
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-28-2025
  • Blog Title: Metasploit Wrap-Up 11/28/2025
  • Suggested Section: Multiple sections:
  • "Active Directory Methodology" / "Lateral Movement" / "NTLM" for the SMB → MSSQL NTLM relay pattern (add under NTLM relay and lateral movement examples).
  • "Network Services Pentesting" → "80,443 - Pentesting Web Methodology" → vendor-specific subsection for "Fortinet Fortiweb" (update/extend existing Fortinet Fortiweb content or add a FortiWeb RCE chain example).
  • "Linux Hardening" → "Linux Privilege Escalation" (new IGEL OS-specific local privesc example) and "Linux Post-Exploitation" / persistence for IGEL registry startup persistence and SUID-based file exfiltration patterns.
  • "Pentesting Web" / "Web Vulnerabilities Methodology" for Flowise RCE via custom MCP handling and JS injection (as concrete examples of RCE in AI/LLM orchestration platforms, potentially cross-linked from "AI Security").
  • "Windows Hardening" → "Windows Local Privilege Escalation" / "Privilege Escalation with Autoruns" or a dedicated "Application-based Persistence" subsection for Notepad++ plugin DLL persistence.
  • "Binary Exploitation" → payloads / architecture notes (or a short note under "Linux Hardening" → "Bypass FS protections" or similar) for Linux RISC‑V chmod syscall payloads as minimal post-exploitation helpers.

🎯 Content Summary

This Metasploit Weekly Wrap-Up describes changes between Metasploit Framework 6.4.99 and 6.4.100, highlighting 10 new modules and 3 bug fixes. The focus is on new exploit and post-exploitation capabilities (NTLM relay, unauthenticated Fortinet RCE, IGEL OS privesc and persistence, Flowise RCE, Notepad++ persistence) plus new RISC‑V payload coverage.


Microsoft Windows SMB → MSSQL NTLM Relay (auxiliary/server/relay/smb_to_mssql)
Path: server/relay/smb_to_mssql

🔧 Technical Details

SMB → MSSQL NTLM Relay
Run an SMB server that accepts and validates NTLM authentication from coerced or opportunistic SMB clients. When credentials are received, immediately relay the NTLM authentication to a target MSSQL server. If the relay succeeds, open an MSSQL session and execute arbitrary SQL or additional Metasploit MSSQL modules. This technique turns SMB authentication exposure into direct database access and can be combined with name‑resolution attacks or printer/coercion attacks to harvest and reuse domain or local credentials.


FortiWeb Unauthenticated HTTP RCE via CVE Chain
Use a chain of FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) against the HTTP management interface. First, exploit the initial bug to reach privileged internal functionality or bypass normal authorization, then leverage the second bug to inject or execute OS‑level code. Because the chain is unauthenticated, any exposed FortiWe...

🤖 Agent Actions

Summary:

  • Expanded AI-MCP-Servers.md with a deep-dive into the new Flowise attack surface, covering both the JavaScript evaluation bug (CVE-2025-59528) and the unsandboxed command/args launcher (CVE-2025-8943).
  • Documented precisely how the /api/v1/node-load-method/customMCP endpoint processes attacker-controlled mcpServerConfig values, including ready-to-use cURL/JSON payloads that mirror the new Metasploit modules.
  • Added concrete detection ideas and hardening steps (patch levels, config flags, network protections, secret rotation) plus an updated references section citing the Rapid7 blog and the upstream advisories that describe these flaws.

Tests: Not run (documentation-only change).

Note: Additional techniques from the wrap-up would require touching other files, but current instructions limit changes to a single file, so the update focused on the Flowise AI/MCP content.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
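The SMB → MSSQL relay described in the Technical Details above, modelled end to end as an added Python example. This is not the Metasploit module's code and the MSSQL side is a toy NTLM acceptor, not a TDS implementation; the NT hash, account name, FILETIME and TLS certificate hash are constructed for the demo. It shows why handing the MSSQL server's CHALLENGE to a coerced SMB client yields an AUTHENTICATE that MSSQL accepts (the NTLMv2 proof binds only the challenge and the client's own data, not the service the client believes it is talking to), and why channel binding breaks the relay: the client binds its response to the transport it is actually on (plain SMB, so an all-zero binding), which can never match the token an endpoint that requires Extended Protection computes from its own TLS certificate.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo values; no real credentials or captured traffic.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")   # NT hash of "password"
USER, DOMAIN = "svc_backup", "CORP"
MSSQL_TLS_CERT_HASH = hashlib.sha256(b"constructed MSSQL TLS cert").digest()

MSV_AV_EOL, MSV_AV_NB_DOMAIN, MSV_AV_CHANNEL_BINDINGS = 0x0000, 0x0002, 0x000A


def ntowf_v2(nt_hash, user, domain):
    """MS-NLMP 3.3.2: ResponseKeyNT = HMAC_MD5(NTHash, UTF16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def pack_av(pairs):
    """Serialise AV_PAIRs (id, value) and terminate the list with MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(val)) + val for av_id, val in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_av(blob):
    pairs, off = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[off:off + av_len]
        off += av_len


def channel_binding_token(tls_cert_hash):
    """tls-server-end-point binding (RFC 5929) hashed the MS-NLMP way: MD5 over a
    gss_channel_bindings_struct whose initiator/acceptor address fields are zero."""
    app_data = b"tls-server-end-point:" + tls_cert_hash
    return hashlib.md5(struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data).digest()


def client_authenticate(challenge_msg, cbt):
    """Victim's side of NTLMv2. `cbt` is the binding of the transport the client itself
    is using: all-zero for plain SMB, the TLS token for a direct encrypted TDS login."""
    server_challenge, target_info = challenge_msg
    av = parse_av(target_info)                 # echoes whatever TargetInfo it was handed
    av[MSV_AV_CHANNEL_BINDINGS] = cbt
    timestamp = struct.pack("<Q", 133_800_000_000_000_000)   # constructed FILETIME
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + os.urandom(8) + b"\x00" * 4
            + pack_av(av.items()) + b"\x00" * 4)
    key = ntowf_v2(NT_HASH, USER, DOMAIN)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return {"user": USER, "domain": DOMAIN, "nt_response": nt_proof + temp}


class MssqlServer:
    """Minimal model of the MSSQL (SSPI) acceptor; require_cbt ~ Extended Protection = Required."""

    def __init__(self, require_cbt):
        self.require_cbt = require_cbt
        self.challenge = os.urandom(8)
        self.target_info = pack_av([(MSV_AV_NB_DOMAIN, DOMAIN.encode("utf-16-le"))])
        self.cbt = channel_binding_token(MSSQL_TLS_CERT_HASH)

    def challenge_msg(self):
        return (self.challenge, self.target_info)

    def verify(self, auth):
        nt_proof, temp = auth["nt_response"][:16], auth["nt_response"][16:]
        key = ntowf_v2(NT_HASH, auth["user"], auth["domain"])   # the DC does this for real
        expected = hmac.new(key, self.challenge + temp, hashlib.md5).digest()
        if not hmac.compare_digest(nt_proof, expected):
            return False
        if self.require_cbt:
            # 28 fixed bytes (type, reserved, timestamp, client challenge, reserved) precede the AV_PAIRs
            client_cbt = parse_av(temp[28:]).get(MSV_AV_CHANNEL_BINDINGS, b"")
            return hmac.compare_digest(client_cbt, self.cbt)
        return True


def relay_smb_to_mssql(require_cbt):
    """The relay: the attacker's SMB server sits between a coerced client and MSSQL."""
    mssql = MssqlServer(require_cbt)
    challenge = mssql.challenge_msg()                           # 1. attacker starts a login, gets MSSQL's CHALLENGE
    auth = client_authenticate(challenge, cbt=b"\x00" * 16)    # 2. forwards it over SMB; victim answers it
    return mssql.verify(auth)                                   # 3. forwards the AUTHENTICATE to MSSQL


def legitimate_login(require_cbt):
    mssql = MssqlServer(require_cbt)
    auth = client_authenticate(mssql.challenge_msg(), cbt=channel_binding_token(MSSQL_TLS_CERT_HASH))
    return mssql.verify(auth)


if __name__ == "__main__":
    print("relay, no EPA       :", relay_smb_to_mssql(False))   # True
    print("relay, EPA required :", relay_smb_to_mssql(True))    # False
    print("direct, EPA required:", legitimate_login(True))      # True
```

Two things the model deliberately leaves out are worth keeping in mind when reading the real module: the relay never learns the NTLM session key (SessionBaseKey is derived from ResponseKeyNT, which only the client and the DC hold), so a target that enforces signing or sealing also defeats it; and the NT hash is only used here to stand in for the DC's validation, the attacker never needs it. On the defensive side, the `require_cbt` branch is what SQL Server's Extended Protection "Required" setting on an encrypted endpoint gives you; without TLS on the MSSQL listener there is no certificate to bind to and the check cannot be enforced.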

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-28-2025

Content Categories: Based on the analysis, this content was categorized under "Multiple sections:

  • "Active Directory Methodology" / "Lateral Movement" / "NTLM" for the SMB → MSSQL NTLM relay pattern (add under NTLM relay and lateral movement examples).
  • "Network Services Pentesting" → "80,443 - Pentesting Web Methodology" → vendor-specific subsection for "Fortinet Fortiweb" (update/extend existing Fortinet Fortiweb content or add a FortiWeb RCE chain example).
  • "Linux Hardening" → "Linux Privilege Escalation" (new IGEL OS-specific local privesc example) and "Linux Post-Exploitation" / persistence for IGEL registry startup persistence and SUID-based file exfiltration patterns.
  • "Pentesting Web" / "Web Vulnerabilities Methodology" for Flowise RCE via custom MCP handling and JS injection (as concrete examples of RCE in AI/LLM orchestration platforms, potentially cross-linked from "AI Security").
  • "Windows Hardening" → "Windows Local Privilege Escalation" / "Privilege Escalation with Autoruns" or a dedicated "Application-based Persistence" subsection for Notepad++ plugin DLL persistence.
  • "Binary Exploitation" → payloads / architecture notes (or a short note under "Linux Hardening" → "Bypass FS protections" or similar) for Linux RISC‑V chmod syscall payloads as minimal post-exploitation helpers.".

Repository Maintenance:

  • MD Files Formatting: 913 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
