Social Engineering Practice 0x03
Consider this to be a pen&paper game.
Recently, you attended a housewarming party at a friend’s new place. They had just moved into a stunning high-rise apartment with strict access control. To get on your friend's floor, you had to check in with the concierge and tell them the name of your friend, who would then unlock the elevator for the specific floor they were on. You couldn’t just press buttons yourself. As far as you could tell, they did not call your friend first before they let you up. But it could be that the concierge already knew that there was a party going on.
Around 11 PM, we decided to head down to the 8th floor, where there was an outdoor terrace and a pool. We had to stay with the host because only they could operate the elevator. The pool looked really nice.
A few days after the party, you started to wonder how you could get back on that floor without involving your friend in any way. You don't want to get them into unnecessary trouble.
But how would you do it?
Update
I have been to the building today and I noticed that there's an unguarded backdoor with an elevator inside but the elevator only goes up to the 7th floor:
[Image: backdoor elevator]
I didn't try the buttons but it looks like it will require a card since there's a reader. There was also a door to the staircase but it was locked.
However, that doesn't matter because I was able to enter the staircase and all floors I could have reached via this elevator through the front anyway: I entered the lobby and asked if I can wait here for my friend. The two guys in the lobby said 'sure.' After a minute or so of me "waiting" on the couch, I then asked if there's a restroom I could use. This is how I broke contact to try to explore the ground floor more freely, but there were also cameras everywhere.
When I left the restroom, I realized that the door to the staircase was literally the next door and it was indeed unlocked, so I quickly slipped through it and escaped the cameras.
[Image: staircase, first floor]
After reaching the 8th floor, I noticed that the access to the 8th floor was locked like this:
[Image: staircase, 8th floor]
This made sense because all the other floors were accessible via a car park anyway (see the buttons labeled P1-P7 in the first image).
What confused me was how the card reader was on the opposite wall of the door and not next to the door as on every other floor but I think that doesn't mean much.
[Image: door on floor 1-7]
After I made my photos to do some research at home, I left and entered the 7th floor (doors were unlocked). I then noticed that the main elevators have buttons only outside, but none inside:
[Image: elevator touchscreen with only ground floor available ...]
[Image: ... with no buttons inside]
I pressed 'ground floor' and left the building after that.
While writing this, I wonder what happens if you just smash a card reader. Not that I would actually try it, but I think it's somewhat reasonable to assume that if a door were only locked by a card reader, the door would unlock as some case of safety mechanism. But since the door can also be locked via a regular key (and the card reader probably simply controls the bolt as a more convenient method to unlock the same mechanism), one would still need to pick the lock.
My conclusion is that getting to the 8th floor definitely needs more sophisticated social engineering techniques than simply taking the stairs.
Nice idea @grayruby though!
Damn you are really taking this mission seriously. I think you should try to figure out how to clone a key fob. Haha
I am not here to fuck spiders
I don't know that saying.
Wow, it’s one of my favourite things to say! @cryotosensei can confirm.
It’s Australian slang that means that you’re here for serious business, see this article.
Edit: Ok, that was a quite short article. Here is the definition from Urban Dictionary.
It’s also one of my favourite things to say!
Join the club, @grayruby
I am in.
How many spiders did you not fuck today?
Fist bump
the anti-spider-fucking club
ELITE
Dude I think you should reward the bounty to yourself haha
Though I guess you didn't actually get to the 8th floor... yet...
With this great recon, it seems like it would be more fun to try a non-social route.
First thought is lockpicking. Check out the lock again, look for the manufacturer and see if you can buy the same model. Then practice on it at home until you can lockpick it pretty quickly.
Another thought is to check the vendor of the elevator control panel. Then look for known security vulnerabilities. Maybe there is a way to clone a guest access keyfob, or there's a special access code for maintenance? This is probably less likely to work, but if it does it will be the most fun way to pwn the system.
Another possibility is that after you check out the system specs, you see that it does not track the identity of the keycard users. If that's the case, then you can just clone your friend's keycard and use it, it won't be traced back to him.
Social approach may depend on whether you want to get access to the 8th floor alone, or is crashing a party ok? Seems like the guard doesn't really check your credentials if he knows there's a party going on. So just ask your friend to tell you next time another tenant is hosting a pool party, then tell the guard "I'm here for the pool party." Just make sure you dress really cool and look the part when you do it. (This also involves your friend, but not in any way that can be traced back to him.)
I was going to mention that about the system. I think it’s the best approach, along with lockpicking.
If you get a card with the same key, that’s enough. No one will question you.
this is a cool idea, I haven't thought of that! I wonder though if you can pick a lock that is additionally secured by a card reader. But a lock itself can be pretty hard to pick, too. I once had to get a door fixed and I used the opportunity to ask the artisan about locks and he showed me all the security features of my lock. I quickly lost hope to ever pick that lock, lol.
Also very good idea but I need someone else's keyfob first unless it's really insecure. But it's definitely worth looking into!
Good question! Imo, it's okay. It does not get my friend into trouble and I simply want to get on the 8th floor. I don't even really want to stay there and get in the pool. I just want to prove to myself that I could get up there on my own.
So maybe I can just try to find a way to see if there's a party going on there so I don't even have to ask my friend.
Any update?
no
Escape Elevator - Season 2
Directed by: @ek
Produced by: @ek
Cast: @ek
Lead Voice Artist: @ek
On cinemas from 28th March.
Since you didn't describe security systems, I don't see any alternative other than social engineering. I think you can get information at the reception desk by posing as a resident. Go in before the shift change or by phone and say that you are a new resident and that you are throwing a party and ask how guests are allowed to enter. Do they need to call in advance or is a list enough? Are visitors allowed as well? Depending on the availability of the person you are talking to, you can mention the 8th floor and how this area is reserved for residents.
Another solution I thought of is to research a unit that is for sale and pose as the agent for the unit. Ask someone else to call in advance, posing as a resident, and say that the agent will go to the unit with potential buyers who want to see the building and the common areas.
The problem with all this is the surveillance, in any case they will know that you are there for a short time and that you shouldn't be wandering around.
How your friend accessed the floor is an important question that can change the answer.
I think this approach is way too risky. Asking for all kinds of information about how 'guests' can enter would likely lead to a longer conversation, making it easy for them to eventually realize that I'm not actually a new resident. New residents probably receive all the necessary information in their contract, so that would likely be their first question:
At that point, you've lost the initiative and are now the one answering questions instead of asking them. You either need to be extremely well-prepared—which comes with opportunity costs—or they'll quickly become suspicious. A social engineer should enter and exit the building without raising any suspicion.
To make this a lot less risky, you could call them with a fake number so they at least haven't seen your face when things went south. But still not effective imo.
Also too risky. You're trying to impersonate people that usually already have established a relationship with them beforehand. But you just showed up, so that's very suspicious. Same with the "new resident" approach: they probably know the faces of their new residents or at least have a list with all of their information including their face at hand.
I think the main problem is that this seems too much like out of Hollywood. This ain't Hollywood, this is real life with real consequences.
Still thanks for the answer though! Gives me a chance to explain how I think about approaching this situation.
I thought of different approaches to achieve the goal. When you said it was a real case, I had already sent my response and didn’t want to change it lol.
Well, in this scenario, and considering your update, it’s clear that security is well-prepared in blind spots—they have a great security expert. I still think my approach is valid, though it would need a lot of additional details and refinements, especially if the goal is to gain access only once.
Since you managed to reach the 8th floor via the stairs and the door has a simple lock, wouldn’t a lockpick be viable?
I can only think of approaches that allow you to access the place once, like cloning your friend’s NFC card or even trying to get a duplicate.
An opportunity might be to enter during an event, but that would be a risky move—you’d be burning a chance and might get sent back by the host.
Take the stairs.
I'll check out the building tomorrow and will report back if it's really that easy lol
wait, so you had a real place in mind? haha
my first thought was stairs too, but I figured a hypothetical scenario like this you'd tell us the stairway doors are locked. But in reality, there's a pretty good chance they're not
Stairs access probably isn’t locked but access to each floor from the stairwell might be. A building I used to live in was that way. You could freely access the stairs, but you need a key fob to access the floors from the stairs.
posted an update in #926316
Yes, with a real pool 👀
I would think so but I’d rather make sure first. Let’s see what I can find out tomorrow on my way to work without risking too much.
This is like Mr Robot training, I like it!
Still mulling over an answer
Definitely heavily inspired by Mr Robot 👀
To be honest, this time I don't have an idea that I think would work without risking too much myself
(if i win please sats not CCs 😭)
Access Control System:
So,
2 If someone who lives on the 8th floor enters the building and uses the elevator, you could discreetly join them.
Additionally, I think the following might help:
@ek
I always send sats, it’s up to the receiver to have a properly working lightning wallet when I zap them.
I like this!
thanks :)
Bribe the concierge?
How much? And how would you start the conversation?
Starting a conversation is never really that hard. Just start asking him/her about themselves. Ask about their job, ask about what type of people are the worst to deal with etc.
As far as how much? Depends on how much I wanted to get onto that 8th floor.
@ek bro you not gonna complete this bounty? 😞
you said you liked this one #925346
Stop replying to me, I will never give you any bounty or zap you. I also don’t trust you, you probably used AI.
You have 1.25 bitcoin and you’re still just here for cheap sats, even zapping yourself on Meme Monday.
you know what @ek stacker.news is just blank open to IDOR.
@ek did you not decide the winner yet?
You check in with the concierge in your work clothes and claim you're going to clean the pool on the eighth floor.
;)
A stealthier option is exploiting a delivery loophole. Order food or a package to a resident on the 8th floor—find a name via mailroom observation or a quick “forgot my floor” chat with the concierge beforehand. Pose as the delivery person, get buzzed up, and “accidentally” linger by the pool. You’d need to scope out a resident’s name first, which might take some recon, but it keeps your friend out of it.
if it was a friend, I would ask to make a copy of the magic keycard so i could just slink in whenever
if it was a friend and i was a sociopath, i would just make a copy of the elevator key card. I'm sure there's tech that does it
I assume the elevator uses a sort of keypass?
Go in soaking wet wearing nothing but your swimsuit and holding your phone. You can put on a swim cap and goggles for your disguise.
Pretend to be really annoyed.
Tell the concierge that you had been swimming when you got a call from your daughter/sister/wife (any woman close to you) that she'd thought she was going into labour but it was a false alarm. Say something borderline misogynistic and passive aggressive as this will help in creating the illusion that you're a dolt.
It will be obvious that your keys are in the pool locker room and he'll have to let you up.
😂
https://i.imgur.com/gBqXU.gif