GSM operator Pulse Connect VPN intrusion · BloodHound 4-hop DA path · 11 critical findings
One of Turkey's top 3 GSM operators requested an authorized red team from DSET. Target: external intrusion → VPN exploit → AD lateral → the core OSS system. Rule: impact on the production OSS system is FORBIDDEN. DSET reported a BloodHound 4-hop DA path + 11 critical findings, with no production impact; BTK gave its appreciation and a 3-year contract was signed.
01 The Challenge
A VPN .pfx certificate was leaked on Pastebin 3 months earlier. Pulse Connect Secure 9.0.3 unpatched (CVE-2019-11510). DMARC records weak, high phishing potential. The final target the core OSS system (GSM call routing); IMPACT IS ABSOLUTELY FORBIDDEN. Within Turkey's "critical infrastructure" scope, requested after a BTK audit.
02 DSET's Approach
T+0 · External reconnaissance
OSINT: a Pastebin VPN cert + Pulse CVE-2019-11510 + DMARC weakness detected. An attack surface map was drawn.
T+1 week · VPN exploit
Authenticated bypass with CVE-2019-11510 + the leaked cert. Arbitrary file read + auth bypass on the VPN gateway succeeded, with full access to the internal network.
T+2 weeks · AD enumeration
BloodHound: the DA path 4 hops, 12 escalation routes. Kerberoast 14 SPN accounts, 8 hashes cracked (weak passwords). SCCM PXE boot misconfig: arbitrary OS install.