Introduction
You have been hired as a penetration tester for a large industrial company called Secure Universal
Cyber Kittens, Inc. or SUCK, for short. They are developing future weapons to be used by the highest
bidder and you have been given the license to kill…okay, maybe not kill, but the license to hack. This
authorization gives you full approval to use any tactic in your arsenal to try to break into and steal the
company’s trade secrets.
As you pack your laptop, drop boxes, rubber duckies, Proxmarks, and cables, you almost forget the
most important thing…The Hacker Playbook 2 (THP). You know that THP will help get you out of
some of the stickiest situations. Your mind begins hazing back to your last engagement…
After cloning some badges and deploying your drop box on the network, you run out of the office,
barely sneaking past the security guards. Your drop box connects back to your SSH server and now
you are on their network. You want to stay pretty quiet on the network and not trigger any IDS
signatures. What do you look for? You flip to the Before the Snap chapter and remember printers!
You probe around for a multifunction printer and see that it is configured with default passwords.
Great! You re-configure LDAP on the printer, set up your netcat listener, and obtain Active Directory
credentials. Since you don’t know what permissions these credentials have, you try to psexec to a
Windows machine with a custom SMBexec payload. The credentials work and you are now a regular
user. After a couple tricks with PowerTools in the Lateral Pass section, you move to local admin and
pull passwords from memory with Mimikatz. Phew… you sigh… this is too easy. After pulling
passwords for a few accounts, you find where the domain admins (DA) are and connect to their boxes
to pull passwords again. With domain admin creds, it is pretty straightforward to dump the Domain
controller (DC) with psexec_ntdsgrab and then clear your tracks…
0 Comments