# HackTeam.red Case Study: From API Keys to Full Infrastructure Compromise
Professional Penetration Testing & Red Team Operations
How a simple JavaScript reconnaissance led to complete infrastructure compromise
HackTeam.RED successfully demonstrated a complete infrastructure compromise of the andromeda.lab environment (all original names have been changed for ethical reasons), escalating from exposed API keys to full system access, including:
- Database dumps containing 2.7GB of sensitive data
- AIX system snapshot with complete OS configuration
- S3 bucket enumeration revealing internal infrastructure
- Security database extraction with user credentials
- Network infrastructure mapping of internal services
Total Time: 4 hours | Critical Findings: 15+ | Systems Compromised: 3
Our engagement began with a web application assessment of terminal.andromeda.lab, where reconnaissance of the client-side JavaScript revealed exposed API configuration:
```js
// Discovered in client-side JavaScript
const keys = {
  DEDATA_KEY: '31151cd87af40e5-------------------',
  YM_COUNTER_KEY: '8----------',
  AMPLITUDE_API_KEY: '0227beb540------------------',
  AMPLITUDE_AGENT_API_KEY: 'f588db0-----------------',
  CAPTCHA_CLIENT_KEY: 'ysc1_BrgRYcMK4mtVLR------------------------------------'
};
```
Severity: HIGH - Exposed API keys in production
Our team immediately recognized the potential impact:
- Amplitude keys - User analytics and behavioral data access
- Dedata integration - Personal data enrichment service
- Yandex services - Traffic analytics and user tracking
- SmartCaptcha keys - Domain verification bypass
Finding: Dual API key architecture discovered
- AMPLITUDE_API_KEY - Server-side data export
- AMPLITUDE_AGENT_API_KEY - Client-side event injection
```bash
# HackTeam.red Custom Exploitation
curl -X POST "https://api2.amplitude.com/2/httpapi" \
  -H "Content-Type: application/json" \
  -d '{
    "api_key": "f588db0a4d77--------------------",
    "events": [{
      "user_id": "recon_agent",
      "event_type": "session_extract"
    }]
  }'
# Result: {"code":200,"events_ingested":1}
```
CONFIRMED ACCESS
Impact: Direct ability to inject tracking events and potentially extract user behavioral patterns.
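The key exposure above is straightforward to catch before a bundle ships. The following added example (ours, not part of the original engagement or any HackTeam.RED tooling) scans a constructed JS bundle with the same `const keys = {...}` shape, separates constants whose names mark them as browser-facing from server-style secrets, and rates the latter by entropy; the naming markers, the entropy threshold and all key values are assumptions.

```python
import math
import re

# Constructed sample of a client-side bundle in the shape quoted above; every value
# is a placeholder, not one of the redacted keys from the engagement.
SAMPLE_BUNDLE = """
const keys = {
  DEDATA_KEY: 'c9f3a1e2b7d4f60a8e5c1b2d3f4a5b6c',
  YM_COUNTER_KEY: '87654321',
  AMPLITUDE_API_KEY: 'a1b2c3d4e5f60718293a4b5c6d7e8f90',
  AMPLITUDE_AGENT_API_KEY: 'f0e1d2c3b4a5968778695a4b3c2d1e0f',
  CAPTCHA_CLIENT_KEY: 'ysc1_PLACEHOLDER_SITEKEY_0000000000000000'
};
"""

# `NAME: 'value'` pairs inside a JS object literal (single or double quotes).
PAIR_RE = re.compile(r"\b([A-Z][A-Z0-9_]+)\s*:\s*['\"]([^'\"]+)['\"]")
SECRET_NAME_RE = re.compile(r"(KEY|SECRET|TOKEN)$")
# Assumed naming convention: these markers mean the value is designed to reach
# browsers (public site keys, client/agent tokens, analytics counter IDs).
CLIENT_MARKER_RE = re.compile(r"(CLIENT|AGENT|SITE|PUBLIC|COUNTER)")

def shannon_entropy(value: str) -> float:
    """Bits per character: random hex is about 4.0, a short counter ID far lower."""
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))

def classify(name: str, value: str) -> str:
    """Rate one constant found in a client bundle."""
    if CLIENT_MARKER_RE.search(name):
        # Meant to be public, but the backend must still restrict what it can do
        # (domain allowlist, ingest-only scope); otherwise it is abusable too.
        return "info"
    if len(value) >= 16 and shannon_entropy(value) >= 3.0:
        # High-entropy credential with no client marker: a server-side key
        # shipped to every visitor. This is the exposure described above.
        return "high"
    return "low"

def scan_bundle(js: str) -> dict[str, str]:
    """Map every secret-looking constant in the bundle to a severity."""
    return {name: classify(name, value)
            for name, value in PAIR_RE.findall(js)
            if SECRET_NAME_RE.search(name)}

if __name__ == "__main__":
    for name, severity in sorted(scan_bundle(SAMPLE_BUNDLE).items()):
        print(f"{severity:<5} {name}")
```

Run as a pre-commit or CI step over built bundles, any `high` result blocks the release until the key is moved behind a server-side endpoint.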
Further analysis revealed internal infrastructure through the Yandex SmartCaptcha configuration:
```
https://smartcaptcha.yandexcloud.net/backend.636bb879d1085041b.html
  ?sitekey=ysc1_BrgRYcMK4mtVLRhi-------------------------------------
  &host=terminal.andromeda.lab
```
Our reconnaissance revealed critical infrastructure details:
- Domain: buckets.cloud.venus.local
- Architecture: S3-compatible object storage
- Access Level: Public enumeration possible
We deployed our proprietary S3 enumeration framework, discovering:
```xml
<ListBucketResult>
  <Name>logs</Name>
  <Contents>
    <Key>dump.BZ</Key>
    <Size>2726426112</Size>
    <Owner>
      <DisplayName>user1234@soc.venus.local</DisplayName>
    </Owner>
  </Contents>
  <Contents>
    <Key>snap.pax</Key>
    <Size>22155776000</Size>
  </Contents>
</ListBucketResult>
```
Severity: CRITICAL - Complete system dumps accessible
dump.BZ:
- Size: 2.7GB encrypted/compressed database dump
- Format: Custom AIX firmware-assisted dump
- Content: Complete system state including memory contents
snap.pax:
- Size: 22GB complete AIX system snapshot
- Contains: Full filesystem, configurations, user data
- Extracted: 1,120 files successfully recovered
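An anonymously listable bucket is the root of the finding above. This added example (ours, not the team's enumeration framework) parses a constructed `ListBucketResult`, with or without the S3 XML namespace, and flags objects that should never sit in a listable bucket: dump and snapshot names, multi-gigabyte sizes, and owner fields that expose an internal address. The name markers, the size threshold and the sample objects are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed ListBucketResult shaped like the listing above; object names and the
# owner address are placeholders. Real S3 responses carry the xmlns shown here; the
# listing quoted on the page has none, so the parser accepts both.
SAMPLE_LISTING = b"""<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>logs</Name>
  <Contents><Key>dump.BZ</Key><Size>2726426112</Size>
    <Owner><DisplayName>user@example.invalid</DisplayName></Owner></Contents>
  <Contents><Key>snap.pax</Key><Size>22155776000</Size></Contents>
  <Contents><Key>access-2024-12-10.log</Key><Size>40960</Size></Contents>
</ListBucketResult>"""

# Name fragments that mark system images, archives and database dumps.
DUMP_MARKERS = (".pax", ".bz", ".bz2", ".tar", ".gz", ".sql", "dump", "snap", "backup")
LARGE_OBJECT_BYTES = 1 << 30  # 1 GiB

def _local(tag: str) -> str:
    """Drop the XML namespace so tag names compare with or without one."""
    return tag.rsplit("}", 1)[-1]

def parse_listing(xml_bytes: bytes) -> list[dict]:
    """Return one {'key', 'size', 'owner'} record per <Contents> element."""
    objects = []
    for node in ET.fromstring(xml_bytes):
        if _local(node.tag) != "Contents":
            continue
        fields = {_local(child.tag): child for child in node}
        owner = fields.get("Owner", [])  # optional element
        display = next((s.text for s in owner if _local(s.tag) == "DisplayName"), None)
        objects.append({"key": fields["Key"].text,
                        "size": int(fields["Size"].text),
                        "owner": display})
    return objects

def audit_listing(xml_bytes: bytes) -> list[str]:
    """Describe each object an anonymously listable bucket should never hold."""
    findings = []
    for obj in parse_listing(xml_bytes):
        reasons = []
        if any(marker in obj["key"].lower() for marker in DUMP_MARKERS):
            reasons.append("dump/snapshot/archive name")
        if obj["size"] >= LARGE_OBJECT_BYTES:
            reasons.append(f"{obj['size'] / LARGE_OBJECT_BYTES:.1f} GiB")
        if obj["owner"] and "@" in obj["owner"]:
            reasons.append("owner field exposes an internal address")
        if reasons:
            findings.append(f"{obj['key']}: {', '.join(reasons)}")
    return findings
```

Feed it the body of an unauthenticated `GET /` against each bucket endpoint from a scheduled job; any response that parses at all means public listing is enabled, and any finding means sensitive content is exposed.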
```
# HackTeam.RED Analysis Results
CRITICAL SYSTEM FILES RECOVERED:
├── privkey.pag - Private keys database
├── pwdhist.pag - Password history
├── passwd.etc - System users
├── hosts - Internal infrastructure map
├── ssh_config - SSH configurations
└── 9x DBM security databases
```
System Profile:
```
AIX inferno-p870lp1 2 7 00CA41C74C00
Dump Date: Tue Dec 10 18:12:53 US 2024
Infrastructure: Enterprise AIX 7.2
Role: Production database server
```
HackTeam.RED developed a custom Python framework for firmware-assisted dump analysis:
- Pattern Recognition: Pattern-driven string extraction
- Credential Detection: Automated password/key discovery
- Network Mapping: Infrastructure relationship analysis
- Context Analysis: Behavioral pattern recognition
Categories Analyzed:
- Credentials: 50+ potential authentication secrets
- Andromeda.lab References: Direct domain and service mentions
- Network Intelligence: Internal service mapping
- Database Strings: Connection patterns and schemas
- Email Harvesting: User account enumeration
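The categories listed above map onto a simple pre-upload scan that would have flagged both dumps before they reached shared storage. This added example (ours, not the team's Python framework) extracts printable strings from a constructed byte blob the way strings(1) does and buckets them into credentials, database connection strings, network addresses and e-mail addresses; the patterns are assumptions and the blob is entirely placeholder data.

```python
import re

# Constructed byte blob standing in for a slice of a system dump. Everything in it
# is a placeholder (reserved .invalid names, dummy hash); nothing comes from the dump.
SAMPLE_DUMP = (
    b"\x00\x00\x7fELF\x02\x01\x00\x00"
    b"root:!:0:0::/:/usr/bin/ksh\x00"
    b"dbadmin:$6$saltsalt$AAAAAAAAAAAAAAAAAAAA\x00\x01\x02"
    b"postgresql://app_user:Secr3t!@db01.corp.example.invalid:5432/sales\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\x00"
    b"10.20.30.40 db01.corp.example.invalid db01\x00"
    b"ops-team@example.invalid\x00\xff\xfe\x00"
)
MIN_STRING = 6

def extract_strings(blob: bytes, min_len: int = MIN_STRING) -> list[str]:
    """Same idea as strings(1): runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

# Category label -> pattern. A string may land in more than one category.
CATEGORIES = {
    # crypt(3) hashes, PEM private-key headers, passwd-style account records
    "credentials": re.compile(r"\$[156]\$[^:\s]+|BEGIN [A-Z ]*PRIVATE KEY|"
                              r"^[a-z_][a-z0-9_]*:[^:\s]*:\d+:\d+:"),
    "database": re.compile(r"\b(?:postgres(?:ql)?|mysql|jdbc|mongodb|oracle)://\S+", re.I),
    "network": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}

def triage_dump(blob: bytes) -> dict[str, list[str]]:
    """Bucket every extracted string into each category whose pattern it matches."""
    hits = {label: [] for label in CATEGORIES}
    for s in extract_strings(blob):
        for label, pattern in CATEGORIES.items():
            if pattern.search(s):
                hits[label].append(s)
    return hits

if __name__ == "__main__":
    for label, strings in triage_dump(SAMPLE_DUMP).items():
        print(f"{label}: {len(strings)} hit(s)")
```

In a backup pipeline the same scan gates the upload: a non-empty `credentials` bucket means the archive needs encryption and a restricted destination, not a public listing.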
Exposed API keys:
- Impact: Data exfiltration, user tracking, service abuse
- Recommendation: Immediate key rotation and server-side validation
Public S3 bucket:
- Impact: Complete infrastructure exposure
- Recommendation: Access control implementation and audit
System dumps:
- Impact: Full system compromise, credential exposure
- Recommendation: Emergency incident response required
Network intelligence:
- Impact: Network mapping, lateral movement opportunities
- Recommendation: Network segmentation and monitoring
- Rotate all exposed API keys
- Secure S3 bucket access controls
- Remove sensitive dumps from accessible storage
- Audit system access logs
- Implement API key server-side validation
- Deploy S3 bucket monitoring
- Conduct full credential audit
- Network segmentation assessment
- Security architecture review
- Penetration testing program
- Security awareness training
- Incident response plan testing
| Area | Risk Level | Potential Impact |
|---|---|---|
| Data Security | Critical | Customer PII exposure |
| Compliance | High | Regulatory violations |
| Reputation | High | Brand damage potential |
| Operations | Medium | Service disruption risk |
Estimated Cost of Breach: $500K - $2M+ (based on industry standards)
- Custom tool development for unique scenarios
- AI-powered analysis frameworks
- Enterprise-grade reporting and remediation
- AIX/Unix system forensics
- Cloud infrastructure security
- API security assessment
- Memory dump analysis
- Clear risk quantification
- Actionable remediation plans
- Compliance-ready documentation
- Executive-level reporting
HackTeam.RED offers comprehensive penetration testing and red team services:
- Web Application Security Assessment
- API Security Testing
- Cloud Infrastructure Penetration Testing
- Social Engineering & Phishing
- Red Team Operations
HackTeam.RED - Where Red Team Meets Real Results
- OWASP Testing Guide v4.2
- NIST Cybersecurity Framework
- SANS Penetration Testing Methodology
- MITRE ATT&CK Framework
- Custom HackTeam.red Playbooks
This assessment was carried out for our customer with their written consent, in a production environment, following a black-box approach. All vulnerabilities have since been fixed by the customer; for ethical reasons we do not name the customer, so all names have been replaced and any real artifacts that could be misused have been removed. The material is presented for educational purposes and security research. HackTeam.RED conducts all tests with explicit written permission and adheres to the principles of responsible disclosure.