This week we added a pair of new post-exploitation modules from community contributor timb-machine. Both modules target UNIX machines running SSSD or One Identity's Vintela Authentication Services (VAS) as Active Directory integration solutions. The new UNIX Gather Cached AD Hashes module can be used on a UNIX target to obtain all cached Active Directory hashes, which can then be cracked using John the Ripper. The second module is UNIX Gather Kerberos Tickets, which, as the name suggests, can similarly be used on a vulnerable target to obtain cached Kerberos tickets.
Thanks to pedrib for two new pull requests related to Micro Focus Operations Bridge Manager and Bridge Reporter. Pedrib contributed a new Micro Focus Operations Bridge Reporter Unauthenticated Command Injection module, which exploits an unauthenticated command injection vulnerability on Linux, versions 10.40 and below (CVE-2021-22502). Pedrib also updated the existing Micro Focus Operations Bridge Manager Local Privilege Escalation module to also support Operations Bridge Reporter.
Congratulations to pingport80, who snagged PR #15,000! This enhancement replaces existing usages of which in Msf::Sessions::CommandShell.binary_exists with command -v, a more portable solution that works consistently across different shells.
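As an added illustration (not code from the Metasploit Framework or from the pull request), here is a POSIX sh check built on command -v; the function names binary_exists and first_available are assumptions of this example. It also rejects shell builtins and functions, which command -v reports by bare name rather than by path.

```sh
#!/bin/sh
# Added example, not Metasploit Framework code. Function names are assumptions.

# binary_exists NAME
# Succeeds only when NAME resolves to an executable file on disk.
# `command -v` is a POSIX shell builtin, so the check does not depend on an
# external `which` program being installed or on how it reports failure.
binary_exists() {
    case ${1:-} in
        ''|-*) return 1 ;;   # empty or option-like input is never a binary
    esac
    # External programs resolve to a pathname; builtins and functions
    # resolve to their bare name, aliases to their definition.
    _be_path=$(command -v "$1" 2>/dev/null) || return 1
    case $_be_path in
        /*) [ -f "$_be_path" ] && [ -x "$_be_path" ] ;;
        *)  return 1 ;;
    esac
}

# first_available NAME...
# Prints the first candidate that binary_exists accepts; fails if none do.
first_available() {
    for _fa_name in "$@"; do
        if binary_exists "$_fa_name"; then
            printf '%s\n' "$_fa_name"
            return 0
        fi
    done
    return 1
}

# Constructed demo input: one real program, one builtin, one missing name.
for name in sh cd no_such_tool_for_demo; do
    if binary_exists "$name"; then
        echo "$name: executable found"
    else
        echo "$name: not an executable on disk"
    fi
done
```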
Set-Cookie header responses when using the send_request_cgi keep_cookies option
which command with command -v giving us a more portable solution
exploit/windows/local/microfocus_operations_privesc module now supports both vulnerable Operations Bridge Manager installations and vulnerable Operations Bridge Reporter installations, with the new additional target being Operations Bridge Reporter.
post/windows/gather/checkvm module. This also notably adds cross-platform support for getting a list of running processes using shell and Meterpreter sessions.
exploit/multi/http/microfocus_ucmdb_unauth_deser module default Linux payload from cmd/unix/generic to cmd/unix/reverse_python.
auxiliary/scanner/http/dell_idrac module by cleaning up the code, adding the last_attempted_at field to create_credential_login to prevent a crash, and adding documentation for the module.
sessions -c.
tools/modules/module_author.rb so that it runs without crashing
msftidy_docs.rb now doesn't double warn on optional (and missing) Options headers.

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).