
Demonstrating total AD takeover from low privilege VPN access

Client: Confidential

Service: Penetration Testing

Industry: Consulting

Year: 2025

A mid-sized consulting firm engaged Fortuna to conduct an internal network penetration test. The objective was to evaluate whether an attacker with limited VPN access could exploit weaknesses in internal web applications and escalate privileges into the Active Directory domain.

Problem

The client relied heavily on internal collaboration tools—Jira, Confluence, and related Atlassian services—and maintained a traditional Active Directory environment powering most internal authentication flows. They lacked visibility into whether outdated services, weak segmentation, or unpatched application vulnerabilities could create a privilege-escalation path. Leadership wanted an adversarial assessment that simulated a real attacker entering through VPN access and attempting full domain compromise.

Solution

Fortuna began by obtaining initial internal access through the client's VPN—mirroring the level of access available to a low-privilege contractor or compromised employee account. From there, we performed targeted reconnaissance and identified Jira and Confluence instances running inside the network.

Our assessment revealed that Confluence was still vulnerable to CVE-2022-26134, a widely exploited remote code execution flaw. Fortuna exploited the vulnerability to obtain a local account on the host. Even though the account did not have root privileges, we identified a previously unseen method for sniffing Confluence credentials in transit: using strace to monitor memory usage of the Confluence process and capture cleartext enterprise passwords on their way to the LDAP server. This technique enabled us to recover the domain administrator's password.

Using the compromised credentials, we escalated privileges and achieved full administrative access to the client's Active Directory domain controller, demonstrating complete compromise of identity infrastructure.
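A defensive counterpart to the strace step described above, as an added example that is not from Fortuna's engagement or tooling: it scans auditd SYSCALL records for ptrace attach requests aimed at the Confluence JVM. The log lines, PID 4321, the UIDs and the audit rule named in the comment are constructed assumptions.

```python
import re

# Assumed audit rule feeding these records: -a always,exit -F arch=b64 -S ptrace -k ptrace_watch
PTRACE_SYSCALL = "101"  # ptrace(2) on x86_64 (arch=c000003e)
ATTACH_REQUESTS = {0x10: "PTRACE_ATTACH", 0x4206: "PTRACE_SEIZE"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed auditd records (not from the engagement); auditd logs a0/a1 as bare hex.
SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=101 success=yes '
    'exit=0 a0=4206 a1=10e1 a2=0 a3=0 pid=7001 uid=1001 comm="strace" exe="/usr/bin/strace"',
    'type=SYSCALL msg=audit(1700000001.202:502): arch=c000003e syscall=101 success=yes '
    'exit=0 a0=0 a1=0 a2=0 a3=0 pid=7002 uid=1001 comm="gdb" exe="/usr/bin/gdb"',
    'type=SYSCALL msg=audit(1700000002.303:503): arch=c000003e syscall=101 success=yes '
    'exit=0 a0=10 a1=3e7 a2=0 a3=0 pid=7003 uid=0 comm="gdb" exe="/usr/bin/gdb"',
    'type=SYSCALL msg=audit(1700000003.404:504): arch=c000003e syscall=101 success=no '
    'exit=-1 a0=10 a1=10e1 a2=0 a3=0 pid=7004 uid=1002 comm="gdb" exe="/usr/bin/gdb"',
    'type=SYSCALL msg=audit(1700000004.505:505): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 pid=7005 uid=1001 comm="ls" exe="/usr/bin/ls"',
]

def find_attaches(lines, watched_pids):
    """Return one alert per ptrace attach/seize request that targets a watched PID."""
    alerts = []
    for line in lines:
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if (rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e"
                or rec.get("syscall") != PTRACE_SYSCALL):
            continue
        try:
            request, target = int(rec["a0"], 16), int(rec["a1"], 16)
        except (KeyError, ValueError):
            continue  # truncated or malformed record
        if request in ATTACH_REQUESTS and target in watched_pids:
            alerts.append({
                "uid": int(rec.get("uid", "-1")), "exe": rec.get("exe", "?"),
                "request": ATTACH_REQUESTS[request], "target": target,
                "success": rec.get("success") == "yes",
            })
    return alerts

if __name__ == "__main__":
    for alert in find_attaches(SAMPLE, {4321}):  # 4321: assumed Confluence JVM PID
        print(alert)
```

Failed attempts are reported as well, since an attach blocked by a restrictive `kernel.yama.ptrace_scope` setting is still worth triaging.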

Key results

01. Validated attack path beginning from basic VPN access

02. Identified and exploited Confluence RCE (CVE-2022-26134)

03. Discovered a novel internal technique for credential sniffing

04. Recovered domain administrator credentials

05. Achieved full domain controller compromise, proving risk of total internal takeover
