Social Engineering ? true story...
20-01-2023, 13:11
? true story from Group IB. Social Engineering.
• Today I have prepared for you another and interesting story from Group IB, accepted reading:
• Within the framework of the Red Team project, the bank had a super task - to get access to the remote banking service segment (RBS). The iteration of redtiming was far from the first, and the customer regularly conducted more classic formats like pentests and application audits. Accordingly, the perimeter was not replete with holes. We decided to test various hypotheses, including those related to incorrectly configured Wi-Fi in the offices.
• We conducted reconnaissance in several branches, chose the most suitable one with the most interesting radio broadcast and the least serious employees. One of them bought into the legend of our specialist that he urgently needs to go into online banking with a zero mobile account balance. It is logical: to pay for the Internet, you need Internet access. The employee gave out the Wi-Fi password, the specialist poked at the phone, thanked him and left. Went, of course, to the locale!
• For horizontal promotion, we used information obtained in the process of foreign intelligence: the password of an unprivileged user from #Linux servers was not too securely stored in the personal blog of one of the DB administrators. With this account, we got SSH and found a Kerberos ticket on one of the servers — already with admin privileges.
• Promoted on the host and got Linux admin users. To our surprise, the privileges of the current user were already enough to achieve the goal.
20-01-2023, 13:11
20-01-2023, 13:40
20-01-2023, 13:20
There are no comments
Information
Users of Visitor are not allowed to comment this publication.