2 min
Metasploit
Metasploit Weekly Wrap-Up 01/19/24
Unicode your way to a php payload and three modules to add to your playbook for
Ansible
Our own jheysel-r7 added an exploit leveraging the fascinating tool of php
filter chaining to prepend a payload using encoding conversion characters and
h00die et. al. have come through and added 3 new Ansible post modules to gather
configuration information, read files, and deploy payloads. While none offer
instantaneous answers across the universe, they will certainly help in red team
exercises.
New module
2 min
Metasploit
Metasploit Weekly Wrap-Up 01/12/24
New module content (1)
Windows Gather Mikrotik Winbox "Keep Password" Credentials Extractor
Author: Pasquale 'sid' Fiorillo
Type: Post
Pull request: #18604 [https://github.com/rapid7/metasploit-framework/pull/18604]
contributed by siddolo [https://github.com/siddolo]
Path: windows/gather/credentials/winbox_settings
Description: This pull request introduces a new post module to extract the
Mikrotik Winbox credentials, which are saved in the settings.cfg.viw file when
the "Keep Password" option
2 min
Metasploit
Metasploit Weekly Wrap-Up 1/05/2024
New module content (2)
Splunk __raw Server Info Disclosure
Authors: KOF2002, h00die, and n00bhaxor
Type: Auxiliary
Pull request: #18635 [https://github.com/rapid7/metasploit-framework/pull/18635]
contributed by n00bhaxor [https://github.com/n00bhaxor]
Path: gather/splunk_raw_server_info
Description: This PR adds a module for an authenticated Splunk information
disclosure vulnerability. This module gathers information about the host machine
and the Splunk install including OS version, build, CP
8 min
Metasploit
Metasploit 2023 Annual Wrap-Up: Dec. 29, 2023
As 2023 winds down, we’re taking another look back at all the changes and
improvements to the Metasploit Framework. This year marked the 20th anniversary
since Metasploit version 1.0 was committed and the project is still actively
maintained and improved thanks to a thriving community.
Version 6.3
Early this year in January, Metasploit version 6.3
[https://www.rapid7.com/blog/post/2023/01/30/metasploit-framework-6-3-released/]
was released with a number of improvements for targeting Active Dir
2 min
Metasploit
Metasploit Weekly Wrap-Up: Dec. 22, 2023
Metasploit has added exploit content for the glibc LPE CVE-2023-4911 (AKA Looney Tunables) and RCE exploits for Confluence and Vinchin Backup and Recovery.
3 min
Metasploit
Metasploit Weekly Wrap-Up: Dec. 15, 2023
Continuing the 12th Labor of Metasploit
Metasploit continues its Herculean task of increasing our toolset to tame
Kerberos by adding support for AS_REP Roasting, which allows retrieving the
password hashes of users who have Do not require Kerberos preauthentication set
on the domain controller. The setting is disabled by default, but it is enabled
in some environments.
Attackers can request the hash for any user with that option enabled, and worse
(or better?) you can query the DC to determine
3 min
Metasploit Weekly Wrapup
Metasploit Wrap-Up 12/8/2023
New this week: An OwnCloud gather module and a Docker cgroups container escape. Plus, an early feature that allows users to search module actions, targets, and aliases.
4 min
Metasploit
Metasploit Weekly Wrap-Up: Dec. 1, 2023
Customizable DNS resolution
Contributor smashery [https://github.com/smashery] added a new dns command to
Metasploit console, which allows the user to customize the behavior of DNS
resolution. Similarly to the route command, it is now possible to specify where
DNS requests should be sent to avoid any information leak. Before these changes,
the Framework was using the default local system configuration. Now, it is
possible to specify which DNS server should be queried based on rules that match
sp
1 min
Metasploit
Metasploit Wrap-Up: Nov. 23, 2023
Metasploit 6.3.44 released with stability improvements and module fixes
1 min
Metasploit Weekly Wrapup
Metasploit Weekly Wrap-Up: Nov. 17, 2023
Possible Web Service Removal
Metasploit has support for running with a local database, or from a remote web
service which can be initialized with msfdb init --component webservice. Future
versions of Metasploit Framework may remove the msfdb remote webservice. Users
that leverage this functionality are invited to react on an issue currently on
GitHub [https://github.com/rapid7/metasploit-framework/issues/18439] to inform
the maintainers that the feature is used.
New module content (1)
ZoneMind
3 min
Metasploit Weekly Wrapup
Metasploit Weekly Wrap-Up 11/10/23
Apache MQ and Three Cisco Modules in a Trenchcoat
This week’s release has a lot of new content and features modules targeting two
major recent vulnerabilities that got a great deal of attention: CVE-2023-46604
targeting Apache MQ
[https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/]
resulting in ransomware deployment and CVE-2023-20198 targeting Cisco IOS XE OS
[https://www.rapid7.com/blog/post/2023/10/17/etr-cve-2023-20198-active-exploitati
2 min
Metasploit
Metasploit Weekly Wrap-Up: Nov. 3, 2023
PTT for DCSync
This week, community member smashery [https://github.com/smashery] made an
improvement to the windows_secrets_dump module to enable it to dump domain
hashes using the DCSync method after having authenticated with a Kerberos
ticket. Now, if a user has a valid Kerberos ticket for a privileged account,
they can run the windows_secrets_dump module with the DOMAIN action and obtain
the desired information. No password required. This is particularly useful in
workflows involving the exp
2 min
Metasploit
Metasploit Weekly Wrap-Up: Oct. 27, 2023
New module content (4)
Atlassian Confluence Data Center and Server Authentication Bypass via Broken
Access Control
Authors: Emir Polat and Unknown
Type: Auxiliary
Pull request: #18447 [https://github.com/rapid7/metasploit-framework/pull/18447]
contributed by emirpolatt [https://github.com/emirpolatt]
Path: admin/http/atlassian_confluence_auth_bypass
AttackerKB reference: CVE-2023-22515
[https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515?referrer=blog]
Description: This adds an exploit for
4 min
Metasploit
Metasploit Weekly Wrap-Up: Oct. 19, 2023
That Privilege Escalation Escalated Quickly
This release features a module leveraging CVE-2023-22515
[https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/]
, a vulnerability in Atlassian’s on-premises Confluence Server first listed as a
privilege escalation, but quickly recategorized as a “broken access control”
with a CVSS score of 10. The exploit itself is very simple and easy to use so
there was little surprise when
3 min
Metasploit
Metasploit Weekly Wrap-Up: Oct. 13, 2023
Pollution in Kibana
This week, contributor h00die [https://github.com/h00die] added a module that
leverages a prototype pollution bug in Kibana prior to version 7.6.3.
Particularly, this issue is within the Upgrade Assistant and enables an attacker
to execute arbitrary code. This vulnerability can be triggered by sending a
queries that sets a new constructor.prototype.sourceURL directly to Elastic or
by using Kibana to submit the same queries. Note that Kibana needs to be
restarted or wait for c