The top

Sometimes you don't know what you agree to until it's too late. In this particular project we were testing physical security around the customer's building. The customer asked us to try to bypass their physical security measures and if possible reach a certain room and leave a note there.

It sounded like a fun project.

The next 3 weeks were spent researching the target, doing recon during the day and night, trying to get the right names for a social engineering attack if needed, and on gear, techniques and planning.
In the end we discovered a vulnerability that we thought we could exploit to get us in. The only problem was that in order to get to that potential point of entry we needed to get to the roof.

Walking inside the building and taking the elevator was a no-go. However, we found that on the back of the building, where the big trash containers were located, there was a service elevator with a lock we could pick, or so we thought. There is a camera pointing at that spot, but based on a recon attempt we had a week earlier we noticed that we could be in the vicinity of the area without anyone checking us out. So, we figured that at night it would be even better. Now, you would think that we would use the elevator to get inside the building; however, our target was in a second building that was joined to this one (with the elevator) via a bridge. We needed to get to the roof to cross to the other building and use the roof access.

We arrived and waited a few hundred meters away until after 3 AM. Then we approached the elevator. H began working on the lock while I kept an eye out for any guards. We knew there weren't any roaming patrols, but you can never be too careful. H had the lock open in under 5 minutes. Great! hmmmm...
We stepped into the elevator and hit the last floor. When we reached it, we got out and searched for the roof access. Based on the plans we found online the door should have been across a hallway to the right. We walked silently in the darkness and... There was no door. We began walking again trying to find the door when we heard noises. We started walking faster and we found the roof access. It was marked as such.
We opened the door, it was unlocked, and we stepped outside. Meanwhile the voices were getting louder, so we tried to find a hiding place on the roof just in case. As soon as we crawled under the space in between the floor and one of the massive air conditioning units, 2 guards came out of the roof door. They had cigarettes in their hands. They were going to smoke...

In the meantime we were there, lying prone on the ground, when we noticed roaches all around us and on our arms and legs. Damn... We could get out of there and fail, or suck it up and wait for the guards to go away. Well, they took a 45-minute break, those two guards... We had nasties all over us and the smell coming out of one of the vents was making us gag...

But, eventually they went away and we crawled out of that hole. Smelling like ass and shaking the roaches. We made it across the bridge and managed to enter the other building...

Was it worth the pain? I don't know... One thing I did learn: roaches are more disgusting when they are on top of you.
