Rapid 7 - Pentales: Red Team vs. N-Day (and How We Won)

During a recent Vector Command operation, I had the chance to sit down with one of our red teamers to hear firsthand how they identified and exploited an N-Day vulnerability in a customer’s environment. It’s a clear example of how continuous red teaming can uncover and validate real-world risks before attackers do.

While the organization involved remains anonymous, the events described are real. This story reflects how our always-on testing approach closely mirrors the creativity and persistence of actual threat actors.

Initial Recon: Spotting an N-Day in the Wild

Vector Command engagements begin with one core question: If someone wanted to break in, where would they start? That’s the mindset our red team brings to every operation.

A red team is a group of security professionals who simulate real-world adversaries. Their goal isn't to check boxes or run automated scans, but to think and act like attackers—uncovering weaknesses that traditional assessments often miss. They combine technical skill with creativity, adapting to the environment they’re targeting and exploring how far a real compromise could go.

In this case, as part of Vector Command’s continuous reconnaissance, the red team identified a subdomain hosting a vulnerable web application. Because the vulnerability had already been publicly disclosed, the exposure was classified as an N-Day: the issue was known in the broader security community, but it hadn’t yet been patched in this environment.

Using a publicly available proof-of-concept exploit, the team compromised the application and underlying host. From there, they found credentials stored in the file system, granting access to services deeper within the internal network.

From Exploit to Expansion: Breaching the Perimeter and Moving Laterally

As part of our recon, we zeroed in on a subdomain running a web app that was just begging to be poked. It was tied to a recently disclosed N-Day vulnerability—publicly known, actively discussed, and in this case, still unpatched.

We ran a proof-of-concept exploit and landed a shell. From there, we had access to the underlying host, and it didn’t take long to find something useful: credentials stashed away on the file system. Those creds gave us our next step into the internal network.

With the perimeter breached, we started exploring. There was little in the way of segmentation, which made internal discovery a breeze. We quickly found an internal SMTP server and realized we could send emails that appeared completely legit—from the inside, to the inside.

We used that to spin up a phishing campaign. The bait? A cloned version of the company’s actual login portal, hosted on the compromised subdomain. From the user’s perspective, everything looked familiar. The URL checked out. The branding was perfect. And people clicked.

We captured multiple sets of credentials, including an admin account. From there, we confirmed a misconfiguration on a critical internal system. That allowed us to escalate privileges and prepare for full domain takeover.

Classic attack chain: exploit, phish, pivot, escalate. All real. All tested safely under Vector Command.

From Attack Chain to Action Plan

You may be forgiven for thinking an organization would not be happy with this. However, it is exactly the opposite: our Vector Command customer was delighted that we found and exploited this vulnerability. We proved the value of our continuous red teaming, mimicking what a real external threat actor would do to breach a network.

The subdomain we compromised was prioritized for remediation and now has security controls in place. We then re-tested the customer’s environment to ensure their patches actually worked and that this particular security gap was closed.

From PoCs to Happy SOCs

In our previous blogs, we’ve explored the human side of continuous red teaming—through opportunistic phishing stories, external network assessments, and a deep dive into the TTPs behind post-compromise simulations.

Security Operations Centers (SOCs) are often relieved—not rattled—when we uncover these risks. It gives them proof, insight, and time to act.

As part of Vector Command, this engagement was fully documented—summarized for executive stakeholders and detailed for security practitioners. Reports live in the Vector Command portal, accessible whenever teams need to revisit findings or track remediation progress.

Customers also have the opportunity to debrief directly with the red teamer behind the operation. Whether it's to dig deeper into the attack chain or walk through lessons learned, we’re here to help strengthen defenses—because at the end of the day, we’re all working toward the same goal.

If you or your security team want to explore how continuous red teaming can support your program, let’s talk.

Ready for Your Own Red Team Reality Check?

If you're curious what an attacker might find in your environment, Vector Command can help you find out before someone else does.

Ready to see how continuous red team managed services can ensure your potential attack pathways are remediated before they can ever be exploited?

from Rapid7 Cybersecurity Blog https://blog.rapid7.com/2025/04/04/pentales-red-team-vs-n-day-and-how-we-won/
