Welcome to this first Spring Edition of the Metasploit wrap-up for 2019. We’ve brought in some great modules for you as we sit here in Texas and await the arrival of bluebonnets, allergies, and attack junebugs!

New modules (4)

Jenkins is a hugely popular developer toolkit for development and test automation, and it allows you to do many cool things like kick off tests and builds. It turns out that on versions 2.137 and earlier, it also allows you to bypass the access controls and reprogram Groovy documents to download and run JAR files, like, you know, Metasploit’s Java Meterpreter. Please check your versions and update if you need to do so!

An interesting authentication method in BMC Patrol Agent allows remote execution of commands as system or even domain administrator after only authenticating locally as a regular user. If you are running BMC Patrol Agent, explore the option of engaging ‘Restrictive Mode’ to help prevent this privilege escalation.

In another remote privilege escalation, the Webmin service runs as root on the host computer, yet allows lower-privileged users to run commands as root.

Despite only being the start of summer, it appears we are already preparing for the harvest! Some IBM BigFix servers can be used for data exfiltration if they are not set to require authentication when used as an external relay. If you run one of these, check out HD’s blog in the PR and make hackers sad. If you find one on a pen test, we’ve got you covered!

Enhancements and features

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).