How Yuri Semetsky Became a Vice President of Kingdom-Bank
(https://github.com/toxy4ny/semetsky---VP)
Or why the most dangerous weapon isn't an exploit, but the conviction that "we have everything under control"*
Prologue: The Rules of the Game
We arrived — the red team — at a certain Kingdom-State, a bank ranked within the top hundred by size. The King set harsh conditions, like winter ice:
"Here is an iron chest — bring nothing of your own. Everything you do will be recorded in the SOC chronicles. Try to break in, and we'll see if we notice."
The chest turned out to be cunning: not a Windows machine like everyone else, but Ubuntu, forged by local blacksmiths. And not just any — an overlay distribution, booting from the magical PXE tree straight into the heart of the hardware (BIOS). A minimal image plus a window where the servant enters the secret word — and gets transported to Virtual Windows-land, where they toil all day.
This Linux — like a shadow: identical for everyone, from the coffee lady to the vice president. The only difference is the name and password from AD. And crucially — the SOC only watches Windows-land. It pays no attention to the shadow.
Chapter One: The Shadow They Don't See
I sat at the chest, opened the terminal of shadows, and summoned the spirit of LinPEAS — not a magic wand, but a simple script that surveys the surroundings.
I learned many interesting things:
- The distribution was forged in 2023 and has lain like treasure in a swamp ever since — untouched, unupdated
- Sudo turned out to be ancient, with the hole CVE-2025-32463 — a key to the root kingdom
But here's the trouble: the local blacksmiths had removed GCC — you see, why should simple servants compile things? Protection, they call it.
No matter. I took my own chest (the one not under prohibition), compiled a .so file from the official exploit spell there. Brought it on a flash drive (and flash drives were allowed, for convenience!), modified the spell — let it load the ready-made file instead of compiling.
The exploit fired. Root obtained.
But root on an overlay Linux — like a king in exile: long is his shadow, but powerless is his authority. Reboot — and you are no more.
Chapter Two: The History They Didn't Erase
But shadows remember everything. I dug into bash_history — the chronicle of root's commands. And what do I see?
Login and password of the system noble-admin. In plain text. Just a string in history, as if password vaults had never been invented.
I entered these secret words into the RDP window — and found myself on the noble's desktop. What was there, my friends...
Chapter Three: The Desktop of the IT-Noble
Picture this:
- 20-30 shortcuts to other chest-servers, each a direct path to treasure vaults
- Screenshots of logins and passwords, arranged in folders "for convenience"
- A text file: "Contractor access via VPN to DMZ" — lying in "My Documents" like a family album
I went through all the RDP paths, found the Main Chest — the one that curates AD. But here the SOC is vigilant! Going into Active Directory directly — suicide for a quiet pentest.
Chapter Four: The Rise of Yuri Semetsky
But the noble-admin turned out to be a creator of groups as well. I checked who his account could spawn:
- It could!
- And not just a servant, but a vice president!
- And endow with custom rights: Windows, Linux, virtualization — whatever the heart desires
And so a new noble was born — Yuri Semetsky. The name taken from the tale of "STALKER", so he'd look like a regular employee in the SOC chronicles (who checks if such a person is on staff?).
We loaded Yuri up with everything possible:
- Rights to all iron chests
- Access to virtual worlds
- AD management (through custom delegations, not direct admin access — quiet, unnoticed)
Yuri Semetsky became the most powerful noble of the Kingdom — and no one noticed.
Chapter Five: The Silence of the SOC
And where were the guards? Where was the SOC that was supposed to see everything?
The SOC saw:
- A legitimate login by the noble-admin (I used his credentials, after all!)
- The creation of a new vice president (standard procedure, rights exist)
- The expansion of privileges (within delegated capabilities)
Nothing illegitimate happened. All actions — within granted rights, all accounts — existing (well, except Yuri, but he looked legitimate).
Overlay Linux? Not monitored.
Bash history? Who reads that?
Password in plaintext? "Well, happens, for debugging."
Epilogue: Why We Stopped
We could have:
- Entered AD as Yuri and done whatever we wanted
- Dug through Shares, searching for client gold
- Compromised every server one by one
But we stopped. Because:
The goal of red team isn't to break, but to show what breaks.
The CISO (Chief Guardian of the Kingdom) turned pale enough when he saw Yuri Semetsky in the vice president list. Further would just be cruelty.
The Moral of This Fable
What "protected" them | What actually was
"We have a SOC that monitors everything" SOC only monitors what's configured.
Overlay Linux is invisible - We have least privilege
Admins create custom groups with maximum rights "for convenience"
"We don't have passwords in plain text" What about command history? Screenshots on the desktop?
"We have updates" 2023 distribution, sudo with CVE-2025-32463
"Contractors are isolated in DMZ" Access data lies in "My Documents"
Postscript
Yuri Semetsky was deleted from AD an hour after our report. But here's what's interesting: no one knew how many such "Yuris" had been created before us, and whether another screenshot with a password lies somewhere.
The tale is a lie, yet hints within: check your overlay Linuxes, read the bash_history of your admins, and remember — the scariest exploit requires no Metasploit. Sometimes sudo -l and attentive eyes are enough.
P.S. If you think "we don't have this" — check if something boots via PXE, and when your "minimal image" was last updated. Perhaps you too have your own Yuri Semetsky, he just hasn't announced himself yet?
For Professionals: Technical Deep-Dive & Recommendations
Target Audience
- CISOs — understanding why "we have SOC" fails
- Red teamers — learning constraint-based methodology
- System architects — designing zero-trust boot environments
- Blue teamers — detection opportunities from real attack chain
Key Takeaways
"Minimal Linux image = secure" Unmonitored infrastructure = blind spot
"SOC monitors everything" SOC sees only what's configured to see
"Least privilege is enforced" Admins create "convenience" backdoors
"No plaintext passwords" bash_history, screenshots, sticky notes
"Contractors are isolated" Access data lives in "My Documents"
Attack Timeline
| Time | Phase | Technique | Detection Gap |
|------|-------|-----------|---------------|
| 0:00 | Setup | PXE-boot Ubuntu, terminal access | Linux overlay not monitored by SOC |
| 0:30 | Recon | LinPEAS execution | No EDR on host OS |
| 1:00 | Exploitation | CVE-2025-32463 via custom .so | Sudo vulnerability unpatched since 2023 |
| 1:30 | Privilege Escalation | Root on overlay FS | Temporary root dismissed as "non-persistent" |
| 2:00 | Credential Access | bash_history analysis | No DLP on admin workstations |
| 2:30 | Lateral Movement | RDP with found credentials | Legitimate admin login — no alert |
| 4:00 | Discovery | Desktop shortcuts, screenshots | No data classification on shares |
| 6:00 | Privilege Abuse | Custom VP group creation | No HR-AD correlation for executive accounts |
| 8:00 | Impact | Full AD delegation, infrastructure control | Anomaly detection absent for delegated rights |
Why This Worked: Root Causes
- Architectural debt — PXE-boot Linux as "temporary" solution became permanent
- Monitoring gaps — SOC built for Windows, blind to Linux attack surface
- Credential hygiene — single admin account with omnipotent rights + no vault
- Process failure — no workflow correlation between HR hiring and AD account creation
- Assumption of trust — "internal" equals "safe" in threat model
Mitigations (By Priority)
Immediate (0-30 days)
- [ ] Full EDR coverage on all boot environments, including overlay Linux
- [ ] Automated patching for critical vulnerabilities (sudo, kernel)
- [ ] Credential vault deployment (HashiCorp Vault, CyberArk, etc.)
- [ ] Disable or monitor
bash_historyfor patterns matching password regex
Short-term (1-3 months)
- [ ] Privileged Access Workstations (PAW) for admins — no internet, no USB, no shortcuts
- [ ] HR-AD integration: executive account creation requires ticket correlation
- [ ] DLP on all admin workstations: screenshot detection, clipboard monitoring
- [ ] Regular "assumed breach" exercises with your red team
Strategic (3-12 months)
- [ ] Zero-trust boot: attestation for PXE images, signed kernels only
- [ ] Behavior analytics: time-based anomalies, impossible travel for admin accounts
- [ ] Just-in-time (JIT) access: admin rights expire, require approval
- [ ] Purple team program: red defines attack, blue builds detection, repeat
Detection Opportunities for Blue Team
Anomaly: Linux overlay root activity
Data Source: Kernel audit logs, systemd journal
Query: uid=0 AND tty!=unknown AND parent_process NOT IN (cron, systemd)
Alert: Immediate (this should never happen in production)
Anomaly: Admin credentials in command history
Data Source: /root/.bash_history, /home/*/.bash_history
Pattern: (password|pwd|pass)=[^\s]+ OR ssh .*@.* followed by clear-text string
Alert: High (credential exposure)
Anomaly: New executive account outside business hours
Data Source: Windows Event ID 4720 (user created), 4728 (added to group)
Correlation: HR system API — active hiring ticket?
Time: NOT 09:00-18:00 weekdays
Alert: Critical if no HR correlation
Anomaly: Delegated rights expansion for new account
Data Source: AD audit, custom LDAP queries
Pattern: Account created + added to 5+ privileged groups within 1 hour
Alert: Critical (privilege escalation pattern)
Why We Stopped
"The goal of red team is not to break, but to show what breaks."
We could have:
- Extracted client databases
- Deployed persistence across all servers
- Created additional backdoor accounts
- Exfiltrated data to external infrastructure
We stopped because CISO turned pale seeing Yuri Semetsky in the VP list. Further action would be cruelty, not professional testing. The chain was proven; the lesson was delivered.
For Red Teamers: Methodology Notes
What worked under constraints:
- Speed tool (LinPEAS) justified by 1-day engagement window
- Manual adaptation when environment lacked expected tools (no GCC)
- Pivot through "legitimate" channels rather than noisy exploitation
- Documentation prioritized over additional compromise
What would elevate to A+:
- Canary token deployment to test detection latency
- Manual enum of critical paths parallel to automated scanning
- Alternative pretext: "temp migration specialist" vs "VP" (less visibility, same rights)
- Persistence testing on overlay FS: systemd service, cron, rc.local — would SOC notice reboot?
Credits & Context
- Engagement type: Internal infrastructure red team, assumed breach model
- Constraints: 8-hour window, single provided workstation, no external tools, no C2/persistence per SLA
- Team size: 2 operators
- Reporting: Real-time documentation, same-day executive briefing
"The tale is a lie, yet hints within: check your overlay Linuxes, read the bash_history of your admins, and remember — the scariest exploit requires no Metasploit. Sometimes sudo -l and attentive eyes are enough."
If you think "we don't have this" — check if something boots via PXE, and when your "minimal image" was last updated. Perhaps you too have your own Yuri Semetsky, he just hasn't announced himself yet.
Top comments (2)
This is soooo cool! 💯🦄
A masterclass in storytelling and security. The Yuri Semetsky twist was a stroke of genius—a ghost in the machine that became a Vice President while the SOC was busy guarding the front gate.
Thank you for turning a high-level Red Team report into a legendary tale.
More please!
we also thought with the team that we need to move away from the usual dry reports for the customer on the red team and turn them into a comic book, this will be a breakthrough in the history of information security))) Thank you for your warm comment!