June 3, 2026
The Quiet Killer in Grey Box Testing — Internal IP Leak → Path Traversal → DB Takeover → Outlook Pwn
Hy aLL !! Mr_Curi0sity here !!
Mr_Curiosity
This engagement was a Grey Box penetration test of an internal web application. The client provided VPN access, login credentials, and limited documentation — more than blackbox, but far from full whitebox.
What made it special? The application had already been audited by penetration testing teams from three different organizations before us. Previous reports had findings, but nothing particularly exciting or high-impact. I was going through the motions, struggling to find something fresh and interesting after the first few days.
Then this chain unfolded.
The Full Attack Chain
- Grey Box access to the internal web application via VPN
- Internal IP disclosure found
- Discovery of secondary internal application using leaked IPs
- Path traversal on document viewing feature
- Extraction of DBconfig.php
- Successful DBeaver connection to internal DB
- Extraction of Outlook service account credentials from DB
- Full Outlook account takeover
The Struggle Was Real… Until the Leak
I had been testing for days — functionality deep dives, parameter fuzzing, API enumeration — but nothing groundbreaking. Just the usual low-hanging stuff that had probably been reported before.
While doing routine Grey Box recon (inspecting responses, JavaScript files, and error messages with partial knowledge of the environment), I ran my normal search in the browser console for interesting information:
This single disclosure gave us new leads on other internal systems reachable over the VPN. That's how we discovered another internal application (different internal domain/vhost) that wasn't heavily covered in previous audits.
Path Traversal on the Discovered Internal App
On this secondary internal application, we found a document/file viewing endpoint that accepted a doc parameter.
Captured the request in Burp and started testing path traversal payloads.
It worked. The application was vulnerable to path traversal.
Reading DBconfig.php
Path traversal successfully returned the full content of DBconfig.php, which contained clear database connection details (host, username, and password).
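A server-side check that would have broken this link of the chain, shown as an added example that is not the client's code or part of the original write-up. It assumes a PHP application (inferred only from the DBconfig.php file name); the function name resolveDocument, the extension allow-list and the temporary directory layout are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list of document types the viewer may serve.
const ALLOWED_EXT = ['pdf', 'txt', 'docx'];

/**
 * Resolve the user-supplied `doc` value to a file inside $root.
 * Returns the canonical path, or null if the request must be refused.
 */
function resolveDocument(string $doc, string $root): ?string
{
    // PHP 8 filesystem calls throw on NUL bytes; refuse them up front.
    if ($doc === '' || strpos($doc, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; false if the file is missing.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . $doc);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment check on the canonical path. The trailing separator stops
    // a sibling such as "documents_old" from passing as "documents".
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $target : null;
}

// Constructed demo tree: a documents/ folder with a config file one level up.
$base = sys_get_temp_dir() . '/docviewer_' . bin2hex(random_bytes(4));
mkdir($base . '/documents', 0700, true);
file_put_contents($base . '/documents/report.pdf', 'constructed sample');
file_put_contents($base . '/DBconfig.php', '<?php // constructed placeholder');

foreach (['report.pdf', '../DBconfig.php', 'missing.pdf'] as $doc) {
    $path = resolveDocument($doc, $base . '/documents');
    printf("%-20s => %s\n", $doc, $path === null ? 'refused' : 'served');
}
```

The check runs on the canonical path after resolution, so it does not depend on filtering particular character sequences out of the parameter. Keeping configuration files outside any directory the viewer can reach removes the target even if the check is bypassed.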
DBeaver Magic — Direct Internal DB Access
Armed with the exact credentials and internal DB host from the config file, we fired up DBeaver and connected directly over the VPN.
Connection succeeded immediately.
Outlook Credentials & Account Takeover
Browsing through the database tables, we discovered an integrations table containing service account credentials.
One entry stood out — Outlook / Email service account credentials stored in plaintext.
I used them to log into Outlook Web Access.
Full account takeover achieved — inbox access, email reading, and the ability to send as the service account.
Client's Reaction: "Please Stop"
After we presented the complete chain with live proof (especially the working Outlook compromise), the client immediately responded:
"This is serious. Please pause the testing. We need to address this right away."
They were surprised this chain had survived three previous penetration tests and appreciated the depth.
The struggle to find something interesting made the final discovery even more satisfying.
Curiosity (and not giving up) strikes again.
Stay ethical. Test deep. Report impactfully.
— Mr_Curi0sity