Ghosts in the Bank
John Skipper, Senior Consultant, Coalfire Labs
It was a dark night. A car pulled up in the parking space next to me and quickly extinguished his lights. I looked out the my window and saw the driver. He gave me a quick nod and we exited our cars. Opening the trunk I pulled out my tools for the night. A backpack full of trash bags, a flash light, gloves, a tarp and oily rags taken from the garage. We walked in the warm summer air up a hill and to the street corner where the target was finally in view. There was the bank. Tonight was just recon, getting a lay of the land and some dumpster diving. We approached the bank and made a quick walk around the block identifying windows, entries and exits and connecting the dots of what I found on Google Maps. By the cover of trees we started down an embankment towards the dumpster, but we spotted a police car. Trying not to cause any suspicion, we quickly made our way back to the sidewalk and walked away from the bank. My heart was racing. I didn't want to fail even before we started.
To [Hell] Shell and Back
Justin Berry, Security Consultant, Coalfire Labs
My initial thought was it has to be the firewall keeping my reverse shell from getting out of their environment. So, leveraging the command execution vulnerability, I started testing outbound internet access from the vulnerable server to my server on the internet, only to find that the port I had been using all along in the initial Metasploit attempt was allowed out. This left me with a sense of disappointed optimism because the firewall isn’t blocking it, but for some reason it isn’t working. “Maybe it’s getting caught by Anti-Virus”, I thought. I used the command execution to generate and execute an FTP script that would download a payload from my server. The logs on my server showed an active download from the target companies network. “.. Excellent..”, I mischievously muttered to myself in my best Mr. Burns impression.