Elevated attack

How vulnerable can a building guard’s desktop be? Really, it should only be allowed to access the automatic door controls and maybe a game of Solitaire, right? Think again.

Several months ago, a major real estate company asked BugSec to conduct an external takeover of their IT system. This provides the company with a comprehensive view of various areas of exposure that they might have, which can be taken advantage of by malicious parties. All discoveries were of course reported to the customer.

We began our reconnaissance on a famous office building. A quick look at the guard station revealed that a vulnerable computer operating system had been installed, which was a possible entry point. An additional search of the premises led us to an exposed Ethernet outlet, and like good white hat hackers, we decided to plug in.

Once we were in, we managed to bypass the NAC system and gain access to a local IP address. A quick asset scan revealed that this was the guard’s station endpoint, which wasn’t even concealed as it was called “GUARD-PC”. We were able to exploit the previously discovered vulnerability on this endpoint to get a remote shell on the Guard PC, and from that point we were inside the system.

Moving on to the next stage towards privilege escalation, it took about 15 minutes until we had accessed the domain admin. For many ethical hackers, this would have been the jackpot and they would have called it a wrap. But our team was just warming up.

We decided to manipulate the building’s digital signage system, changing the direction of arrows, switching between corporate names and floors, and adding fictional names and signage, like “Dr. Smith – to the right.”

We continued probing until we gained control of the elevators. We were able to stop and restart them, lock people inside, and perform many other operations that would be quite worrisome if carried out by a real hacker.

All issues were reported fully to the customer, who was both surprised by the gaps in their system and happy to have us on their side in order to resolve the issues.