MONASWIKI

Activity History

60 events · May 13 – May 19

60 Total Events
35 Agent Actions
25 Human Actions
3 Engagements
Tuesday, May 19, 2026 (10 events)
claude-mcp · wiki.lookup.cve · 06:54

Looked up CVE-2024-1234 — CVSS 9.8, EPSS 0.94, exploit confirmed functional. Linked to fnd-001.

Acme Corp External Pentest
cveId=CVE-2024-1234 · cvss=9.8 · epss=0.94
monas · wiki.engagement.attach_evidence · 06:37

Attached sqli_union_proof.png (412KB) — shows full user table dump via UNION injection.

Acme Corp External Pentest
file=sqli_union_proof.png · size=412KB · findingId=fnd-001
claude-mcp · wiki.graph.assert_edge · 05:49

Asserted edge: SVC_BACKUP → DC01.techstart.local [PATH_TO] (weight: 3). Confidence: 0.91.

TechStart Internal Red Team
edge=ts-svc1→ts-dc1 · label=PATH_TO · weight=3
claude-mcp · wiki.knowledge.assert_claim · 05:14

Claim promoted to FACT: api.acme.com Node.js API has no rate limiting on /api/v1/users (verified 5x).

Acme Corp External Pentest
claimId=clm-0091 · tier=FACT · confidence=0.99
monas · wiki.engagement.add_finding · 04:44

Added fnd-004: Stored XSS in product review comment field. Severity HIGH. PoC confirmed in Firefox 124.

Acme Corp External Pentest
findingId=fnd-004 · severity=HIGH · status=CONFIRMED
claude-mcp · wiki.lookup.technique · 03:59

Looked up T1558.003 (Kerberoasting) — mapped to ts-v1 vulnerability node, linked SVC_BACKUP credential.

TechStart Internal Red Team
mitreId=T1558.003 · linkedNodes=ts-v1,ts-svc1
claude-mcp · wiki.search.findings · 03:29

Search: "deserialization" → 3 related findings across 2 engagements. Surfaced Commons Collections gadget chain.

Acme Corp External Pentest
query=deserialization · resultCount=3
claude-mcp · wiki.similar_engagements · 02:59

Found 2 similar past engagements with JWT hardcoding pattern. FinTech + API + public repo = high-confidence match.

FinTech API Security Audit
matchedEngagements=eng-003 · pattern=jwt-hardcoded-secret
monas · wiki.engagement.log_activity · 01:49

Manual verification of RCE deserialization — exec whoami returned www-data on api.acme.com:8443.

Acme Corp External Pentest
findingId=fnd-002 · verificationCommand=id · output=uid=33(www-data)
monas · wiki.tradecraft.propose_payload · 01:14

Proposed pay-007 (Responder + NTLMRelayx) targeting FS01 via LLMNR poisoning. Estimated 79% success rate.

TechStart Internal Red Team
payloadId=pay-007 · targetHost=FS01.techstart.local
Monday, May 18, 2026 (8 events)
claude-mcp · wiki.context.bundle · 06:29

Context bundle exported for eng-001: 42 claims, 15 nodes, 14 edges. Bundle ID: ctx-20260517-001.

Acme Corp External Pentest
bundleId=ctx-20260517-001 · claims=42 · nodes=15 · edges=14
monas · wiki.engagement.add_finding · 05:59

Added fnd-003: Broken Access Control on /admin/*. Server returns 200 for unauthenticated direct URL requests.

Acme Corp External Pentest
findingId=fnd-003 · severity=HIGH · path=/admin/*
claude-mcp · wiki.graph.assert_edge · 04:44

Asserted edge: WS-PENTEST01 → ts-v1 [EXPLOITED] (weight: 3). Kerberoasting executed from compromised workstation.

TechStart Internal Red Team
edge=ts-ws1→ts-v1 · label=EXPLOITED · weight=3
claude-mcp · wiki.knowledge.assert_claim · 03:59

Claim asserted: admin.acme.com affected by same BAC as acme.com — both skip server-side authz. Tier: WORKING.

Acme Corp External Pentest
claimId=clm-0087 · tier=WORKING · confidence=0.88
monas · wiki.engagement.log_activity · 03:14

Verified IDOR on /api/v2/transactions/:id — sequential UUIDs confirmed exploitable. 50 transactions accessed.

FinTech API Security Audit
findingId=fnd-007 · transactionsAccessed=50
claude-mcp · wiki.lookup.cve · 02:29

Looked up CVE-2011-3389 (BEAST) — CVSS 5.9, TLSv1.0 downgrade confirmed on lb.acme.com. Linked to fnd-007.

Acme Corp External Pentest
cveId=CVE-2011-3389 · cvss=5.9 · host=lb.acme.com
monas · wiki.tradecraft.propose_payload · 01:59

Proposed pay-008 (SharpHound) for BloodHound AD enumeration. Running as jsmith — domain user privs sufficient.

TechStart Internal Red Team
payloadId=pay-008 · runAs=jsmith
claude-mcp · wiki.search.findings · 00:44

Search: "admin panel access control" → 2 matches in eng-001, 1 in eng-003. Pattern: React SPA frontend auth only.

Acme Corp External Pentest
query=admin panel access control · resultCount=3
Sunday, May 17, 2026 (9 events)
monas · wiki.engagement.attach_evidence · 23:59

Attached rce_deserialization_poc.mp4 (8.2MB) — screen recording of RCE PoC on /api/session/restore.

Acme Corp External Pentest
file=rce_deserialization_poc.mp4 · size=8.2MB · findingId=fnd-002
claude-mcp · wiki.graph.assert_edge · 22:29

Asserted edge: superAdmin JWT → /api/v2/transactions IDOR [EXPLOITS]. Credential enables access control bypass.

FinTech API Security Audit
edge=ft-c1→ft-v2 · label=EXPLOITS
claude-mcp · wiki.lookup.technique · 06:14

Looked up T1021.002 (SMB/Admin Shares) — mapped lateral movement path: SVC_BACKUP → FS01 via admin share.

TechStart Internal Red Team
mitreId=T1021.002 · lateralPath=SVC_BACKUP→FS01
monas · wiki.engagement.add_finding · 05:29

Added fnd-008: SMB Signing Disabled on 14 file servers. Confirmed NTLM relay with Responder on FS01.

TechStart Internal Red Team
findingId=fnd-008 · affectedHosts=14
claude-mcp · wiki.knowledge.assert_claim · 04:59

Claim: nginx/1.24.0 on a-h1 has TLS 1.0 enabled — sslscan output confirms. Tier: FACT.

Acme Corp External Pentest
claimId=clm-0079 · tier=FACT · target=a-s1
monas · wiki.engagement.log_activity · 03:44

Nmap scan complete on 203.0.113.0/24 — 23 live hosts, 4 in scope. Open: 80, 443, 22, 8080, 9090.

Acme Corp External Pentest
liveHosts=23 · inScope=4
claude-mcp · wiki.lookup.cve · 02:59

Looked up CWE-321 (Use of Hard-coded Cryptographic Key) — matched ft-v1 JWT hardcoded secret finding.

FinTech API Security Audit
cweId=CWE-321 · findingId=fnd-006
claude-mcp · wiki.context.bundle · 01:29

Context bundle exported for eng-002: 28 claims, 9 nodes, 9 edges. Bundle ID: ctx-20260516-002.

TechStart Internal Red Team
bundleId=ctx-20260516-002 · claims=28 · nodes=9 · edges=9
monas · wiki.tradecraft.propose_payload · 00:59

Proposed pay-001 (PowerShell AMSI Bypass v3) for post-RCE persistence on acme.com Windows server.

Acme Corp External Pentest
payloadId=pay-001 · targetHost=acme.com
Saturday, May 16, 2026 (10 events)
monas · wiki.engagement.attach_evidence · 23:44

Attached jwt_forge_proof.txt — forged superAdmin token and API response showing full account listing.

FinTech API Security Audit
file=jwt_forge_proof.txt · findingId=fnd-006
claude-mcp · wiki.graph.assert_edge · 22:59

Asserted edge: FS01.techstart.local → SMBSigningDisabled vuln [VULNERABLE_TO] (weight: 2).

TechStart Internal Red Team
edge=ts-fs1→ts-v2 · label=VULNERABLE_TO · weight=2
claude-mcp · wiki.search.findings · 21:29

Search: "CORS wildcard" → 0 findings. Search: "rate limit" → 1 finding (eng-001 api.acme.com).

Acme Corp External Pentest
queries=CORS wildcard,rate limit · resultCounts=0,1
monas · wiki.engagement.add_finding · 06:39

Added fnd-005: Kerberoastable SVC_BACKUP. Cracked RC4 ticket in 3h 47m with hashcat -m 13100.

TechStart Internal Red Team
findingId=fnd-005 · crackTime=3h 47m · hashType=RC4-HMAC
claude-mcp · wiki.knowledge.assert_claim · 05:59

Claim: DC01.techstart.local holds all 5 FSMO roles — single point of failure for domain. Tier: FACT.

TechStart Internal Red Team
claimId=clm-0055 · tier=FACT · target=ts-dc1
claude-mcp · wiki.lookup.technique · 04:44

Looked up T1087.002 (Domain Account Discovery) — BloodHound query identified 3 Kerberoastable accounts total.

TechStart Internal Red Team
mitreId=T1087.002 · kerberoastableAccounts=3
monas · wiki.engagement.log_activity · 03:29

SharpHound collection complete — 847 nodes, 2,341 edges ingested into BloodHound. Shortest DA path: 4 hops.

TechStart Internal Red Team
nodes=847 · edges=2341 · shortestDAPath=4
claude-mcp · wiki.similar_engagements · 02:59

Similarity check: eng-001 API pattern matches 3 prior engagements — all had SQLi in /users endpoint.

Acme Corp External Pentest
matchCount=3 · pattern=sqli-users-endpoint
monas · wiki.tradecraft.propose_payload · 01:44

Proposed pay-006 (SQLMap blind time-based) targeting /api/v1/users?id= with WAF evasion tamper scripts.

Acme Corp External Pentest
payloadId=pay-006 · target=/api/v1/users · tampers=space2comment,between
claude-mcp · wiki.knowledge.assert_claim · 00:59

Claim: GraphQL introspection enabled on /graphql endpoint — 23 mutations exposed including deleteUser. Tier: FACT.

FinTech API Security Audit
claimId=clm-0040 · tier=FACT · mutationsFound=23
Friday, May 15, 2026 (10 events)
claude-mcp · wiki.graph.assert_edge · 23:29

Asserted edge: WS-PENTEST01 → DC01 [AUTHENTICATES_TO] — Kerberos TGT request captured in Wireshark.

TechStart Internal Red Team
edge=ts-ws1→ts-dc1 · evidence=wireshark-cap-001.pcap
monas · wiki.engagement.attach_evidence · 22:59

Attached admin_panel_bypass.png — shows admin dashboard accessible without authentication.

Acme Corp External Pentest
file=admin_panel_bypass.png · findingId=fnd-003
claude-mcp · wiki.lookup.technique · 21:14

Looked up T1552.001 (Credentials in Files) — matched ft-v1. GitHub dork confirmed 847-day-old secret exposure.

FinTech API Security Audit
mitreId=T1552.001 · exposureDays=847
monas · wiki.engagement.log_activity · 06:44

Initial foothold confirmed on WS-PENTEST01 as jsmith. Domain user. SMB access to 3 file shares.

TechStart Internal Red Team
user=jsmith · host=WS-PENTEST01 · shares=Finance,HR,IT
claude-mcp · wiki.context.bundle · 05:59

Context bundle for blog draft blog-001 — extracted 3 sanitized findings, redacted all client-identifying data.

Acme Corp External Pentest
bundleId=ctx-20260514-001 · forBlog=blog-001 · findingCount=3
claude-mcp · wiki.graph.assert_edge · 04:29

Asserted edge: [email protected] credential → T1078 [ENABLES] — credential enables valid account abuse.

Acme Corp External Pentest
edge=a-c1→a-t2 · label=ENABLES
monas · wiki.engagement.add_finding · 03:44

Added IDOR finding: /api/v2/transactions/:id — sequential UUIDs, no user scoping. CVSS 8.1.

FinTech API Security Audit
findingId=fnd-007 · cvss=8.1 · path=/api/v2/transactions/:id
claude-mcp · wiki.search.findings · 02:59

Search: "kerberos" → 1 finding (fnd-005). Search: "ntlm relay" → 1 finding (fnd-008). 0 false positives.

TechStart Internal Red Team
queries=kerberos,ntlm relay · resultCounts=1,1
monas · wiki.engagement.log_activity · 01:29

Confirmed credential: [email protected] / [REDACTED] — source: SQLi dump. Admin console access verified.

Acme Corp External Pentest
credentialId=a-c1 · source=sqli-dump · accessVerified=true
claude-mcp · wiki.knowledge.assert_claim · 00:44

Claim: FinTech API uses HS256 (symmetric) JWT — secret same for all environments. Tier: FACT (confirmed via GitHub commit).

FinTech API Security Audit
claimId=clm-0022 · tier=FACT · evidence=github-commit-a3f92c1
Thursday, May 14, 2026 (8 events)
monas · wiki.tradecraft.propose_payload · 23:59

Proposed pay-005 (Rubeus Kerberoast) against SVC_BACKUP SPN. Expected crack time < 6h with rockyou + rules.

TechStart Internal Red Team
payloadId=pay-005 · targetSPN=backup/FS01.techstart.local
claude-mcp · wiki.lookup.cve · 06:49

Searched CVE database for SMB signing bypass — no specific CVE. CWE-300 applies. Mapped to fnd-008.

TechStart Internal Red Team
searchTerm=SMB signing disabled · cweId=CWE-300
monas · wiki.engagement.attach_evidence · 05:59

Attached sqli_proof.png (234KB) — blind time-based injection confirmed on /api/v1/users?id=1.

Acme Corp External Pentest
file=sqli_proof.png · size=234KB · findingId=fnd-001
claude-mcp · wiki.graph.assert_edge · 04:29

Asserted edge: Node.js API :8080 → SQLi vuln [VULNERABLE_TO] (weight: 3). Highest-priority path confirmed.

Acme Corp External Pentest
edge=a-s2→a-v1 · weight=3
claude-mcp · wiki.similar_engagements · 03:44

Similarity: eng-003 JWT pattern matches 1 prior engagement (fintech-2025-q4). Same HS256 hardcoded key class.

FinTech API Security Audit
matchedEngagement=fintech-2025-q4 · similarity=0.91
monas · wiki.engagement.add_finding · 02:59

Added fnd-001: SQL Injection CRITICAL in /api/v1/users. Confirmed blind time-based + UNION. Data exfiltrated.

Acme Corp External Pentest
findingId=fnd-001 · severity=CRITICAL · technique=Blind Time-Based + UNION
claude-mcp · wiki.context.bundle · 01:29

Context bundle for AD attack path analysis: SVC_BACKUP → FS01 → DC01. 3-hop domain admin path documented.

TechStart Internal Red Team
bundleId=ctx-20260513-002 · attackPath=SVC_BACKUP→FS01→DC01 · hops=3
monas · wiki.engagement.log_activity · 00:59

Google dork confirmed JWT secret in GitHub — repo public, commit 847 days old, no secret scanning enabled.

FinTech API Security Audit
dork=site:github.com/fintech-solutions jwt secret · exposureDays=847
Wednesday, May 13, 2026 (5 events)
claude-mcp · wiki.lookup.technique · 06:29

Looked up T1190 (Exploit Public-Facing App) — FACT tier, 3 confirmed instances in engagements this month.

Acme Corp External Pentest
mitreId=T1190 · confirmedInstances=3
monas · wiki.engagement.add_finding · 05:44

Added fnd-002: RCE via Java deserialization on /api/session/restore. Commons Collections 3.1 gadget chain.

Acme Corp External Pentest
findingId=fnd-002 · gadgetChain=commons-collections-3.1
claude-mcp · wiki.knowledge.assert_claim · 04:59

Claim: /api/session/restore accepts serialized Java objects without type validation. Tier: WORKING → FACT after PoC.

Acme Corp External Pentest
claimId=clm-0011 · tier=FACT · promotedFrom=WORKING
monas · wiki.engagement.log_activity · 03:59

Engagement kick-off: scope confirmed 10.0.0.0/8. Initial nmap: 342 live hosts, 18 DCs identified across 4 domains.

TechStart Internal Red Team
liveHosts=342 · domainControllers=18 · domains=4
claude-mcp · wiki.search.findings · 02:29

Initial search seeded knowledge base for eng-001: 0 prior findings. Starting fresh graph with 3 confirmed host nodes.

Acme Corp External Pentest
engagementId=eng-001 · priorFindings=0 · initialNodes=3