All posts by Spencer McIntyre

Congrats to the winners of the 2021 Metasploit community CTF

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/12/06/congrats-to-the-winners-of-the-2021-metasploit-community-ctf/

Thanks to everyone who participated in this year’s Metasploit community CTF! Like last year, this CTF ran over the past 4 days and invited community members to solve a series of challenges. This year saw 1,501 users registered across 727 teams. If you participated in the CTF, we have a feedback survey up here:

https://forms.gle/YmMR6Rrk9LCcrXzi8

| Place | Team | Score |
|---|---|---|
| 1 | average ctf enjoyers | 1800 |
| 2 | deadastronauts | 1800 |
| 3 | LeukeTeamNaam | 1800 |
| 4 | PoSTLTimes | 1800 |
| 5 | EvilBunnyWrote | 1700 |
| 6 | BisonSquad | 1700 |
| 7 | Social Engineering Experts | 1700 |
| 8 | B47Sec | 1700 |
| 9 | AlphaSeal | 1700 |
| 10 | L1T | 1600 |
| 11 | APT593 | 1500 |
| 12 | IML-SEC | 1500 |
| 13 | NYUSEC | 1500 |
| 14 | Neutrino_Cannon | 1500 |
| 15 | just use bloodhound | 1500 |

We’ll be contacting the captains of the winning teams this week to arrange prize delivery. We want to thank CTFd again for providing the scoreboard software. We also want to thank our partners at TryHackMe for sponsoring prizes for the top 3 teams. Finally, we want to give a huge thank you to everyone who participated in this year’s CTF!

CTF Statistics

  • This year there were 18 total challenges for a maximum possible score of 1800
  • Four teams solved and captured all possible flags
  • The 4-of-hearts challenge had the most solves with 260, while the 7-of-hearts had the fewest at 6 (2.3% of registered teams)
  • A total of 265 teams made it onto the scoreboard
  • There were 1,264 correct challenge submissions and 1,524 incorrect challenge submissions

| Challenge | Solves |
|---|---|
| 4 of Hearts | 260 |
| 9 of Diamonds | 201 |
| 2 of Spades | 163 |
| 10 of Clubs | 92 |
| 5 of Diamonds | 70 |
| 4 of Diamonds | 68 |
| Jack of Hearts | 61 |
| 9 of Spades | 59 |
| Ace of Hearts | 56 |
| 2 of Clubs | 48 |
| 8 of Clubs | 43 |
| 3 of Hearts | 29 |
| Black Joker | 29 |
| 5 of Clubs | 27 |
| 4 of Clubs | 18 |
| Ace of Diamonds | 18 |
| 3 of Clubs | 16 |
| 7 of Hearts | 6 |

As always, we’re excited to see the different approaches the hacker community took to solve our challenges as detailed in their writeups. There’s a #write-up-links channel dedicated for this in the public Slack workspace that we encourage users to check out.

Metasploit Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/12/03/metasploit-wrap-up-141/

Metasploit CTF 2021 starts today

It’s that time of year again! Time for the 2021 Metasploit Community CTF. As of earlier today, over 1,100 users in more than 530 teams had registered, and the event is now open for participation, with 18 challenges to solve this year. Next week a recap and the winners will be announced, so stay tuned for more information.

Overlayfs LPE

This week Metasploit shipped an exploit for the recent Overlayfs vulnerability in Ubuntu Linux. The exploit works on Ubuntu 14.04 through 20.10, for both the x64 and aarch64 architectures, making it very accessible. The vulnerability stems from a lack of verification within the Overlayfs implementation and can be exploited reliably.

Older Exploit Improvements

Community member bcoles made a number of improvements to some older Windows exploits this week. The exploit for MS-03-026 now includes a check method along with module docs. MS-05-039 was tested and found to be reliable regardless of the target language pack, so its target was updated to reflect this. Additionally, MS-07-029 has 13 new targets for different Server 2000 and Server 2003 language packs. This set of improvements will go a long way in helping users test these critical vulnerabilities in older versions of Windows.

New module content (1)

  • 2021 Ubuntu Overlayfs LPE by bwatters-r7 and ssd-disclosure, which exploits CVE-2021-3493 – Adds a module for the CVE-2021-3493 Overlayfs local privilege escalation for Ubuntu versions 14.04 – 20.10.

Enhancements and features

  • #15914 from bcoles – This improves upon the exploit/windows/dcerpc/ms03_026_dcom module by adding a check method, documentation, and cleaning up the code.
  • #15915 from bcoles – This renames the Windows 2000 SP4 Languages targets in the ms05_039_pnp exploit to Windows 2000 SP4 Universal. It has been tested and was determined to not be language pack dependent.
  • #15918 from bcoles – This adds 13 new language pack-specific targets to the ms07_029_msdns_zonename exploit.
  • #15920 from smashery – This adds tab completion support to the powershell_import command.
  • #15928 from jmartin-r7 – This updates Metasploit Framework’s default Ruby version from 2.7 to 3. There should be no end-user impact.

Bugs fixed

  • #15897 from timwr – This fixes write_file() to return a boolean value instead of nil, so that modules which check the return value of write_file() calls behave correctly.
  • #15913 from timwr – This fixes handling for shellwords parsing of malformed user-supplied input, such as unmatched quotes, when interacting with command shell sessions.
  • #15917 from smashery – This fixes a tab completion bug in Meterpreter.
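To illustrate the class of failure that #15913 addresses, here is an added Ruby example (written for this page, not Metasploit’s own code) showing how Shellwords.split reacts to an unmatched quote and how a session command loop can report the error to the user instead of letting it abort the interaction. The tokenize_command and dispatch helpers are hypothetical names chosen for the example.

```ruby
require 'shellwords'

# Tokenize a line typed into a command shell session the way a POSIX shell
# would, but never let malformed input (an unmatched quote) raise out of the
# caller. Returns [argv, nil] on success or [nil, message] on failure.
# Hypothetical helper written for this example, not Metasploit's own code.
def tokenize_command(line)
  [Shellwords.split(line), nil]
rescue ArgumentError => e
  # Shellwords raises ArgumentError for unbalanced quotes; surface it as a
  # message rather than crashing the interactive session.
  [nil, "could not parse command line: #{e.message}"]
end

# Minimal dispatcher modelling what an interactive session loop does with each
# line: reject unparsable input with a message, ignore empty lines, otherwise
# hand back the command name and its arguments.
def dispatch(line)
  argv, err = tokenize_command(line)
  return { status: :error, message: err } if err
  return { status: :empty } if argv.empty?

  { status: :ok, command: argv.first, args: argv.drop(1) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: well-formed, malformed (unmatched quote), empty.
  ["ls -la '/tmp/my dir'", "echo 'unterminated", ''].each do |line|
    p dispatch(line)
  end
end
```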

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/11/05/metasploit-wrap-up-137/

GitLab RCE

New Rapid7 team member jbaines-r7 wrote an exploit targeting GitLab via the ExifTool command. Exploiting this vulnerability results in unauthenticated remote code execution as the git user. What makes this module extra neat is the fact that it chains two vulnerabilities together to achieve this desired effect. The first vulnerability is in GitLab itself and can be leveraged to pass invalid image files to the ExifTool parser, which contained the second vulnerability, whereby a specially-constructed image could be used to execute code. For even more information on these vulnerabilities, check out Rapid7’s post.

Less Than BulletProof

This week community member h00die submitted another WordPress module. This one leverages an information disclosure vulnerability in the WordPress BulletProof Security plugin that can disclose user credentials from a backup file. These credentials could then be used by an attacker to log in to WordPress if the hashed password can be cracked in an offline attack.

Metasploit Masterfully Manages Meterpreter Metadata

Each Meterpreter implementation is a unique snowflake that often incorporates API commands that others may not. A great example of this is all the missing Kiwi commands in the Linux Meterpreter. Metasploit now has much better support for modules to identify the functionality they require a Meterpreter session to have in order to run. This will help alleviate the frustration users encounter when they try to run a post module with a Meterpreter type that doesn’t offer the functionality it needs. This furthers the Metasploit project goal of providing more meaningful error information regarding post module incompatibilities, which has been an ongoing effort this year.

New module content (3)

  • WordPress BulletProof Security Backup Disclosure by Ron Jost (Hacker5preme) and h00die, which exploits CVE-2021-39327 – This adds an auxiliary module that leverages an information disclosure vulnerability in the BulletProof Security plugin for WordPress. This vulnerability is identified as CVE-2021-39327. The module retrieves a backup file, which is publicly accessible, and extracts user credentials from the database backup.
  • GitLab Unauthenticated Remote ExifTool Command Injection by William Bowling and jbaines-r7, which exploits CVE-2021-22204 and CVE-2021-22205 – This adds an exploit for an unauthenticated remote command injection in GitLab via a separate vulnerability within ExifTool. The vulnerabilities are identified as CVE-2021-22204 and CVE-2021-22205.
  • WordPress Plugin Pie Register Auth Bypass to RCE by Lotfi13-DZ and h00die – This exploits an authentication bypass which leads to arbitrary code execution in versions 3.7.1.4 and below of the WordPress plugin, pie-register. Supplying a valid admin id to the user_id_social_site parameter in a POST request now returns a valid session cookie. With that session cookie, a PHP payload as a plugin is uploaded and requested, resulting in code execution.

Enhancements and features

  • #15665 from adfoster-r7 – This adds additional metadata to exploit modules to specify Meterpreter command requirements. Metadata information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn’t support the required command functionality.
  • #15782 from k0pak4 – This updates the iis_internal_ip module to include coverage for the PROPFIND internal IP address disclosure as described by CVE-2002-0422.

Bugs fixed

  • #15805 from timwr – This bumps the metasploit-payloads version to include two bug fixes for the Python Meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/03/05/metasploit-wrap-up-101/

FortiOS Path Traversal

Returning community contributor mekhalleh submitted a module targeting a path traversal vulnerability within the SSL VPN web portal in multiple versions of FortiOS. The flaw is leveraged to read the usernames and passwords of currently logged-in users, which are stored in plaintext on the file system. This vulnerability is identified as CVE-2018-13379 and can be reliably exploited remotely, without any authentication. Despite the fact that the vulnerability is several years old, CVE-2018-13379 is still known to be exploited in the wild, including in state-sponsored attacks targeting U.S. government agencies and infrastructure.

Additional Module Updates

Two modules received improvements to their targeting capabilities. The ever-popular exploit for MS17-010 was updated by zerosum0x0 (one of the original authors) with an updated fingerprint for properly targeting Windows Storage Server 2008. This allows the exploit module to be used against affected versions of that Server 2008 variant. Additionally, a KarjaSoft Sami FTP exploit was updated by long-time community contributor bcoles, who made a number of improvements to it, most notably changing the exploit to rely only on an offset within a DLL that is distributed with the vulnerable software. When memory corruption exploits need the address of a POP, POP, RET instruction sequence (as this one does for the SEH overwrite), they are more reliable when referencing one in a library that is distributed with the software and won’t change, unlike libraries that come with the host operating system and are regularly updated.

New Modules (1)

  • FortiOS Path Traversal Credential Gatherer by lynx (Carlos Vieira) and mekhalleh (RAMELLA Sébastien), which exploits a directory traversal vulnerability (CVE-2018-13379) in the SSL VPN web portal of FortiOS 5.4.6 to 5.4.12, FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 to grab the /dev/cmdb/sslvpn_websession file, containing the plaintext list of currently connected usernames and their associated passwords. These credentials can then be saved to the creds database for use in future attacks.

Enhancements and features

  • #14783 from bcoles – The KarjaSoft Sami FTP Server v2.0.2 USER Overflow module has been updated with documentation, RuboCop updates, support for the AutoCheck mixin to automatically check if a target is vulnerable, an updated list of authors, as well as improvements to its exploit strategy that allow it to use only one offset within a DLL shipped with the target for exploitation, instead of relying on a Windows OS DLL whose offsets could change as the OS is updated.
  • #14838 from zerosum0x0 – The psexec_ms17_010.rb library has been updated to additionally fingerprint Windows Storage Server 2008 R2 as a potentially exploitable target, thereby allowing users to exploit Windows Storage Server 2008 R2 targets vulnerable to MS17-010.

Bugs Fixed

  • #14816 from dwelch-r7 – Ensures that the Faker library is always available for use within modules when generating fake data for bypassing WAFs etc.
  • #14821 from space-r7 – The search command within Meterpreter has had its logic updated to support searches that start at the root directory, aka /. These types of searches were previously not returning any results due to a logic bug within the code, which has now been fixed.
  • #14840 from dwelch-r7 – Removes a require rex/ui statement that prevented msfrpc from executing.
  • #14843 from dwelch-r7 – With the upgrade to zeitwerk in Metasploit, PseudoShell was not being picked up appropriately, resulting in some modules and tools not being able to load it when needed. A fix has now been applied to make sure that PseudoShell can be appropriately loaded by zeitwerk to prevent missing dependency issues.
  • #14853 from adfoster-r7 – Fixes an edge case when upgrading from an older version of Metasploit to Metasploit 6.0.32 when using the Mac Metasploit Omnibus installer directly or indirectly via Brew.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit 2020 Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2020/12/30/metasploit-2020-wrap-up/

2020 was certainly an interesting year. There were quite a few newsworthy events and some fantastic exploit content released. Let’s take a look at what 2020 meant for Metasploit.

Quick stats

Some quick statistics for Metasploit’s year.

  • 737 pull requests merged (and counting)
  • A net gain of +179 non-payload modules
  • 50 new Auxiliary modules
  • 134 new Exploit modules
  • 23 new Post modules
  • 2 CTFs hosted
  • 1 new version

Metasploit 6

The Metasploit team released version 6.0 of the framework over the summer. This major change brought quite a few improvements on two fronts: the Meterpreter transport protocol and SMBv3 support for client connections. Both of these offered transport encryption for common operations performed by Metasploit, providing better security for the users. Additionally, to showcase the SMBv3 support, Metasploit added a new module to perform agentless dumping of SAM hashes and LSA secrets (including cached creds) from remote Windows targets. The technique employed by this module has become very popular due to its reliability, and the native integration into the Metasploit Framework makes it easily accessible for users with all the related benefits like database and pivoting support.

CTFs

There were not one but two open CTFs hosted by the Metasploit team in 2020. These events invited the community to solve challenges in a fun and competitive environment. The most recent event included 1,903 users registered across 874 teams.

New module highlights

  • exploit/windows/local/anyconnect_lpe (CVE-2020-3153 & CVE-2020-3433) – This exploit module was an excellent example of a trend of patch bypasses this year. The module is capable of leveraging both the original vulnerability along with the bypass for maximum coverage.
  • exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move (CVE-2020-0787) – This exploit targeted Windows BITS to overwrite a DLL. Exploiting native services included on Windows is always useful, and the technique leveraged here to use the file system operation to obtain code execution was an interesting case.
  • post/multi/gather/enum_software_versions – It’s often important for users to know what is on a system they have compromised. This new module helps make that process simple by enumerating the installed software and their versions, allowing the user to identify interesting entries for exploitation or living-off-the-land techniques.
  • exploit/multi/misc/weblogic_deserialize_badattrval (CVE-2020-2555) – WebLogic is always a valuable target and deserialization vulnerabilities are quite reliable by nature. That combination makes this module particularly useful.
  • exploit/multi/misc/weblogic_deserialize_badattr_extcomp (CVE-2020-2883) – Another more recent WebLogic RCE that makes use of deserialization. Similar to CVE-2020-2555, this module is equally useful.
  • exploit/windows/local/cve_2020_0668_service_tracing (CVE-2020-0668) – Users can never have enough Windows LPE exploits, and this module offered another reliable vector. This module uses a simple DLL-based technique to obtain code execution from a file system operation.

SharePoint

Metasploit added its first exploits for the popular SharePoint platform since 2010. Four exploit modules were added: three leverage XML injection flaws, while the fourth targets a server-side include. These exploits leverage .NET deserialization to execute operating system commands, avoiding any kind of memory corruption and making exploitation relatively reliable. The .NET deserialization gadgets leveraged by these modules were also new in 2020. This functionality came in the form of a new library that even includes a command line tool for generating gadget chains for researchers.

Over the course of the year, some interesting patterns emerged. In general, there seemed to be an increase in disclosed vulnerabilities that were related to an insufficient remediation for a previous vulnerability. These so-called patch bypasses seem to be indicative of the increasing complexity of vulnerabilities and their respective fixes. Additionally, multiple exploits added to Metasploit leveraged vulnerable file system operations to obtain code execution on Windows. These LPEs used a combination of techniques that are becoming increasingly common, including op-locks and junctions. Metasploit is working on better support for these primitives to facilitate exploitation of vulnerabilities that use them.

With all that the project accomplished in 2020, the team looks forward to what 2021 will hold. New features are being discussed, and as always, the module pipeline continues to flow. Our sincere gratitude goes to all the members of the community that contributed to the project this year.
