Metasploit Wrap-Up 02/27/2026

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-02-27-2026
• Blog Title: Metasploit Wrap-Up 02/27/2026
• Suggested Section: Pentesting Web -> File Inclusion/Path traversal (add: artifact pull/install flows -> arbitrary file write -> .so library-load RCE) AND Windows Hardening -> Windows Local Privilege Escalation / Persistence (add: Active Setup persistence) AND Linux Hardening -> Linux Post-Exploitation (add: WSL -> Windows Startup folder persistence bridge)

🎯 Content Summary

Title / context
Rapid7 Metasploit Framework Weekly Wrap-Up dated Feb 27, 2026 (Metasploit 6.4.115 → 6.4.116) highlights newly merged modules plus reliability/UX fixes. The post is primarily actionable for operators because it names the exact Metasploit module paths, upstream pull requests, and the core exploitation primitives each new module leverages (path traversal → arbitrary file write → library-load RCE; unauth command injection; stack overflow RCE on VoIP endpoints), plus...

🔧 Technical Details

1. Path traversal in artifact “pull/install” flows → arbitrary file write → RCE via shared library loading
   If a service downloads artifacts (models/packages/images) and writes them to disk based on a path that can be influenced by the user, and that path accepts traversal sequences (e.g., ../), the attacker can turn a normal “pull” into an arbitrary file write. A common escalation is to write a malicious .so and then trigger a new process spawn (or a code path that loads libraries) so the dynamic loader maps the attacker’s library, yielding RCE. This is the core technique behind the Ollama chain (CVE-2024-37032): rogue registry + traversal-based writes + library-load-on-process-start behavior.
   
   2) Pre-auth command injection in web-managed appliances → immediate RCE
   Where a web endpoint concatenates attacker-controlled input into a shell command (or equivalent command execution primitive) without authentication...

🤖 Agent Actions

Summary:

1. Added artifact pull/install traversal → arbitrary file write → .so load RCE chain to file inclusion/path traversal guidance.
2. Added Active Setup persistence caveats (user context, one-time execution) to autorun binaries section.
3. Added WSL → Windows Startup folder persistence technique to Linux post-exploitation.

Files updated:

• src/pentesting-web/file-inclusion/README.md
• src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
• src/linux-hardening/linux-post-exploitation/README.md

Tests: Not run (docs-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-02-27-2026

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> File Inclusion/Path traversal (add: artifact pull/install flows -> arbitrary file write -> .so library-load RCE) AND Windows Hardening -> Windows Local Privilege Escalation / Persistence (add: Active Setup persistence) AND Linux Hardening -> Linux Post-Exploitation (add: WSL -> Windows Startup folder persistence bridge)".

Repository Maintenance:

• MD Files Formatting: 949 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0