Episode: 3425
Title: HPR3425: Hacking Stories with Reacted: part 4
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3425/hpr3425.mp3
Transcribed: 2025-10-24 23:09:17
---
This is Hacker Public Radio Episode 3425 for Friday, the 17th of September 2021.
Today's show is entitled Hacking Stories with Reacted: Part 4.
It is hosted by Operator and is about 18 minutes long and carries a clean flag.
The summary is, I talk about some old, old, old, pen-testing stories from days old.
This episode of HPR is brought to you by AnHonestHost.com.
Get 15% discount on all shared hosting with the offer code HPR15.
That's HPR15.
Better web hosting that's honest and fair at AnHonestHost.com.
This is another episode of Hacker Public Radio.
This is another episode of Hacker Public Radio with Redacted.
I'm going to tell you another Hacker story here.
This should be sort of one.
This one starts out pretty standard.
Had some folks shadowing with me, which is not usually normal to have more than one person
with me.
But we had two people with me.
One was technical in nature, but he was pretty green.
I'll say that he hardly had any technical knowledge at all.
But the other guy was kind of the manager of the project, and he was kind of hanging out
for the first couple of days establishing relationships with a client and having some stuff,
usually a little talk to him and all that.
So that went down.
We'd started with the normal stuff.
This was the internet kind of a small internet service provider.
We're talking like dial up DSL type of stuff.
So these guys were pretty small outfit.
I won't say that they were huge, but I would say that they were like a regional
internet service provider or something.
They might have been bigger than that, I don't remember.
But they were pretty small, small, small beans.
It's a pretty small shop.
So I do the standard stuff.
Do the discovery phase, recon.
Kind of have the guy shadowing.
We're taking our time because I think we had like two weeks on site.
Or maybe it just felt like I was taking my time because everything kind of fell over when we
tried to do great stuff.
So we started discovery things.
I've got the guy with me shadowing.
I don't run across a whole lot of low-hanging fruit.
I do find one vulnerability with a Symantec server or a Symantec endpoint where you can execute
arbitrary code.
And generally when it comes to like buffer overflows or any kind of exploiting stuff
that can be potentially sensitive or potentially damaging to the service or server,
I'll generally try to get permission from the client before we do it.
So I had already scoped out some of the Unix/Linux stuff, and I had gotten... this was before
Hashcat had support for the hash type that Unix/Linux uses.
There are several different hash types, but default Unix/Linux uses whatever it is.
I don't know, something and then fault it or whatever it was.
So anyways, Hashcat or oclHashcat didn't have the support for that.
So the only thing around was called Extreme Brute-forcer, and that was the only one
that supported that hash type.
And I will say, not even six months after that,
oclHashcat, I think, at least Hashcat had support.
oclHashcat had support for it later, but anyways we had this Extreme Brute-forcer
and we were using it with a cheap video card, maybe $150, $150, maybe even a $200 video card.
We were using that to crack on these hashes because we had found some default
login Unix boxes, Unix/Linux boxes that were used, which appeared to be for some
level of services. So you could use default credentials on a Linux box; usually that's how you get
access to a Linux box, or some kind of issue with a PHP script or Apache.
Those are the low-hanging fruit for the Linux stuff.
Default logins, bad configs, root/root, root with a blank password, whatever.
So get access to that, dump the hashes of users that are not essentially blank or
root/root users that already have the password too.
Literally, I'll just dump all the passwords in there because it will crack
weak passwords instantly. So I got all these hashes off these Unix boxes, I said they're an ISP,
and I started rummaging around the Unix/Linux stuff, started getting some fruit,
started getting some of the beans and potatoes and all that of the structure
and understanding how the users are connected and I essentially had access to all the Unix Linux
environment, which where a lot of your important stuff sits is actually in the Unix Linux
environment. If you really dig into most companies and infrastructures, they're sitting in a
database somewhere and usually that database is hopefully not Windows SQL or Microsoft SQL.
Hopefully, it's a postgres database or something like that, if they're big scale enough.
So these guys had some stuff running, but you know, it was ugly enough to where we had
basically owned all their Unix Linux environment with a couple of Default log-ins and then dumping
those hashes, cracking them, and they were some pretty weak passwords that went to all the other
boxes and they were flown across the enterprise. Trying to pay attention, make sure I'm not missing my
exits here. So anyways, we got the Unix/Linux stuff, but we hadn't gotten domain admin yet,
which is kind of the holy grail where you can kind of show that impact, log in to the
Exchange controller. What people will do is, back in the day when everybody ran Exchange,
you can log in to the Exchange server and run something like Mimikatz and dump every single user,
like we're talking phones, everything that was authenticated through Outlook.
Any user, it would dump their plaintext credentials. So we would use that and then do like a
password audit and say, okay, here's all your weak passwords. They're like company name,
winter 27, or whatever, winter 2015, or whatever the year was. So we had Unix/Linux, we had
some Windows, but not like domain admin, and there was one particular box that we wanted to
run an exploit against, but I didn't have a whole lot of experience with this particular
exploit, and it involved that buffer overflow or some type of memory use-after-free, whatever
type of attack. So generally, what I'll say is if I'm not 100% sure if it's going to crash
it or not, crash the box or blue screen it, or maybe crash the service, I'll say, you know what,
I want to get approval for this exploit before I run it against this box. I'm not 100% sure of
the confidence level in this exploit to damage or crash the box, whatever, I haven't reviewed it.
So as I'm waiting for that to go through for management and the management are and they're
talking to the client and they're trying to get the okay. As I'm doing that, I stumble across
a misconfiguration somewhere. I want to say I want to say it had to do with, it wasn't an exploit,
it was like a misconfiguration of either a default user, again, it's always default user,
default configuration, some kind of weird app somewhere it was or like a default login of
some kind of something that had code execution. So I get code execution and then I get kind of
domain admin, and by the time I do that, this is probably day three, day four. By the time I do
that, I get word back from the client saying yes, you can run the exploit. Tee hee hee hee,
the Unix/Linux guys said that, you know, huh, Windows sucks, you know, blah, blah, blah, we don't have
to worry about our stuff because our stuff is legit. This guy's been testing Windows and we're
all good because we're Linux and we're locked down, and they didn't know that I actually had access
to all or most of their Unix/Linux boxes. I think that's the SSH keys, which essentially is
like a password or a key to get in what people will do is install the same key on all their servers.
In that key, they'll put on one server and they'll install on all their servers so they can
SSH straight into all their servers. By not having multiple keys or protecting those keys with
strong passwords, once you pop one box, you can SSH into all the other boxes that have that same
key without a password. So the idea there is that gives you kind of lateral movement across
that whole space. So I had access to like 300, 500 boxes, something like that of all Unix stuff.
So the Unix guys are sitting there laughing in the corner. Meanwhile, I've already owned the
domain. I don't need that silly exploit anymore. I've already found something we can figure
somewhere and we're ready to go off to the races. We're off to the races, pulling everything down
and I had had a coworker that said, you know what, he took a screenshot of like the CFO's email
and to show the impact. And usually what I would do was kind of show the, just show the impact
from its rating at the audio there. Just show the impact from a standpoint of making
it real. I usually I would just do, so okay, I had that domain admin. I draw a little picture
in Visio and show that escalation path. The kill chain to domain admin. And that would
scare the pants off of most good IT people, but anybody in the business doesn't really know the
impact of that. They don't understand that that gives you access to everything eventually, right?
That's how AD is kind of configured and most people wrap around AD around everything and don't
use password vaulting and all that stuff. So what I did was I wanted to kind of step up my game
on the impact and show the impact to the client and make it real. And the client had actually told
us that you know what, this report is going to be massaged on this way up. I'm not really comfortable,
you know, I'm not really confident in the value that it's going to provide. I said, you know what,
I think we can do something about that. We can give you some real impact and show you some real,
you know, real world scenarios of what this would look like on the front page of the newspaper,
right? So first thing I do is dump all the creds. I find out who is logging in to the,
logging in to Exchange, run Mimikatz, dump all the passwords, figure out which of those users is
like the CFO or COO or somebody super important. Log in to OWA, of course it's externally facing
like every OWA back then. And that logs straight into their OWA. And I just took a screenshot
of the title pages. Like it was the titles of the emails and that was pretty much it, right? I left
it at that and then I scrubbed, I don't even think I scrubbed anything. I just left the titles
and then it had the person's name, which is like the CFO of the company in the screenshot.
And then the course I might have taken some other screenshots of like authentication cookies,
but it's nobody's going to understand any of that crap that I had authentication cookies for all
of his like social media and anything that was in his browser for stored cached credentials and
stored cookies. I had access to all that and all the internal apps that he had access to. He was
accessing internal or resources and I had all the cookies to log in and authenticate to those,
which nobody understands. They, they, they see email, somebody else's email, and that, that hits
closer to home, right, as far as impact goes. So I do my standard report, get it all out, and
the manager on the project, I don't think he's actually worked with me before. I don't think he's
actually done a real pen testing full-blown pen testing agent before. So given the report
he decides to tell the client like 20 minutes before the meeting that he's just going to drop the
bomb on him and let him know. Generally what happens is when you tell him hey you know this guy
he got, he got access to this machine and now we have domain admin, and how do you want to approach
this? How do you want to sell this message? Do we want to, do we want to have a quick chat?
Talk about it first before we drop the bomb on everybody and say, you know, this guy completely
owned them sideways. But what he decided to do was to just drop the bomb like right before the
meeting and he sent out the attachment. And we get on the bridge, I dial in, I'm doing my
thing, running through it. When we get through like this until like the second slide of the email
and people flip, they lose it. They see the CFO's, they see the CFO's email and they're like, how
did you get to this? It's like, well, I mean, I'm in and I dumped the credentials, blah blah blah,
and they're like okay well let's just let's just you know they either breeze through the rest of
the report. But they say let's just let's just put this on hold. Let's you know we're trying to
try to figure out what's going on, and that night or later that next day, I think it was that night
after the call we had with them earlier in the morning, that night my boss calls up and says,
look man these guys are flipping out, don't touch anything, don't touch your computer, lawyers
are getting might get involved, these guys are going crazy, they're flipping out because of
this email. Supposedly a title of the email has supposedly scared people about some kind of
acquisition or some BS which is all total. I have to assume that's just total BS. What happened
is that this went up rolled up to the business. The business saw that I could someone you know
a malicious actor could actually access someone's email. That came that was a little too real
for, for the client and the business, and they just kind of went pitchforks and
torches right. So I get this call and I'm kind of half scared but at the same time I'm
hilariously laughing internally because he just dropped it. He's like you know this guy came in
on his sideways, here's your CFO's email like mic drop and I thought I was a little aggressive
and it did turn out to be a cluster. So after that that night I'm kind of concerned a little bit
but I'm still more amused than anything because we did our due diligence, we had our get out of jail,
we followed all the processes, we didn't break out of scope, we did everything we were supposed to do.
So they come back, finally a day or two later the manager finally calls me and says yeah you know
cooler heads have prevailed and this engagement is kind of as whatever we're good, right?
You can go ahead and whatever and I think he actually told me to delete everything
from the from the actual engagement and he told me to like send him an email saying that I
deleted it which is kind of like proving a negative I don't really understand the point of that but
anyways I was actually told to delete all the evidence from the from the report which I wasn't too
concerned about, it was all the standard crap, you know, credentials, weak, weak hashes, all that
stuff. There wasn't anything super ninja that I would need to keep notes on and sanitize
but in general he told me to delete all that stuff so the next day or two goes by and finally
he calls me back and it's you know cooler heads have prevailed you know don't worry about it we're
taking care of it blah, blah, blah, blah and we had some laughs and it was kind of funny and
that was the whole game for a while it's like you know this it just got real for these guys it was
kind of hilarious. The cooler story is maybe a year or two later the client says, oh yeah, we
wanted to, we don't want to do another pen test, but you know that guy you sent the first time,
do not send that guy and when I heard that and when the manager told me that the same manager that
did the whole mic drop thing when he told me that I just that was the the most best validation you
could possibly get because I did everything I was supposed to do I was the guy on the field I was
the guy on the ground I didn't really have to communicate to the client that much I just had to
do my job and execute effectively and show that impact and when I showed that impact I think
it got too real for the client right and they they they they they went a little bit a little bit crazy
based on that. So it's pretty good validation that's another example of like you know if you know
stuff got real, and you know that when you hear that someone, you know, you did a pen test and they
don't want you back because of how fucking sideways you owned them that's a pretty good sign
that you're doing your job right unfortunately at the time and even now people can can meet
that type of impact and showing that type of level of scare tactics for lack of a better term
um can can can can kind of go sideways if if you're not careful but anyways that was a quick one
might do another one, we'll see how long this ended up being, 17, so I'll probably end this one up
and then do maybe another one. You've been listening to Hacker Public Radio at HackerPublicRadio.org.
We are a community podcast network that releases shows every weekday, Monday through Friday.
Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever
thought of recording a podcast, then click on our contributing to find out how easy it really is.
Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and
it's part of the binary revolution at binrev.com. If you have comments on today's show, please email
the host directly, leave a comment on the website or record a follow-up episode yourself.
Unless otherwise stated, today's show is released under the Creative Commons
Attribution-ShareAlike 3.0 license.