Episode: 3435
Title: HPR3435: Hacking Stories with Redacted: part 5
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3435/hpr3435.mp3
Transcribed: 2025-10-24 23:22:59

---

This is Hacker Public Radio Episode 3435 for Friday, the 1st of October 2021. Today's show is entitled "Hacking Stories with Redacted, Part 5". It is hosted by Operator and is about 18 minutes long and carries an explicit flag. The summary is: I talk about some old, old, old pen-testing stories from days of old.

This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15. That's HPR15. Better web hosting that's honest and fair at AnHonestHost.com.

Hi, this is another episode of Hacker Public Radio, with your host, Redacted. Today I'm going to do two short ones, and I'm not sure if they're related, if they're on the same day. Again, they kind of all start mixing together. So the first one I'll tell you about was, well, it's the combination of the things. I'm pretty sure this is the same client. So this is a big bank, whatever. I get there. They're all worried about my system, all worried about me putting viruses on their network. So I sign this letter saying I'm not going to do all this stuff, I'm not going to install security software, and basically it's like a generic IT violation thing. And you're forced to sign these sometimes. Which I'm thinking and assuming that the overarching agreement that you set up with the actual client and my employer trumps any of these stupid little things I sign. But I try to let the client know that, hey, I'm essentially going to be violating all these things, because that's my job. So you're telling me not to do XYZ, and that's exactly what I'm being paid to do, unless it's out of scope and it's specifically stated in the thing that I won't do XYZ. So, you know, usually it's kind of just a formality thing in some cases.
But these guys were very adamant about it. They were scared that I was going to put malware on their network, some kind of worm. And they were also scared that I was going to do some kind of tethering with my phone or some other wireless internet device and connect two networks together through, well, needs to switch back to the phone here. Connect two networks together via some tethering stuff, which is not really the biggest of risks, but hey, go crazy if this is what you're going to worry about. I do think that they had, I don't know if they had had pen tests in the past where they had gotten bit by that before. It's a very specific thing to tell someone not to do. So I feel like maybe someone at some point in time had done an assessment for them and they got a piece of malware from the internet while they were on site and they got owned, or some portion of them got compromised through a vendor third party. So they were very adamant about me not getting on the internet. So the first thing I do, of course, is try to get on the internet. They tell me that I'm not allowed to plug any other networking devices into the thing. All I can do, they actually had me, this is funny, they actually had me install an AV client that they had on my actual Windows image, and then I told them that I run Linux for most of my assessments, and they said, okay, well, blah blah blah, and I'm like, well, I can install ClamAV here or whatever garbage and show you a clean bill of health for that, and I can also sell you a clean bill of health for the AV, but again, that's what I effing do for a living. That's my game. Like, I'm supposed to make stuff beep and look benign and then potentially be malicious. So if you want to see a green checkbox, I can make you see a green checkbox. That's what my job is. I'm supposed to do that.
So anyways, I show them this green checkbox on my Windows. They're doing their due diligence to try to make sure some effing clown is not gonna connect to their network and make a big mess. So I see that side of it, but to make me jump through a bunch of hoops and do these silly shenanigans doesn't really make a whole lot of sense when, you know, the voodoo witch doctors, you have to trust the voodoo witch doctor at the end of the day at some point. So I get all my stuff set up, I show them the green checkbox and whatever AV garbage they have me installing, ClamAV, the Linux AV, so I show them that, and then I proceed to try to tunnel out through various methods. So there's lots of ways to tunnel out to the internet. At the very minimum, what always works is DNS tunneling. Now basically DNS tunneling is like 53 bytes, or 150 bytes, somebody correct me, it's this very small amount of traffic, the maximum size you can pack in a DNS request or in a response. But DNS works everywhere. I've seen DNS working on SCADA networks that are quote-unquote air gapped. I've seen DNS work in places where it's not supposed to be working, where there is no internet and there's no DHCP. You set yourself a static IP of somebody around you, make up a gateway, find a gateway, and ask that gateway if you can do DNS requests, and boom, you're on the internet. They'll tell you, oh, it's not on the internet, but if DNS works, you can actually tunnel your traffic over DNS, albeit slow and not ideal to exfil data, but it's also a way to gain an initial foothold into the environment if you have to do crazy DNS tunneling. I never have to go that crazy. My assessments, everything pretty much falls over with the touch of a pinky, right? So I'm looking at the traffic, I'm looking at what all is allowed outbound. Back then you could actually scan AOL's login servers, believe it or not. AOL would have every port open, every service open on every port,
to try to allow you to get out to AOL servers. So their client, I don't know if their client would actually check all those ports, but it would check and craft on a port, and you could specify whatever random port that was allowed outbound to use over AOL, because it would accept requests on every single port. It was beautiful. It's a beautiful idea, and that's how some of this stuff like Skype works. It tries to traverse, back in the day, I don't know if they still do it now, but they try to do all kinds of crazy tactics to traverse firewalls. Stuff like the Cisco VPN does all kinds of crazy ninja stuff; you can tell it to tunnel out of the environment. But you got DNS, and kind of in order of simplicity and idealness, I like to use stunnel, which is an SSL tunnel. There's some newer hotness tunnels out there. There's ICMP tunnel, there's DNS tunnel, again those are two pretty small packet size protocols. There you got SSH tunnels, your standard SSH tunnel, the HTTPS kind of stunnel thing. There's other ways to do stunnel and have it be set up under different types. You can have a proper regular proxy or whatever. You can tunnel in all manner of ways. There's people tunneling over all kinds of different protocols, and in some cases you can tunnel over IPv6. So anyways, I had already tested this prior, because I've had certain instances where you're on a client site and you want to do some security research but you can't, because you're on the network that you're testing and the network that you're testing has a proxy. So first things first is you want to get a server on the internet that you can proxy your traffic through, hopefully securely, and be able to do security research, pull down binaries, pull down source code, you know, do your normal research, right? So first things first, I get on the network, can't do anything, you can see the internal services, you can do discovery. I'm doing nmap and all that stuff, and this is running my standard checks, and
I start poking around with the firewall and you scan AOL's. Now there's a couple of, if you message me, your message chat, I can send you some servers that listen on all ports and will help you identify potential exit places to get out of the network. To listen on all ports, I can tell you at least one of those, but the idea is you can set up your own to listen on all ports with just a simple Python script or something ridiculous. But anyways, so I scan AOL servers, I find some ports to get out through, I think standard 22, but it was blocking it as SSH. So what they'll have is, I don't know what they call it, like identifying, tagging, your deep packet inspection or whatever it was being termed, whatever you want to call it. It's essentially, if you're trying to run SSH over 443 and it's not web traffic, it'll say, you know, that's not cool. Or for example, if you're trying to SSH over 21 and it's not actual FTP traffic, it'll say no, not gonna let you do that, you're trying to tunnel FTP, you're trying to set up an FTP, or talk to an FTP over 80, no, 80 has to be web, or 443 has to be this. You'll see that more and more nowadays that they do this deep packet inspection or whatever. They kind of check the headers and all that for the valid traffic and say, okay, this is just somebody trying to run an FTP server over 80, no, I'm not gonna allow that. In this case I can't remember exactly how I set it up, but anyways, so I'm sitting there, I got my tunnel to work, I'm tunneling all my traffic, it's pretty damn fast, it's pretty slick, I'm doing my research, listening to my music while I'm working, doing my thing. And, you know, I thought it relevant to tell the client this, because they told me I didn't have internet when I got there, and that's kind of an impossible thing. You know, they didn't have DHCP, but they were offering an IP and they were offering connectivity to other internal services, all that good stuff. So I get
ready to kind of build up a little quick note about how I got access, what I got access to, and how I tunneled out, so I give them that information. And then maybe a couple of days goes by, and I realize, it sounds like a Thursday or something, I realize that I told my wife that I was going to be able to do some kind of corporate event for work, some kind of fancy to-do for like an office party. So we had this little office party going on and I completely forgot about it. So it's like Thursday at noon, and I realize that I told my wife that I'm gonna be home early on Thursday so that we can go to this thing Thursday night. It might have even been Friday, Friday during the day or Friday night, I'm pretty sure it was actually Thursday. Anyways, despite what day it was, I told my wife that I made plans to come home early and whatever. So here I am, I've got some access to some boxes, I think I had like admin credentials or something like that, and I was starting to spray them around, but I was kind of taking my time. I generally kind of took my time and gave myself plenty of time to work up to that. I knew it would have fallen over within the day or the next couple of days. So I was letting that thing go, and then when I found out that I didn't have a whole lot of time, I had to kick it into high gear. So I essentially set up my scripts to do the automatic kind of, once I had valid credentials or valid hashes, I had some scripts set up to automatically check the servers to see if there's any other, you know, domain admins logged into those and all that stuff, dump out the users, dump out the services, dump out the shared resources that are logged into it. And so I get out the phone, tell her, you know what, I might be able to do it, I might not, it just depends. I'd really like to get domain admin first and kind of, you know, own them sideways before I leave. So I'm sitting there and I
kind of get whatever, and I'm like spraying my credentials all over the place, going nuts, and eventually I come across something, I don't remember what it was, but I eventually get it. I'm like, oh, crap. So I know I'm getting there, I know I'm close enough to where I can book the flight. So I go ahead and I book a flight for me to leave in like 20 minutes or like 30 minutes. So I book a flight where I'd have to leave in like 30 minutes to catch the flight or otherwise be late. So here I go, I buy my ticket, and I'm like, all right, I got close to domain admin, I really just have to pivot around and get that escalation and then dump the garage and then show them that I have domain admin and use it, whatever. So at this time I'm kind of kicking into high gear, I'm spraying my creds everywhere, I'm trying to escalate, and I'm just going nuts, just to try to get domain admin before I leave. So the client, oh, maps just crashed for me, one second. So I kind of kick it up, get all noisy, and finally I end up getting domain admin, you know, kind of a little bit more lee, but I'm rushing to wrap all this up, get all my evidence, capture all my evidence so that I don't have to reverse engineer myself when I get home. Yeah, gonna make this so I get all my creds, get all my stuff, get all my notes, put it all together, make sure that I've got legit whatever, and then I start to head to the airport, get an Uber, this is when Uber was still good. So I got an Uber, and I think I called the client and let them know. I said, hey, you know, I found some stuff, I've got domain admin, and I've got most of what I was going after, and I've got some impact and some reports and we've got everything pretty much done, I'm pretty finished up. And he says, oh, when are you going to leave? I was like, well, I'm actually in the car on the way to
the airport, because I'm trying to head home for a corporate company event. And he was pretty legit about it. He was okay, whenever. The funny thing is, as I get on the plane, whatever, and then I land back at home, and when I land back at home I got a phone call from the client, and they wanted to ask me some questions. They were pretty generic in nature, but I call them up and this guy's like, yeah, you like took out our AV. It was a Bane AB thing, our malware analysis thing. They had like FireEye or something, I don't know what it was. So what had happened is, when I was spraying my credentials around and dumping my whatever on the ones that had AV, I was triggering AV on hundreds of systems, and those packets or alerts or whatever were being sent by some central server to be analyzed or whatever it was, and this supposed security server found that I was like malware or intrusion, which was kind of mostly true. But anyways, so he thinks that I've completely done what they told me not to do in the first place, and he's kind of sort of half flipping out, and I'm like, no, I can assure you that was me and that was intentional, and that signature is probably just a generic signature for like the Meterpreter payload or whatever, like PsExec or like Mimikatz, whatever it was I was running at mass scale. So he began to tell me that his security software is like taking a crap just because I'm spraying all over the place. Needless to say, I kind of brought him down, took him off the ledge, and you know, kind of cooler heads, and he didn't seem too upset. He just wanted to make sure that I wasn't actually sending a worm out to his company. I said no, nope, that's legit, that's me, trying not to be like Mr., you know, taking-out-the-whole-network type of guy, kind of
trying to take everything over at once. Anyway, so it was a quick story, ran a little bit longer than I wanted to, but that was pretty fun, because they told me I didn't have internet, and I actually ended up coming back, and when I came back, you know, I had my internet and I was doing whatever, and then these three guys rolled up, like the Istanbul, they rolled up and they kind of told me, say, hey, you think, like, yeah, I can't really do that, you know, you can't really be on the internet, wait, you know, it's kind of cheating, you know, we already know about that issue, so, you know, whatever. And I'm like, well, if you want me to get off the internet, I can, you know, but if not, I'm just gonna keep using it for research until you fix it, you clowns. So they kind of tell me that, you know, I shouldn't be doing it, and then I'm like, fuck off, I'll do what I want until you fix it, because I'm here to test whatever it is, what's wrong with your security, and that's part of the scope. If you allow me to get on the internet, then I'm gonna get on the internet unless you say no specifically. You didn't say that I couldn't get on the internet, you just said that I couldn't tether other devices. So that was kind of a fun experience to go through. Anyways, hope somebody enjoys some of this random babbling. I probably won't want to do one of these for a while unless I end up driving a whole bunch again, which is not super fun, but it makes it go by a little bit quicker. Anyways, have a good one. Take it easy.

You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contributing to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the
Infonomicon Computer Club, and it's part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself. Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike 3.0 license.