
At one point, I was managing some servers for a project at a large company. There was an internal web app via which one could modify and change the update / patch schedule for servers. Only it was behaving like I wasn't authorized to use it (despite being the registered owner of the servers), and I couldn't find any documentation on what groups it wanted me in. Take a quick glance at the js, and it's doing AD lookups from my client, via an unofficial AD-REST endpoint everyone used, and then using the result. So easy enough to just return what it's looking for and change my server's schedules as desired.

But hmm. I wonder if it works for the admin-looking group? Yup. Ping it over to a friend who works in appsec, they poke it for awhile, and figure out (a) with admin permissions this tool can change the patch schedule of everything (e.g. AD domain controllers) & (b) the same pattern of client-checks was used on a lot of other tools that team built. So I threw some poor team's roadmap into disarray, but a little curiosity on my part helped improve our security posture.

I write a lot of technical software docs for a living so I'm no stranger to writing, but this was my first attempt at such an informal writeup. I started trying to fix it on a Friday evening and gave up after I couldn't get the "abort -> No Operation" thing. When I came back a couple of days later, I realised how I was going to proceed, but wanted to write it up. I made sure the thread I was pulling made sense (and thus I was confident I'd get to the end of this), stopped, and wrote the writeup to that point retrospectively. I also went back and recreated some of the screenshots.

From then on I played with the software for a bit until I "hit a breakthrough", stopped, and wrote the story and took some screenshots, then worked on the software until the next "breakthrough". I wanted this doc to record offsets and methodology so I made sure to include that wherever I could. I also used the document as a "rubber-duck debugging" aid, writing it for someone unfamiliar to the project. I then polished/edited it (rushedly, without too much care) the day after and put it up. You can see my shift in methodology a few times where I mess up the past and present tense and with how some bits have considerably more detail than others.

As this is my first, I don't know if I'd do it the same way again.
