Simon Lacasse works as a pentester at Desjardins, with a focus on company-wide objective-oriented security tests. He has a strong interest in web application and infrastructure security. With a background in software engineering, he enjoys making his own tools to solve the different problems at hand. When possible, he likes to give back to the community by making his tools public and open source. He is an alumnus of the PolyHack/PolyHx cybersecurity club from Polytechnique Montreal.
Weaponizing and auditing secret servers for further compromise
Applications use secret servers to store the credentials required for their day-to-day operations. Their usage increases as businesses improve application security and follow best practices. When permissions given to an application are too broad, the secret server becomes a central point of failure that can represent a new kind of weak link for an organization. It may be used as a stepping stone to further compromise the network.
As an attacker, when you compromise an application that can access a secret server and leak its credentials, the next logical step is to remotely access the secrets contained in the secret server. However, it can be tedious to thoroughly abuse secret servers within the duration of a security assessment, even more so when credentials obtained from the secret server can themselves connect to the secret server and recursion comes into play. Recursive extraction of credentials is useful to get the full potential out of your obtained accesses. A tool to tackle the issue will be released and detailed.