A great example of how continuous penetration testing provides benefits. OccamSec was able to obtain root access on a system using several vulnerabilities that were identified over time. This gave our team (and would have given attackers) full access to a variety of sensitive data.
By combining information disclosure, WAF bypassing, local file inclusion, and a pkexec vulnerability, OSec was able to obtain access to a system and enumerate hosts, file shares, credentials, and establish persistence.
One of the key vulnerabilities had not been identified initially, and it was only with the release of a new CVE that allowed OccamSec to complete this attack chain. This exploit chain carries a critical risk rating as it allows an unauthenticated user access to a significant amount of sensitive data.
