Episode: 3415
Title: HPR3415: Hacking Stories with Reacted: part 3
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3415/hpr3415.mp3
Transcribed: 2025-10-24 22:58:26

---
This is Hacker Public Radio Episode 3415 for Friday, the 3rd of September 2021. Today's show is entitled Hacking Stories with Redacted, Part 3. It is hosted by operator, is about 14 minutes long, and carries an explicit flag. The summary is: I talk about some old, old, old pen-testing stories from days of old.

This episode of HPR is brought to you by archive.org. Support universal access to all knowledge by heading over to archive.org/donate.

This is another episode of Redacted Hacker Stories with your host, Redacted. I'm going to go over, well, I'm still driving here, so you might hear some vibrating when people send me messages. Anyways, this one should be quick. It was an insurance company, or like a big data company. I think it was a medium-sized company, and it felt medium-sized; it could have been huge, I don't know. They all kind of blend together. The engagements and the experiences are all different, but the companies blend together, and it's kind of funny after a while. I've been doing it for a while, and after a while they kind of start blending together. You can't tell what client goes with what issue you found; they all kind of start blending together after a while, and you can only remember the experiences, but you can't match them to the client or the person or whatever. Which is probably a good thing, because I shouldn't be disclosing it anyways.

Anyways, it's a pretty decent medium-to-large client, and it was after-hours testing, and I had a new guy with me. He's kind of green, kind of shadowing me. He knew some stuff, but there was a lot of words, not a whole lot of talking. It's actually pretty good, he was actually pretty technical, as far as some of the other skill sets we had over the course of the last few years doing this stuff.

So we start our testing, we do our scans. I find a system; he's doing something with databases, I can't remember, he finds like a default database login, and we're going back and forth, and I'm trying to kind of half-help him, but at the same time I don't have the time. Sometimes when I'm in the middle of an engagement, unless I've, you know, got complete domain admin and I'm running around with the keys to the castle, I don't have a whole lot of time to spoon-feed people. So what I'll do is I'll kind of help a little bit where I can, but let me try to finish this up and I'll help you out. So anyways, I'm trying to help him with some kind of database thing he found, which probably ends up being nothing. I think it ended up being nothing to little, but I end up finding an older system with either, again, a default login or MS08-067. It's like a 2000 box, back when there were 2000 boxes or something. So I drop a shell on it, log into it, and I start looking around. It's got two interfaces on it, one's like a 10-dot, and the other one's like a, you know, for example, 172-dot, so we're talking about two different interfaces on kind of two different networks, which I thought was kind of odd. So I fire up some other tools, utilities, and ended up getting some MS cache hashes, which are, I think, equivalent, or a little bit less, a little bit less strength than NTLM or NTLMv1. They might be on par, or a little bit more complex, but they're definitely crackable, right? These MS cache hashes are actually crackable.

So I get some MS cache hashes, I'm looking at those, the names, and the user names don't match up with any of the client's. So when you're on a domain, you can say, like, you know, if it's Bob, Bob Burgers, you know, the guy's name is Bob Burgers, you can do like "bburgers" and say, what, is he an actual user name, right? So none of these user names matched up with the AD that I had access to. So I knew that it wasn't a... I think I had sprayed credentials across the network and I'd gotten some access, but this particular computer that I originally exploited was suspect for some reason. It seemed kind of odd. So crap, I mean, yes, so it seemed kind of odd, so I'm filtering around, looking around, there's two different NICs, I'm like, wow, this is some kind of jump box of some sort, this is a different network almost. Wasn't really thinking all that much about it. I thought it was just some proper segmentation, maybe it's a development network or something like that. That's what people will do, people will put other interfaces on a system and call that segmentation. It is segmentation, and it's sort of physical segmentation, but at the same time, if I compromise that box and it's connected to another network, it's not physically segmented, right? It's physically segmented from the standpoint that the interfaces are two separate interfaces, but if it's on the same computer and there's a management network and a Bob network, then that system is a jump point for the whole network.

So I get this MS cache, I crack it, and one of the passwords for it ends up being, I think, a domain admin account, or I spray those credentials across the domain and get domain admin. So I'm still trying to figure out where I'm at. I see all this security stuff and I don't see anything about the company. I don't see, whatever, insurance company here, I don't see data, it's just all this security crap, all these monitoring apps, and going through the applications and the users that are logged in, they don't match up with anything within the company, and I'm kind of starting to get confused. So I think the next morning we're still there, or that night, we're still there, and I say, look, I go up to the client and say, look, I don't understand, help me understand what this box is. It's this box here, it's sitting on the network, it's got this IP, I've got DCs' names, I've got domain admin, and I don't know what it's for. There's several other computers on there and it's doing stuff, but I don't know what it's for. It's some kind of management network that I don't know about. Well, come to find out, he tells me, the client says, oh, well, you know, that's our security vendor, excuse me, and he's like, yeah, I know we pay for them to watch our stuff, you know, like one of those, I don't know, you know, whiz-bang, you know, threat-whatever, threat-watcher things, and they put a computer sensor on your network, and then they, you know, notify you when something bad happens, right?

So this is their security vendor, it's in charge of monitoring the network, which we just compromised, which is pretty bad. Now, how deep that could have gone, I don't know. I didn't chain all the way down to the top level of the tree, or try to pivot through that. I just knew that I was somewhere weird, and that I should probably figure out what's going on before I kind of keep digging. I thought it was more of a, am I somewhere stupid and this doesn't matter, or is this really important? I had no idea that I might be in a completely different client's network, which is not good at all. So I tell the client, and he's like,

oh, that's kind of funny, you know, that's just our security vendor, don't worry about it. And I'm kind of floored, my face is white at this time, because, you know, he kind of shrugs it off, but, you know, for a fair amount of time my heart stops, because when you cross over to a different company, engagement letter or get-out-of-jail card or not, you've essentially compromised a system that's not within scope. You've gone out of scope at that point, and most people will recognize that, you know, if you compromise a box and that box is part of someone else's system and they're sitting on the same network, it's kind of in scope because it's connected. To that point, everything on the internet is in scope because everything is connected to everything. Even your SCADA systems have internet, don't tell me that, because I know they do, and they have DNS and all that stuff. So to say that something is air-gapped, that's very rare. People will say things are air-gapped; they're not actually air-gapped. So that's something that you just have to deal with.

So anyways, my heart stops and I'm sure my face goes flush, because I'm flipping out thinking lawyers are going to get involved, something's going to happen, which reminds me of another story I can tell you guys. Lawyers are going to get involved, something's going to happen, and I'm going to be in big trouble. I'm probably not going to get fired, but I'm going to be in some kind of big trouble for this, potentially. So he blows it off. I tell my manager, my manager talks with the client. I mean, this guy, this manager is awesome. He would, in kind of a weird, creepy kind of, in a weird way, he would be like, go here, here's the company, be here Monday morning at 9, let's meet at the Starbucks and we're going to hack this company. And no scope, no rules of engagement, they're so high level, they were just like, we're just going to come and tear up your shit, so, you know, sign here. And he did. He just, like, I don't... nobody else had the ability to, what is going on here, nobody else had the ability to scope these projects out where it was so open-ended, so he was able to give us some pretty good scoping,

but anyways, I talked to the manager of this project and he just thinks it's hilarious. He talks to the client, and everybody's cool, everybody's fine, everybody, nobody, and I notify the client, said, you probably want to let them know that there's another domain admin rummaging around in there, their, you know, network, whatever it is. It's probably minimized, and it appeared that way; it was maybe only for that client and maybe a couple other clients, I don't know, I didn't even rummage around enough to figure it out. But at the end of the story, at the end of the day, I lucked out, nobody got in trouble, I didn't get in trouble, everybody thought it was hilarious, and I thought it was just one accident waiting to happen. It could have easily gotten into a big lawyer kerfuffle, and I'll probably go into one of those. I don't have a whole, I don't have any time left, but on the way back home I'll probably do one. So that one was pretty, pretty interesting. Trying to think of anything else that came out of that assessment that was funny or interesting. That was just the first time I realized it, like, dude, you've got to pay attention when you're doing these types of assessments, because you might compromise a system that's not even yours, even though it's connected to the internet and connected to the network. Just because it's connected doesn't necessarily mean that it's in scope, and then, you know, if you compromise a system, you want to look and make sure that you're actually supposed to be there. And even within applications, sometimes the data within applications might be out of scope, so you're poking in an application that's talking to a third party that you're not really supposed to be talking to. So, for example, CRM systems.

Before I bail on you, I'll give you another quick one. We had a big, huge company, massive company, that I was doing, that we were doing some work for, and we were there for, I don't even know if it was, it wasn't, it wasn't for, it was something out of scope. So the reason I found out about it is that their process to onboard a new person was to go through this CRM tool, content management system or whatever. So you had to sign up, and when you signed up, they added you to all these groups and users, and it kicked off all these other processes and automated all this stuff. Well, what I noticed is that the CRM for this huge company allowed me to, without any authentication, I could request a user, go into the email address of that user's account, activate the account, log in with the username, and with one, I don't even think I needed to log in, I think I just did a POST request, I think it was two POST requests, so I'd log in, and in the second I would request in the CRM, and it would let me get to the users table. And within that users table, I could dump every single email, every single first name, last name, and more importantly the phone number of that person, or persons, and then the actual managers, their manager, which is very important for, you know, phishing attacks and all that stuff. So that's a quick one before I wrap up here. That one was kind of interesting, and that's also part of a different story I could tell on the way home too. We've got two more stories to tell you, but that one was pretty funny because we were there for a particular reason, and I talked to my boss and kind of made a joke about, you know, putting it on the public internet, and for a second there he actually believed me that I was going to place it on, like, some kind of public forum to look at. And, you know, after realizing that I'm not that crazy, I would work with him and see how we want to notify the client of this out-of-scope item that wasn't necessarily part of the client's infrastructure, but it was part of their processes, and was kind of a recon-slash-passive finding, what to say.

Hey, I can see the first 500 users, okay, tell me the first 10,000, wow, I got 10,000 users, okay? Tell me 9999999, and I get like 160,000 user names, emails, names, managers' names, and phone numbers of the entire company, not just the specific subset of that company, but the entire freaking company. So that was a quick one, and I hope you guys find these interesting. I'll do two more, I've got like an hour and a half ride home, and unfortunately the audio is going to be horrible with these, but, you know, I'll do some magical audio processing on them, and hopefully they won't be too terrible.

So cool, man, I hope you guys make it.

You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and it's part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.
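Added example, not from the episode and not HPR's or the host's own tooling: the check the host says he wishes he had done before digging further, written as a small Python script. The story's lesson is that a dual-homed box is a pivot point, and that a NIC on a network nobody briefed you on is the cue to stop and ask the client. The script takes the engagement's authorised ranges and the addresses seen on each foothold's interfaces, and flags hosts as in-scope, dual-homed, or out-of-scope. The hostnames and CIDRs are constructed sample data that stand in for the 10-dot and 172-dot interfaces described in the story; nothing here is the client's real addressing.

```python
"""Scope check for freshly compromised hosts (added example, not the
episode's own tooling). Before pivoting off a foothold, compare every
interface it has against the engagement's authorised ranges."""
import ipaddress

# Hypothetical rules-of-engagement ranges for this engagement.
IN_SCOPE = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed sample: what `ip addr` / `ipconfig /all` showed on each foothold.
# "oldbox01" plays the dual-homed box from the story: one NIC on the client's
# 10-dot range, a second NIC on a 172-dot range that nobody mentioned.
HOST_INTERFACES = {
    "oldbox01": ["10.20.5.17/24", "172.16.9.4/24"],
    "ws-044": ["10.20.7.101/24", "127.0.0.1/8"],
    "sensor-02": ["172.16.9.2/24"],
}


def in_scope(cidr, scope=IN_SCOPE):
    """True if the interface address lies inside an authorised range.
    Loopback is ignored rather than flagged as out of scope."""
    iface = ipaddress.ip_interface(cidr)
    if iface.ip.is_loopback:
        return True
    return any(iface.ip in net for net in scope)


def classify_host(cidrs, scope=IN_SCOPE):
    """Return 'in-scope', 'dual-homed' or 'out-of-scope' for one host."""
    inside = [c for c in cidrs if in_scope(c, scope)]
    outside = [c for c in cidrs if not in_scope(c, scope)]
    if not outside:
        return "in-scope"
    if inside:
        # Reachable from the authorised network but also wired into a
        # network the engagement letter never mentioned: a pivot point.
        return "dual-homed"
    return "out-of-scope"


def foreign_networks(hosts, scope=IN_SCOPE):
    """Collect the networks reachable only through non-authorised NICs,
    so they can be raised with the client before anyone touches them."""
    nets = set()
    for cidrs in hosts.values():
        for c in cidrs:
            if not in_scope(c, scope):
                nets.add(str(ipaddress.ip_interface(c).network))
    return sorted(nets)


def scope_report(hosts, scope=IN_SCOPE):
    """Map each host to its verdict; anything not 'in-scope' means stop
    and confirm with the client before going further."""
    return {h: classify_host(c, scope) for h, c in hosts.items()}


if __name__ == "__main__":
    for host, verdict in scope_report(HOST_INTERFACES).items():
        print(f"{host:12} {verdict}")
    print("networks to confirm with client:", foreign_networks(HOST_INTERFACES))
```

Run it against the interface list you pull from each foothold as you land on it; a "dual-homed" verdict is the point in the story where the host should have gone to the client before cracking the cached hashes, and `foreign_networks` gives you the exact ranges to put in that conversation.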