Operation Switchboard
Five machines hidden inside a corporate network hub. Each one exposes a misconfigured service leaking credentials over the wire — FTP, SMTP, Redis, rsync, and SNMP. Enumerate, intercept, escalate.
The Machines
Five services. Five credential leaks. One network to own.
Anonymous FTP left enabled post-migration. Browse the share, find credentials.txt, and use those SSH creds to log in. Classic misconfiguration, still everywhere.
The Flask status endpoint helpfully returns os.environ as JSON. SSH_PASS is right there. SMTP VRFY confirms valid usernames. Enumerate, then exploit.
Redis bound to 0.0.0.0 with no password. CONFIG SET dir lets any client write files anywhere the process owner can reach — including authorized_keys.
An anonymous rsync module leaks the entire backup directory. Somewhere inside is /home/user/.ssh/id_rsa. List, pull, authenticate.
SNMPv2 with community string "public". An extend OID runs a script whose process args appear in the MIB walk output — including SSH credentials.
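For the hardening side of the same four config-file services (FTP, Redis, rsync, SNMP), here is a small config audit, added as an example and not part of the series' own material. It assumes vsftpd, Redis, rsyncd and Net-SNMP style config files; the sample configs, the user names and /opt/check.sh are constructed placeholders. The Flask endpoint is application code and is not covered.

```python
import re

def lines(text):  # config lines with comments and blanks removed
    return [l for l in (r.split("#", 1)[0].strip() for r in text.splitlines()) if l]

def audit_vsftpd(text):
    kv = dict(l.split("=", 1) for l in lines(text) if "=" in l)
    return ["ftp: anonymous_enable=YES"] if kv.get("anonymous_enable", "").upper() == "YES" else []

def audit_redis(text):  # simplification: only requirepass counts as auth, ACL users ignored
    conf = {}
    for l in lines(text):
        key, _, val = l.partition(" ")
        conf.setdefault(key.lower(), []).extend(val.split())
    exposed = [a for a in conf.get("bind", []) if not re.match(r"-?(127\.|::1$)", a)]
    return [f"redis: bind {' '.join(exposed)} without requirepass"] if exposed and not conf.get("requirepass") else []

def audit_rsyncd(text):
    module, auth, seen = None, set(), []  # module None is the global section
    for l in lines(text):
        key, _, val = (p.strip() for p in l.partition("="))
        if l.startswith("["):
            module = l.strip("[] ")
            seen.append(module)
        elif key.lower() == "auth users" and val:
            auth.add(module)
    return [f"rsync: module [{m}] has no auth users" for m in seen if not auth & {m, None}]

def audit_snmpd(text):
    out = []
    for tok in map(str.split, lines(text)):
        if tok[0] in ("rocommunity", "rwcommunity") and tok[1:2] == ["public"]:
            out.append(f"snmp: {tok[0]} public")
        if tok[0] == "extend" and len(tok) > 2:
            spec = tok[2:] if re.fullmatch(r"\.?\d+(\.\d+)*", tok[1]) else tok[1:]  # optional MIBOID
            if len(spec) > 2:  # NAME PROG ARGS: the arguments are readable through the MIB
                out.append(f"snmp: extend {spec[0]} passes arguments visible in a walk")
    return out

def audit(configs):
    checks = {"vsftpd": audit_vsftpd, "redis": audit_redis, "rsyncd": audit_rsyncd, "snmpd": audit_snmpd}
    return [f for name, text in configs.items() for f in checks[name](text)]

# Constructed configs (not from the lab machines): (weak, corrected) per service.
SAMPLES = {
    "vsftpd": ("anonymous_enable=YES\n", "anonymous_enable=NO\n"),
    "redis": ("bind 0.0.0.0\n# requirepass unset\n", "bind 127.0.0.1 -::1\nrequirepass PLACEHOLDER\n"),
    "rsyncd": ("[backup]\npath = /srv/backup\n", "[backup]\npath = /srv/backup\nauth users = backupsvc\n"),
    "snmpd": ("rocommunity public\nextend status /opt/check.sh --pass PLACEHOLDER\n", "rouser monitor priv\nextend status /opt/check.sh\n"),
}
WEAK = {k: v[0] for k, v in SAMPLES.items()}
FIXED = {k: v[1] for k, v in SAMPLES.items()}
```

audit(WEAK) returns one finding per weak directive, and audit(FIXED) returns an empty list.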
Attack Chain
Recommended order of attack.
Ready to intercept?
Five misconfigured services. Five credential leaks. Full network enumeration practice in one series.
Launching 20 June 2026 — network enumeration series for OSCP prep and real-world service hardening.