Pen Test, Part 3: Jumping a Fence and Donning a Disguise

Last updated at Sat, 09 Dec 2023 22:30:28 GMT

Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is the third in a five-part series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our report, “Under the Hoodie 2018: Lessons from a Season of Penetration Testing.”

I was once part of a Red Team of three tasked with testing an energy company with three locations in three different cities. My assigned location was surrounded by an 8-foot barbed-wire fence to guard most of its service and Cat heavy equipment vehicles.

I started by driving by the site on the first day of testing, watching people arrive for work and leave to get an idea of what sort of activity this location had. I went to dinner, and when I came back around 9 p.m., I realized there was a business next door that allowed for cover after hours. I decided to jump the fence and walk around the property in the shadows as much as I could. My goal was to avoid getting picked up by any cameras and getting caught.

As I began checking the commercial vehicles for unlocked doors, I found that one had a laptop on the armrest inside. I got excited, as I was thinking of all the possibilities for what I could do with a laptop if I got my hands on it. The vehicle’s locked doors stumped me for a while until I realized the quarter window was unlocked. I was able to push it open, unlock the truck, jump in, and grab the laptop.

I sat there for about five minutes waiting to see if anyone had spotted me. When nothing happened, I tried to get into the laptop but struggled because I didn’t have any tools on me. I made a call to my point of contact and asked for permission to take the laptop, which was granted. I then slid it under the fence, jumped over to my rental car, and headed to my hotel.

I worked on the laptop all night, getting past the login first with Kon-Boot and adding a local administrator user. Later, I mounted the hard drive with Kali, as the drive wasn’t encrypted. I pulled up the local admin hashes off the PC and set up some malware so that when the box was booted up, it would call back to me and give me access when it was on.

The next morning, I broke back in and returned the laptop before employees’ shifts started so no one would suspect anything. I got a local administrator shell, but it died before I could do anything with it. So, I had to go back the next day and do it again. Once more, I briefly got a shell I was unable to do anything with.

I decided to go to an office of theirs and attempt to see whether I could clone some RFID badges so I could use them to gain access to the facility without having to jump the fence every night. It turns out, the location I cloned badges from was a shared office, and I was unable to tell who or where the cloned badges I obtained came from. In the end, none of them worked at the location I had been given permission to test.

At this point, it was the second-to-last day of the assessment, and I didn’t have everything I wanted. So, I decided to do it again but just keep the laptop and use it to get into the corporate network. This time, I got into a truck and put on a uniform someone left inside. I used this uniform to walk around the property and gain access to more trucks. I figured if I were seen on camera, I would look like a legitimate employee just doing some maintenance or say that if I were somehow found and questioned.

I also knew the laptop would now be reported stolen in the morning, which meant I didn’t have much time to work with, since they could have had a way to shut off access to it. I started taking a forensic clone of the system and decided to take a shower while it was cloning. When I came out, I saw the mouse cursor was moving and closing things! It became a fight for the mouse and keyboard at this time, and I ended up just disconnecting the network connection. I eventually got on the corporate network and gained local admin access on some other systems, which led to domain admin access. With that, I was able to do whatever I wanted on their network and systems.

That was fun.

Interested in learning more about how Rapid7 pen testers conduct their assessments? Check out the other stories in this series:

• “This One Time on a Pen Test, Part 1: Curiosity Didn’t Kill the Cat—Honesty Did”
• “This One Time on a Pen Test, Part 2: How Just One Flaw Helped Us Beat the Unbeatable Network”
• This One Time on a Pen Test, Part 4, "From Zero to Web Application Admin through Open-Source Intelligence Gathering"