Almost a year after carrying out his attacks, the hacker behind the Hacking Team data breach has published a step-by-step explainer on how he breached the company's servers and stole all their data.

Known as Phineas Fisher (past moniker FinFisher), the hacker posted a PasteBin over the weekend in which he reveals how the attack unfolded and the tools he used, and provides a tutorial for h@ckZ0r wannabes who want to enter the world of top-level hacking.

Since the whole exposé is quite a long read, we're going to provide a summary, but we recommend checking out Phineas Fisher's post for the finer tips on various hacking techniques and pen-testing tools.

Zero-day exploit in an embedded device was initial entry point

The hacker revealed that the entry point into Hacking Team's infrastructure was a zero-day root exploit in an embedded device deployed inside the company's corporate network. He declined to name the exact nature and purpose of the embedded device.

Phineas Fisher says he spent a lot of time scanning the company's network. Along the way he exposed a vulnerability in Hacking Team's Joomla-based frontend website and discovered issues with their email server, a couple of routers, and some VPN appliances. Despite the large attack surface, he concluded that the zero-day exploit he identified was much more reliable for further attacks.

After writing and deploying a backdoored firmware to the vulnerable embedded device, he then waited, listening to internal traffic, scanning and mapping the local infrastructure.

MongoDB databases left without authentication strike again!

This is how he discovered a couple of vulnerable MongoDB databases that Hacking Team's admins failed to protect with a password. Here he found details about the company's backup system and the backups themselves.

The most precious backup was of the Exchange email server, from which he extracted the BES (BlackBerry Enterprise Server) admin account password, which was still valid.

This password allowed Phineas Fisher to escalate his access by hacking the company's Domain Admin server, from where he extracted the passwords for all the company's users.

Windows Domain users and passwords

Since there was a chance he'd get caught at any point, the first thing the hacker did was use Windows PowerShell to quickly exfiltrate the data found in the company's email server, which he then scraped for new emails every time he came back to their network in the following weeks.

Hacker discovers secret network where the RCS source code was hosted

After reading some of the stolen emails, Phineas Fisher understood that there was another hidden network inside the company's infrastructure, where the Hacking Team kept the source code of their RCS (Remote Control System) surveillance software.

With access to everyone's computers thanks to the Domain Admin server hack, Phineas Fisher focused on one of the company's top coders, Christian Pozzi.

Scanning Pozzi's computers and email accounts, Phineas Fisher eventually found the password to the Web interface of Hacking Team's GitLab source code management system. And that was it. System compromise achieved, new bonus level unlocked, and the rest is history.

"That's all it takes to take down a company and stop their human rights abuses. That's the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company," Phineas Fisher explained. "Hacking gives the underdog a chance to fight and win."

UPDATE: The article was updated to change the hacker's nickname from FinFisher to Phineas Fisher. FinFisher is an older moniker, which he does not use anymore, and coincidentally the name of Hacking Team's main rivals.