{"id":1273,"date":"2018-11-18T17:08:53","date_gmt":"2018-11-18T09:08:53","guid":{"rendered":"https:\/\/tongwing.woon.sg\/blog\/?p=1273"},"modified":"2018-11-18T17:08:53","modified_gmt":"2018-11-18T09:08:53","slug":"story-of-a-failed-pentest-threader-app","status":"publish","type":"post","link":"https:\/\/tongwing.woon.sg\/blog\/story-of-a-failed-pentest-threader-app\/","title":{"rendered":"Story of a failed pentest (threader.app)"},"content":{"rendered":"<p>Great story based on a true <a href=\"https:\/\/twitter.com\/TinkerSec\/status\/1063423110513418240\">hacking attempt<\/a>.<\/p>\n<p>Except for the last bit, which was dramatized, the author gave a fairly good first-person account of an <a href=\"https:\/\/threader.app\/thread\/1063423110513418240\">internal pentest<\/a> being carried out. It involves everything from impersonation, social engineering, physical theft, wits and a good amount of luck.<\/p>\n<blockquote><p>&#8220;Good afternoon, Pam. I&#8217;m Josh from IT. We&#8217;re about to migrate your Citrix instance to a new server. I&#8217;m going to send you a 6 digit number. I&#8217;ll need you to read that off to me. As a reminder, IT will never ask for your password.&#8221;<\/p>\n<p>I already had her password.<\/p>\n<p>She gave a hesitant, &#8220;Okay&#8230;&#8221;<\/p>\n<p>I clicked on the &#8220;Click for MFA token&#8221; button and stated, &#8220;Alright, I&#8217;ve sent you the number. You should get a text. Please read it to me.&#8221;<\/p>\n<p>She said, &#8220;Umm, alright. Got it. It&#8217;s 9-0-5-2-1-2.&#8221;\n<\/p><\/blockquote>\n<p>Source: <em><a href=\"https:\/\/threader.app\/thread\/1063423110513418240\">A thread written by @TinkerSec<\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Great story based on a true hacking attempt. Except for the last bit, which was dramatized, the author gave a fairly good first-person account of an internal pentest being carried out. 
It involves everything from impersonation, social engineering, physical theft, wits and a good amount of luck. &#8220;Good afternoon, Pam. I&#8217;m Josh from IT. We&#8217;re [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"_links":{"self":[{"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/posts\/1273"}],"collection":[{"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/comments?post=1273"}],"version-history":[{"count":5,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/posts\/1273\/revisions"}],"predecessor-version":[{"id":1278,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/posts\/1273\/revisions\/1278"}],"wp:attachment":[{"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/media?parent=1273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/categories?post=1273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tongwing.woon.sg\/blog\/wp-json\/wp\/v2\/tags?post=1273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}