exploit-db.com/exploits/47774] , this module becomes all the more attractive when you consider it's providing

2 min Metasploit

Metasploit Wrap-Up

Silly admin, Citrix is for script kiddies A hot, new module [https://github.com/rapid7/metasploit-framework/pull/12816] has landed in Metasploit Framework this week. It takes advantage of CVE-2019-19781 which is a directory traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway. This exploit takes advantage of unsanitized input within the URL structure of one of the API endpoints to access specified directories. Conveniently there is a directory available that house

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A new OpenBSD local exploit Community contributor bcoles [http://github.com/bcoles] brings us a new exploit module for CVE-2019-19726, a vulnerability originally discovered by Qualys [https://blog.qualys.com/laws-of-vulnerabilities/2019/12/11/openbsd-local-privilege-escalation-vulnerability-cve-2019-19726] in OpenBSD. This vulnerability is pretty interesting in the sense that it leverages a bug in the _dl_getenv function that can be triggered to load libutil.so from an attacker controlled loca

2 min Metasploit

Metasploit Wrap-Up

With 2019 almost wrapped up, we’ve been left wondering where the time went! It’s been a busy year for Metasploit, and we’re going out on a reptile-themed note this wrap-up... Python gets compatible With the clock quickly ticking down on Python 2 support [https://pythonclock.org/], contributor xmunoz [https://github.com/xmunoz] came through with some changes [https://github.com/rapid7/metasploit-framework/pull/12524] to help ensure most of Framework works with Python 3. While Python 3’s adoption

2 min Metasploit

Metasploit Wrap-Up

It’s beginning to look a lot like HaXmas [/tag/haxmas/], everywhere you go! We have a great selection of gift-wrapped modules this holiday season, sure to have you entertained from one to eight nights, depending on your preference! On a personal note, we here at the Metasploit workshop would like to welcome our newest elf, Spencer McIntyre [https://github.com/smcintyre-r7]. Spencer has been a long-time contributor to the project, and we’re thrilled to have him on the team! In the spirit of givi

3 min Metasploit

Metasploit Wrap-Up

Powershell Express Delivery The web_delivery module [https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/script/web_delivery.rb] is often used to deliver a payload during post exploitation by quickly firing up a local web server. Since it does not write anything on target’s disk, payloads are less likely to be caught by anti-virus protections. However, since Microsoft added Antimalware Scan Interface (AMSI) [https://docs.microsoft.com/en-us/windows/win32/amsi/antim

3 min Metasploit

Metasploit Wrap-Up

Management delegation of shells Onur ER [https://github.com/onurer] contributed the Ajenti auth username command injection [https://github.com/rapid7/metasploit-framework/pull/12503] exploit module for the vulnerability Jeremy Brown discovered and published a PoC for on 2019-10-13 (EDB 47497) against Ajenti version 2.1.31. Ajenti is an open-source web-based server admin panel written in Python and JS. The application allows admins to remotely perform a variety of server management tasks. The ex

3 min Metasploit

Metasploit Wrap-Up

Payload payday As we blogged about yesterday [/2019/11/21/metasploit-shellcode-grows-up-encrypted-and-authenticated-c-shells/] , a new form of payload that is compiled directly from C when generated was added by space-7 [https://github.com/space-r7]. We hope this is only the first step in a journey of applying the myriad tools that obfuscate C programs to our core payloads, so be sure to check out all the nifty workings of the code! If that wasn't enough, we also got a pair of payloads written f

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Pulse Secure VPN exploit modules, a notable BlueKeep exploit reliability improvement, and an overhaul of MSF's password cracking integration, including new support for hashcat.

2 min Metasploit

Metasploit Wrap-Up

Config R Us Many versions of network management tool rConfig are vulnerable to unauthenticated command injection, and contributor bcoles [https://github.com/bcoles] added a new exploit module [https://github.com/rapid7/metasploit-framework/pull/12507] for targeting those versions. Present in v3.9.2 and prior, this vulnerability centers around the install directory not being automatically cleaned up following software installation, leaving behind a PHP file that can be utilized to execute arbitr

1 min Metasploit

Metasploit Wrap-Up

This week's Metasploit wrap-up ships a new exploit module against Nostromo, a directory traversal vulnerability that allows system commands to be executed remotely. Also, improvements have been made for the grub_creds module for better post exploitation experience against Unix-like machines. Plus a few bugs that have been addressed, including the -s option for NOPs generation, the meterpreter prompt, and reverse_tcp hanging due to newer Ruby versions. New modules (1) * Nostromo Directory Trave

2 min Metasploit

Metasploit Wrap-Up

Is URGENT/11 urgent to your world? Metasploit now has a scanner module to help find the systems that need URGENT attention. Be sure to check the options on this one; RPORTS is a list to test multiple services on each target. Thanks Ben Seri [https://twitter.com/benseri87] for the PoC that lead off this work. Everyone likes creds, a new post module [https://github.com/rapid7/metasploit-framework/pull/12462] landed this week from Taeber Rapczak [https://github.com/taeber] that brings back credent

2 min Metasploit

Metasploit Wrap-up

Nagios XI post module Nagios XI may store the credentials of the hosts it monitors, and with the new post module [https://github.com/rapid7/metasploit-framework/pull/12136] by Cale Smith [https://github.com/caleBot], we're now able to extract the Nagios database content along with its SSH keys and dump them into the MSF database. With the addition of this new post module, we can conveniently increase the opportunities for lateral movement. Environment-based API token authentication Our own ekel