During a penetration test of the external infrastructure of a public administration body, we found very serious flaws that allowed several servers to be completely compromised. The vulnerabilities fell into three groups: missing security patches, weak password policies and failure to follow best practices.
The organisation allowed its employees to connect remotely through an SSL VPN. However, the remote access product was not running the latest version and therefore lacked the updates that fix several critical vulnerabilities. One of them allowed unauthorized access to sensitive information - listings of usernames and passwords in plain text. Because the VPN authenticated against Active Directory / LDAP, these were domain accounts and their passwords. Under the identity of an arbitrary user, it was possible to log into the SSL VPN and then connect to an employee's dedicated machine - so, among other things, an attacker would gain direct, unauthorized access to the internal network, could compromise any user's computer, move laterally and continue attacking the internal network.
Another critical vulnerability was again caused by missing updates, this time on the e-mail server. The web interface of the e-mail server contained a deserialization vulnerability that allowed code to be executed remotely at the operating system level. A successful attack required the credentials of a legitimate domain user - as mentioned, we already had those at our disposal. A potential attacker could therefore have completely compromised the e-mail server, because the service was running with the highest privileges.
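To make the deserialization finding concrete, here is an added example (not code from the engagement or from the mail server product) showing why an endpoint that deserializes client input with a code-capable format is dangerous, and two defensive options: an allowlisting unpickler and, preferably, a data-only format with shape checks. The sample inputs, the `ticket`/`tags` structure and all function names are constructed for this demo.

```python
import io
import json
import os
import pickle

# Constructed sample inputs for a stand-alone demo (not the mail server's
# real request format). SAFE_PICKLE is plain data; BY_REFERENCE_PICKLE
# carries only a *reference* to a callable, which is enough to show why
# unpickling client input is a problem.
SAFE_PICKLE = pickle.dumps({"ticket": 42, "tags": ["vpn", "email"]})
BY_REFERENCE_PICKLE = pickle.dumps(os.system)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted module.name references.

    pickle rebuilds objects by looking up the names a stream asks for and
    calling them; find_class() is the hook where that lookup happens, so
    refusing here stops an unexpected callable before it is ever invoked."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global reference {module}.{name}")


def loads_or_refusal(data: bytes) -> tuple:
    """Return ("ok", obj) if the restricted unpickler accepts the stream,
    ("refused", reason) otherwise."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


def unrestricted_resolves_callable(data: bytes) -> bool:
    """Plain pickle.loads resolves the referenced callable without complaint.
    This particular stream executes nothing, but a stream that also carries
    the instruction to call what it resolved turns such an endpoint into
    remote code execution, which is the class of flaw found on the mail server."""
    return callable(pickle.loads(data))


def parse_ticket_json(data: bytes) -> tuple:
    """The preferable fix for client-supplied data: a data-only format plus
    explicit shape checks. JSON cannot name code, so the worst a malformed
    document can do is fail validation."""
    try:
        doc = json.loads(data)
    except ValueError as exc:
        return ("refused", f"not JSON: {exc}")
    ok = (
        isinstance(doc, dict)
        and isinstance(doc.get("ticket"), int)
        and isinstance(doc.get("tags"), list)
        and all(isinstance(t, str) for t in doc["tags"])
    )
    if not ok:
        return ("refused", "unexpected shape")
    return ("ok", {"ticket": doc["ticket"], "tags": doc["tags"]})


if __name__ == "__main__":
    print("restricted, plain data:  ", loads_or_refusal(SAFE_PICKLE))
    print("restricted, by-reference:", loads_or_refusal(BY_REFERENCE_PICKLE))
    print("unrestricted resolves callable:", unrestricted_resolves_callable(BY_REFERENCE_PICKLE))
    print("json:", parse_ticket_json(b'{"ticket": 7, "tags": ["vpn"]}'))
```

The allowlisting unpickler is a mitigation for code that cannot be migrated immediately; the durable fix is to stop accepting serialized objects from clients at all and, as the finding shows, to keep the server patched, since the vulnerable deserialization lived in the vendor's own web interface rather than in custom code.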
The last critical vulnerability was a failure to validate user input in the web application used as a "HelpDesk". The application was reachable from the Internet, but it sat behind an authentication form and only selected users (administrators) were allowed to use it from the Internet. Finding a suitable account was only a matter of time (using the credentials obtained through the SSL VPN vulnerability). After gaining unauthorized access, a very serious vulnerability was found quite quickly - SQL injection, where attacker-controlled input is inserted into an SQL statement that the database server then executes. An attacker could thus obtain all the data in the database, completely compromise the database server and gain access to the internal infrastructure.
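The following is an added example (not the HelpDesk application's code) that shows the defect class behind the SQL injection finding next to its fix: a login check that concatenates user input into the SQL text, and the same check written with bound parameters. The table, the accounts and the function names are constructed for the demo; SQLite stands in for whatever database the real application used.

```python
import sqlite3

# Constructed demo data for a stand-alone example; this is not the HelpDesk
# application's schema. Passwords are stored in clear text only to keep the
# demo short; a real application stores a salted hash.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
_conn.executemany(
    "INSERT INTO users VALUES (?, ?, ?)",
    [("admin", "Adm1n-demo-pw", "administrator"), ("alice", "alice-demo-pw", "user")],
)
_conn.commit()


def login_vulnerable(username: str, password: str) -> bool:
    """Flawed pattern: user input is concatenated into the SQL text.

    A single quote in the input closes the string literal, and whatever
    follows is parsed and executed as SQL by the database engine. This is
    the defect class the HelpDesk finding describes."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return _conn.execute(query).fetchone() is not None


def login_safe(username: str, password: str) -> bool:
    """Hardened pattern: the SQL text is fixed and the values travel
    separately as bound parameters, so a quote inside them is just data."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    return _conn.execute(query, (username, password)).fetchone() is not None


# The classic tautology a tester submits to confirm the finding: it is not a
# valid password, so the only way it can "log in" is by changing the query.
PROBE_PASSWORD = "x' OR '1'='1"


def compare_handling() -> dict:
    """Run the same inputs through both implementations and report which
    ones are accepted. Genuine credentials pass both; the probe for a
    non-existent user passes only the vulnerable version."""
    return {
        "genuine_vulnerable": login_vulnerable("alice", "alice-demo-pw"),
        "genuine_safe": login_safe("alice", "alice-demo-pw"),
        "probe_vulnerable": login_vulnerable("nobody", PROBE_PASSWORD),
        "probe_safe": login_safe("nobody", PROBE_PASSWORD),
    }


if __name__ == "__main__":
    for name, accepted in compare_handling().items():
        print(f"{name:20s} accepted={accepted}")
```

The vulnerable function accepts the probe because the quote in the input ends the password literal and the trailing `OR '1'='1'` makes the WHERE clause true for every row; the parameterized version compares the whole probe string against the stored password and finds no match. Parameterized queries (or an ORM that generates them) are the fix; input filtering alone is not, because the application cannot reliably anticipate every way a value can alter SQL syntax.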
Thanks to testing the external infrastructure in time, the public administration body was able to fix the vulnerabilities we found and secure its perimeter before a real attacker took an interest in it.