Analysis blog of a 0-day vulnerability that has no CVE ID assigned to it
Summary
While preparing for a Red Team Engagement, I learned about the Forcepoint Endpoint One DLP client. The product contains a limited Python interpreter that can be run by non-administrator users. I managed to remove the restrictions, leaving me with a fully functional Python interpreter. Importantly, Forcepoint's own recommendation is that the entire installation folder be added to the exclusion list of AV and monitoring systems. This gave me the idea of using the "secret" interpreter to gain "initial access" to the client through a phishing attack, which I successfully implemented in practice. Later, I found a vulnerability that was accepted and rated high severity, but internal testing had already found it before me, so no CVE will be assigned to it.