Metasploit Wrap-Up 03/06/2026

src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md

@@ -354,13 +354,26 @@ Read the request in the file, PAYLOADreplace it with the actual payload and subm
 The request will be urlencoded by default according to the HTTP format, which can be --urlencode-payload 0turned off.
 ```
 
+
+## Authenticated Template Preview SSTI (Jinja2)
+
+Some apps let authenticated users preview reporting/email templates. If the preview endpoint evaluates user-supplied Jinja2 without a sandbox, the preview becomes an SSTI sink and can reach RCE.
+
+Typical exploitation workflow:
+1. Authenticate to the app API (often a token-based API).
+2. Discover the API base URL from a client-side config (for example `/env-config.js`).
+3. Submit a malicious template to the preview endpoint to trigger server-side execution.
+
+Metasploit example: `linux/http/tacticalrmm_ssti_rce_cve_2025_69516` automates auth + API discovery + preview exploitation for a Tactical RMM deployment.
+
+
 ## References
 
+- [https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-03-06-2026](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-03-06-2026)
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
 - Check [attr trick to bypass blacklisted chars in here](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#python3).
 - [https://twitter.com/SecGus/status/1198976764351066113](https://twitter.com/SecGus/status/1198976764351066113)
 - [https://hackmd.io/@Chivato/HyWsJ31dI](https://hackmd.io/@Chivato/HyWsJ31dI)
 
 {{#include ../../banners/hacktricks-training.md}}
 
-