@@ -384,6 +384,23 @@ You can see how to use these tools in:
../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
{{#endref}}

#### SMB→MSSQL NTLM relay with TLS-aware listeners

Metasploit 6.4.102 ships `auxiliary/server/relay/smb_to_mssql`, a malicious SMB service that relays captured NTLM authentication to one or more SQL Servers. When a coerced host hits the listener (via printer spooler, WebDAV, UNC injection, etc.) the module harvests the challenge/response, dials every configured MSSQL target, and opens an interactive SQL console if the credentials are accepted. The SQL client now honors servers that advertise or enforce `Encrypt=True`, so the relay works inside environments where TLS is mandatory.

Typical workflow:

```text
msf6 > use auxiliary/server/relay/smb_to_mssql
msf6 auxiliary(smb_to_mssql) > set SRVHOST 0.0.0.0
msf6 auxiliary(smb_to_mssql) > set RELAY_TARGETS 10.10.120.15,10.10.120.20
msf6 auxiliary(smb_to_mssql) > run -j
# Coerce SMB auth (PetitPotam, dfscoerce, printerbug, etc.)
# Successful relays spawn interactive SQL shells with the relayed identity
```

Because the TLS stack was uplifted in the MSSQL client library, modules such as `auxiliary/scanner/mssql/mssql_login` and the new relay automatically negotiate encryption when the server requires it. This closes a common gap where brute-force or relay tooling would fail once DBAs flipped the “Force Encryption” flag in SQL Server Configuration Manager.

### Abusing MSSQL trusted Links

[**Read this post**](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **to find more information about how to abuse this feature:**
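Review bot: the new `#### SMB→MSSQL NTLM relay with TLS-aware listeners` heading is one level deeper than the `### Abusing MSSQL trusted Links` heading that follows it, so it renders as a sub-section of whatever `###` precedes this hunk rather than as its own topic; `###` would fit the surrounding structure. Two accuracy points in the `text` block: the console prompt shows the module's full path, i.e. `msf6 auxiliary(server/relay/smb_to_mssql) >`, and `SRVHOST 0.0.0.0` is already the default for server modules, so that line could be dropped or marked optional. Finally, this section repeats the text added to `src/windows-hardening/ntlm/README.md` in the same PR almost verbatim; the page already uses `{{#ref}}` blocks (see the `{{#endref}}` at the top of this hunk), so a short paragraph plus a ref to the NTLM page would avoid maintaining the same material twice.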
@@ -709,6 +726,7 @@ You probably will be able to **escalate to Administrator** following one of thes

## References

- [Rapid7 – Metasploit Wrap-Up 12/12/2025](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-12-2025)
- [Unit 42 – Phantom Taurus: WMI-driven direct SQL collection via batch/sqlcmd](https://unit42.paloaltonetworks.com/phantom-taurus/)
- [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
- [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
@@ -721,15 +739,6 @@ You probably will be able to **escalate to Administrator** following one of thes
- [https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp](https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp)


- [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
- [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
- [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
- [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
- [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/)
- [https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/](https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/)
- [https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)
- [https://mayfly277.github.io/posts/GOADv2-pwning-part12/](https://mayfly277.github.io/posts/GOADv2-pwning-part12/)
- [https://exploit7-tr.translate.goog/posts/sqlserver/?\_x_tr_sl=es&\_x_tr_tl=en&\_x_tr_hl=en&\_x_tr_pto=wapp](https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp)

## HackTricks Automatic Commands

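Review bot: removing the duplicated reference block leaves three consecutive blank lines between the `exploit7-tr.translate.goog` entry and `## HackTricks Automatic Commands` (the two blank lines that preceded the deleted block plus the one that followed it); collapse them to a single blank line so the list and the next heading are separated the same way as elsewhere on the page.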
@@ -372,6 +372,24 @@ requests.post(TARGET_URL + '/vulnerable', json = {
requests.get(TARGET_URL)
```

### React Server Components Flight prototype pollution (CVE-2025-55182)

React Server Components (RSC) backends that expose the Flight protocol in React 18/Next.js 14 parse attacker-controlled multipart chunks into a plain JavaScript object that maps module identifiers to loader metadata. Using reserved keys such as `proto`, `constructor`, or `prototype` in the chunk name writes directly into `Object.prototype` during deserialization, so the next request that instantiates a component inherits the polluted prototype and executes attacker logic.

1. **Find the Flight endpoint** (`/_rsc`, `/_next/data/<build>.json?__flight__=1`, etc.) and confirm it accepts `multipart/mixed` uploads.
2. **Craft a malicious Flight stream** where the JSON tuple for the module sets `"proto"` (or `"constructor"`) to an object whose `constructor.prototype` exposes `globalThis.process`. When the runtime evaluates the chunk, the pollution reaches Node’s internals.
3. **Trigger gadget evaluation** by overriding helpers that React executes (e.g., `prepareStackTrace`, `Symbol.toPrimitive`, or `toJSON`) so they spawn a child process.

Example PoC payload (shortened for clarity):

```bash
curl -sk -X POST https://rsc.target/_rsc \
-H 'Content-Type: multipart/mixed; boundary=----hacktricks' \
--data-binary $'------hacktricks\r\nContent-Type: application/json; charset=utf-8\r\n\r\n["I","proto","server",{"constructor":{"prototype":{"prepareStackTrace":"return process.mainModule.require(\\"child_process\\").execSync(\\"id\\").toString()"}}}]\r\n------hacktricks--'
```

Metasploit automates the entire unauthenticated chain via `multi/http/react2shell_unauth_rce_cve_2025_55182` (and an alternate implementation from PR #20747). The module discovers the Flight endpoint, builds the malicious multipart request with the dangerous keys, and drops a payload even when the target requires HTTPS/TLS.

### Preventive Measures

To reduce the risk of prototype pollution, the strategies listed below can be employed:
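Review bot: the key names in this section look like a formatting casualty rather than the actual sink: `proto` is not a reserved JavaScript property and assigning it on a plain object changes nothing, yet the paragraph and the PoC chunk `["I","proto","server",…]` present it as the pollution vector alongside `constructor` and `prototype`. Please verify the intended key against the advisory before merging; as written, a reader would come away with the wrong idea of what the bug is. Two documentation gaps: the section names affected versions ("React 18/Next.js 14") but never the fixed releases, which the `### Preventive Measures` section directly below would want to point at; and "an alternate implementation from PR #20747" should link the PR or be dropped, since a bare number in a wiki page is not traceable.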
@@ -394,5 +412,6 @@ To reduce the risk of prototype pollution, the strategies listed below can be em
- [https://dev.to/caffiendkitten/prototype-inheritance-pollution-2o5l](https://dev.to/caffiendkitten/prototype-inheritance-pollution-2o5l)
- [https://itnext.io/prototype-pollution-attack-on-nodejs-applications-94a8582373e7](https://itnext.io/prototype-pollution-attack-on-nodejs-applications-94a8582373e7)
- [https://blog.p6.is/AST-Injection/](https://blog.p6.is/AST-Injection/)
- [Rapid7 – Metasploit Wrap-Up 12/12/2025](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-12-2025)

{{#include ../../../banners/hacktricks-training.md}}
15 changes: 15 additions & 0 deletions src/pentesting-web/file-upload/README.md
@@ -517,6 +517,20 @@ Despite their adaptability, polyglots do encounter limitations. For instance, wh

More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)

### Magento SessionReaper nested deserialization + unauth upload (CVE-2025-54236)

Adobe Commerce/Magento’s SessionReaper payment workflow deserializes nested attacker-controlled structures before a shopper is authenticated. The cart payment handler blindly calls `unserialize()` on arrays that include metadata for the `\Magento\MediaStorage\Model\File\Uploader` helper, so a guest can populate keys such as `tmp_name`, `name`, and the destination path. That polluted state is later consumed by an unauthenticated upload endpoint that copies files from the temporary path into the public media directory.

Attack chain outline:

1. Reach any guest checkout endpoint that accepts serialized `payment[additional_data]` blobs (SessionReaper creates them automatically for saved payment methods).
2. Embed a second serialized payload that defines upload options (target path, filename, and the payload body encoded as base64). Because the platform unwraps the object twice, your data survives every validation layer.
3. Call the exposed SessionReaper upload endpoint to drop your PHP payload (e.g., under `pub/media/tmp/sessionreaper/`).
4. Request the uploaded file directly to execute arbitrary code as the PHP-FPM/web server user.

Metasploit’s `multi/http/magento_sessionreaper` module chains the nested deserialization bug and the unauthenticated uploader: it forges the serialized payment gadget, smuggles a PHP stager onto disk, and then triggers it automatically.


### Upload valid JSONs like if it was PDF

How to avoid file type detections by uploading a valid JSON file even if not allowed by faking a PDF file (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**):
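Review bot: "SessionReaper" is the name Sansec gave to CVE-2025-54236, not a Magento component, so `Magento's SessionReaper payment workflow`, `SessionReaper creates them automatically` (step 1) and `the exposed SessionReaper upload endpoint` (step 3) all read as if a product feature carried that name; the paragraph and those steps should name the actual REST/checkout endpoints from the advisory instead. Related: `pub/media/tmp/sessionreaper/` in step 3 looks like a placeholder rather than a path the vulnerable code uses; either cite where it comes from or label it an example. Step 2's "your data survives every validation layer" is vague and should say which check is bypassed. Also list the Adobe hotfix or patched version next to the CVE so readers can tell a fixed install from a vulnerable one, and drop one of the two blank lines before `### Upload valid JSONs like if it was PDF`.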
@@ -527,6 +541,7 @@ How to avoid file type detections by uploading a valid JSON file even if not all

## References

- [Rapid7 – Metasploit Wrap-Up 12/12/2025](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-12-2025)
- [When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise](https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/)

- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files)
11 changes: 11 additions & 0 deletions src/pentesting-web/registration-vulnerabilities.md
@@ -362,8 +362,19 @@ Content-Type: application/json

Impact: Full Account Takeover (ATO) without any reset token, OTP, or email verification.

## Role parameter abuse – WordPress King Addons (CVE-2025-8489)

The King Addons for Elementor plugin (24.12.92–51.1.14) exposes a public AJAX handler that consumes a `user_role` parameter during signup. The handler never validates the requested role against WordPress’ role registry and forwards the string straight into `wp_insert_user`, so unauthenticated callers can create fully privileged identities.

1. Send `POST /wp-admin/admin-ajax.php` with the plugin’s registration `action`, attacker‑controlled credentials, and `user_role=administrator` (any higher capability such as `editor` or custom roles also works).
2. WordPress writes the account with the supplied role and immediately returns the activation payload; no email verification or CSRF token is required.
3. Log into `/wp-admin/` with the new account and leverage native features—uploading a ZIP plugin containing a PHP payload, editing theme files, or installing arbitrary extensions—to execute code on the server.

Metasploit’s `multi/http/wp_king_addons_privilege_escalation` module automates the chain: it registers the rogue admin, uploads a trojanized plugin, and drops a session/command payload.

## References

- [Rapid7 – Metasploit Wrap-Up 12/12/2025](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-12-2025)
- [How I Found a Critical Password Reset Bug (Registration upsert ATO)](https://s41n1k.medium.com/how-i-found-a-critical-password-reset-bug-in-the-bb-program-and-got-4-000-a22fffe285e1)
- [Microsoft MSRC – Pre‑hijacking attacks on web user accounts (May 2022)](https://msrc.microsoft.com/blog/2022/05/pre-hijacking-attacks/)
- [https://salmonsec.com/cheatsheet/account_takeover](https://salmonsec.com/cheatsheet/account_takeover)
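Review bot: `editor` in step 1 is a role, not a capability, so "any higher capability such as `editor` or custom roles" should read "any other role". The section should also name the fixed release from the advisory: the range `24.12.92–51.1.14` implies a patch exists but never says which version adds the role validation, which is what a reader auditing a site needs. Step 3 restates generic post-admin WordPress techniques that the site covers on its own pages; a link there would keep this section focused on the role-parameter flaw. Minor: `attacker‑controlled` in step 1 appears to use a non-breaking hyphen (U+2011) rather than a plain `-`, which breaks search and copy-paste.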
13 changes: 13 additions & 0 deletions src/windows-hardening/ntlm/README.md
@@ -342,7 +342,20 @@ krbrelayx.py -t TARGET.DOMAIN.LOCAL -smb2support
* Kerberos AP-REQ containing a subsession key and a client principal equal to the hostname.
* Windows Event 4624/4648 SYSTEM logons immediately followed by remote SMB writes from the same host.

## SMB-to-MSSQL NTLM relay with TLS-required SQL Servers

Enterprise SQL clusters often require TLS (`Encrypt=True`) on port 1433, which historically broke many relay workflows. Metasploit 6.4.102 adds `auxiliary/server/relay/smb_to_mssql`, a coercion-friendly SMB listener that forwards captured NTLM authentications into TLS-capable MSSQL sessions. Once a workstation authenticates to the rogue SMB share, the module negotiates encryption with each configured SQL host and spawns an interactive SQL shell under the relayed identity.

Typical use:

1. Launch the listener and define targets: `use auxiliary/server/relay/smb_to_mssql`, set the local `SRVHOST`/`SRVPORT`, and list SQL hosts in `RELAY_TARGETS`.
2. Trigger SMB authentication from the victim (PrinterBug, DFSCoerce, UNC path injection, etc.).
3. When the relay succeeds, issue Transact-SQL commands (enumeration, `xp_cmdshell`, data theft) through the interactive prompt that Metasploit opens, even if the SQL Server enforces TLS.

The same TLS uplift also lands in `auxiliary/scanner/mssql/mssql_login`, so brute-force or password spraying campaigns can talk to hardened SQL Servers without falling back to plaintext.

## References
* [Rapid7 – Metasploit Wrap-Up 12/12/2025](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-12-2025)
* [NTLM Reflection is Dead, Long Live NTLM Reflection!](https://www.synacktiv.com/en/publications/la-reflexion-ntlm-est-morte-vive-la-reflexion-ntlm-analyse-approfondie-de-la-cve-2025.html)
* [MSRC – CVE-2025-33073](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073)

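Review bot: this section omits the detection/mitigation angle that the bullets right above it (`Kerberos AP-REQ…`, `Windows Event 4624/4648…`) give for the previous technique, which is the pattern this page follows. Worth adding: SQL Server's own relay defence is Extended Protection for Authentication (the `Extended Protection` setting under the instance's protocol properties in SQL Server Configuration Manager, set to Required), which binds the NTLM exchange to the TLS channel; `Encrypt=True` alone does not do that, and the text as written could leave a reader believing forced encryption stops the relay. On the detection side, a Windows-authenticated SQL logon (message 18453, or `SUCCESSFUL_LOGIN_GROUP` in a server audit) for a machine or user identity arriving from an IP that is not that host is the observable artifact. Finally, paragraphs 1 and 3 duplicate the new section in the MSSQL page from this same PR; pick one home for the text and cross-reference the other with `{{#ref}}`.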