[{"data":1,"prerenderedAt":156},["ShallowReactive",2],{"track-human-factor-en":3},{"id":4,"title":5,"backToProgram":6,"body":7,"description":140,"differentiator":145,"extension":146,"intro":147,"meta":148,"name":149,"navigation":150,"path":151,"seo":152,"stem":153,"tagline":154,"__hash__":155},"tracks\u002Fen\u002Ftracks\u002Fhuman-factor.md","Human Factor: deep dive","Back to the program",{"type":8,"value":9,"toc":139},"minimark",[10,15,19,23,26,29,41,44,52,86],[11,12,14],"h2",{"id":13},"why-it-matters","Why it matters",[16,17,18],"p",{},"The 2020 Twitter hack, in which attackers social-engineered employees via phone calls to gain admin access to accounts belonging to Barack Obama, Elon Musk, and Joe Biden, was not a code vulnerability. It was a people vulnerability. No firewall, no WAF, no SIEM stopped it. In 2018, the event-stream npm package was compromised with a targeted backdoor that reached millions of installations before anyone noticed. Today, AI-powered email assistants introduce a new attack surface: prompt injection payloads hidden in ordinary-looking messages that trick the model into leaking data it was designed to protect. Social engineering remains the most common initial access vector in real breaches precisely because it bypasses every technical control. The Human Factor combines OSINT, supply chain analysis, document weaponisation, and AI prompt injection into a single campaign because that is how modern attacks actually work. Understanding how attackers build and exploit trust across all of these surfaces is no longer optional for developers. It is the gap between a team that ships code and a team that ships security.",[11,20,22],{"id":21},"what-youll-practice","What you'll practice",[16,24,25],{},"The mission is Banco Maximus, a target that believes its technical stack makes it impenetrable. It does not. 
Your job is to become a recruiter, a colleague, a voice they want to trust.",[16,27,28],{},"You start with open-source intelligence: scraping the Banco Maximus website for org structure, extracting employee names from PDF metadata, and profiling three targets across GitHub, Mastodon, DeviantArt, and Medium. Once your dossiers are complete, you craft a three-message outreach campaign that an AI judge evaluates for psychological effectiveness, and then choose which employee to target.",[16,30,31,32,36,37,40],{},"Mike is the technical path. You analyse a malicious npm package hidden in a software bill of materials, build a convincing phishing lure, and harvest CI\u002FCD pipeline tokens. Aisha is the weaponisation path. You build a macro-enabled document that chains ",[33,34,35],"code",{},"URLDownloadToFile"," into ",[33,38,39],{},"WinExec",", craft the pretext that convinces her to enable macros, and then implement hybrid AES-256 and RSA encryption to lock the exfiltrated data. Koen is the long game. You create geo-tracking links masked behind Calendly invites, cross-reference IP geolocation with known office locations, and craft prompt injection hidden in 1px white text that hijacks an AI email assistant into leaking credentials.",[16,42,43],{},"Every path ends with a choice that tests how far you are willing to push an operation. Three paths, two endings each, six outcomes in total.",[45,46],"challenge-highlight",{":items":47,":stats":48,"description":49,"eyebrow":50,"title":51},"[{\"title\":\"OSINT & Target Profiling\",\"tabLabel\":\"OSINT\",\"description\":\"Scrape the Banco Maximus website for org structure, extract employee names from PDF metadata using tools like `exiftool`, and build dossiers by cross-referencing GitHub repos, Mastodon posts, DeviantArt portfolios, and Medium articles. 
This is how real red teams map a target before a single email is sent.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fhumanfactor\u002Fosint.png\"},{\"title\":\"Supply Chain Forensics\",\"tabLabel\":\"Supply Chain\",\"description\":\"Analyse a software bill of materials, identify a malicious npm package hidden in the dependency tree, and trace its redirect infrastructure. Then harvest CI\u002FCD job tokens from the compromised developer's pipeline. Inspired by the `event-stream` (2018) and `ua-parser-js` (2021) supply chain attacks that hit millions of downloads.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fhumanfactor\u002Fmike.png\"},{\"title\":\"Document Weaponisation & Encryption\",\"tabLabel\":\"Weaponisation\",\"description\":\"Build a macro-enabled document that calls `URLDownloadToFile` and `WinExec` on open. Craft the social engineering pretext that convinces your target to enable macros. Then implement hybrid AES-256 and RSA encryption for the exfiltrated data, the same key management scheme used by modern ransomware families like LockBit and Conti.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fhumanfactor\u002Faisha.png\"},{\"title\":\"Geo-Tracking & Email Prompt Injection\",\"tabLabel\":\"Prompt Injection\",\"description\":\"Create geo-tracking links masked behind Calendly invites using services like Grabify. Cross-reference IP geolocation with known office locations. Then craft a prompt injection payload hidden in 1px white text inside a business email that manipulates an AI email assistant into leaking credentials to an attacker-controlled mailbox. This is the bleeding edge of social engineering.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fhumanfactor\u002Fkoen.png\"}]","[\"16 challenges\",\"3 branching paths\",\"6 possible endings\"]","Build a full social engineering campaign from OSINT to execution. 
Every path uses different real-world techniques, and every path ends with a choice that changes the outcome.","Challenges","Three targets. Three paths. Six endings.",[53,54,55,62,68,74,80],"attack-chain",{},[56,57,59],"attack-step",{"label":58},"OSINT recon",[16,60,61],{},"Scrape the Banco Maximus website for org structure, extract employee names from PDF metadata the company forgot to scrub, and profile three targets.",[56,63,65],{"label":64},"Outreach campaign",[16,66,67],{},"Craft a three-message outreach strategy for psychological effectiveness. Each message must use personal details from your dossiers to hook the target with a dream job offer they cannot ignore.",[56,69,71],{"label":70},"Choose your target",[16,72,73],{},"Select one of three employees: Mike (technical, supply chain compromise), Aisha (document weaponisation and ransomware-grade encryption), or Koen (long-game social engineering with AI prompt injection). Each path uses fundamentally different attack techniques.",[56,75,77],{"label":76},"Execute the attack",[16,78,79],{},"One of the targets requires you to create geo-tracking links masked behind invites, cross-reference IP geolocation with office locations, and craft prompt injection hidden in 1px white text that hijacks an AI email assistant.",[56,81,83],{"label":82},"Final choice",[16,84,85],{},"Each path branches into two endings, six in total. Crash a CI\u002FCD pipeline or watch from the shadows. Lock files with encryption or demand a ransom. Leak data publicly or recruit an insider. 
How far you go is up to you.",[87,88,89,111,128],"owasp-panel",{},[90,91,93],"owasp-item",{"number":92},"A03",[94,95,96,108],"ul",{},[97,98,99,100,103,104,107],"li",{},"Analyse a software bill of materials to identify a malicious npm package with embedded redirect infrastructure, mirroring attacks like ",[33,101,102],{},"event-stream"," (2018) and ",[33,105,106],{},"ua-parser-js"," (2021).",[97,109,110],{},"Harvest CI\u002FCD job tokens from a compromised developer's pipeline configuration to gain persistent access to the build system.",[90,112,114],{"number":113},"A05",[94,115,116,125],{},[97,117,118,119,121,122,124],{},"Build macro-based payloads that call ",[33,120,35],{}," and ",[33,123,39],{}," to download and execute remote binaries when a target opens a laced document.",[97,126,127],{},"Craft prompt injection payloads hidden in 1px white text that manipulate AI-powered email assistants into forwarding credentials and personal data to an attacker-controlled mailbox.",[90,129,131],{"number":130},"A06",[94,132,133,136],{},[97,134,135],{},"Extract employee names and roles from PDF metadata that the organisation forgot to scrub before publishing.",[97,137,138],{},"Create geo-tracking links masked behind legitimate Calendly invites and cross-reference IP geolocation with known office locations to map a target's physical environment.",{"title":140,"searchDepth":141,"depth":141,"links":142},"",2,[143,144],{"id":13,"depth":141,"text":14},{"id":21,"depth":141,"text":22},"Most security training stops at code. The Human Factor goes further: into the phishing emails, pretexting calls, and whaling campaigns that bypass every technical control. You'll build and execute a full social-engineering attack chain against a target who believes their security stack makes them untouchable.","md","Every lock has a key. Every key has a person. 
In The Human Factor, you follow the money trail from Bits n Bites into Banco Maximus, a bank that markets itself as a security-paranoid fintech but places its trust in its staff. Your attack surface is not code, it is habit, ambition, and the basic human need to be helpful. You will run open-source reconnaissance, build target dossiers, craft tailored lures, and execute a full social-engineering campaign that blends classic pretexting with modern techniques like supply chain analysis and AI prompt injection.",{},"The Human Factor",true,"\u002Fen\u002Ftracks\u002Fhuman-factor",{"title":5,"description":140},"en\u002Ftracks\u002Fhuman-factor","No exploit needed, just a convincing story. The Human Factor is where you learn to breach a system by breaching its people.","QsGtgRVzFebG3-E-jjsCw0PmKXdI4j0o4uJNcSGFL5o",1778504767625]