I arrived onsite to suite #102 (the bank’s corporate headquarters) around 9:40am.

I was impersonating a local utility worker, complete with a hardhat, clipboard, obnoxious yellow vest and some old Timberland work boots. I played the part well.

Get in

When I approached the suite I saw a giant glass entrance into the main office of the bank with a secretary minding the entrance and questioning visitors. I also noticed employees were entering and exiting an unmarked door at the end of the hallway – no cameras to be seen. I proceeded slowly past the main entrance and then ran to catch the secured door as it was closing behind an unsuspecting employee. I was in!

Entering that door, I casually walked further into the office looking for an opportunity. All desks and offices were occupied, and I made eye contact with a number of employees while walking around without being questioned (it must have been the great outfit). I saw an empty office, slipped in and deployed a small device under the desk that automatically connected back to a VPN server under my control. I left the suite and returned to the hotel to check connectivity – in and out in about 10 minutes.

Upon arrival at the hotel, I confirmed connectivity and achieved remote access. A few minutes later, authentication hashes were captured off the network from the device and…voila! I had internal access and verified domain credentials to access the network like a typical employee. With some lateral movement through the network, it was only a matter of time before I found domain admin credentials. Now I owned the bank’s corporate network.

If that wasn’t enough, the bank has a branch down the street from me, so I decided to give them a chance to catch me there.

I arrived at the branch at around 12:30pm impersonating a local food delivery driver. The food was prepaid, of course, so I just needed to drop it off. Initial conversations with internal staff at the entrance did not yield any access to the building. Great job by them.

I asked to use the restroom on the first floor and while there successfully dropped a USB drive. This was no ordinary drive, however, because it contained a single file – a macro-enabled Excel document titled ‘Employee Bonus Plan.xlsm’ whose macro launched a reverse shell. That ought to get someone’s attention.

A final attempt to deliver the food was denied and a local police officer was now stationed by the front door standing guard. Yikes. I took the food with me and exited the building. “Have a nice day officer,” I said, hoping someone would find the drive and open the file. In and out in 10 minutes.

Back at the office, after I had enjoyed a few sandwiches from my ‘delivery’, the payload executed. I saw the happy stream of data signalling that the Excel document had been opened on a user’s workstation and a Metasploit Meterpreter session was successfully established. This resulted in complete control of the user’s workstation.

Since the user was a local administrator, persistence was established to maintain the connection through reboots. Now I had internal access at the branch and verified domain credentials to access the network like a typical employee.

With the previous access gained at the corporate office, I also owned the branch network! Anyone need a loan? Great rates!
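The branch compromise hinged on someone opening a macro-enabled workbook. As an added example that is not part of the original article, the Python below shows the check a mail gateway, USB-scanning agent or incident responder can run on a suspect file before anyone double-clicks it: a .xlsm is an OOXML zip package, the VBA project lives in the part `xl/vbaProject.bin` (an OLE2 container, magic `D0 CF 11 E0 A1 B1 1A E1`), and `[Content_Types].xml` declares it with the content type `application/vnd.ms-office.vbaProject` and marks the workbook itself as `macroEnabled`. The check reads those package internals rather than trusting the file extension. The sample workbooks are constructed inline with just enough structure to exercise the check; they are not real Excel files, and the function and variable names are this example's own.

```python
import io
import zipfile

# OOXML content types fixed by the Office Open XML specification
VBA_PART_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_WORKBOOK_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WORKBOOK_TYPE = (
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
)
# vbaProject.bin is an OLE2 compound file; this is its 8-byte magic
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed stand-in for an Excel workbook (example data, not a file
    Excel would open): the package parts and content types the checks read."""
    workbook_type = MACRO_WORKBOOK_TYPE if with_macro else PLAIN_WORKBOOK_TYPE
    overrides = [
        f'<Override PartName="/xl/workbook.xml" ContentType="{workbook_type}"/>'
    ]
    if with_macro:
        overrides.append(
            f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_PART_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # a real VBA project is a full OLE2 container; the magic suffices here
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def inspect_workbook(filename: str, data: bytes) -> dict:
    """Look for macro indicators inside an OOXML package, ignoring the extension.

    verdict is 'not-ooxml' (not a zip package), 'clean' or 'macro-enabled'.
    """
    result = {
        "filename": filename,
        "ext_claims_macros": filename.lower().endswith((".xlsm", ".xltm", ".xlam")),
        "vba_part": False,          # xl/vbaProject.bin present
        "vba_part_is_ole": False,   # ...and starts with the OLE2 magic
        "vba_content_type": False,  # [Content_Types].xml declares a VBA project
        "macro_workbook_type": False,  # workbook part typed as macroEnabled
        "verdict": "not-ooxml",
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return result
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            for name in names:
                if name.lower().endswith("vbaproject.bin"):
                    result["vba_part"] = True
                    result["vba_part_is_ole"] = z.read(name).startswith(OLE_MAGIC)
    except zipfile.BadZipFile:
        return result

    result["vba_content_type"] = VBA_PART_TYPE in types_xml
    result["macro_workbook_type"] = MACRO_WORKBOOK_TYPE in types_xml

    # any one indicator is enough to treat the file as macro-enabled
    has_macros = (
        result["vba_part"] or result["vba_content_type"] or result["macro_workbook_type"]
    )
    result["verdict"] = "macro-enabled" if has_macros else "clean"
    return result


if __name__ == "__main__":
    samples = [
        ("Employee Bonus Plan.xlsm", build_sample_workbook(True)),
        ("Q3 report.xlsx", build_sample_workbook(False)),
        ("notes.xlsx", b"not an OOXML package"),
    ]
    for name, blob in samples:
        print(inspect_workbook(name, blob))
```

The three indicators are checked independently because a package can be tampered with so that only one of them survives (a renamed part, or a project declared in the content types but with the part missing); any one of them is reason to quarantine. This is a content check, not a control: the control that would have stopped the drop in the story is a macro policy that blocks VBA in documents arriving from removable media or the internet, which this script does not replace.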


Duncan Macrae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.


  • So in other words, best job ever? I won't lie, AFOAF got the chills and a small rush as he read this. AFOAF never did anything close to this scale, but it reminded him of days long, long ago, and he's ashamed and feels that to do this freelancing, or to serve in this role to help prevent such things, is what he wants and must do. Not to mention, it's the most fun thing in the world to try to beat, break, hack or bypass any sort of system. I personally stay on the white-hat side and I can't even practice anymore for fear of trouble. White hat 100% now.

    Great article man, thanks for that.
