The Hotel, the Bellman and the Screaming Lady - Part 3
(following Part 2)
After identifying the two possible attack vectors on their email server, we set to work. In order to test the exploit we wanted to use in the direct attack, we needed to mimic the target environment as closely as possible. We knew the software that was running, both the OS and the mail server software, and we recreated it as faithfully as we could from the information we had gathered during recon.
While we were doing this, the Team was also writing two possible exploits. Always have redundancy: don't trust just one exploit, no matter how well it has always worked in the past. The exploit's purpose would be both to give us a foothold on the server and to drop a small backdoor that we could use to upload a much more sophisticated digital drone (a fancy name for a more complex piece of malware). Both exploits would do the same thing, the difference between them being which vulnerability they would try to exploit and how.
Initially we thought about leveraging the fantastic Cobalt Strike / Metasploit combo for the exploit and for managing the penetration once inside. However, these two particular exploits we were coding needed to be a bit different, with the listeners on our end (for the backdoors) requiring a particular capability, so we wrote our own manager, albeit a very primitive one. But it worked well.
The other approach we were exploring was the indirect attack via a social engineered email. The email would have two possible ways to get the backdoor installed on the target's computer: a weaponized PDF designed to exploit a possible vulnerability in the hotel's email client, and a link to a website hosting attack code. In both cases, a backdoor would be installed, if possible. Once this was done and the listener had a shell, we would then copy over the same digital drone mentioned above.
After about 4 full days, a lot of caffeine and pizza, we were ready to test both attacks against the server and the email client.
We made a number of dry runs, and once we were comfortable that the exploits, the weaponized PDF and the backdoors were working, we created the last piece of the puzzle: a legit-looking website where we could host the attack code for the social engineering attack.
Stand by for part 4 and the actual run...