Tutorial

OU.edu Red Team Hunt: 6 CVE Validations

A walkthrough of a full-scope .edu red team engagement: 6 validated vulnerabilities discovered, chained, and reported with proof-of-concept exploits.

  • #red-team
  • #cve
  • #pentesting
  • #edu
  • #poc

Overview

A red team engagement against a major .edu domain (OU.edu) yielded 6 validated vulnerabilities across web application, network, and infrastructure surfaces. This writeup covers the methodology, the findings, and the chain that connected them.

Recon

Starting with passive reconnaissance via certificate transparency logs (crt.sh) and DNS enumeration:

Subdomains discovered: 47
Live HTTP services: 23
Unique technologies: WordPress, Drupal, Custom PHP, Tomcat, IIS

The attack surface was narrowed to 7 high-value targets based on technology version and public CVE history.

Finding chain

The 6 findings were not isolated. They formed a chain:

Finding 1: Exposed Grafana (no auth)

A Grafana dashboard on a subdomain had no authentication. It exposed internal service names and IP addresses.

Finding 2: Grafana → Internal API

The Grafana data source configuration revealed an internal API endpoint with default credentials.

GET /api/internal/v1/users
Authorization: admin:admin
→ 200 JSON dump of 12,000+ user records

Finding 3: Internal API → SQLi

The internal API had an unprotected search parameter vulnerable to SQL injection. Extracted: database name, table structure, and 40k+ rows of PII.

Finding 4: SQLi → File read

The database user had LOAD_FILE privileges, enabling read access to /etc/passwd, application config files, and SSH keys.

Finding 5: SSH key → Lateral movement

A exposed SSH key in a config file had password-less sudo access to a jump-box server. From the jump-box, internal network scans revealed an unpatched Tomcat server.

Finding 6: Tomcat → RCE

The Tomcat server ran version 8.5.x with Ghostcat (CVE-2020-1938), a file include / RCE via AJP. Full remote code execution achieved.

Proof chain

Grafana (no auth)
  → Internal API (default creds)
    → SQL injection (PII exfil)
      → LOAD_FILE (SSH key)
        → Lateral movement (jump-box)
          → Ghostcat RCE (Tomcat)

Each link in the chain was independently validated with a PoC script.

Remediation priorities

  1. Authentication on Grafana — breaks the chain at the first link
  2. WAF on internal API — blocks SQLi at finding 3
  3. Patch Tomcat — removes the RCE at finding 6

References