Post-exploitation can be one of the most time-consuming but worthwhile tasks that an offensive security professional engages in. Fundamentally, it is where you are able to demonstrate what an adversary could do after compromising a business. A big component of this is getting as far as you can without alerting the defenders to what you’re doing. The best way to do this is to “live off the land”: use the tools and services that are already part of everyday activity, so that your actions blend into the background noise. With the proliferation of cloud computing and the DevOps tools that have become a big part of modern infrastructure, there are new ways for an attacker to move across a network. Configuration management (CM) servers are one of those cases.

CM servers are used to provision systems in a consistent manner and to automate tasks such as patching, updates, and restarting downed services. They can also be used to manage secrets that are shared across multiple systems. CM servers are not only useful for day-to-day operations; they are equally useful to an attacker. When wielded properly, an attacker can use them to run arbitrary commands or scripts on any connected system.

Because there are several different configuration management tools on the market, there is no guarantee that a given target will be using one that the security professional on an engagement is familiar with. Each tool has its own language and its own process for doing things. Consequently, it can be incredibly time-consuming to figure out how to use these systems to do whatever the security professional intends to do. Given that time is always a massive constraint, the barrier to entry can be costly, and as a result the attack scenario can be overlooked or (Read more...)