Tools

Tools: How Yuri Semetsky Became a Vice President of Kingdom-Bank

2026-03-18 0 views admin
Tools: How Yuri Semetsky Became a Vice President of Kingdom-Bank

How Yuri Semetsky Became a Vice President of Kingdom-Bank (https://github.com/toxy4ny/semetsky---VP) Or why the most dangerous weapon isn't an exploit, but the conviction that "we have everything under control"* Prologue: The Rules of the Game We arrived — the red team — at a certain Kingdom-State, a bank ranked within the top hundred by size. The King set harsh conditions, like winter ice: "Here is an iron chest — bring nothing of your own. Everything you do will be recorded in the SOC chronicles. Try to break in, and we'll see if we notice." The chest turned out to be cunning: not a Windows machine like everyone else, but Ubuntu, forged by local blacksmiths. And not just any — an overlay distribution, booting from the magical PXE tree straight into the heart of the hardware (BIOS). A minimal image plus a window where the servant enters the secret word — and gets transported to Virtual Windows-land, where they toil all day. This Linux — like a shadow: identical for everyone, from the coffee lady to the vice president. The only difference is the name and password from AD. And crucially — the SOC only watches Windows-land. It pays no attention to the shadow. Chapter One: The Shadow They Don't See I sat at the chest, opened the terminal of shadows, and summoned the spirit of LinPEAS — not a magic wand, but a simple script that surveys the surroundings. I learned many interesting things: But here's the trouble: the local blacksmiths had removed GCC — you see, why should simple servants compile things? Protection, they call it. No matter. I took my own chest (the one not under prohibition), compiled a .so file from the official exploit spell there. Brought it on a flash drive (and flash drives were allowed, for convenience!), modified the spell — let it load the ready-made file instead of compiling. The exploit fired. Root obtained. But root on an overlay Linux — like a king in exile: long is his shadow, but powerless is his authority. Reboot — and you are no more. Chapter Two: The History They Didn't Erase But shadows remember everything. I dug into bash_history — the chronicle of root's commands. And what do I see? Login and password of the system noble-admin. In plain text. Just a string in history, as if password vaults had never been invented. I entered these secret words into the RDP window — and found myself on the noble's desktop. What was there, my friends... Chapter Three: The Desktop of the IT-Noble I went through all the RDP paths, found the Main Chest — the one that curates AD. But here the SOC is vigilant! Going into Active Directory directly — suicide for a quiet pentest. Chapter Four: The Rise of Yuri Semetsky But the noble-admin turned out to be a creator of groups as well. I checked who his account could spawn: And so a new noble was born — Yuri Semetsky. The name taken from the tale of "STALKER", so he'd look like a regular employee in the SOC chronicles (who checks if such a person is on staff?). We loaded Yuri up with everything possible: Yuri Semetsky became the most powerful noble of the Kingdom — and no one noticed. Chapter Five: The Silence of the SOC And where were the guards? Where was the SOC that was supposed to see everything? Nothing illegitimate happened. All actions — within granted rights, all accounts — existing (well, except Yuri, but he looked legitimate). Overlay Linux? Not monitored.Bash history? Who reads that?Password in plaintext? "Well, happens, for debugging." Epilogue: Why We Stopped But we stopped. Because: The goal of red team isn't to break, but to show what breaks. The CISO (Chief Guardian of the Kingdom) turned pale enough when he saw Yuri Semetsky in the vice president list. Further would just be cruelty. The Moral of This Fable What "protected" them | What actually was "We have a SOC that monitors everything" SOC only monitors what's configured. Overlay Linux is invisible - We have least privilegeAdmins create custom groups with maximum rights "for convenience""We don't have passwords in plain text" What about command history? Screenshots on the desktop?"We have updates" 2023 distribution, sudo with CVE-2025-32463"Contractors are isolated in DMZ" Access data lies in "My Documents" Yuri Semetsky was deleted from AD an hour after our report. But here's what's interesting: no one knew how many such "Yuris" had been created before us, and whether another screenshot with a password lies somewhere. The tale is a lie, yet hints within: check your overlay Linuxes, read the bash_history of your admins, and remember — the scariest exploit requires no Metasploit. Sometimes sudo -l and attentive eyes are enough. P.S. If you think "we don't have this" — check if something boots via PXE, and when your "minimal image" was last updated. Perhaps you too have your own Yuri Semetsky, he just hasn't announced himself yet? For Professionals: Technical Deep-Dive & Recommendations "Minimal Linux image = secure" Unmonitored infrastructure = blind spot "SOC monitors everything" SOC sees only what's configured to see "Least privilege is enforced" Admins create "convenience" backdoors "No plaintext passwords" bash_history, screenshots, sticky notes "Contractors are isolated" Access data lives in "My Documents" Attack Timeline| Time | Phase | Technique | Detection Gap ||------|-------|-----------|---------------|| 0:00 | Setup | PXE-boot Ubuntu, terminal access | Linux overlay not monitored by SOC || 0:30 | Recon | LinPEAS execution | No EDR on host OS || 1:00 | Exploitation | CVE-2025-32463 via custom .so | Sudo vulnerability unpatched since 2023 || 1:30 | Privilege Escalation | Root on overlay FS | Temporary root dismissed as "non-persistent" || 2:00 | Credential Access | bash_history analysis | No DLP on admin workstations || 2:30 | Lateral Movement | RDP with found credentials | Legitimate admin login — no alert || 4:00 | Discovery | Desktop shortcuts, screenshots | No data classification on shares || 6:00 | Privilege Abuse | Custom VP group creation | No HR-AD correlation for executive accounts || 8:00 | Impact | Full AD delegation, infrastructure control | Anomaly detection absent for delegated rights | Why This Worked: Root Causes Mitigations (By Priority) Immediate (0-30 days) Short-term (1-3 months) Strategic (3-12 months) Detection Opportunities for Blue Team Why We Stopped

"The goal of red team is not to break, but to show what breaks." We stopped because CISO turned pale seeing Yuri Semetsky in the VP list. Further action would be cruelty, not professional testing. The chain was proven; the lesson was delivered. For Red Teamers: Methodology Notes What worked under constraints: What would elevate to A+: "The tale is a lie, yet hints within: check your overlay Linuxes, read the bash_history of your admins, and remember — the scariest exploit requires no Metasploit. Sometimes sudo -l and attentive eyes are enough." If you think "we don't have this" — check if something boots via PXE, and when your "minimal image" was last updated. Perhaps you too have your own Yuri Semetsky, he just hasn't announced himself yet. Templates let you quickly answer FAQs or store snippets for re-use. This is soooo cool! 💯🦄 A masterclass in storytelling and security. The Yuri Semetsky twist was a stroke of genius—a ghost in the machine that became a Vice President while the SOC was busy guarding the front gate. Thank you for turning a high-level Red Team report into a legendary tale. we also thought with the team that we need to move away from the usual dry reports for the customer on the red team and turn them into a comic book, this will be a breakthrough in the history of information security))) Thank you for your warm comment! Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Code Block

Copy

Anomaly: Linux overlay root activity Data Source: Kernel audit logs, systemd journal Query: uid=0 AND tty!=unknown AND parent_process NOT IN (cron, systemd) Alert: Immediate (this should never happen in production) Anomaly: Admin credentials in command history Data Source: /root/.bash_history, /home/*/.bash_history Pattern: (password|pwd|pass)=[^\s]+ OR ssh .*@.* followed by clear-text string Alert: High (credential exposure) Anomaly: New executive account outside business hours Data Source: Windows Event ID 4720 (user created), 4728 (added to group) Correlation: HR system API — active hiring ticket? Time: NOT 09:00-18:00 weekdays Alert: Critical if no HR correlation Anomaly: Delegated rights expansion for new account Data Source: AD audit, custom LDAP queries Pattern: Account created + added to 5+ privileged groups within 1 hour Alert: Critical (privilege escalation pattern) Anomaly: Linux overlay root activity Data Source: Kernel audit logs, systemd journal Query: uid=0 AND tty!=unknown AND parent_process NOT IN (cron, systemd) Alert: Immediate (this should never happen in production) Anomaly: Admin credentials in command history Data Source: /root/.bash_history, /home/*/.bash_history Pattern: (password|pwd|pass)=[^\s]+ OR ssh .*@.* followed by clear-text string Alert: High (credential exposure) Anomaly: New executive account outside business hours Data Source: Windows Event ID 4720 (user created), 4728 (added to group) Correlation: HR system API — active hiring ticket? Time: NOT 09:00-18:00 weekdays Alert: Critical if no HR correlation Anomaly: Delegated rights expansion for new account Data Source: AD audit, custom LDAP queries Pattern: Account created + added to 5+ privileged groups within 1 hour Alert: Critical (privilege escalation pattern) Anomaly: Linux overlay root activity Data Source: Kernel audit logs, systemd journal Query: uid=0 AND tty!=unknown AND parent_process NOT IN (cron, systemd) Alert: Immediate (this should never happen in production) Anomaly: Admin credentials in command history Data Source: /root/.bash_history, /home/*/.bash_history Pattern: (password|pwd|pass)=[^\s]+ OR ssh .*@.* followed by clear-text string Alert: High (credential exposure) Anomaly: New executive account outside business hours Data Source: Windows Event ID 4720 (user created), 4728 (added to group) Correlation: HR system API — active hiring ticket? Time: NOT 09:00-18:00 weekdays Alert: Critical if no HR correlation Anomaly: Delegated rights expansion for new account Data Source: AD audit, custom LDAP queries Pattern: Account created + added to 5+ privileged groups within 1 hour Alert: Critical (privilege escalation pattern) - The distribution was forged in 2023 and has lain like treasure in a swamp ever since — untouched, unupdated - Sudo turned out to be ancient, with the hole CVE-2025-32463 — a key to the root kingdom - 20-30 shortcuts to other chest-servers, each a direct path to treasure vaults - Screenshots of logins and passwords, arranged in folders "for convenience" - A text file: "Contractor access via VPN to DMZ" — lying in "My Documents" like a family album - And not just a servant, but a vice president! - And endow with custom rights: Windows, Linux, virtualization — whatever the heart desires - Rights to all iron chests - Access to virtual worlds - AD management (through custom delegations, not direct admin access — quiet, unnoticed) - A legitimate login by the noble-admin (I used his credentials, after all!) - The creation of a new vice president (standard procedure, rights exist) - The expansion of privileges (within delegated capabilities) - Entered AD as Yuri and done whatever we wanted - Dug through Shares, searching for client gold - Compromised every server one by one - CISOs — understanding why "we have SOC" fails - Red teamers — learning constraint-based methodology - System architects — designing zero-trust boot environments - Blue teamers — detection opportunities from real attack chain - Architectural debt — PXE-boot Linux as "temporary" solution became permanent - Monitoring gaps — SOC built for Windows, blind to Linux attack surface - Credential hygiene — single admin account with omnipotent rights + no vault - Process failure — no workflow correlation between HR hiring and AD account creation - Assumption of trust — "internal" equals "safe" in threat model - [ ] Full EDR coverage on all boot environments, including overlay Linux - [ ] Automated patching for critical vulnerabilities (sudo, kernel) - [ ] Credential vault deployment (HashiCorp Vault, CyberArk, etc.) - [ ] Disable or monitor bash_history for patterns matching password regex - [ ] Privileged Access Workstations (PAW) for admins — no internet, no USB, no shortcuts - [ ] HR-AD integration: executive account creation requires ticket correlation - [ ] DLP on all admin workstations: screenshot detection, clipboard monitoring - [ ] Regular "assumed breach" exercises with your red team - [ ] Zero-trust boot: attestation for PXE images, signed kernels only - [ ] Behavior analytics: time-based anomalies, impossible travel for admin accounts - [ ] Just-in-time (JIT) access: admin rights expire, require approval - [ ] Purple team program: red defines attack, blue builds detection, repeat - Extracted client databases - Deployed persistence across all servers - Created additional backdoor accounts - Exfiltrated data to external infrastructure - Speed tool (LinPEAS) justified by 1-day engagement window - Manual adaptation when environment lacked expected tools (no GCC) - Pivot through "legitimate" channels rather than noisy exploitation - Documentation prioritized over additional compromise - Canary token deployment to test detection latency - Manual enum of critical paths parallel to automated scanning - Alternative pretext: "temp migration specialist" vs "VP" (less visibility, same rights) - Persistence testing on overlay FS: systemd service, cron, rc.local — would SOC notice reboot? - Engagement type: Internal infrastructure red team, assumed breach model - Constraints: 8-hour window, single provided workstation, no external tools, no C2/persistence per SLA - Team size: 2 operators - Reporting: Real-time documentation, same-day executive briefing - Location Dallas, TX - Joined Aug 24, 2024 - Email [email protected] - Work RedTeamer - Joined Mar 20, 2025

🏷️ Tags

toolsutilitiessecurity toolssemetskybecamepresidentkingdomgithub

More from Tools

Tools: Gas-Aware Trading: Execute Only When Gas Is Cheap (2026)

Tools: Gas-Aware Trading: Execute Only When Gas Is Cheap (2026)

2026-03-30 0
Tools: Grafana k6 Has a Free API That Load Tests Your APIs With JavaScript - Full Analysis

Tools: Grafana k6 Has a Free API That Load Tests Your APIs With JavaScript - Full Analysis

2026-03-30 0
Tools: Caddy Has a Free API That Gives You Automatic HTTPS With Zero Configuration (2026)

Tools: Caddy Has a Free API That Gives You Automatic HTTPS With Zero Configuration (2026)

2026-03-30 0
Tools: Fly.io Has a Free API That Deploys Docker Apps Globally With Edge Hosting (2026)

Tools: Fly.io Has a Free API That Deploys Docker Apps Globally With Edge Hosting (2026)

2026-03-30 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views