468 lines
32 KiB
Plaintext
468 lines
32 KiB
Plaintext
|
Episode: 3395
|
||
|
|
Title: HPR3395: Hacking Stories with Reacted: part 1
|
||
|
|
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3395/hpr3395.mp3
|
||
|
|
Transcribed: 2025-10-24 22:41:00
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
This is Hacker Public Radio Episode 3395 for Friday, the 6th of August 2021.
|
||
|
|
Today's show is entitled Hacking Stories with Reupted.
|
||
|
|
Part 1. It is hosted by Operator and is about 33 minutes long and carries an explicit flag.
|
||
|
|
The summary is, I talk about some old old, old pen-testing stories, from days old.
|
||
|
|
This episode of HBR is brought to you by an Honesthost.com.
|
||
|
|
Get 15% discount on all shared hosting with the offer code HBR15.
|
||
|
|
That's HBR15.
|
||
|
|
Better web hosting that's Honest and Fair at An Honesthost.com.
|
||
|
|
This is a episode of Hacker Public Radio with your host Redacted.
|
||
|
|
Today I'm going to be going over a series called Hacker Stories.
|
||
|
|
I will be using some voice modulation and protecting the clients and users that I've worked with.
|
||
|
|
But I wanted to go over a couple of stories, or at least one, here on the drive that I'm doing.
|
||
|
|
So this first one was a school, a technical school that was fairly popular with younger generations.
|
||
|
|
And I would say they're pretty big school, I think, to head several campuses in the city.
|
||
|
|
But anyways, these guys wanted a physical assessment.
|
||
|
|
We had done some remote stuff with them before in the past.
|
||
|
|
It was pretty high level.
|
||
|
|
But they wanted a full bone, physical, you know, fishing, and all that good stuff.
|
||
|
|
So I had been on my own for a while and this was, I think, an on my own assessment.
|
||
|
|
And they had two kind of buildings or two targets.
|
||
|
|
One was like a corporate or a home office or a school office thing where all their technical
|
||
|
|
information and accounting and all the administration and all that stuff was out of.
|
||
|
|
Which had a few floors and about five floors or so of this tall water building.
|
||
|
|
And the other campus was an actual school where they had the equipment.
|
||
|
|
I don't want to say what kind of equipment it was, but it was fairly high in the equipment
|
||
|
|
for these kids to work on.
|
||
|
|
Really cool, creative environment for people to test out and work on these different types of equipment.
|
||
|
|
So we're talking about some pretty high dollar stuff.
|
||
|
|
You had goons wearing various colors depending on what type of goon they were.
|
||
|
|
The students had particular colors.
|
||
|
|
And myself, I was supposed to get a shirt.
|
||
|
|
But I never got a shirt for the school so that I would blend in with the other other students.
|
||
|
|
So did my, you know, recon about the building, did a couple of drive rounds.
|
||
|
|
You know, they had physical cameras and physical everything.
|
||
|
|
You have your get out of jail card, all that stuff.
|
||
|
|
The general approach is that you're given kind of some scope of what you can do,
|
||
|
|
what you can't do.
|
||
|
|
And then more importantly, what the contacts are for your get out of jailness.
|
||
|
|
And you have that with the document and printed information.
|
||
|
|
And you take that once you do get caught or if you do get caught.
|
||
|
|
I haven't done a whole lot of them, but when I have, they're quite exciting stories because
|
||
|
|
the physical stuff can be quite entertaining sometimes.
|
||
|
|
So I just want to try to bring a couple of these to you guys.
|
||
|
|
So what ended up happening is did some recon.
|
||
|
|
And the first time around, I think this was a two year engagement actually.
|
||
|
|
We hit him first and then we hit him a second time.
|
||
|
|
So I'll go over the first time.
|
||
|
|
The first time we hit him, I want to say, yeah.
|
||
|
|
So the first time we hit him was at the regular office.
|
||
|
|
It wasn't actually at the school, it was at the administration office.
|
||
|
|
So the contact there was probably two cubes away or two offices away from where I sat.
|
||
|
|
So it was behind two layers of bad access.
|
||
|
|
So if I wanted to go to the restroom, I kind of had to do it during lunch rush because
|
||
|
|
I had to kind of piggyback two layers deep into to get back to my cube where my system was and
|
||
|
|
all that stuff. So that was a bit of a predicament.
|
||
|
|
Physical access is usually pretty easy.
|
||
|
|
What I like to do is pretend like that I'm on my phone.
|
||
|
|
A lot of people don't want to bother you.
|
||
|
|
You're on your phone and people let you open the door.
|
||
|
|
Nobody's going to interrupt your phone call.
|
||
|
|
And you're talking about a guy with a black backpack and spiky hair and a green
|
||
|
|
line green phone, like suspect on all levels, right?
|
||
|
|
And I never really got stopped that much.
|
||
|
|
And if it was, it was because I was kind of turning up the knob too much.
|
||
|
|
So physical is actually kind of cheating.
|
||
|
|
It's a little too easy.
|
||
|
|
And I don't have a whole lot of experience in that space anyways.
|
||
|
|
But I'll go more along the story.
|
||
|
|
The first thing we got there, I got there, did some recon with the round,
|
||
|
|
figured out what the floors were.
|
||
|
|
The first floor was where I was told that I would try to sit.
|
||
|
|
And again, that was behind two layers at Badge Access.
|
||
|
|
So I got past the two layers.
|
||
|
|
You kind of, what you want to do is kind of go in one room.
|
||
|
|
And there's millions of books out there.
|
||
|
|
But what I had success in is that kind of go into a common area
|
||
|
|
and then come out of the common area and follow someone else to a second staging area,
|
||
|
|
a second area, or hang out in front of the door with your phone
|
||
|
|
and until you can get into that second area.
|
||
|
|
So I actually kind of piggybacked to get into the facility.
|
||
|
|
And then I went to the break room and kind of would follow people around
|
||
|
|
from the break room to the second area to where I could get to a cube.
|
||
|
|
Ended up at a cube.
|
||
|
|
And this guy across from me was, you know, Bob, whatever his name was.
|
||
|
|
This guy Bob coded applications for the support of the company.
|
||
|
|
I don't know what he coded in, but he was a coder.
|
||
|
|
And you know, I talked to him and said, you know,
|
||
|
|
how long he's been there and what he's been up to.
|
||
|
|
And he asked me, you know, he asked me what I was here for.
|
||
|
|
And I said, yeah, I'm here to do some consulting for you guys,
|
||
|
|
which wasn't a lie.
|
||
|
|
I wasn't lying to anyone.
|
||
|
|
And I try not to lie to him, to people in general.
|
||
|
|
I just tell them what I'm there for and what I do.
|
||
|
|
And I said, yeah, I'm hearing you know,
|
||
|
|
I'm just consulting to do some security stuff.
|
||
|
|
And, you know, he figured I had a badge and all that good stuff.
|
||
|
|
I don't even think I wore a badge.
|
||
|
|
And it's during this assessment.
|
||
|
|
So I plug in setup.
|
||
|
|
Of course, I can jump straight on the network.
|
||
|
|
So I kind of start my discovery efforts and go through that mess.
|
||
|
|
You know, kind of the quiet, tell-out approach is what,
|
||
|
|
is what generally you all end up doing.
|
||
|
|
So I start doing my testing.
|
||
|
|
I get through access default credentials, of course,
|
||
|
|
to a box or a SO8067, which is an XP vulnerability
|
||
|
|
that's been around since the ages.
|
||
|
|
So it started out with kind of, I think,
|
||
|
|
a vulnerable service or default credential.
|
||
|
|
Usually that's what it is.
|
||
|
|
Passwords, brain, things like that.
|
||
|
|
So I got access to that.
|
||
|
|
Started looking around to get access to their Citrix environment,
|
||
|
|
which was where the meeting potatoes was.
|
||
|
|
Everything they had was in Citrix.
|
||
|
|
Every app they had was inside of a Citrix app.
|
||
|
|
And I have very little knowledge with Citrix
|
||
|
|
to that it's basically the kiosk that you remote into.
|
||
|
|
And you can kind of do stuff and it's sort of a kiosk
|
||
|
|
to where you can't really do much of anything
|
||
|
|
except run that application.
|
||
|
|
And that's the intention.
|
||
|
|
But it's not often explained that you can break out of a kiosk
|
||
|
|
and how easy that is.
|
||
|
|
So I knew that stuff was inside of this virtual,
|
||
|
|
whatever you call it, the Citrix garbage.
|
||
|
|
So I went around, started hunting around to see which users
|
||
|
|
were using the application.
|
||
|
|
And I kind of got lazy, right?
|
||
|
|
So what I ended up doing was adding myself
|
||
|
|
to, I had domain admin at this point
|
||
|
|
by what usually happens is you take credentials
|
||
|
|
and spray them across the network.
|
||
|
|
So if I have valid credentials or valid hash
|
||
|
|
for a particular system and SMB signing is not enabled,
|
||
|
|
which is very rare even today, SMB signing is not enabled.
|
||
|
|
You can take those credentials and spray them across the network.
|
||
|
|
So you can try to get administrator level access
|
||
|
|
and then dump those credentials to playing text
|
||
|
|
if there's no AV on there, whatever.
|
||
|
|
So I get domain admin by getting access to several boxes
|
||
|
|
and escalating from there straight to domain admin.
|
||
|
|
I started to add myself to, I think, I had a script
|
||
|
|
that would add me to every single domain user.
|
||
|
|
And don't ever do that because if you think about it,
|
||
|
|
if you've ever been technology,
|
||
|
|
sometimes people create scripts based on what group you're in.
|
||
|
|
So if you're in a group or if you trigger a specific thing
|
||
|
|
or script, it kicks off something, some kind of process.
|
||
|
|
So if I put myself in all of the groups
|
||
|
|
in all of the active directory,
|
||
|
|
that's usually not going to go well
|
||
|
|
because in some cases there's groups in there
|
||
|
|
that are like disabled groups.
|
||
|
|
Like does it disable users group or something like that?
|
||
|
|
I essentially kind of got lazy and I wanted to see
|
||
|
|
what would happen if I could just add myself to all the groups
|
||
|
|
and then see what happened if I had, if I could actually
|
||
|
|
do this with all these pieces.
|
||
|
|
So the idea is that I let this script run
|
||
|
|
and it kind of got wonky and I killed it.
|
||
|
|
And this was about two days in the assessment.
|
||
|
|
Generally speaking, under about 3,000 hosts or so,
|
||
|
|
it starts to get pretty easy to compromise an entire network.
|
||
|
|
If it's Windows-based and you've got no singular point
|
||
|
|
of segmentation and you've got about 3,000 or more hosts,
|
||
|
|
it starts to get pretty easy.
|
||
|
|
Things kind of go down pretty quickly.
|
||
|
|
Not so much today.
|
||
|
|
This was probably, you know, eight years ago or so.
|
||
|
|
So things go down and hit quickly.
|
||
|
|
After about the first day you get your recon,
|
||
|
|
you get your target boxes, you get your shells
|
||
|
|
and then maybe after the second day or by the end of the first day,
|
||
|
|
you're pivoting around in your and or I have domain
|
||
|
|
I've been by the second or third day.
|
||
|
|
Usually I usually get domain I'm in about the third day
|
||
|
|
because that leaves me the rest of the week to
|
||
|
|
kind of do some pilfering, right?
|
||
|
|
If you go too hot and heavy, you might get caught, right?
|
||
|
|
So we're trying to compress an attacker's
|
||
|
|
what an attacker would do over the course of a week.
|
||
|
|
Maybe sometimes if you're lucky, you get two weeks.
|
||
|
|
So you're taking what an attacker would do slow and steady and stealthy
|
||
|
|
and you're trying to spread that over the course of four days sometimes
|
||
|
|
and if you're lucky a couple of weeks.
|
||
|
|
So what I thought was that I had myself to these domain groups
|
||
|
|
and see what happened.
|
||
|
|
Maybe I can get access to the Citrix crap.
|
||
|
|
Do that.
|
||
|
|
Don't have a whole lot of success.
|
||
|
|
And then all of a sudden I noticed that my account
|
||
|
|
is been disabled or something like that.
|
||
|
|
And I used legitimate credentials from a different user
|
||
|
|
to actually give myself domain admin.
|
||
|
|
So I said, okay, that's funny.
|
||
|
|
Hilarious.
|
||
|
|
Let me just give myself, reactivate my account or
|
||
|
|
re-add my account as domain admin.
|
||
|
|
So at this point, I realized that somebody had realized what I was doing
|
||
|
|
and that they were, they had visibility into what was going on.
|
||
|
|
After the engagement, what I realized is that they were,
|
||
|
|
they had alert scripts set up for active directory
|
||
|
|
but they didn't have alert script for domain admin.
|
||
|
|
So essentially when I add myself to, you know,
|
||
|
|
Sally or accounting manager's group or whatever,
|
||
|
|
that is actually what triggered the alert
|
||
|
|
because they weren't watching for new domain admins.
|
||
|
|
Which was kind of funny because they,
|
||
|
|
they're like, oh, we got rid of it and we killed them the first day.
|
||
|
|
And it was like, well, I had domain admin for like three days before,
|
||
|
|
two or three days before you guys actually detected me.
|
||
|
|
So that was kind of interesting and fun.
|
||
|
|
What actually happened in the client was,
|
||
|
|
what she said she would walk by my cube and just be an utter awe and dismay
|
||
|
|
that I was sitting there for, you know, two or three or four days
|
||
|
|
and not being caught or asked questions or escorted or whatever.
|
||
|
|
It ended up being, I don't think I ever got caught that first time.
|
||
|
|
Um, and I don't know how much time we're on here.
|
||
|
|
You look, about 12 minutes, so maybe go over another 15 minutes.
|
||
|
|
So I don't think I ever got caught when I went the first time around.
|
||
|
|
I got that domain admin.
|
||
|
|
I kind of filtered a little bit.
|
||
|
|
I never got access to the data that I wanted to get access to student records
|
||
|
|
and all that stuff.
|
||
|
|
I did find some websites and had some database access to some of that information
|
||
|
|
that I never could pilfer and get kind of proof of concept going for
|
||
|
|
or what that was.
|
||
|
|
But generally speaking, usually you can log into the CFO's email or somebody
|
||
|
|
important's email and show their email and that actually shows more impact than
|
||
|
|
actually getting to the data that will scare most people.
|
||
|
|
So between those two things, generally if you go straight domain admin,
|
||
|
|
people aren't really going to understand that.
|
||
|
|
They're not going to understand the impact unless they see like,
|
||
|
|
you know, Bob's email and like, oh, Bob's super important.
|
||
|
|
It's, you know, this email is important where that's not really what's important.
|
||
|
|
What's important is the access that you have through domain admin.
|
||
|
|
But that's how you can easily show impact.
|
||
|
|
So anyways, I've got domain admin.
|
||
|
|
I've got access to everything and I think that pretty much ended that engagement.
|
||
|
|
I did my normal right up and pretty standard access to one box
|
||
|
|
to pivot to another and move the ladder over here on the network and then go over there.
|
||
|
|
So pretty, pretty cut dry.
|
||
|
|
So fast forward a year later, excuse me trying not to get hit here in the car.
|
||
|
|
Fast forward a year later, I have the same engagement set.
|
||
|
|
They want me to do the same thing.
|
||
|
|
And I don't know, yep, I remember this one and they all kind of blend together after a while.
|
||
|
|
So the second time around, I ended up not in a meeting room, but I ended up somewhere else.
|
||
|
|
They had, they had like full disk encryption, I think, with a smanteck or some other piece of software.
|
||
|
|
And I tried to, it wasn't full disk encryption.
|
||
|
|
It was like signing of particular binaries through some antect, some kind of some antectal.
|
||
|
|
So if you modified any of the binaries in a, it wasn't encrypted, this wasn't encrypted.
|
||
|
|
But if you've modified any of the binaries inside of like the system folder or something like that.
|
||
|
|
So if you did these to keep these bypass, to get a command prompt shell,
|
||
|
|
it would say, oh, I can't boot no more, no, no bad, bad, bad doggy, you know, donut.
|
||
|
|
And you would get like blue screen basically and you would get screwed.
|
||
|
|
And yeah, eventually that computer ended up fixing itself.
|
||
|
|
But I think I found a workstation in like a meeting room to, to hijack,
|
||
|
|
potentially try to hijack credentials off of it.
|
||
|
|
And that's when I discovered this smanteck, piece of smanteck technology that was kind of like
|
||
|
|
signed binary checking thing that would check from the boot from boot to see if it had,
|
||
|
|
you know, been mangled with. I don't really understand why you would do that,
|
||
|
|
not just go full disk encryption and be done with it. But,
|
||
|
|
anyways, we had that set up. So I was able to get past the batch system like again before, same building.
|
||
|
|
And I was able to get access to a system, but I wasn't able to get
|
||
|
|
root to it or anything because of that signing stuff.
|
||
|
|
I may have gotten access to it in a different way, but I don't think I did.
|
||
|
|
Hey, I left that conference room. I trolled in there for a while, I think until I got kicked out.
|
||
|
|
So I trolled in there for a while, and eventually I system ended up fixing itself.
|
||
|
|
The client told me that somehow I didn't fix it self or maybe somebody else fixed it.
|
||
|
|
So I get kicked out that conference room, I think, and I end up in one of the,
|
||
|
|
something called pods, which is essentially a little, you know, if the contractor is working,
|
||
|
|
they'll sit in these little pods. And it's usually like a really tiny cube,
|
||
|
|
like a third of a cube with a phone, a network jack, and then like some level of privacy where you
|
||
|
|
can close a door, slide a slide or whatever. I ended up in one of these, and it was actually
|
||
|
|
fairly close to the, I remember it was fairly close to the front entrance of the
|
||
|
|
administration building of the technical school this was. And I don't know if she ever came by
|
||
|
|
or anything like that, but the lady, I think I talked to her and said I was there for security
|
||
|
|
and stuff, and had pointed out that, you know, I would be sitting over in this pod of, and she,
|
||
|
|
you know, asked me if I ever need anything or whatever, nobody bothered to check my credentials,
|
||
|
|
at least at this time. So this is the second time around. Sit on site, doing my thing, kind of
|
||
|
|
pilfering around, kind of running neccess and about mid day, day one, day two.
|
||
|
|
I had a gentleman stop by and just kind of peek his head in, and he's like blah, blah, blah.
|
||
|
|
And that was when I got caught. And talking with him, I realized that he's basically the reason
|
||
|
|
he got hired because of the assessment we did the year prior. So I was wondering why I didn't have
|
||
|
|
all this low-hanging fruit sitting out there, you know, usually there was a, you know, if you run
|
||
|
|
in map on someone that's not really taking security or neccess or any vulnerability scanner on
|
||
|
|
somebody that's not really taking security seriously, you'll get this low-hanging fruit and it will
|
||
|
|
always be there and it'll always be one system on the network that has that low-hanging fruit,
|
||
|
|
unless you've got somebody that's confident and that has the skills and tool sits and support
|
||
|
|
they need to squash out and they need that low-hanging fruit stuff. So I noticed none of this low-hanging
|
||
|
|
fruit that was there before. You know, I had like two or three AMC with a six sevens, I had probably
|
||
|
|
some default logins here and there. And none of my old stuff worked, you know, the old passwords I
|
||
|
|
probably didn't work and I was like, this is weird. Like, why did they fixed all this stuff?
|
||
|
|
Which is not normal for most people to actually fix things with an environment.
|
||
|
|
So what I did was is after he stopped by, I said, yeah, you got me, you know, blah, blah, blah.
|
||
|
|
I'm here to his security assessment, you know, here's the get out of jail card and he's like, well,
|
||
|
|
I don't know what to do, like, yeah, blah, blah, blah. And I'm like, I don't know what to do.
|
||
|
|
It's your job, like, what's your process. So he has cursed me out and I still have a copy of the
|
||
|
|
get out of jail card and I do whatever. And I think at some point in time, the actual campus,
|
||
|
|
school campus with students was the secondary target or a secondary target. But I actually ended
|
||
|
|
up going back in to try to get a t-shirt from the client. And I essentially, of course, I still
|
||
|
|
still engineer my way back in and I'm walking down the hallway and they're like, here he is again,
|
||
|
|
here's that guy again. And they go and like escort me out of the building again that the same
|
||
|
|
client asked me back out of the building after being caught the second time trying to get a shirt.
|
||
|
|
And that was my excuse is that I was like, yeah, I'm trying to get a shirt. So when I go to the thing,
|
||
|
|
and of course, I was met with some a little bit of hostility given that they had already escorted me
|
||
|
|
out of the building once. But I tried to get a shirt. I never did get a shirt. So here I am trying
|
||
|
|
to go to the school campus with the, for the second time, well, for the third time, essentially,
|
||
|
|
this will be the third time that they've been attacked by a third party consulting firm. So
|
||
|
|
I recon during the day and then I eventually, this might have been the second week I was there.
|
||
|
|
I might have not done this all in one week. It might have been one week. But I go to the school,
|
||
|
|
I walk around my book bag. I can't find anywhere set up. There's a little tech lab. I walk in the tech
|
||
|
|
lab. I try to, you know, there's a computer lab with a guy literally a guy walking around.
|
||
|
|
I call him a goon. Anybody that's going to try to catch you with a goon. So the goon's walking around
|
||
|
|
kind of watching his students and kind of creeping me out. So I bail out of there. I didn't really
|
||
|
|
see anything super interesting. I think they were logged in with some kind of default login. But
|
||
|
|
they didn't have admin and it was kind of like a kiosk. There wasn't a whole lot of fruit there.
|
||
|
|
The guy just honestly weirded me out. So I didn't like, I don't like anybody of authority sitting
|
||
|
|
around me. I wanted to be a bunch of, a bunch of people that aren't, that aren't going to ask me any
|
||
|
|
questions or why I'm there. So I wanted a while, I wanted a while, and eventually finding a room
|
||
|
|
that was kind of off into the corner that had a desktop, that had a desktop that was plugged into
|
||
|
|
the wall. And now this desktop, I think, if I remember correctly, they had more monitoring on. And
|
||
|
|
what you can't do with more monitoring is what most people do is they'll do a MAC address
|
||
|
|
based. They won't use certificates, as the cell certificates, they'll do like MAC address base. So
|
||
|
|
they'll assign, you know, a MAC address to, they'll assign a port on a switch to a MAC address.
|
||
|
|
And maybe only two devices can be on that switch. So your phone and your computer. So if you go to
|
||
|
|
Walmart by a new computer or plug into the port, it's going to kick you off because that, or not
|
||
|
|
allow you on the network at a minimum, because that MAC address is not why listed. So there's two
|
||
|
|
methods you can do this. You can actually plug in that exact computer to your computer.
|
||
|
|
And instantly, the computer will try to talk to your computer over a link table or nowadays,
|
||
|
|
you only have to do a link cable. You can just plug in a regular ethernet cable into your laptop,
|
||
|
|
fire up a wire shark, and you'll see the MAC address of the computer that's trying to access the
|
||
|
|
internet. And so you can look on the back of the computer. Sometimes they'll have the MAC address
|
||
|
|
on there. But for simplicity's sake, I always just plug it directly into the back of my computer.
|
||
|
|
And then when it tries to get DHCP, if it tries to get an IP address for me, I can see the MAC address
|
||
|
|
that it's requesting and all that good stuff. So what I'll do is I will unplug, keep that
|
||
|
|
cable unplugged from the desktop. And I will take that MAC address and use it to get on the network.
|
||
|
|
So I've essentially hijacked the identity that's not signed or encrypted or whatever of that system
|
||
|
|
to masquerade as that interface. So I'll plug in. I think I actually ended up using the desktop itself.
|
||
|
|
And I have a bootable USB stick. Now I've got a solid state 120 gig bootable
|
||
|
|
Ubuntu or Debian, a Debian build with portable PTF-pintesting framework. It's kind of like
|
||
|
|
Cali, but you can build it yourself and you don't have to worry about repose getting all jack up.
|
||
|
|
So that's what I use now with this. At the time I had like a portable backtrack or maybe it was
|
||
|
|
Cali or whatever it is at that time. So I boot up to that with all my tools and all my VMs.
|
||
|
|
And I was using the, I was thinking I was using the actual workstation itself.
|
||
|
|
And I think I pulled off, I pulled the credentials off of it and cracked them.
|
||
|
|
Or somehow I was able to, I think because of the disk wasn't encrypted, I was able to somehow
|
||
|
|
run binaries on that system. I want to say I did invent some necessary stuff through there
|
||
|
|
or some basic scans. What I wanted to do is get credentials. So I think I was trying to crack
|
||
|
|
the credentials of that workstation through Windows and booting it off of a third party.
|
||
|
|
Application and dumping the registry and then trying to crack those, that registry or kind of
|
||
|
|
crack the hash for that user name offline. If I remember correctly and again this is years and years
|
||
|
|
ago. The funny part is, let me get the funny part of the story. I was sitting in there kind of
|
||
|
|
by myself and I just kind of got lazy. I had logged in as I had out of myself as a local administrator.
|
||
|
|
And what you can find in some instances is you can find that other processes run
|
||
|
|
when the computer is started. So for example, there might be a user that run the local admin user
|
||
|
|
that's running some kind of process where maybe some other process is jacked into your,
|
||
|
|
maybe it's a monitoring service that runs as system, you know, some kind of system administrator
|
||
|
|
user. And I think I was using trying to use dump credentials, plain text credentials for some reason,
|
||
|
|
into the system to try to either pass some, pass the hash to somewhere or something like that.
|
||
|
|
So I ended up copying the binary from the Windows system for Windows Credential Editor,
|
||
|
|
which is kind of nemicats, but same thing.
|
||
|
|
Um, it was, uh, excuse me, triggering the AV. So how about I would say 30 minutes after I triggered
|
||
|
|
the AV, some cat comes in there. I think it's an older guy and he was like the owner, the runner of
|
||
|
|
that class. So he was the, the teacher that taught in that class or that workout room or whatever,
|
||
|
|
breakout room. Um, and he came in and he was like, hey, you know, what are you doing here in my room
|
||
|
|
on my workstation and I gave him some BS that I was, you know, I was just, I was the IT guy and then
|
||
|
|
I was installing some kind of something wrong with his AV, giving him some BS. So he disappears
|
||
|
|
for a minute and I'm not feeling super warm and fuzzy. I should have bugged out in hindsight
|
||
|
|
when I, when I, whatever, but I'm not the biggest fan of like, you know, kind of run around and
|
||
|
|
make everybody crazy. Um, generally, if I get caught, I'll just kind of slowly just kind of let
|
||
|
|
people know and say, hey, try to make people feel comfortable and I don't want to run around circles
|
||
|
|
and hide in bathrooms and make people crazy to try to find me. Um, but he came back shortly after
|
||
|
|
and said, look, you know, I'm talking to my IT guy. He says you're not supposed to be here. Um,
|
||
|
|
you know, blah, blah, blah. And he stays with me and is asking me all these questions and I let
|
||
|
|
him know it basically what I'm, who I'm way that I'm trying to, I think I'm still at this point.
|
||
|
|
No, I haven't really used my get out of jail card yet. So at this point, I, uh, I'm kind of,
|
||
|
|
I've kind of given up or, or realized the assessments isn't really going anywhere. I think I had
|
||
|
|
credentials, hash credentials from the actual machine itself and then I don't even think I'd
|
||
|
|
gotten access to anything really. Um, I went a little bit too noisy too quickly because there was
|
||
|
|
actually a kid on the other end that was responding to the AV alerts which nobody really does. Um,
|
||
|
|
usually there's dashboards or AV, but nobody actually responds to like someone downloading it.
|
||
|
|
Maybe this was years ago, but someone downloading a virus or something. Um, not a whole lot of people
|
||
|
|
do that, especially larger, uh, infrastructures as clients. So kid comes in, you know, is, you know,
|
||
|
|
probably can't be more than 20 years old comes in and it's like, you know, trying to figure out
|
||
|
|
what's going on. I let him know and give him the get out of jail card and all that stuff and,
|
||
|
|
you know, he's like, I don't know what to do. So if you follow the process, escort me out of the
|
||
|
|
building, all that. I bail, take a quick break, get grab some dinner, whatever. And then I decide
|
||
|
|
that I'm going to go back to try to try to find, either go back to that same place or try to find
|
||
|
|
a better place to hang out with and try and try and get some, some, some better, some better fruit.
|
||
|
|
So this is late. I mean, the lights are out, the sun's down. So I park in the parking lot,
|
||
|
|
I had no problems. Uh, start walking into the building and I make it like two turns into the
|
||
|
|
building and this dude, it's like six feet tall, um, six or seven feet, just massive dude, just
|
||
|
|
wide and tall, um, is wearing the goons shirt. It's like a black goons shirt and he walks up
|
||
|
|
and he's like, he says something, whatever to the point where it is, he's like looking at me
|
||
|
|
and like pointing towards the door and telling me to like, that I need, you know, a vinyl
|
||
|
|
have a shirt or a vinyl have an IT, I need to get out. Um, they had, they had, I guess they had
|
||
|
|
identified me and told people to look out for me and had goons patrolling always because I did not
|
||
|
|
make it very far at all. Um, and I was not met with friendly, uh, friendly, uh, anything.
|
||
|
|
So anyways, um, that one was pretty fun because I felt like, uh, I felt like I got, I got, I made
|
||
|
|
a change, I made a difference in people, people cared enough to fix the problems that I, that we
|
||
|
|
had articulated during our assessment. So, um, you know, that was one example, one of many examples
|
||
|
|
where we did some assessments for clients and they actually fixed things and that, that kind of
|
||
|
|
makes, makes you feel good at the end of the day that you made, or you made a real change
|
||
|
|
somewhere, um, because they hired the security guy who's like super, in security. Um, so I think
|
||
|
|
that's pretty much it. I think I ended up going that same day or the day before. I ended up
|
||
|
|
trying to go to the accounting level of the administration building and that might have been before,
|
||
|
|
I completely got escorted out, I think. Um, so I go to this, this level with all the accounting
|
||
|
|
people are on and they're all neat, they're all like close knit, apparently. So I go in there
|
||
|
|
and I do my full, my whole phone trick and somebody asked me if I need anything, I said no,
|
||
|
|
I'm just waiting for somebody else, you know, who you with, and they go with the consulting company
|
||
|
|
and KPMG. So she disappears. I don't have the warm fuzzies. Um, I kind of, I think I'm okay at that
|
||
|
|
point. Um, so then I'm sitting in the room and she comes back and she's like, you know, you need to
|
||
|
|
like figure out what's going on, you know, what you can't really be here. This is like the accounting
|
||
|
|
floor. Super important. So I said, I okay, you know, I'm on the phone with a now, let me, let me figure
|
||
|
|
out what's that. Maybe he's on the other side of the building. I don't know, he says he's here.
|
||
|
|
So I go to the other side of the building and I camp out, um, I actually end up grabbing credentials
|
||
|
|
from somebody that didn't like their workstation. So, um, using a USB Ducky, um, I think I launched
|
||
|
|
the payload on that system and I had that interpreter shell on that, uh, on that box,
|
||
|
|
particular system. If I remember correctly. Um, so I'm sitting there trying to, you know,
|
||
|
|
escalate privileges and move laterally and like, don't make it drop creds and all that stuff,
|
||
|
|
trying to figure out what he's on there. Um, so I'm, I've got an active shell and then out of the
|
||
|
|
corner of my eye, I see this woman like just hauling ads down, uh, down the cubes and she's like
|
||
|
|
running and I noticed that it's the same woman that had asked me if I needed anything in this,
|
||
|
|
she was getting kind of refuffled. So I think what happens is she came around the corner or something
|
||
|
|
and saw me and somebody's cube or saw me in the different cube, um, and like banging on the
|
||
|
|
keyboard. She's like, who the heck is this guy? So she finally, she runs down the hallway and
|
||
|
|
grabs her manager by the way. And none of this is the actual client contact. They're on the first floor
|
||
|
|
and I'm on like the fourth floor where all the accounting people are. So none of these people have
|
||
|
|
any clue what's going on. So they finally come over like two girls, uh, two ladies come over. They
|
||
|
|
they kind of ask me what's going on and why am I here? And that's when I said, okay, I'm here for
|
||
|
|
an assessment. Here's my get a jail car blah blah blah blah. Um, I think that was kind of funny
|
||
|
|
because it's just to watch her like hauling it down the hallway trying to figure out who the heck
|
||
|
|
have I am and why I'm there and what to what to do. Um, what's kind of interesting. Um, but that's
|
||
|
|
pretty much the story there. I might, uh, depending on the feedback and if you guys find it interesting
|
||
|
|
or you find that I can't tell stories very well because I have ADD, um, let me know. And uh, I've got
|
||
|
|
probably three or four more decent ones, pretty pretty good ones that are that can be pretty funny.
|
||
|
|
And as I, as I do these, if the, if it comes out to be whatever, I can think of the ones that are,
|
||
|
|
that can be quite hilarious with back stories and all that stuff too. Um, so let me know if you, uh,
|
||
|
|
if you, if you're into it, yeah, if you're not, or if you have any constructive criticism of
|
||
|
|
about the storyline, I know what's kind of all over the place. Um, it kind of comes to me as I,
|
||
|
|
as I talk about it because I haven't talked about it or thought about some of these engagements
|
||
|
|
in probably eight years or so. So anyways, let me know if you have any input and, um,
|
||
|
|
put some comments in the show notes if you want to see more of this or if you want some constructive
|
||
|
|
criticism or if you think this is just the horrible idea that, um, this is not fun at all. But I heard
|
||
|
|
the Dark Knight Diaries and some really funny stories about that and obviously this one's not as
|
||
|
|
funny as, as interesting, but it's still an interesting story, uh, nevertheless. Anyways, uh,
|
||
|
|
hope you guys enjoy it and, uh, I'll probably do a couple more of these before. Um, I'll, I'll,
|
||
|
|
I'll stop and let you guys give me, give us some feedback.
|
||
|
|
You've been listening to Hacker Public Radio at HackerPublicRadio.org.
|
||
|
|
We are a community podcast network that releases shows every weekday, Monday through Friday.
|
||
|
|
Today's show, like all our shows, was contributed by an HPR listener like yourself.
|
||
|
|
If you ever thought of recording a podcast and click on our contributing,
|
||
|
|
to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog
|
||
|
|
Pound and the Infonomicon Computer Club and is part of the binary revolution at binrev.com.
|
||
|
|
If you have comments on today's show, please email the host directly, leave a comment on the
|
||
|
|
website or record a follow-up episode yourself. Unless otherwise status, today's show is released
|
||
|
|
under Creative Commons, Attribution, ShareLife, 3.0 license.
|