
Social Engineering Practice 0x03

whole series: #1, #2

Consider this to be a pen&paper game.
Recently, you attended a housewarming party at a friend’s new place. They had just moved into a stunning high-rise apartment with strict access control. To get on your friend's floor, you had to check in with the concierge and tell them the name of your friend, who would then unlock the elevator for the specific floor they were on. You couldn’t just press buttons yourself. As far as you could tell, they did not call your friend first before they let you up. But it could be that the concierge already knew that there was a party going on.
Around 11 PM, we decided to head down to the 8th floor, where there was an outdoor terrace and a pool. We had to stay with the host because only they could operate the elevator. The pool looked really nice.
A few days after the party, you started to wonder how you could get back on that floor without involving your friend in any way. You don't want to get them into unnecessary trouble.
But how would you do it?
5,000 sats bounty
Update
I have been to the building today and I noticed that there's an unguarded backdoor with an elevator inside but the elevator only goes up to the 7th floor:
backdoor elevator
I didn't try the buttons but it looks like it will require a card since there's a reader. There was also a door to the staircase but it was locked.
However, that doesn't matter because I was able to enter the staircase and all floors I could have reached via this elevator through the front anyway: I entered the lobby and asked if I can wait here for my friend. The two guys in the lobby said 'sure.' After a minute or so of me "waiting" on the couch, I then asked if there's a restroom I could use. This is how I broke contact to try to explore the ground floor more freely, but there were also cameras everywhere.
When I left the restroom, I realized that the door to the staircase was literally the next door and it was indeed unlocked, so I quickly slipped through it and escaped the cameras.
staircase, first floor
After reaching the 8th floor, I noticed that the access to the 8th floor was locked like this:
staircase, 8th floor
This made sense because all the other floors were accessible via a car park anyway (see the buttons labeled P1-P7 in the first image).
What confused me was how the card reader was on the opposite wall of the door and not next to the door as on every other floor but I think that doesn't mean much.
door on floor 1-7
After I took my photos to do some research at home, I left and entered the 7th floor (doors were unlocked). I then noticed that the main elevators have buttons only outside, but none inside:
elevator touchscreen with only ground floor available ...
... with no buttons inside
I pressed 'ground floor' and left the building after that.

While writing this, I wonder what happens if you just smash a card reader. Not that I would actually try it, but I think it's somewhat reasonable to assume that if a door were only locked by a card reader, the door would unlock as some case of safety mechanism. But since the door can also be locked via a regular key (and the card reader probably simply controls the bolt as a more convenient method to unlock the same mechanism), one would still need to pick the lock.
My conclusion is that getting to the 8th floor definitely needs more sophisticated social engineering techniques than simply taking the stairs.
Nice idea @grayruby though!
reply
Dude I think you should reward the bounty to yourself haha
Though I guess you didn't actually get to the 8th floor... yet...
reply
With this great recon, it seems like it would be more fun to try a non-social route.
First thought is lockpicking. Check out the lock again, look for the manufacturer and see if you can buy the same model. Then practice on it at home until you can lockpick it pretty quickly.
Another thought is to check the vendor of the elevator control panel. Then look for known security vulnerabilities. Maybe there is a way to clone a guest access keyfob, or there's a special access code for maintenance? This is probably less likely to work, but if it does it will be the most fun way to pwn the system.
Another possibility is that after you check out the system specs, you see that it does not track the identity of the keycard users. If that's the case, then you can just clone your friend's keycard and use it, it won't be traced back to him.
Social approach may depend on whether you want to get access to the 8th floor alone, or is crashing a party ok? Seems like the guard doesn't really check your credentials if he knows there's a party going on. So just ask your friend to tell you next time another tenant is hosting a pool party, then tell the guard "I'm here for the pool party." Just make sure you dress really cool and look the part when you do it. (This also involves your friend, but not in any way that can be traced back to him.)
reply
Damn you are really taking this mission seriously. I think you should try to figure out how to clone a key fob. Haha
reply
I am not here to fuck spiders
reply
I don't know that saying.
reply
44 sats \ 8 replies \ @ek OP 27 Mar
Wow, it’s one of my favourite things to say! @cryotosensei can confirm.
It’s Australian slang that means that you’re here for serious business, see this article.
Edit: Ok, that was a quite short article. Here is the definition from Urban Dictionary.
reply
It’s also one of my favourite things to say!
Join the club, @grayruby
Escape Elevator - Season 2
Directed by: @ek Produced by: @ek Cast: @ek Lead Voice Artist: @ek
In cinemas from 28th March.
reply
Since you didn't describe security systems, I don't see any alternative other than social engineering. I think you can get information at the reception desk by posing as a resident. Go in before the shift change or by phone and say that you are a new resident and that you are throwing a party and ask how guests are allowed to enter. Do they need to call in advance or is a list enough? Are visitors allowed as well? Depending on the availability of the person you are talking to, you can mention the 8th floor and how this area is reserved for residents.
Another solution I thought of is to research a unit that is for sale and pose as the agent for the unit. Ask someone else to call in advance, posing as a resident, and say that the agent will go to the unit with potential buyers who want to see the building and the common areas.
The problem with all this is the surveillance, in any case they will know that you are there for a short time and that you shouldn't be wandering around.
How your friend accessed the floor is an important question that can change the answer.
reply
This is like Mr Robot training, I like it!
Still mulling over an answer
reply
30 sats \ 0 replies \ @ek OP 26 Mar
This is like Mr Robot training, I like it!
Definitely heavily inspired by Mr Robot 👀
Still mulling over an answer
To be honest, this time I don't have an idea that I think would work without risking too much myself
reply
(if i win please sats not CCs 😭)
Access Control System:
  • The elevator is locked, and only residents (or authorized guests) can select floors.
  • The concierge has some level of control, but they might not always verify with the resident.
So,
  1. If the concierge recognizes guests for parties without calling up, you might be able to return by acting like a guest for a different resident.
  2. If someone who lives on the 8th floor enters the building and uses the elevator, you could discreetly join them.
  3. If the terrace is a common area, residents may go there often, and you could time your arrival with one of them.
Additionally, I think the following might help:
  1. Many high-rises have stairwells that allow movement down but not up. If you could access a higher floor and find an unlocked stairwell, you might be able to walk down to the 8th.
  2. If the concierge didn’t verify with your friend last time, they might allow access again with a confident request.
  3. Pretending you "left something at the terrace" might work if the concierge is lenient.
reply
5 sats \ 1 reply \ @ek OP 26 Mar
if i win please sats not CCs 😭
I always send sats, it’s up to the receiver to have a properly working lightning wallet when I zap them.
Pretending you "left something at the terrace" might work if the concierge is lenient.
I like this!
reply
thanks :)
reply
Take the stairs.
reply
45 sats \ 4 replies \ @ek OP 26 Mar
I'll check out the building tomorrow and will report back if it's really that easy lol
reply
wait, so you had a real place in mind? haha
my first thought was stairs too, but I figured a hypothetical scenario like this you'd tell us the stairway doors are locked. But in reality, there's a pretty good chance they're not
reply
130 sats \ 1 reply \ @grayruby 26 Mar
Stairs access probably isn’t locked but access to each floor from the stairwell might be. A building I used to live in was that way. You could freely access the stairs, but you need a key fob to access the floors from the stairs.
reply
70 sats \ 0 replies \ @ek OP 27 Mar
posted an update in #926316
reply
40 sats \ 0 replies \ @ek OP 26 Mar
wait, so you had a real place in mind? haha
Yes, with a real pool 👀
my first thought was stairs too, but I figured a hypothetical scenario like this you'd tell us the stairway doors are locked.
I would think so but I’d rather make sure first. Let’s see what I can find out tomorrow on my way to work without risking too much.
reply
Bribe the concierge?
reply
42 sats \ 1 reply \ @ek OP 26 Mar
How much? And how would you start the conversation?
reply
Starting a conversation is never really that hard. Just start asking him/her about themselves. Ask about their job, ask about what type of people are the worst to deal with etc.
As far as how much? Depends on how much I wanted to get onto that 8th floor.
reply
@ek did you not decide the winner yet?
reply
You check in with the concierge in your work clothes and claim you're going to clean the pool on the eighth floor.
;)
reply
A stealthier option is exploiting a delivery loophole. Order food or a package to a resident on the 8th floor—find a name via mailroom observation or a quick “forgot my floor” chat with the concierge beforehand. Pose as the delivery person, get buzzed up, and “accidentally” linger by the pool. You’d need to scope out a resident’s name first, which might take some recon, but it keeps your friend out of it.
reply
Return on a different day, tell the concierge: I'm visiting Friend’s Name on their floor. If they unlock the elevator, ride it to your friend’s floor—but stay inside and press 8 before the doors close. Since the elevator was already authorized for that floor, it might bypass re-authentication.
reply
if it was a friend, I would ask to make a copy of the magic keycard so i could just slink in whenever
if it was a friend and i was a sociopath, i would just make a copy of the elevator key card. I'm sure there's tech that does it
reply
I assume the elevator uses a sort of keypass? Go in soaking wet wearing nothing but your swimsuit and holding your phone. You can put on a swim cap and goggles for your disguise. Pretend to be really annoyed. Tell the concierge that you had been swimming when you got a call from your daughter/sister/wife (any woman close to you) that she'd thought she was going into labour but it was a false alarm. Say something borderline misogynistic and passive aggressive as this will help in creating the illusion that you're a dolt. It will be obvious that your keys are in the pool locker room and he'll have to let you up.
reply
reply
😂
reply