Enterprise zone: legacy, accumulated privilege, and dual-homed bridges

From wizzards-retreat, the enterprise zone (10.10.1.0/24) is reachable over a standing network attachment. Besides the attacker's current position, three live hosts appear in the segment: a legacy machine at 10.10.1.10 and two workstations at 10.10.1.20 and 10.10.1.30.

The legacy machine embodies two decades of organisational inertia. Telnet on port 23 drops directly to a Windows 95 shell with no login prompt, a service exposed in 1999 and never shut down. FTP and SMB both expose the same public share. The ENGINEER.LOG file in that share reads like a credential cheat sheet: every system password in the building, written by someone consolidating knowledge for an administrator who had accumulated too much to memorise.

The second finding is the finance workstation at 10.10.1.20. It began as a corporate machine, accessing the operational zone for legitimate work: a monthly report script that ran against the historian. But reasonable decisions accumulated. Credentials were hard-coded because that was faster. A scheduled task ran the script; nobody revoked access when the temporary arrangement became permanent. Over time, the machine became dual-homed without anyone noticing the pivot it represented.

route print on the finance workstation shows it: two adapters and two on-link routes, 10.10.1.0/24 out the enterprise NIC and 10.10.2.0/24 out a second NIC nobody documented. A finance workstation that can reach every operational-zone host without going through the engineering workstation or any inter-zone firewall. That is the moment the machine stops being a finance workstation and becomes a crossing point.
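One way to turn that route print observation into a repeatable check, as an added example that is not part of the original write-up: a small Python script that parses the IPv4 table from route print and reports which zones a host has a NIC on. Both route tables below are constructed for illustration (the second NIC's address 10.10.2.20, the metrics, and the single-homed 10.10.1.30 table are invented), and the zone-to-subnet mapping is an assumption drawn from the addresses in the text. It generalises the observation slightly: any host whose table carries on-link routes into two or more listed zones is flagged, whichever zones they are, while routes that merely go via a gateway are ignored, since reaching a zone through a router is normal and owning a NIC on it is what makes a host a crossing point.

```python
import ipaddress
import re
from collections import defaultdict

# Zones as they appear in the write-up: enterprise 10.10.1.0/24 and
# operational 10.10.2.0/24. The mapping itself is an assumption.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.1.0/24"),
    "operational": ipaddress.ip_network("10.10.2.0/24"),
}

# Constructed `route print` excerpt for the finance workstation (10.10.1.20).
# The second NIC at 10.10.2.20 and the metrics are invented for illustration.
ROUTE_PRINT_FINANCE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.10.1.1      10.10.1.20     25
        10.10.1.0    255.255.255.0         On-link      10.10.1.20    281
       10.10.1.20  255.255.255.255         On-link      10.10.1.20    281
      10.10.1.255  255.255.255.255         On-link      10.10.1.20    281
        10.10.2.0    255.255.255.0         On-link      10.10.2.20    281
       10.10.2.20  255.255.255.255         On-link      10.10.2.20    281
      10.10.2.255  255.255.255.255         On-link      10.10.2.20    281
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link       127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      10.10.1.20    281
===========================================================================
"""

# Constructed excerpt for a single-homed workstation (10.10.1.30), for contrast.
ROUTE_PRINT_SINGLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.10.1.1      10.10.1.30     25
        10.10.1.0    255.255.255.0         On-link      10.10.1.30    281
       10.10.1.30  255.255.255.255         On-link      10.10.1.30    281
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    331
"""

# Five whitespace-separated columns, the last one (metric) numeric.
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Yield (network, gateway, interface_ip) for each route line.

    Header, separator and blank lines do not match the five-column
    pattern and are skipped; so are rows whose destination/netmask or
    interface column is not a valid IPv4 value."""
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, _metric = m.groups()
        try:
            net = ipaddress.ip_network((dest, mask), strict=False)
            iface_ip = ipaddress.ip_address(iface)
        except ValueError:
            continue
        yield net, gw, iface_ip


def attached_zones(route_text, zones=ZONES):
    """Map zone name -> set of local interface addresses that have an
    on-link route into that zone. Default (/0) and host (/32) routes are
    ignored, as are routes via a gateway: only a NIC sitting on the zone's
    subnet counts as direct attachment."""
    hits = defaultdict(set)
    for net, gw, iface_ip in parse_routes(route_text):
        if net.prefixlen in (0, 32) or gw.lower() != "on-link":
            continue
        for name, zone in zones.items():
            if net.subnet_of(zone) and iface_ip in zone:
                hits[name].add(str(iface_ip))
    return dict(hits)


def is_dual_homed(route_text, zones=ZONES):
    """True when the host has a NIC on two or more of the listed zones."""
    return len(attached_zones(route_text, zones)) >= 2


if __name__ == "__main__":
    for host, table in (("10.10.1.20", ROUTE_PRINT_FINANCE),
                        ("10.10.1.30", ROUTE_PRINT_SINGLE)):
        verdict = "dual-homed" if is_dual_homed(table) else "single-homed"
        print(host, verdict, attached_zones(table))
```

Run against saved route print output from each host in the segment, the same check separates the crossing points from ordinary workstations without having to read every table by hand; for the constructed tables above, 10.10.1.20 is reported as attached to both zones and 10.10.1.30 to the enterprise zone only.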

The dual-homed architecture repeats throughout the network. Machines added to new zones keep their old ones. The result is a system where connectivity was intended to flow through explicit paths, but actually flows through every machine that ever belonged to more than one segment.