This is Hacker Public Radio episode 3415 for Friday, the 3rd of September 2021. Today's show is entitled "Hacking Stories with Reacted, Part 3". It is hosted by operator, is about 14 minutes long, and carries an explicit flag. The summary is: I talk about some old, old, old pen testing stories from days of old. This episode of HPR is brought to you by AnHonestHost.com. Get a 15% discount on all shared hosting with the offer code HPR15. That's HPR15. Better web hosting that's honest and fair at AnHonestHost.com. This is another episode of Redacted Hacker Stories with your host, Redacted. I'm still driving here, so you might hear some vibrating when people send me messages. Anyway, this one should be quick. It was a big data company, I think a medium-sized company; they felt medium-sized, but they could have been huge. I don't know; they all kind of blend together. The engagements and the experiences are all different, but the companies blend together. It's kind of funny: I've been doing this for a while, and after a while they start blending together. You can't tell which client goes with which issue you found; you can only remember the experiences, but you can't match them to the client or the person or whatever, so it's probably a good thing, because I shouldn't be disclosing that anyway. So it's a pretty decent medium-sized, big, large client, and it was after-hours testing, and I had a new guy with me, kind of green, kind of shadowing me. He knew some stuff, but there were a lot of words, not a whole lot of talking. I mean, he was actually pretty good, actually pretty technical, as far as the other skill sets we'd had over the course of the last few years doing this stuff.
So we started our testing. We do our scans, I find a system, he's doing something with databases, I can't remember; he finds like a decent database login and we're going back and forth, and I'm trying to kind of half help him, but at the same time I don't have the time. Sometimes, when I'm in the middle of an engagement, unless I've got complete domain admin and I'm running around with the keys to the castle, I don't have a whole lot of time to spoon-feed people. So what I'll do is help a little bit where I can, but, look, let me try to finish this up and I'll help you out. So anyway, I'm trying to help him with some kind of database thing he found, which probably ended up being nothing; I think it ended up being nothing, or little. But I end up finding an older system with either, again, a default login, or MS08-067. It's like a 2000 box, or whatever this 2000 box was. So I drop a shell on it, I log into it, and I start looking around. It's got two interfaces on it: one's like a 10-dot and the other one's like, for example, a 172-dot, so we're talking about two different interfaces on two different networks, which I thought was kind of odd. So I fired up some other tools and utilities and ended up getting some MS cache hashes, which are, I think, equivalent to, or a little bit less strength than, NTLM, or NTLMv1. They might be on par, or a little bit more complex, but they're definitely crackable, right? These MS cache hashes are actually crackable. So I get some MS cache hashes, I'm looking at those, and the user names don't match up with any of the client's. When you're on a domain, you can say, if the guy's name is Bob Burgers, you can do like "bburgers" and see that that's actually his user name, right?
So none of these user names matched up with the AD that I had access to, so I knew that it wasn't... I think I had sprayed credentials across the network and had gotten some access, but this particular computer that I originally exploited was suspect for some reason; it seemed kind of odd. So, crap, I mean, you can guess. It seemed kind of odd, so I'm filtering around, looking around, there are two different NICs, and I'm like, wow, this is some kind of jump box of some sort, this is a different network almost. I wasn't really thinking all that much about it; I thought it was just some proper segmentation, maybe it's a development network or something like that. That's what people will do: people put other interfaces on a system and call that segmentation. It is segmentation, and it's sort of physical segmentation, but at the same time, if I compromise that box and it's got another network on it, it's not physically segmented, right? It's physically segmented from the standpoint of the interface, in that there are two separate interfaces, but if they're on the same computer, and there's a management network and, you know, a bot network, then that system is a jump point for the whole network. So I get that MS cache hash, I crack it, and one of the passwords for it ends up being, I think, a domain admin account, or I spray those credentials across the domain and then get domain admin. So I'm still trying to figure out where I'm at. I see all the security stuff, and I don't see anything about the company; I don't see whatever insurance company it is here, and I don't see data. It's just a little security crap, like monitoring apps, and going through the applications and the users at the end of a long day, they don't match up with anything within the company, and I'm kind of starting to, you can guess, get confused.
So I think the next morning we're still there, or that night we're still there, and I say, look, I jump to the client and say, look, I don't understand, help me understand what this box is. It's this box here, it's sitting on the network, it's got this IP, I've got the DC names, I've got domain admin, and I don't know what it's for. There are several other computers on there, and it's doing stuff, but I don't know what it's for; it's got a management network that I don't know about. Well, come to find out, the client tells me, oh, that's our security vendor. I'm like, excuse me? And he's like, yeah, we pay for them to watch our stuff, you know, one of those, I don't know, threat-watcher things, where they put a computer sensor on your network and then notify you when something bad happens, right? So this is their security vendor, the one in charge of monitoring the network, which we just compromised, which is pretty bad. Now, how deep that could have gone, I don't know, but I didn't chain all the way down to the top level of the tree or try to pivot through that. I just knew that I was somewhere weird and that I should probably figure out what's going on before I keep digging. I thought it was more of a: am I somewhere stupid and this doesn't matter, or is this really important? I had no idea that I might be in a completely different client's network, which is not good at all. So I tell the client, and he's like, oh, it's kind of funny, that's their security vendor, don't worry about it.
And I'm kind of floored, my face is white at this time, because he kind of shrugs it off, but for a fair amount of time my heart stops, because when you cross over to a different company, the engagement letter, or get-out-of-jail card, or not, you've essentially compromised a system that's not within scope. You've got to let it go at that point. And most people will recognize that if you compromise a box, and that box is part of someone else's system and is just sitting on the same network, it's kind of in scope because it's connected. At that point everything on the internet is in scope, because everything is connected to everything; even your SCADA systems have internet. Don't tell me they don't, because I know they do, and they have DNS and all that stuff. So to say that something is air-gapped, that's very rare. People will say things are air-gapped; they're not actually air-gapped. So that's something that you just have to deal with. So anyway, my heart stops, and I'm sure my face goes flush, because I'm flipping out thinking lawyers are going to get involved, something's going to happen, which reminds me of another story I can tell you guys. Lawyers are going to get involved, something is going to happen, and I'm going to be in big trouble. I'm probably not going to get fired, but I'm going to be in some kind of big trouble for this, potentially. So he blows it off. I tell my manager; my manager talks with the client. I mean, this manager is awesome. He would, in kind of a weird, creepy kind of way, he would be like, go here, here's the company, be there Monday morning at nine, let's meet at the Starbucks, and we're going to attack the company. And no scope, no rules; like, the rules of engagement are still high-level, or just like, we're just going to come and tear up your shit.
So, you know, sign here. And he did; nobody else had the ability to, what is going on here?, nobody else had the ability to scope like that. He had some projects out there that were so open, so he was able to give us some pretty good scoping. But anyway, I talked to the manager of this project, and he just thinks it's hilarious. He talks to the client, and everybody's cool, everybody's fine. And I notify the client and say, you probably want to let them know that there's another domain admin rummaging around in there, in their, you know, whatever network it is. It's probably minimized, and it appeared that way: it was maybe only for that client and maybe a couple of other clients. I don't know; I didn't rummage around enough to figure it out. But at the end of the day, it turned out nobody got in trouble. I didn't get in trouble. Everybody thought it was hilarious, and I thought it was just an accident waiting to happen. It could have easily turned into a big lawyer kerfuffle, and I'll probably go into one of those. I don't have any time left, but on the way back home I'll probably do it. So that one was pretty interesting. Trying to think of anything else that came out of that assessment that was funny or interesting. That was just the first time I realized, like, dude, you've got to pay attention when you're doing these types of assessments, because you might compromise a system that's not even yours. Even though it's connected to the internet and connected to the network, just because it's connected doesn't necessarily mean that it's in scope. And if you compromise a system, you want to look and make sure that you're actually supposed to be there.
And even inside of applications, sometimes the data inside of applications might be out of scope. So you're poking at an application that's talking to a third party that you're not really supposed to be talking to. So, for example, CRM systems. Before I bail on you, I'll give you another quick one. We had a big, huge company, a massive company, and I was doing, well, we were there for something. I don't even know if it was... it wasn't for this; this was something out of scope. The reason I found out about it is that their process to onboard a new person was to go through the CRM tool, contact management system, or whatever. So you had to sign up, and when you signed up, they added you to all these groups and users and kicked off all the other processes and automated all this stuff. Well, what I noticed is that the CRM for this huge company allowed me to, without any authentication, request a user, go into the email address of that user's account, activate the account, and log in with the user name. And with one, I don't even think I needed to log in. I think I just did a POST request; I think it was two POST requests. So I've logged in, and with the second request, in the CRM, it would let me get to the users table. And within that users table, I could dump every single email, every single name, first name, last name, which is all on LinkedIn anyway; every single email, first name, last name, and more importantly the phone number of that person, or persons, and then their actual manager, which is very important for phishing attacks and all that stuff.
So that's a quick one before I wrap up here. That one was kind of interesting, and that's also part of a different story I could tell on the way home too; I've got two more stories to tell you. But that one was pretty funny, because we were there for something else, and I talked to my boss and kind of made a joke about putting it on the public internet. And for a second there, he actually believed me that I was going to place it on some kind of public forum for people to look at, and, after realizing that I'm not that crazy, that I would work with him and see how we want to notify the client of this out-of-scope item, which wasn't necessarily part of the client's infrastructure but was part of their processes. It was kind of a recon slash passive finding, but to say, hey, I can see the first 500 users. Okay, show me the first 10,000. Oh, wow, I got 10,000, okay. Show me 99,999, and I get like 160,000 user names, emails, names, managers' names, and phone numbers, of the entire company, not just the specific subset of that company, like the entire freaking company. So that was a quick one, and I hope you guys find these interesting. I'll do two more. I've got like an hour and a half ride home, and unfortunately the audio is going to be horrible with these, but I'll do some magical audio processing on them and hopefully they won't be too terrible. Okay, man, hope you guys make it. You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our Contributing page to find out how easy it really is.
Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and it's part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself. Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike 3.0 license.
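The lesson of the first story, that a box with a second NIC and cached logons from a domain you do not recognize is a stop sign rather than an invitation to pivot, can be turned into a mechanical check run before any lateral movement. The following is an added example in Python and is not code from the episode or from any tool the host used. The scope ranges, host name, interface addresses and account strings are constructed to mirror the story, and the DOMAIN\user account format is an assumption for illustration, not the output format of any particular cached-credential dumper.

```python
"""Scope check for a freshly compromised host.

Added example, not part of the HPR episode. Given the networks and domains the
engagement letter authorizes, flag any interface or cached-logon domain on the
compromised host that falls outside them, and refuse to pivot if any do.
All sample data below is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Scope:
    """What the signed engagement letter actually authorizes."""
    cidrs: list     # in-scope networks, e.g. ["10.20.0.0/16"]
    domains: set    # in-scope NetBIOS domain names, upper-case

    def contains_ip(self, ip: str) -> bool:
        """True if ip falls inside any authorized CIDR."""
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c, strict=False)
                   for c in self.cidrs)


@dataclass
class HostFindings:
    """What was pulled off the compromised box before deciding to pivot."""
    hostname: str
    interfaces: list        # every address bound on the host
    cached_accounts: list   # 'DOMAIN\\user' strings from cached logons (assumed format)


def account_domain(account: str):
    """Return the NetBIOS domain of 'DOMAIN\\user', or None for a local account."""
    if "\\" not in account:
        return None
    return account.split("\\", 1)[0].upper()


def assess_host(host: HostFindings, scope: Scope) -> dict:
    """Compare a host's interfaces and cached-logon domains against the scope.

    Returns the out-of-scope interfaces, the domains that are not the client's,
    and a go/no-go verdict: pivoting is only safe when both lists are empty.
    """
    out_ifaces = [ip for ip in host.interfaces if not scope.contains_ip(ip)]
    foreign = set()
    for acct in host.cached_accounts:
        dom = account_domain(acct)
        if dom is not None and dom not in scope.domains:
            foreign.add(dom)
    return {
        "host": host.hostname,
        "out_of_scope_interfaces": out_ifaces,
        "foreign_domains": sorted(foreign),
        "safe_to_pivot": not out_ifaces and not foreign,
    }


# Constructed sample: the client's letter covers one /16 and one AD domain.
SCOPE = Scope(cidrs=["10.20.0.0/16"], domains={"CLIENT"})

# Constructed sample: the dual-NIC legacy box from the story. The second
# interface sits on a 172.16 range nobody scoped, and one cached logon
# belongs to a domain that is not the client's.
JUMPBOX = HostFindings(
    hostname="legacy-2000",
    interfaces=["10.20.5.17", "172.16.40.9"],
    cached_accounts=["CLIENT\\bburgers", "SECVENDOR\\sensor-admin", "Administrator"],
)


if __name__ == "__main__":
    verdict = assess_host(JUMPBOX, SCOPE)
    for key, value in verdict.items():
        print(f"{key}: {value}")
    if not verdict["safe_to_pivot"]:
        print("STOP: confirm with the client before touching anything reachable from this host.")
```

Run it as a script to see the verdict for the constructed jump box; in practice you would feed it the interface list and cached-logon output from the real host and the CIDRs and domain names copied from the engagement letter. Local accounts (no domain prefix) are deliberately ignored, since they say nothing about which organisation the box belongs to.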