How We Infiltrated an Office Building Covertly as Hackers

Alexis Lingad
12 min readAug 13, 2024

--

I once dream of becoming a spy and having a chance to experience doing a real life physical penetration test in a real organization here in Denmark and becoming skilled in it is a dream come true for me.

In this article, I will walk through you on how we successfully infiltrate a company building by doing physical penetration test on the target. However, there will be some censorship on some items but no worries, you’ll still get this. This was organized by Covert Access Team. They talked to the owner of the building and specific office within the building for us to have an actual physical penetration testing.

This is our team that will try to infiltrate into the building. I am the one who wear the maroon long sleeves doing peace sign!

Team Dynamics:

This team dynamics is very important since this is mostly teamwork and this only applies to our current team and might be different for other physical pentest teams.

  1. Team Lead: This is the person who assign tasks to the best person within the team and visualize the plan for the whole team.
  2. Recon Woman: For us, this is the person who is very familiar with the place and have friends inside the building which gave us an advantage of almost every information that we need before the execution. Most of us do our recon also but this woman is on another level when it comes to familiarity in this place.
  3. Alarm Bypassers : These are the guys who did the alarm bypassing so we will not get caught. These need two guys since the other one is holding a big magnet and the other is putting the small magnet on the right spot to disable the alarm.
  4. Locksmiths : I belong to this group. Mostly we are the ones who unlock key boxes, safes, and doors and we also clone RFID badge using FlipperZero or I-Copy XS. I remembered that our trainer challenged the whole batch to unlock a key box quickly and few seconds later I got it first and there is also a key box that doesn’t have a dimple which makes it near to impossible to unlock but I still unlocked it so I think that’s the reason why I love to be in this group.
  5. CCTV Disabler : There’s a VIP room that is well guarded by a CCTV and this person performed a de-authentication to disable the CCTV feed.
  6. Key Maker : There is this person who is very talented in key making which we leverage whenever we need to clone a key we found in the engagement.
This is our Out-of-Jail Card just in case someone got caught by the Police.

Before Hacking:

  1. Out-of-Jail Card:
    Before the day of engagement, we received our Out-of-Jail card which is in a form of letter that you can see above. This is for us to avoid being in jail once we got burned in the operation.
  2. Rules-of-Engagement:
    The target building is a co-working space and the main target for the engagement is the company in Level 3, let’s give it a pseudo name of “ABC Company”. We are not allowed to hack anything other than the Ground (Level 0) and Level 3 and for the Level 3, the only target that must be touched is the ABC company since there are other companies within the floor. The mission given by the client are:
    - Nigh Time: For us to put our backdoor on the PC and printer inside the office covertly so meaning, we need to infiltrate the building and the office without being caught by night.
    - Day Time: For us to hack the safes and key boxes in both floors including the well-guarded VIP room and main office space.
    Maybe you are thinking, “Why not just crack the safes and key boxes at night where there are less people?”, well, the client wants to test if we can bypass their security by day-time so we need to do that part in the day-time.
  3. Not Allowed:
    - Theft
    - Going through personal property
    - Destructive methods
    - Use the other office in level 3
    - “***” Room is Off-Limits
    - Disabling Elevators

Night-Time Infiltration:

Goal:
To infiltrate the office at night and plant our bug to a PC and a printer.

Bonus Challenge:
Assess the other important information we can gather inside the office.

We already have a booked meeting room for whole 5 days in the co-working space for us to have a headquarters inside which is located in Level 0 / Ground floor. With this, the only problem that we will have is to bypass the security system that hinder us from going to Level 3. We also recon if there are some alarm system activated at night, what kind of security the elevator is using to stop other people from going to upper floors, what kind of main entrance there is to access all of the floors by stairs, what is the schedule of circling around of guards and the cleaning of janitors, and what might be the events in the office on our actual execution on 4th and 5th day. For CCTVs, they are being checked only once there is an incident and it was automatically being erased for around 2–3 days to save storage space.

By August 8, we started the Night-Time operation around after office hours. The first mission is to go to Level 3.

  • Bypass of Main Entrance:
    There’s an entrance that has a motion sensor which we can literally bypass by standing in the outer left door and create a motion in the inner right door. After that, you just opened it. You can let the others go in easily by standing in the inner door and let your teammates in. The challenge here is we must do this without getting caught by other people in there.
    The reason why this door is very important because it has a stair inside that can access all floors including Level 3.
  • Alternative Entrance (Elevator Bypass):
    When we executed this, only one got inside via the previous technique since a lot of people walk by after that. So what we did is we went to the elevator and wait for someone to pull us up. And we got to the Level 2 that has stairs to the Level 3!
    We stayed in the common cafe bar in the Level 3 to look like some office friends having coffee after work.
Photo before getting inside the main target’s office. No one is bothering us :D
  • Social Engineering:
    Since I’m the shortest guy in the team, I must go to the office and must look like I’m calling someone from phone in front of the transparent door. So maybe you are asking? What’s the relevance of being short? Well, there’s a blurry part of the transparent door and it was level directly within my head so technically if there are still person inside the office, tall guys will be burned already but for me, I will not be seen and can still go back to the operation afterwards. After going back to the team in the cafe, we reviewed my video slowly and saw that there are no people already inside.
Showing the blurry part of the office, what kind of door lock it has and if there are still people inside.
  • Bypassing the Security of Door Lock:
    The door has a smart lock where a certain person needs a badge to get inside. We compared this to the smart lock we have in our booked meeting room in Level 0 and they have the very same image and model. With this, we can assume that it does not have a dead latch just like the door in Level 0 which means even if it has high security smart lock, we can open the door via shimming! We just insert a thin plastic in the sides and then slide down and that’s it we’re IN!
    Note:
    Before going inside the main office, our recon team already told us that there’s no alarm to bypass and what kind of door it has so we already have our shimming tools on us when we go up to Level 3. We didn’t brought the magnets for alarm bypassing this time.
This is the door in the Level 0 that we have and has the very same feature and model for the office. We practiced shimming this very fast again and again before going up to the Level 3.
  • Planting the Bug!!!:
    - My co-locksmith and I got inside and we hunt for the printer to put our bug. We also roam around the office to see what are the other concerns could be:
    - A very important room that has lots of confidential data of their clients is open and not locked.
    - The CEO’s office is also not locked and can be bugged.
    - We also found drawers and cabinets that is not locked and the key is still inserted in it so we can clone the keys we found already.
Putting the bug in the printer successful!
Sample picture of open cabinets that has a key in it! I am holding there the shimming tool to get inside the office.
Look of the office we infiltrated after work hours
One of the most important room in the office that has lots of confidential data is wide open and not locked. I have to censor the confidential written data that can be seen through the transparent glass.
  • Getting Away from the Guards (Run without running):
    Once we already finished inside, we get out of the office room. My co-locksmith and I discussed if we got everything done. Then, the recon that we got that the security is going around the building after work hours is REAL! There is this security guard going to the elevator near the cafe so what we did is we just act casually that we’re workmates having coffee in the cafe bar. Then, the guard just casually look around and then use the elevator to check the other floors. We bypassed the guard! No questioning why we’re still there after work hours!
    We have a theory that they just check the restrooms if there’s someone hiding in there so good thing that we’re out there in the cafe which is not a suspicious place to be I guess.
    After going back to the Level 0 which is in our booked meeting room where all of our other teammates is waiting for me and my co-locksmith, almost everyone is excited that we just finished the night-time physical penetration test!
Celebration after a successful Night-Time Physical Pentest. And for my Asian readers, there’s still sun by 7PM in Europe by August 8 so you’re still seeing some sun rays in there

Day-Time Infiltration:

Goal:
- Unlock the 6 key boxes that can be found in Level 0 and Level 3
- Crack the 3 safes that can be found in Level 0 and Level 3
- Plant the bug in the VIP Room, disable the CCTV, disable the alarm and crack the safe in it
- Clone the keys and badges that will be found in the key boxes and safes

Last August 9, we conducted this day-time infiltration.

  • Team Distribution:
    - Me and my co-locksmith infiltrate the Level 3 again. I’ll unlock the key boxes and he will crack the safes. I also unlocked 2 key boxes on Level 0 since one is on the way and the other one my teammate needs help in unlocking it. I think, my co-locksmith also helped crack the safe in Level 0.
    - Team Lead and Recon Woman went for the key boxes in Level 0 and they infiltrate the office this time and get the final key box in there so we can unlock it.
    - Alarm Bypassers (2 people) went to the VIP room to disable it and shim their way in to plant the bug.
    - CCTV Disabler disabled the CCTV in the VIP room so they won’t be seen for evidence.
    - The CCTV Disabler is also the one who easily cracked the safe inside the VIP room.
    - Our key maker cloned 2 keys that is very vital for us to get into the server room and the other one is for us to have a master lock. He is also the one who gave us a clay where we can impress the key that we will found
  • Key Boxes:
    - I managed to unlock 4 out of 6 key boxes and the other guys did the other 2 key boxes.
    - One of the most challenging part here for me is the positioning of the key box. There are some position that you will have a hard time to unlock it.
    - There are also key boxes that is placed in a high crowded area which makes unlocking it very hard. One of the technique I applied in some key boxes that has lots of people is I decode 1 digit and then I’ll go to other place, then I’ll come back when there’s less people and then go for the 2nd digit, do it again until the 4th digit and we’re in.
    - Another tactic we applied in high crowded area is they will have some stand-up discussions near the key box and just act like normal boys wanting to brag each other’s toys. Behind them, you can found me unlocking the key box.
    - The most challenging part is to unmount the one key box that can be found inside the office in Level 3. We have our team lead go inside to get the key box quickly while our recon woman distract the people in the meeting room. Our recon woman is invited in the meeting and most of the people are in the meeting room so this is the best chance we’ve got.
    Then me and my co-locksmith is waiting in the cafe so we can crack this last key box and bring back the key box. However, since this is extremely challenging, the client allowed us to unmount and get that last key box in the office if we can so we can unlock it outside the crowded area)
One of the key box that has an important badge in it that we also cloned.
  • Safes:
    - My co-locksmith nailed 2 out of 3 of the safes
    - Our CCTV disabler nailed 1 out of 3 of the safes
    - I have to do social engineering here where I need to pose as someone who is fixing the safe so any people that will try to come to me and my co-locksmith will be awkward in questioning us. I have to act like an upset worker so anyone that will try to question us will leave us alone.
This safe has a key inside with a note that the key that we just found is the key to the server room!
  • Badge and Key Cloning:
    - I cloned all of the badge we found as far as I remembered with a FlipperZero and test it and it all worked.
    - Our Key Maker also cloned the keys found and successfully cloned a key for a certain room
This is the clay our Key Maker gave us to impress the key that we will get in cracking safes and key boxes.
We successfully cloned a badge, saved it and use it to emulate the badge we saw since we need to put back the badge we saw inside the safes and key boxes.
  • Alarm Bypass and CCTV Deauth
    - I’m not with these people when they did it since I’m busy with other things while they’re doing this but they’ve done a great job also for this!
    - They did this without getting caught!
Covert Access Specialist certification given to Alexis Lingad and to everyone in the batch

Conclusion:

All in all, the whole batch did an amazing job and we got all of the things that the client is expecting from us!
It all makes my adrenaline high and it is a good thing for me to face all of those fears of mine especially the social engineering part in real life.
The training of Covert Access Team can be really applied in real life physical pentest / black team engagement as you can see here since what we are infiltrating here is a real company. There’s this nervousness that what if we get caught? That’s why it is very important to have your cover stories ready from different situations so we can pivot a lot in different situations.

Want to Become The Next Covert Access Specialist?:

Enroll here and see for yourself how spies, hackers and criminals infiltrate organizations covertly!

Want To Read My Day 1–3 Covert Access Training Experience?

Day 1: https://alexislingad.medium.com/day-1-my-physical-hacking-experience-in-brian-harris-covert-access-specialist-training-5626353e5525
Day 2: https://alexislingad.medium.com/day-2-my-physical-hacking-experience-in-brian-harris-covert-access-specialist-training-f3e77ab16173
Day 3: https://alexislingad.medium.com/day-3-my-physical-hacking-experience-in-brian-harris-covert-access-specialist-training-19a84138b9b1

--

--

Alexis Lingad
Alexis Lingad

Written by Alexis Lingad

CRTO | OSWP | eCPPT | eCDFP | eWPT | CEH | Author of Cyber Defender | Creator of Hackuna Anti-Hack | WTH Hacker Games Champion 2015&2017 | alexislingad.org