<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Pentesting on Prepakis Georgios | Kernelstub | Security Researcher</title><link>https://blog.kernelstub.dev/tags/pentesting/</link><description>Recent content in Pentesting on Prepakis Georgios | Kernelstub | Security Researcher</description><generator>Hugo</generator><language>en-US</language><lastBuildDate>Mon, 16 Feb 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://blog.kernelstub.dev/tags/pentesting/index.xml" rel="self" type="application/rss+xml"/><item><title>A Full Infrastructure Takeover on GSIS.GR</title><link>https://blog.kernelstub.dev/posts/a-full-infrastructure-takeover-on-gsis.gr/</link><pubDate>Mon, 16 Feb 2026 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/a-full-infrastructure-takeover-on-gsis.gr/</guid><description>&lt;p&gt;&lt;strong&gt;Table of Contents&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#phase-1-massive-reconnaissance-with-skuntscan"&gt;Phase 1: Massive Reconnaissance with SkuntScan&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-2-the-exposed-configuration-that-broke-everything"&gt;Phase 2: The Exposed Configuration That Broke Everything&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-3-ftp-and-the-forgotten-server"&gt;Phase 3: FTP and the Forgotten Server&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-4-oracle-webcenter-leaks-and-ldap-access"&gt;Phase 4: Oracle webCenter Leaks and LDAP Access&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-5-hardcoded-jwt-private-key"&gt;Phase 5: Hardcoded JWT Private Key&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-6-server-status-as-a-network-mapping-tool"&gt;Phase 6: Server-Statme as a Network Mapping Tool&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-7-iis-short-names-and-aspnet-backend"&gt;Phase 7: IIS Short Names and ASP.NET Backend&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-8-domibus-424--finding-the-zero-day"&gt;Phase 8: Domibme 4.2.4 – Finding the Zero-Day&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-9-from-xxe-to-ssh-on-borisgsisgr"&gt;Phase 9: From XXE to SSH on boris.gsis.gr&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-10-axis2-admin-service--deploying-a-backdoor"&gt;Phase 10: Axis2 Admin Service – Deploying a Backdoor&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-11-privilege-escalation-to-root"&gt;Phase 11: Privilege Escalation to Root&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-12-internal-network-pivot--the-1019318024-discovery"&gt;Phase 12: Internal Network Pivot – The 10.193.18.0/24 Discovery&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-13-staging-authentix-auth-and-the-database-goldmine"&gt;Phase 13: STAGING-AUTHENTIX-AUTH and the Database Goldmine&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-14-switches-firewalls-and-control-surfaces"&gt;Phase 14: Switches, Firewalls, and Control Surfaces&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-15-15-million-citizens--what-i-found"&gt;Phase 15: 15 Million Citizens – What I Found&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="phase-1-massive-reconnaissance-with-skuntscan"&gt;Phase 1: Massive Reconnaissance with SkuntScan&lt;/h2&gt;
&lt;p&gt;Every engagement starts with comprehensive reconnaissance. SkuntScan, our in‑house tool, combines passive enumeration with intelligent fingerprinting. It scrapes certificate transparency logs, DNS records, web archives, and then correlates everything with IP space to build a complete map of the target.&lt;/p&gt;</description></item></channel></rss>