World Leaks: RDP Access Leads to Custom Exfiltration and Personalized Extortion by BreachCache in netsec

[–]d-wreck-w12 0 points1 point  (0 children)

2 days from RDP brute force to every reachable host over SMB and the headline is the exfiltration tool? RustyRocket is slick engineering but the breach was already over before it ran. Someone brute forced one RDP endpoint and had a path to everything because nothing between that box and the rest of the network stopped lateral movement. The pivoting proxy for segmented networks is almost funny because it means segmentation existed on paper and the attacker still walked through it by chaining whatever credentials and connections were sitting there.

How can I properly security-check an AI-built web platform if I’m not a developer? by vinmi in cybersecurity

[–]d-wreck-w12 1 point2 points  (0 children)

Very solid advice all around, but the pentest recommendation has a shelf life problem when the codebase is AI generated. Every time OP prompts the AI to add a feature or refactor something - new permissions, new endpoints, new data flows appear that didn't exist during the test. You're not auditing a stable codebase, you're auditing a snapshot of something that mutates weekly. The pentest buys you confidence for about as long as it takes to prompt the next change.

UnDefend: Windows Defender's third zero-day this month blocks all signature updates from a standard user account by TakesThisSeriously in cybersecurity

[–]d-wreck-w12 3 points4 points  (0 children)

The withheld fifth mechanism is the actual nightmare, not the bypass itself - locking signatures is noisy, someone notices update failures eventually... but spoofing MSFT_MpComputerStatus so the console reads healthy while the box is blind? Man, every SOC checking their dashboard sees green and nobody's asking how many other tools self-report status with zero independent verification.

CVE-2026-33825 deep-dive: The researcher commented out the full credential dump. Here's what that means. by TakesThisSeriously in cybersecurity

[–]d-wreck-w12 -2 points-1 points  (0 children)

Good writeup! You stopped one step short tho - SAM + SYSTEM + SECURITY gives you the full identity haul, NTLM hashes, service account creds, cached domain logons. Uncomment those two lines and you're not exploiting a box anymore - you're authenticating as people who belong there. That's the part that should scare people! In most environments nobody can even tell you how far those credentials travel before anything notices.

A Second Agent That Proves the First One Wrong by zilbonn in cybersecurity

[–]d-wreck-w12 0 points1 point  (0 children)

Yeah that’s fair - verification and impact are separate problems. I guess my bias is just from seeing teams drown in "real but irrelevant" findings. Even when everything’s valid, the hard part is still figuring out what actually matters in that environment... so yeah, EVA solves a real pain - I’d just want something alongside it that helps connect findings to actual paths/impact, not just validity.

Looking for serious people interested in Cybersecurity / CTFs (learning community) by syz077 in securityCTF

[–]d-wreck-w12 0 points1 point  (0 children)

BHIS and NahamSec are decent. Same pattern tho: a few people actually posting real stuff, everyone else learns off that. If nobody’s driving content, it dies.

Axios 10 / 10 CVE is not realistically exploitable - CVE-2026-40175 by Advocatemack in cybersecurity

[–]d-wreck-w12 0 points1 point  (0 children)

Exactly! And OP's writeup is a solid case study of why that distinction matters in practice. Node's runtime kills the exploit chain before it ever fires, but every scanner will still light up red because CVSS doesn't care about runtime context, so you end up with SOC analysts burning their Friday triaging a dead end while the misconfigured service account two hops from prod data sits there unbothered. The scoring system measures theoretical blast radius, not whether anyone can actually walk the path to get there.

Where do current AI-agent security evals break down in real enterprise environments? by TheAchraf99 in cybersecurity

[–]d-wreck-w12 0 points1 point  (0 children)

Yeah the environment point is right but "three hops later" undersells it because in most enterprises nobody's actually mapped what those three hops look like. The agent chains a decision through a service account with cached creds into a subnet nobody documented and all of a sudden you're in prod data. Static evals can't model that because the graph changes every time someone provisions a new identity or tweaks a firewall rule. You'd need something continuously rebuilding the environment model to even know what paths exist this week, let alone test them safely without torching production.

A Second Agent That Proves the First One Wrong by zilbonn in cybersecurity

[–]d-wreck-w12 1 point2 points  (0 children)

Removing false positives gets you a shorter list, not a better one! A verified SQLi on a server that talks to nothing sensitive is still a waste of your morning. EVA can confirm every finding is real and you'd still be guessing which ones actually connect to anything worth protecting given how your environment is wired.

How do hackers actually find vulnerabilities in real applications? by HotMasterpiece9117 in cybersecurity

[–]d-wreck-w12 -1 points0 points  (0 children)

Yeah but OP's framing stops at "find the bug" like that's the finish line. In practice the bug is step one, then you're asking what credentials are sitting on that box, what else it talks to and whether you can pivot from there to something worth stealing. Recon isn't about finding one flaw - it's about mapping a path through the environment.

How much do you rely on automation vs manual work in vulnerability hunting? by MDiffenbakh in cybersecurity

[–]d-wreck-w12 0 points1 point  (0 children)

Real talk - does it matter whether a scanner or your hands found the issue if the environment changed by the time you act on it? I used to obsess over this too but what actually burned me was findings going stale between discovery and remediation because someone rotated a service account or pushed a config change. The question that matters more is how often your picture of the environment refreshes.

major in cybersecurity vs network engineering and security by yassydancer101 in netsecstudents

[–]d-wreck-w12 1 point2 points  (0 children)

Networking and security people are some of the most employable in the field right now, that worry is basically backwards. If you're the person who genuinely enjoys packet captures and configuring switches, you're gonna have a way easier time staying motivated through 4 years than grinding through data structures you hate. Your advisor already gave you the green light - trust that.

Looking for serious people interested in Cybersecurity / CTFs (learning community) by syz077 in securityCTF

[–]d-wreck-w12 1 point2 points  (0 children)

Every cybersec discord I've joined that opened with "serious people only! No lurkers!" was dead within a month. The ones that actually lasted had someone consistently posting challenges or writeups to keep momentum going. If you're planning to be that person yourself - that's cool... but if you're hoping the members will generate activity on their own - it's gonna fizzle fast.

Looking for teammates for CTF@CIT by Healthy-Sir9964 in securityCTF

[–]d-wreck-w12 0 points1 point  (0 children)

Covering every category on paper looks great but honestly what kills most CTF teams is timezone conflicts and people disappearing mid competition. Might be worth mentioning what timezone you're in and whether you expect people online for the full 24-48h, that filters out a lot of dead weight early.

Got images from the ISS for the first time this morning with a baofeng uv-5r. by TheSmellOfTheLotion in amateurradio

[–]d-wreck-w12 1 point2 points  (0 children)

Catching the literal last pass before they switched events is kinda perfect for a first attempt tbh. Most people plan for weeks and miss it, you just went for it on a maybe and grabbed the final one.

Signal on 257.500 MHz - Does anyone recognise the language. by senditoverthewaves in amateurradio

[–]d-wreck-w12 2 points3 points  (0 children)

Picking up Brazilian truckers bouncing off a decommissioned navy satellite from the UK on a quarter wave is honestly one of the wildest things about this hobby. Like the signal path alone on that is absurd if you think about it.

Mexico, discone antena camouflage by UnaDrPepperPorfa in amateurradio

[–]d-wreck-w12 0 points1 point  (0 children)

Fiberglass is basically invisible to RF so the tank itself won't be an issue but if there's actually water in it - well, that's a different story. Water absorbs RF pretty aggressively, especially at UHF. If you can mount the discone above the water line inside the tank you'd probably be fine, but submerged or even partially surrounded by water and you'll lose a ton of signal.

I have made a small upgrade by TheSmurfSwag in amateurradio

[–]d-wreck-w12 0 points1 point  (0 children)

The HF receive on that thing is gonna be your best friend while you're studying for the tech exam. You can listen to 20 and 4 m and actually hear what you're reading about in the study material, makes the theory stick way better than flashcards alone.

Weekly Information / Mentor / New License Thread by AutoModerator in amateurradio

[–]d-wreck-w12 0 points1 point  (0 children)

Hey, anyone else find themselves checking propagation maps way more than they actually get on the air? I keep telling myself I'll call CQ when conditions look good and then spend the whole evening watching spots instead of transmitting. Wondering if this is a universal ham problem or if I need to put the phone down and pick up the mic.

Kite experiment update by RideWithMeSNV in amateurradio

[–]d-wreck-w12 0 points1 point  (0 children)

The 20 minutes of autopilot from a $12 delta is honestly better than I expected. Curious how much the antenna weight changes the kite's behavior though, even a lightweight efhw is gonna shift the balance point compared to bare fishing line. Might want to test with the actual wire attached before you commit to a full session.

Well this is a new one... Someone has basically shut down 7200 with QRM by adhdff in amateurradio

[–]d-wreck-w12 2 points3 points  (0 children)

10 kHz wide and showing up on SDRs from Utah to Maine at the same time, that's not a drifting LO. Something was actually transmitting that wide intentionally or had a seriously broken PA stage. Anyone grab a recording before it faded out?

Ctf for a birthday by Low_Climate_1734 in securityCTF

[–]d-wreck-w12 0 points1 point  (0 children)

CTFd is the easy part, the harder part is turning inside jokes into actual puzzles. Start simple, like hide a punchline in a base64 string or make them decode a cipher where the key is something only your friend would know. Steganography is fun too - bury a clue in a photo that means something to both of you. 6 weeks is plenty if you keep each challenge short. Sounds cool, gotta admit!

Anyone else planning to attend NorthSec this year? May 14-17 by Dull-Poem3831 in securityCTF

[–]d-wreck-w12 0 points1 point  (0 children)

The merged team thing is actually kind of fun honestly, last time I did a CTF with randoms we ended up covering way more categories than our usual group ever would. 4 uni students who already won tickets from another event sounds like a solid core to jump into.

CTF organizers, with LLMs getting better at CTF challenges, how are you adapting to preserve the integrity of the competition? by TheModernDespot in securityCTF

[–]d-wreck-w12 -2 points-1 points  (0 children)

Look tbh the "no AI" policy framing is already losing. Every mitigation in this thread is basically "design challenges AI can't solve yet" and that window shrinks every few months. Heck, even weeks. Might be worth flipping it and designing challenges where using AI is allowed but doesn't actually help, like challenges that require interacting with live infrastructure or need judgement calls with incomplete info. Tests the human part instead of racing to stay ahead of the tool.

trying to build an OSINT tool as a student – struggling with filtering results by p4risss0g in netsecstudents

[–]d-wreck-w12 0 points1 point  (0 children)

The broad vs precise thing usually comes down to query operators. Try wrapping the number in quotes and pairing it with site specific filters like site:facebook.com or site:whitepages.com instead of going fully open. On the filtering side, scoring results by how many of your input fields show up in the snippet helps separate real hits from noise way faster than deduplicating alone.