Alice vs. Robert Sky: Round 1
The Hacker Chronicles is an original series created by the team at Tenable.
Produced by Caspian Studios.
Alice:
I had called Lake Placid home for two weeks. I rented a cabin behind the general store from a nice old guy named Arthur and I got to work. I knew if I was going to hit Robert Sky, it meant hitting just Robert Sky. No one else could be collateral. My MO was simple. Rule one, I don't put anyone else at risk. Only my neck goes out on the line. Rule two, inflict maximum damage on my target. And rule three, leave no trace. I attacked Oglethorpe and Hudson for the money. Now I was hacking for a cause, to give Robert Sky a taste of the chaos they'd made their business model. That wasn't going to be easy and I had no idea how long it would take.
Alice:
I spent most of my days doing reconnaissance and enumerating inside Robert Sky's systems. To put it in English, I was mapping their endpoints, looking for where I could attack next, listening to what their computers told me. A hack of this magnitude could take months to prepare. I had to know Robert Sky's servers better than they knew them themselves.
Alice:
Of course, you can't do that all day, so I spent my morning snowboarding. I worked to skill up as a hacker. I listened to hours of podcasts. I read the message boards on the dark web. I'd never been more focused. I had never been better, but I was lying to Genie. Even though I never met him in person, he was one of my best friends. And to make things worse, he lived two hours away in Burlington, Vermont. Twice we made plans to hang out and twice I canceled. I told him I was too busy with piano, but third time's a charm. I couldn't put it off any longer. I hated keeping my secret, but if I wanted to keep my friend, I didn't have a choice.
Liftie:
How you doing, Alice? Ready for some fresh powder?
Alice:
Yeah, totally. But seriously. I've never seen a lift line this long before.
Liftie:
It's the biggest day of this season, but honest to God, it'll be worth the wait.
Alice:
If you say so. I just hope I can get two or three runs in before I get back to work.
Liftie:
Enjoy that long line.
Alice:
Thanks. That's what podcasts are for.
Jerry:
Today on the Tenable Research Podcast, we're diving into Log4j, the back door of vulnerability that has rocked the cybersecurity world over the last month.
Alice:
I'm listening.
Jerry:
For our listeners who don't know what Log4j is, it's an open source logging library that's used in countless pieces of software. Today I'm joined by Francois Cortez, global cybersecurity expert. It's been a month since Log4j was first noticed. How big of a deal is this still, Francois?
Francois:
Oh, it's big, Jerry. I mean, in the development world, Log4j is as common as ice in the North Pole and virtually ...
Jerry:
I don't know how long ice is going to be in North Pole.
Francois:
Jerry, you're not funny. Virtually every single company is still vulnerable. Security names are scrambling to fix this vulnerability, but it's going to be a while before this is behind us and you are making jokes, and bad jokes at that.
Jerry:
Okay, okay, okay. What I'm hearing you say is that this is an IT domino effect like nothing we've ever seen before.
Francois:
Absolutely. Scary shit. It takes only a few pieces of code to seize control of any system operating with an unpatched log4j. It really is that simple.
Jerry:
And the scariest thing about it, until November 24th, 2021, no one even knew this thing existed, but the discovery of its existence upended the cybersecurity world completely. Today on the Tenable Research Podcast, we're breaking down everything Log4j, the Pearl Harbor of cybersecurity.
Alice:
Holy shit. This might be what I'm looking for. Sorry. Sorry. I know I'm getting out of line on an awesome powder day. Just everybody enjoy yourselves. Work emergency.
Alice:
Okay. Just a quick check of the Proton Mail. And then we are going to tackle Log4j today. Ugh. It stings. I should try that acupuncture place Arthur was talking about. Hm. You've got mail. A system report from my ransomware service provider. That's new. They're upping their game. Let's see. Systems are operational. No kidding. The list of endpoints I own. Cool. Some basic enumeration. The security I've already seen. Okay. This is high level pointless shit. I got to ask tech support to make them stop sending this crap. Who knows what else they're going to send if they want to start acting like they're a legit IT services company?
Alice:
Ugh, whatever. It's time for the big show. Okay. Hello, Robert Sky. I've been spying on you for 16 days and you still have no idea I'm here. You are a bit more challenging than I thought you'd be. You're definitely a big fish, but today is going to be different. Today, we're going to see just how quickly you patched your Log4j vulnerabilities. Hmm. Good job. You've patched up every Log4j vulnerability that can be accessed online. Oh, we don't care about that, do we? Because we're already inside your endpoints, so today we're going to find out if you've patched your internal vulnerabilities. Okay. That's been patched and that one, too.
Alice:
No. Wait. Okay. No, no, no, no. Don't get excited. Oh my God. Let's double check this. Holy crap. Do we have our in? Oh, God. Their Amwear server is still vulnerable to Log4j? What? I can ... It's the kill switch. This is it. This is the kill switch. Oh my God. Holy cow. I almost feel sorry for these guys and girls. Let's not forget about the ladies in IT. Come on, Alice. Well, time to exploit that. Oh, God. They could be working on fixing this right now. Shit. It's Genie. Oh, wait. He's coming today. You got to cancel. No, you can't. Just pick up. Hey, Genie.
Genie:
Hey, I'm at that microbrewery in Burlington I told you about. I was trying to remember which beer you wanted me to bring. Was it the double IPA or the oatmeal stout?
Alice:
Oh, why don't we just do both?
Genie:
You did remember I'm coming today, right?
Alice:
Yeah. Yeah, of course. Yeah. I'm just working on my work. You know me.
Genie:
Right. Yeah, for sure. I'm sorry. My bad. I just had to ask. I mean, you canceled on me twice already, but if you're into the groove, I can come tomorrow.
Alice:
No, no, no, no. Come on. No, I just got music notes on the brain. That's all. I just lost track of time. It's all good. It's all good.
Genie:
Cool. Well, great. Once I get this, I'll be on the road, so it'll be about two hours.
Alice:
Oh, you're leaving now?
Genie:
Yeah. It's like 4:00.
Alice:
Okay.
Genie:
You sure you don't want to cancel? I don't want to get in the way.
Alice:
No, no. I mean, duh, come on. Come on. Come down here. We planned on this.
Genie:
Okay. Awesome. Oh, and you ordered those dalgona cookies, right? For tonight? Big game night with Falcon.
Alice:
Yeah. Yeah, they're at the store. Listen, Genie. I really got to keep on ...
Genie:
Alice, can I say something?
Alice:
Sure.
Genie:
Okay. I know you're distracted right now and you probably feel kind of rude, but you shouldn't. This is why you did everything so that you can focus on what you love, your music. I'm really happy for you.
Alice:
Thank you, Genie. I'll see you soon. Okay? But I'm already forgetting if this piece is in three-four time or six-eight time, so I got to go.
Genie:
Oh, right. My bad.
Alice:
Okay. See you soon.
Genie:
Bye.
Alice:
See you soon. Okay. As if there wasn't a ticking clock already, I've now got two hours to exploit Log4j, buy groceries, clean the house. And did I shower today? Yeah, I totally showered. Oh, yeah. Definitely showered.
Alice:
Okay. Where was I? We just need to modify some headers, a few ones and zeros. I've got my netcat listening on port 4444 in case I get a response. Okay. That first payload did not work. Patience, patience. Ooh. What's that, netcat? Was X-Forwarded-For the one? All right. Remote code execution. That's the holy grail. It can't do much on its own, but I can use it to install something in here that can launch local commands, AKA a reverse shell. Shouldn't be hard to find something online that will help me do this.
Alice:
Whoa. That's a lot of choices. And here we go. Boom. There you sail, my little ghost in the shell. Ooh. What's that, Alice? What's that you smell? Oh, that's the sweet scent of a server whose software is vulnerable to Log4j and you've exploited it. Now you're king of the hill. Scratch that, queen of this single server. You're so close. Hell, yeah. Okay. It's time to see what this root access gives me now. Let's dig into this hill and see what it's made of.
Alice:
Seriously? Seriously? All that trouble got me into a freaking Linux system? Everything in my exploit kit's been designed to work on Windows. Ah, I'm the queen of the only hill I can't climb. How the hell am I going to get domain domination now? Shit. Where's my burner phone? And I haven't cleaned either. Dang it. All right. Well, lean into the gamer stereotype. I'd kill for a wine night right now. Whew. There you are. Now tech support, come on.
Tech Support:
Hello.
Alice:
Hey, I have a big problem and I really need your help right now.
Tech Support:
Nice to talk to you too, Able 10, but I must caution you. The idea of "right now" is an illusion. Our perception of time is completely subjective.
Alice:
Okay, yeah. We all live in a simulation and wear giant meat sacks on Europa and nothing is real, but in the simulation we're living in right now, I need to finish exploiting Log4j and my target before my friend, who thinks that I've left hacking behind, comes over in two hours. Hello? Hello? Time is objectively limited at the moment, dude.
Tech Support:
Did you say your target is still vulnerable to Log4j?
Alice:
Yes. They patched their internet facing systems, but not their internal ones.
Tech Support:
And here I thought you were having an issue with your reconnaissance kit, like you did last week. This is [inaudible 00:13:20].
Alice:
Yeah. It's a kill switch if I can exploit it.
Tech Support:
You can't? It's fairly simple.
Alice:
Well, yeah, but it got me root access on a Linux server.
Tech Support:
Oh. And all the tools in your exploit kit are geared toward Windows. Right.
Alice:
Exactly, and I'm totally stumped. I've read so much on hacking, but I have no idea what to do. It's like I know exactly how to fly the plane, but someone just completely changed the laws of physics.
Tech Support:
Yeah. I know the feeling. No, I can't teach you hacking Linux for newbies in 45 minutes, and let's be honest. I'm not sure I've gone to either. Trying to teach Linux architecture is like trying to paddle a boat with a toothpick.
Alice:
Okay. I could try to find other internal servers that are Log4j vulnerable and run on Windows, but it's going to take ages and I don't have that kind of time.
Tech Support:
And honestly, I suspect they've patched those, as their management provider probably detected all the vulnerable servers a long time ago, but the IT team just put the Linux servers last on the to-do list. You're going to have to get credentials from this server somehow. It's not more complicated really, but again, this is not hacking university. It's going to take some, say it, face me now, gray matter. Able, you didn't say it.
Alice:
Gray matter.
Tech Support:
There we go.
Alice:
Okay. All right. We can figure this out. Let me think. Wait a second. They've got to manage authentication the same way a Windows system does. Right? So no matter what operating system they use, they're still part of the same infrastructure. They have to be interoperable.
Tech Support:
Of course.
Alice:
Okay. Wait, wait, wait. So when a user comes and authenticates themselves on that server, like login password, blah, blah, blah, when that happens, Linux systems create the same sort of authentication tickets as Windows, correct?
Tech Support:
Yes. There we go.
Alice:
So these tickets, which basically serve as substitutes for their logins and passwords, are also stored somewhere in here.
Tech Support:
This is so entertaining, Able. It's like watching a baby walk for the first time. Yes. These tickets are stored locally. You wouldn't want your users to reauthenticate themselves every time their machine does something on the network, right?
Alice:
Yeah. That'd mean asking for your login and password every minute or so. Hey, don't these tickets have some kind of weird name? I know I've read about, like a [inaudible 00:16:18]
Tech Support:
Kerberos tickets. Yeah. It works the same way old-fashioned theater tickets worked. You get a ticket when you get admitted the first time. Then the usher tears it apart into two halves, keeps one and gives you the other one. When she later needs to verify you're permitted in there, she doesn't need to reauthenticate you formally. She just needs to compare your two halves of the ticket. But for that, of course, your Linux server, which is the visitor in the theater analogy, needs to keep its half of the ticket somewhere so it can be continuously trusted by the rest of the IT infrastructure, which is the usher in this analogy. And that's where the analogy stops though, because your server keeps the whole ticket, but doesn't matter, really. You're following me, right?
Alice:
Yes. Couldn't you have just told me this in the first place?
Tech Support:
Yeah, but then I got to thinking. I mean, maybe this could be hacker university. I mean, I can't do tech support forever and the Socratic method seems to work for you, so the building's at gray matter.
Alice:
There's a time and a place, dude.
Tech Support:
You should see my face right now. I am smiling so wide, Able, which is a big deal. This may surprise you, but I don't smile very often. I have what's known as resting existential dread face.
Alice:
Oh, yeah. I bet you do. Okay. Let's find where this server keeps its user's magic tickets, which we could have done a long time ago. Okay.
Tech Support:
This is all very exciting, Able, and I do want to know where it's going, but do you still need me here? I mean, I'm just sitting on the phone, listening to you type. The rest is pretty for now. Find a ticket here that holds some privileges and if you don't, then go to another server, rinse, and repeat. Once you have your ticket to your next ride, you authenticate to another machine that runs on Windows this time so you can use your beloved ransomware kit to do, as you Americans say, your thing.
Alice:
Oh, come on. You teach me all this and now you want to go? What, do you have a date at a concert or something? Oh wait, I found a ticket in the temp directory.
Tech Support:
I have never been to a concert.
Alice:
All right. Now you're just messing with me. Okay. All right. I just tested this ticket and it won't get me through, not privileged. All right. I'm going to do as you said, repeat all these steps on other Amware servers until I find the right ticket for me. This is going to take a while, right?
Tech Support:
Maybe, but probably not. You've got the whole recipe now. Now you just have to repeat and I guess call me back when you wrap up. Yeah.
Alice:
Yes.
Tech Support:
I want to know how it goes.
Alice:
Thank you. Okay. So while the computer here sorts through the tickets, I'm going to go to the grocery store and maybe clean the house. I'm not that clean, though. Wouldn't it seem just right if there's stacks of dirty dishes and popcorn on the ground? I mean, my friend has never seen my place before. Maybe I can just run with this messy musician thing. It's my vibe.
Tech Support:
Yeah. You should really clean. That sounds disgusting.
Alice:
You're savage.
Tech Support:
Ah, first impressions matter, even if nothing else does.
Alice:
Hey, Arthur, can I get a pound of ribeyes real quick, please?
Arthur:
Alice, say, it's nice to see you.
Alice:
Yeah. Sorry. I'm in a bit of a rush. Where are the potato chips?
Arthur:
Second to last aisle.
Alice:
Okay. Wait. Second to the last from the right or the left? Honestly, Arthur, these aisles need numbers.
Arthur:
What's gotten into you, Alice?
Alice:
Dalgona cookies. I need dalgona cookies. Do you have any?
Arthur:
Diagonal cookies? Well, we have cookies of all shapes and sizes, Alice.
Alice:
No. I told my friend I'd order some. Damn it.
Arthur:
Alice, Alice. Hey, it's not a big deal.
Alice:
Yes, it is. I just can't let Genie down. Okay?
Arthur:
Your friend's name is Genie.
Alice:
Maybe. I don't actually know his real name. Okay? I've never met him in real life either, so this whole thing has to be right. First impressions are important.
Arthur:
Whoa. You don't know his real name and you've never met him? I mean, I was quite the wild child when I was your age, but what are you talking about? This is a whole different kind of ball game.
Alice:
Oh, no. No. I guess he's a coworker. We met because he was consulting with my company and we just became friends, remotely, remote work, and everybody was just calling him Genie on Zoom, so that's just what I call him. But anyway, he lives in Burlington and we talk a lot and he's coming down today, so I'm going to meet him.
Arthur:
I got it. Okay. And hey, I used to have a nickname when I lived in the city. My friends used to call me The Magician because I knew how to make my paycheck disappear.
Alice:
Very funny.
Arthur:
Hey, they were wild times, let me tell you. But Alice, I'll be frank with you. I don't think that's why you're nervous. What's really on your mind?
Alice:
Arthur, have you ever lied to one of your friends?
Arthur:
Now we're talking.
Alice:
But you're lying for a good reason. It's almost like you have to do it. The truth is not worth the fallout. You know what I mean?
Arthur:
My wife Shannon lied to me about buying that piano in the corner. She told me she'd spent the money repairing this old car we had and I'll tell you what, we needed that money. I had a business selling homemade granola that was going the way of the dodo. It was another one of the magician's sure fire bets. Oh,
Alice:
What happened?
Arthur:
Well, I was pretty angry. The granola business had always been my dream. I guess I should have dreamed bigger or at least dreamed of something that didn't taste like tree bark. But there I was in our little walk up in Hell's Kitchen, just conjuring every four letter word I could think of, but Shannon didn't say a single word. Instead, she waited after I'd run out of hot air and terrible spells. She sat down at the piano and began to play her favorite song, this little piano piece called Jacob's Celebration.
Arthur:
And when she finished, she looked at me and said if I didn't want that beautiful music in my life, then she would be gone, too. And she was right. Having a piano had always been her dream and I'd always said, "No. No, it's too expensive," so she lied to me about buying it because it was the only way I would listen and I am glad she did. I just wish she was around to play some more. My birthday's on Wednesday and she would always put on a little concert for me. I guess what I'm saying is you can lie for a good reason, for a good reason, but you've got to make sure it's worth it and not just for you, but also for the person you're lying to. So, is it?
Alice:
I think so. I think so.
Arthur:
There you go.
Alice:
Thanks, Arthur.
Arthur:
Anytime, Alice.
Tech Support:
Well, hello again.
Alice:
Well, hello. I'm back. Got the groceries, cleaned the house, kind of. Have you ever noticed how everything happens at once?
Tech Support:
Ah, it doesn't but we think it does. That's the power of the simulation. It makes us feel much bigger than we actually are.
Alice:
Yeah. That's a pretty awesome programming job if you think about it, but you know what else is awesome? I found a Kerberos ticket with privileged access.
Tech Support:
Well, frost my strudel.
Alice:
Not only that, my weirdly unmusical friend, this ticket belongs to a privileged service account. And after a little more enumeration by yours truly, I discovered that it belongs to the Domain Admins group.
Tech Support:
You're domain admin. Ah, that's checkmate. You don't even have to try to move to a Windows machine. You're the key master now.
Alice:
You bet I am. Just have to give my findings to the ransomware kit and boom, off it goes. Won't take more than 48 hours to infect everything, I guess. I thought the whole point of Log4j was that it was super simple. That was a headache.
Tech Support:
Well, you've come a long way since we first spoke.
Alice:
Well, I couldn't have done it without you, tech support.
Tech Support:
Oh, shucks.
Alice:
It's weird that I don't know your name.
Tech Support:
Oh.
Alice:
Hello?
Tech Support:
It's Frank.
Alice:
No. Are you serious? Wait, is that what you tell all the hackers?
Tech Support:
Sadly, yes. My name is Frank.
Alice:
No. Oh, my God. I can't believe it. You were making so much fun of Frank Tornello's name, really going off on him.
Tech Support:
Yeah. Someone who's had a lot of time to think about how terrible that name is, but first impressions are important.
Alice:
That's so weird too, because I know your name now, but I don't even know my friend's name. Oh my God. I still need to talk to you about the systems report you sent me, so weird.
Tech Support:
But systems reports? I'm not sure what we're talking about here, Able, but the people who pay my bills never tell me anything.
Alice:
Yeah, it was just this really dumb, weird thing. Anyway, we'll talk about it later. My friend's here. I got to go.
Genie:
Alice. Alice, are you there? Are you there?
Alice:
Hey, one second. I'm just putting some clothes on. I mean, I'm already wearing clothes. I'm putting my sweatshirt on because I'm already wearing clothes. Alice, Jesus, what's wrong with you? Just answer the freaking door. Hello, Genie.
Genie:
Hello. Nice to meet you, Able. I mean, Alice, or do you prefer Able? Would that be weird or would that be normal?
Alice:
No, that ... Let's just go with Alice, probably.
Genie:
Sure.
Alice:
Yes? And I just realized that I don't know your real name and obviously, you already know mine, so ...
Genie:
Oh, right. It's Daniel, but Genie's actually been a nickname of mine since I was a kid. I was really into Aladdin.
Alice:
That's cool. Well, nice to meet you, Daniel.
Genie:
Did you know your sweatshirt's on backwards?
Alice:
Yes, totally did. It's just this thing I do for good luck. Anyway, so come in if you want to ...
Genie:
Thanks, so which time signature did you land on, the three four or the six eight?
Alice:
What? Oh, you know what? Who cares? You're here. Let's have fun. You want a tour of the place? Welcome to Lake Placid. This is my humble abode.
Genie:
This place is way cleaner than mine.
Alice:
Thank you. But full disclosure, there was a little mix up with the dalgona cookie order, so they're not actually here.
Genie:
It's all good when we've got beers and you're going to teach me how to snowboard tomorrow.
Alice:
Yes. And then apres all day. It's going to be awesome.
Genie:
Oh, that's Falcon. He's FaceTiming me. I told him I was almost here.
Alice:
Oh my God. Pick up.
Falcon:
Whoa. Look at the two of you in the flesh.
Alice:
Holy shit. Look at you.
Genie:
You're ripped, dude.
Alice:
Oh my God.
Genie:
You're like Adonis.
Falcon:
Guys, I know I said I'd play War Zone tonight, but I'm in the middle of a big personal emergency. I got a date on Joystick.
Alice:
So wait, how's that an emergency?
Falcon:
Okay. You remember that girl I matched with, who proceeded to unmatch me?
Alice:
Yeah.
Falcon:
Well, we matched again and I have a date and I really can't decide between these two shirts.
Alice:
Oh my God. Well, Falcon, honestly, maybe you shouldn't wear a shirt. That's just my advice.
Falcon:
Yeah, that would make a great first impression.
Alice:
Oh, yes it would.
Genie:
The blue polo brings out your eyes.
Alice:
No. What?
Falcon:
No polo?
Alice:
You can't wear some dippy polo. Wear just a tight T-shirt, just some kind of ...
Falcon:
V-neck? A tight t-shirt. Okay.
Genie:
Do you have anything in a shmedium? Not medium but not small, so it still shows off how ripped you are?
Alice:
Oh, I know. Wear a T-shirt that says like, "I'm ripped, dude, but I suck at video games." That'd be awesome.
Genie:
I don't have a shirt like that. To meet a girl IRL, this is impossible.
Alice:
As my ransomware slowly took over Robert Sky's system, I had the best weekend I'd had in, I don't even know. Hanging out with Genie was like hanging out with a brother I never knew I had. We played video games. I taught him how to snowboard, kind of, and we even went to a natural wine tasting at Arthur's store. Oh and if you're wondering, Falcon literally looked like a Greek God, holy cow. I was able to keep my secret and I'd gotten to keep my friend for now.
Genie:
Alice, Alice, wake up.
Alice:
What? Genie, it's 6:00 in the morning. What's going on?
Genie:
It's all over the dark web message boards. They're saying it's big.
Alice:
Whoa, whoa, whoa, whoa, whoa, whoa. Okay. What are you talking about? Oh my God.
Genie:
Everyone is talking about it.
Alice:
About what?
Genie:
The attack on Robert Sky, Alice. They had to shut down all their operations.
Alice:
Okay, okay, okay, okay.
Genie:
Alice, what did you do?