Client: Confidential
Service: Penetration Testing
Industry: Trading Data Provider
Year: 2025
Problem
Solution
From this foothold, we conducted targeted internal reconnaissance and identified Jira and Confluence instances operating within the network. One of these was a non-primary Confluence instance, used for staging and legacy team workflows, that had not been maintained in line with the organization’s patching SLAs. This instance remained vulnerable to CVE-2022-26134, a widely exploited remote code execution vulnerability.
Fortuna leveraged this flaw to gain a local user account on the affected host. The obtained account did not have root privileges, but the vulnerability executed code as the Confluence service account. This allowed us to instrument the running Confluence process using strace and observe authentication-related system calls. As a result, we were able to recover LDAP credentials, which were transmitted in cleartext due to insecure directory configuration.
The Confluence service account, while restricted locally, was associated with a privileged Active Directory account used for LDAP authentication. Use of these credentials enabled direct authentication to domain services and resulted in full administrative access, demonstrating a complete compromise of the organization’s identity infrastructure.
Key results
Validated attack path beginning from basic VPN access
Identified and exploited Confluence RCE (CVE-2022-26134)
Discovered a novel internal technique for credential sniffing
Achieved full domain controller compromise, proving risk of total internal takeover
Client: Confidential
Service: Penetration Testing
Year: 2024
Fortuna conducted a white-box security assessment to evaluate the impact of recent performance-driven changes to a core payments system.
Client: Confidential
Service: Penetration Testing
Year: 2025
Fortuna conducted an on-site office penetration test to see if an attacker could access the client's enterprise network via physical or wireless weaknesses.