
55 Penetration Tester Jokes Every Red Team Pro Has Lived

55 penetration tester jokes on the printer that owned the domain, badge cloning, scope nobody read, dropped USBs, helpdesk pretexts, and unread reports.

Ishan Karunaratne · 4 min read

55 Penetration Tester Jokes

The printer had default credentials, an SMB share, and a stored scan-to-email account with domain admin. I closed the laptop before the coffee got cold.

Got domain admin through a printer. The post-engagement debrief spent forty minutes on the printer.

The kickoff call established that the network was fully segmented. Hour two of the engagement, segmented meant the printer could talk to everything.

I asked for the in-scope IP ranges. They sent me the whole /16 and a sentence that said please be careful.

The scope document said do not touch production. The production label was on the dev box. The dev label was on the production box. I went home for the day.

We have a strict change window, said the client, on day one of a two-week engagement, after I had already touched everything.

I dropped four USB sticks in the parking lot. Three were picked up within an hour. The fourth came back a week later in interoffice mail with a note that read I think this is yours.

The receptionist held the door for me. I was wearing a hi-vis vest and carrying a clipboard. The clipboard was empty. The vest was from a costume shop.

I called the helpdesk and said I forgot my password. They asked for my employee ID. I read out the last four of someone else's ID from a LinkedIn photo. The helpdesk reset the wrong account and apologized for the inconvenience.

Phishing simulation click rate, twenty-two percent. Credential submission rate, eleven percent. Reports to security, two. Both were the same user, both reporting the same email, both forwarding it as an attachment with the credentials filled in.

I sent the phish at 4:55 on a Friday. By Monday, the inbox had ninety-three out-of-office replies, four sets of credentials, and one HR complaint about phishing during off hours.

The Wi-Fi guest network bridged to corporate through a forgotten access point in the conference room. The conference room was named Innovation.

Found a wired jack in the lobby. Plugged in. Got DHCP on the management VLAN. The lobby was where executives took video calls.

The IP camera ran an admin web panel on port 80 with the credentials admin and admin. The camera was watching the server room door.

The badge reader was a HID Prox card running 26-bit format. I cloned a badge through a vest pocket while standing in the elevator. The badge belonged to the CFO.

Tailgated through three doors holding a box of donuts. Nobody opens a door for an empty-handed stranger. Everyone opens a door for donuts.

The data center had a mantrap. The mantrap had a window. The window opened from the outside.

The server room key was under the mat. I am not making this up. There was a mat. The mat had a key under it. The key opened the server room. The server room had a label on the door that read Authorized Personnel Only.

Found a sticky note on the server rack. The sticky note had the root password. The root password was the company name plus the year the company was founded plus an exclamation point. I added the exclamation point in the report.

EDR caught my Cobalt Strike beacon in forty seconds. EDR did not catch the same payload renamed to MSTeamsUpdate.exe and dropped in the user's AppData. The difference was the filename.

The web app sanitized single quotes. It did not sanitize backticks. The login form was a SQL playground after one curious afternoon.

Found SQL injection in the search box. The search box was the only sanitized field on the entire site. The search box was sanitized by the developer who had since left the company.

The login form rejected SQL injection. The forgot-password form did not. The forgot-password form returned the password hash in a JSON response. The password hash was unsalted MD5.

The IDOR was on the invoice endpoint. Incrementing the invoice ID returned every customer's billing history. The endpoint was called /invoice and the parameter was called id. I will not pretend that took skill.

The API returned a JWT signed with HS256. The HS256 secret was the string secret. The secret was the string secret.

The mobile app pinned the certificate. The mobile app also accepted self-signed certificates if the user tapped Continue. The user always taps Continue.

Reverse-engineered the Android APK. Found a hard-coded AWS access key in a constants file. The constants file was named Constants.

The S3 bucket was public. The S3 bucket contained the database backups. The database backups were not encrypted. The README in the bucket explained the schema.

Subdomain enumeration found a forgotten staging site. The staging site had no auth. The staging site had a copy of production data, rotated nightly.

The internal Confluence had a page titled DO NOT SHARE EXTERNALLY. The page contained the production database credentials. The page was indexed by an internal search bot that exposed results to the unauthenticated REST API.

The Kerberoasting attack returned eighteen service accounts. Twelve had passwords from a 2014 wordlist. Two had the company name as the password. One had the password Password123. Hashcat finished before I made coffee.

Found a service account with the password set to never expire. The password was set in 2009. The password was the name of a TV show that was cancelled in 2010.

Domain admin to enterprise admin took fourteen minutes. Most of that was renaming the file.

Found unconstrained delegation on a print server. The print server. The print server delegated for the domain controller. I wrote in the report that the printer kept being the answer.

The Active Directory pentest report had two findings on page three that the client read. The other eighty-six findings were on pages four through forty-one. Those pages did not get read.

Wrote a critical finding. Got it downgraded to high by the client. Got it downgraded to medium by the client's manager. Got it downgraded to low by procurement. The next engagement had it back as critical.

Submitted the report on Friday. Got a Monday email asking if any of the findings were exploitable in the real world. Spent the week explaining what real world meant in an engagement that was already real.

The retest was scheduled for six months later. The retest found every original finding plus four new ones. The four new ones were added by the team that had read the original report.

Final readout meeting. Twenty-eight people on the call. Two of them muted themselves so they could speak. None of them were the people who would fix the findings.

The CISO opened the readout by asking what color we were. I said red. The CISO asked what red meant. I said it meant I got in.

We have compensating controls, said the client about the finding I had bypassed using the compensating control.

The finding was that the helpdesk would reset any password over the phone. The remediation was a training email. The retest was a phone call. The phone call took ninety seconds.

The remediation plan had a target date of next quarter. The next quarter was the same quarter the audit was due.

The client asked if we could leave the findings out of the executive summary. The executive summary was the only part the executives read.

Got asked at a party what I do. I said I break into companies for a living. The party went quiet. I said legally and the party stayed quiet anyway.

TSA found the lockpicks. TSA also found the badge cloner, the rubber ducky, the LAN turtle, the Wi-Fi pineapple, and the can of compressed air. TSA confiscated the compressed air.

Showed up to the physical engagement with a backpack of tools. Forgot the engagement letter. Spent twenty minutes in a security office explaining myself to a guard who was, on paper, doing his job correctly for the first time that month.

The physical pentest went so well I was given an employee discount card at the cafeteria. I used it. The discount was applied to my lunch. The lunch was added to the report as evidence of access.

The Wi-Fi pineapple caught fourteen client probes in the parking lot. Three of them auto-connected to a network named CorpGuest. There was no CorpGuest. There is now.

The MITM on the open conference Wi-Fi caught a vendor logging into their CRM, their email, their bank, and a dating site, in that order, in the first forty minutes.

Plugged the LAN turtle into the back of a desk in an open-plan office. Came back four hours later. The turtle was gone. The user had taken it home thinking it was theirs. The turtle had been beaconing the whole drive.

Asked for a copy of the previous year's pentest report. Was told it was confidential. Was told this by the engineer whose laptop the report was open on, in a coffee shop, behind me, in the reflection of the window.

Found a credential in a public GitHub repo. The repo belonged to a developer who had left the company two years ago. The credential still worked. The developer was now working at a competitor.

The bug bounty program said no automated scanning. The bug bounty program also had a hall of fame full of researchers who had submitted findings from automated scans. The hall of fame had its own subdomain. The subdomain had a finding.

I submitted a critical to the bug bounty. The triager closed it as informational. I submitted it again with a working exploit. The triager closed it as a duplicate of a finding from 2019 that had never been fixed.

Spent six weeks on a complex chain of vulnerabilities that turned a low-impact CSRF into full account takeover. The fix took four lines of code. The four lines of code had a typo. The typo was the next finding.

Why the printer keeps writing this joke

The reason penetration testing is funny in a specific way is that the work is mostly absurd in retrospect. The attacker mindset turns the building into a list of edges, and every edge is a sentence somebody wrote and forgot. The printer with the default credentials. The wired jack in the lobby that thinks it is on the management VLAN. The service account whose password is the name of a show cancelled before the password was set. None of these are surprises to the people doing the work. They are the same edges in different jackets, year after year, engagement after engagement.

The other half of the comedy is the gap between the report and the fix. A pentest produces a finding. A finding is a sentence. A sentence is not a fix. The fix lives in a Jira backlog under a manager who has six other priorities, and the next year's pentest finds the same finding again, sometimes verbatim, sometimes with a fresh CVE bolted on. The retest exists for exactly this reason. The retest is also where the second comedy happens, which is the discovery that the fix introduced a new finding. That cycle is older than the industry.

The OWASP Testing Guide and the Penetration Testing Execution Standard exist to give structure to what is otherwise a deeply ad-hoc craft. They are good documents. They do not contain the parts that make pentesters laugh on the engagement, which are the helpdesk that resets a password for someone reading a LinkedIn photo, the receptionist who holds the door for a clipboard, the donuts that open three doors in a row. Those parts are the field notes, and the field notes are the jokes.



Ishan Karunaratne

Tech Architect · Software Engineer · AI/DevOps

Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.
