Red Team Walkthrough: Compromising a Tiny Company with Phishing and Local Exploits

This article details a red‑team engagement against a 30‑employee company that lacked a public website, describing how the team used phishing emails, custom Cobalt Strike payloads, shellcode encryption, internal network scanning, and a router tunnel to obtain footholds and extract data.

Black & White Path

0x01 Introduction

The target was a small regional company with only 30 registered employees. Its domain had expired and no public web assets were found; the only lead was three QQ email addresses listed in the company registration record.

0x02 Reconnaissance

Public record services confirmed the headcount. Job portals (Zhilian, Liepin, etc.) returned no listings, so the company was not actively recruiting and there was no recruiter-side contact to exploit. The only contact information obtained was the three QQ email addresses.

0x03 Payload Development & Phishing

A Cobalt Strike payload was generated and repackaged as a Windows .exe written in Go. The binary was then processed with the open‑source tool go‑strip (URL: https://cdn.githubjs.cf/boy-hack/go-strip/) to remove the symbol table and other build metadata that Go embeds by default and that give AV heuristics easy string matches. (Building with go build -ldflags="-s -w" removes the symbol table and DWARF debug information as well; a dedicated stripper goes further and also scrubs package paths and function names.)

Initial testing showed detection by Windows Defender. To improve evasion, a custom shellcode encryption layer with a self‑written key was added, so the beacon shellcode only exists in cleartext in memory at run time. The encrypted executable passed scans by 360 Security (virus definitions updated in March) and Huorong, and remained undetected while the operators ran Cobalt Strike's screenshot command on the implant. Note that these are point‑in‑time results against specific engine and definition versions; the same binary should be expected to be flagged once it circulates.
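The following Go program is an added example, not the team's loader or any code from the article: it shows the encrypt‑and‑recover round trip that such a layer performs, using a constructed placeholder byte string in place of shellcode and AES‑256‑GCM with a key derived from a passphrase (both are my assumptions; the article does not say which cipher or key schedule was used). It also computes the Shannon entropy of the plaintext and of the encrypted blob, which is the property a defender can key on once byte signatures no longer match. It deliberately stops at the round trip and does not allocate executable memory or run anything.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math"
)

// ConstructedPayload stands in for shellcode. It is a constructed placeholder
// (a run of 0x90 bytes plus a marker string), not real code, chosen so that a
// naive byte-signature scan has something to look for.
var ConstructedPayload = append(bytes.Repeat([]byte{0x90}, 200), []byte("PLACEHOLDER")...)

// deriveKey turns an operator-chosen passphrase into a 32-byte AES key.
// SHA-256 of the passphrase is an assumption for this example; it is not
// what the article's "self-written key" was.
func deriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// encryptPayload returns nonce || AES-256-GCM ciphertext || tag.
func encryptPayload(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce, giving a self-contained blob.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptPayload reverses encryptPayload; a modified blob fails authentication.
func decryptPayload(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// containsSignature models a static scanner looking for a known byte pattern.
func containsSignature(data, sig []byte) bool {
	return bytes.Contains(data, sig)
}

// shannonEntropy returns bits per byte; 8.0 is the ceiling for uniformly random data.
// Encrypted or packed sections sit near that ceiling, which is what entropy-based
// detections look for.
func shannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

func main() {
	key := deriveKey("example-passphrase") // constructed passphrase, not the team's key
	blob, err := encryptPayload(key, ConstructedPayload)
	if err != nil {
		panic(err)
	}
	marker := []byte("PLACEHOLDER")
	fmt.Printf("marker visible in plaintext:  %v\n", containsSignature(ConstructedPayload, marker))
	fmt.Printf("marker visible in ciphertext: %v\n", containsSignature(blob, marker))
	fmt.Printf("entropy plaintext=%.2f ciphertext=%.2f bits/byte\n",
		shannonEntropy(ConstructedPayload), shannonEntropy(blob))
	recovered, err := decryptPayload(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\n", bytes.Equal(recovered, ConstructedPayload))
}
```

The entropy numbers are the defender's side of the same trick: the placeholder is almost all one byte value and scores well under 1 bit per byte, while the encrypted blob scores close to 8. A loader that carries a blob like this is invisible to a signature that matched the cleartext, but a section with near‑maximal entropy inside a small Go binary is itself a detectable anomaly, which is one reason the article's evasion results should be read as valid only against the engines and definition dates it names.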

Phishing emails were crafted with forged QQ sender addresses and carried the encrypted executable as an attachment. The email body explicitly instructed the recipient to open the attachment on a Windows desktop, because the payload cannot run on a mobile platform. Whether a forged sender address is displayed as‑is or flagged depends on the receiving mail service enforcing SPF, DKIM and DMARC, so this is a detail worth checking against the target's provider before sending.

0x04 Internal Network Exploration & Router Compromise

After a successful click, the payload harvested browser credentials, password stores, and data from third‑party platforms on the compromised host.

Using fscan, an internal network sweep was run from the compromised host. Only a single other internal host responded, at a private 192.168.x.x address, presumed to be the network gateway.

The red team deployed nps on the compromised host to create a reverse tunnel into the internal network. Reaching the Huawei router's web interface through the tunnel showed that the default administrative credentials were still in use. SSH was also enabled on the router, and root login was obtained over it.

0x05 Summary of Findings

Effective evasion (binary stripping and shellcode encryption) was required before the payload could bypass the endpoint AV products in use, and the evasion result held only for the engine and definition versions tested.

Phishing content must explicitly steer the recipient to a Windows desktop; mobile devices cannot run the executable, so a click from a phone is a wasted lure.

When a target exposes no visible assets, information gathering (public records, email enumeration) followed by phishing or close‑access attacks are the only viable penetration paths. A gateway that still carries its factory credentials, reachable from any compromised workstation, turns a single successful click into control of the whole network edge.
