Weeks go by and the engagement has concluded. You’ve been able to meet your objectives and have the screenshots and loot to prove it.
At the debrief, when it’s your turn to present your findings to the RisottoCorp leadership, you stand up and proudly proclaim how you managed to execute code for initial access. Your slide for this section includes some great screenshots of the web shell:
“My team identified a web shell that was already present on the Wordpress site of dmz.risottocorp.lan. We leveraged this web shell to gain access to the container that was running on the DMZ server. We then used-”
“Hold on, hold on. One moment please,” says the RisottoCorp CISO. They scratch their head. “Did you say there was a pre-existing web shell that was already on the web server when you got there?”
“Yes, that is correct,” you reply.
“As in, that wasn’t something your team added. It was already there.”
“Yes.”
“Um… well, this is our first red team engagement and… I mean, thinking out loud here, that means that was probably there because of an…. actual adversary.”
You start to feel sweat beading on your forehead.
“And you didn’t think it would be pertinent to tell us that…?”
You look at your team lead and her eyes are as wide as dinner plates.
The CISO exhales and says “Ok, I think we should break here for a moment. Can I speak to you and your team lead out in the hallway?”