OSCP Update #2

After a late night session, I just took down Oracle! It was an easy one, but it took some time as I got stuck working on an exploit that I eventually didn’t use in favour of a different one.

Some thoughts…

  • Don’t only check Exploit-DB, look at GitHub as well for exploits.
  • Sometimes exploits can only be run once; if you mess up, you have to revert the target.
  • Remember that port 4444 won’t always be allowed out of the target’s firewall.
  • There were some issues when running a Python script I had ‘wget’-ed from Exploit-DB. Turns out the line breaks were Windows-style (CRLF) rather than Linux-style (LF). A simple ‘dos2unix’ command fixed this. https://en.wikipedia.org/wiki/Unix2dos
  • Make sure you’re running Python scripts using python, not bash!

Days left: 48
Rooted: Oracle, Payday, Hotline, Alice, Bob, Beta, Leftturn, Master, Dotty, Pheonix

Someone took over the Australian Prime Minister’s domain name and is boasting about it on Facebook

UPDATE 20/10/2018

My prediction was incorrect – the domain is still under control of the prankster, let’s just call him Jack (because that’s his name). Jack has apparently reached out to Scott Morrison offering to transfer it back over to him. The firm he works for has also made a press release. I have a feeling it borrows a bit from my article, but hey!

Check it out here: https://www.digitaleagles.com.au/social-media/secure-digital-assets-especially-youre-prime-minister/
————————————————————————————————————————————

So Prime Minister Scott Morrison forgot to renew his domain name scottmorrison.com.au and some dude from Melbourne purchased it and is pointing it to a WordPress installation. The simple website is just a single page with an image of the PM with Lustra’s ‘Scotty Doesn’t Know’ obnoxiously playing in the background, sparking flashbacks of early-2000s MySpace days.

He boasted it on his personal Facebook page which has lax privacy settings, but I don’t think subtlety was part of the plan here. Even so, I’m going to sanitise all screenshots.

[screenshot: the Facebook post]
Just look at all those internet points!

A whois lookup on the domain name shows that it was purchased by the same person whose Facebook account made the post:
[screenshot: WHOIS lookup of the domain]

Soon after, the contact details were changed from his personal Gmail address to a separate one set up especially for this domain.
[screenshot: updated WHOIS contact details]
I’m not sure if he understands auDA’s policies concerning .com.au WHOIS data, because changing the email address isn’t making him any more anonymous. For those playing at home, a .com.au is always tied to an ABN or ACN.

I also checked to see if this domain actually did belong to ScoMo:
[screenshot: check of the domain’s previous registration]

Looks like it.

That’s pretty funny! What else can he do with the domain?

Well, now that he controls the domain name, he can set up a catch-all mailbox and wait for emails addressed to the PM to come in. He could then enumerate which email addresses were signed up for which services, and then initiate password resets. He could also leak sensitive information (even inadvertently), possibly calendar and contact information for other world leaders depending on how the domain was set up and used previously. So, it’s actually kinda serious. Gabor, a cybersecurity expert, posted on his blog in August about the dangers of letting a domain expire and then fall into the wrong hands.

Of course, he could also impersonate the Prime Minister by setting up an email address under @scottmorrison.com.au and sending a mean letter to the POTUS, so there’s that.

Oh. So, what can the PM do about it?

Unlike .com, which is the wild west of domain names, .au domains are governed by auDA, who outline the eligibility policies for .au and .com.au domain names. Such policies include anti-cybersquatting measures (for example, buying a domain for the sole purpose of selling it to someone else), and also requiring a genuine need for registering the domain, which should be in line with the purpose of the ABN required to register the domain in the first place.

For a normal person like you or me, we would have to lodge a dispute claim with auDA, stating that the domain wasn’t registered in good faith (it would be very hard to argue the point). It’s not clear how effective or costly this is; there is a Whirlpool forum thread that discusses .au cyber-squatting at length.

Of course, he’s not like us, he’s the Prime Minister. I suspect Scotty now knows, and will have contacted the right people to have regained control over the domain by COB tomorrow. I imagine our prankster will get a stern talking to, but hopefully not much else. And please, DON’T FORGET TO RENEW YOUR DOMAIN NAMES!
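The defensive takeaway from this post is to notice a lapsing domain before someone else does. Below is an added example (my own, not code from the original post or from any registrar) of the kind of check a small monitoring job would run: it pulls the expiry date out of a WHOIS record and classifies the domain as ok, expiring or expired. The WHOIS text is a constructed sample in the style of a gTLD registry record with made-up domain, dates and registrar; the field names it recognises are common variants, not an exhaustive list, and the .au WHOIS format does not expose expiry in quite the same way, so treat the parser as an assumption to adapt.

```python
"""Added example (not part of the original post): parse the expiry date out
of a WHOIS record and flag domains that are about to lapse.

Assumptions: the WHOIS text below is a constructed sample in the style of a
gTLD registry record, and EXPIRY_FIELDS lists the field-name variants this
example recognises.
"""
from datetime import date
import re

# Constructed sample WHOIS output; the domain, dates and registrar are made up.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-PM-DOMAIN.COM
Registrar: Example Registrar, Inc.
Updated Date: 2018-09-01T04:12:33Z
Creation Date: 2013-10-14T02:00:00Z
Registry Expiry Date: 2018-10-13T02:00:00Z
Name Server: NS1.EXAMPLE.NET
"""

# Field names differ between registrars and registries; these are common variants.
EXPIRY_FIELDS = {
    "registry expiry date",
    "registrar registration expiration date",
    "expiry date",
    "expiration date",
    "paid-till",
}

# Leading YYYY-MM-DD (or YYYY.MM.DD / YYYY/MM/DD); the time component is ignored.
_DATE_RE = re.compile(r"(\d{4})[-./](\d{2})[-./](\d{2})")


def parse_expiry(whois_text):
    """Return the expiry as a date, or None if no recognised field is present."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() not in EXPIRY_FIELDS:
            continue
        m = _DATE_RE.match(value.strip())
        if m:
            return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return None


def days_until_expiry(whois_text, today_iso):
    """Days remaining before the domain lapses (negative means already past).

    today_iso is a YYYY-MM-DD string so the check is reproducible in a job."""
    expiry = parse_expiry(whois_text)
    if expiry is None:
        raise ValueError("no expiry field found in WHOIS record")
    return (expiry - date.fromisoformat(today_iso)).days


def expiry_status(whois_text, today_iso, warn_days=30):
    """Classify a record as 'expired', 'expiring' or 'ok' for an alerting job."""
    remaining = days_until_expiry(whois_text, today_iso)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring"
    return "ok"


if __name__ == "__main__":
    # 'today' is pinned so the demonstration gives the same answer every run.
    today = "2018-10-20"
    print(parse_expiry(SAMPLE_WHOIS), days_until_expiry(SAMPLE_WHOIS, today),
          expiry_status(SAMPLE_WHOIS, today))
```

In practice you would feed this the output of a whois query for each domain you own (or your registrar’s API) and page someone on anything that is not "ok"; the 30-day warning window is a default, not a recommendation.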

OSCP Update #1

So I renewed my OSCP Lab time for another 90 days, with the goal of spending a lot more time. Well that hasn’t worked out so far, but I’ll keep at it.

Something I learned about the atftp service – the ‘path’ argument doesn’t seem to work, at least not for me. According to https://linux.die.net/man/8/atftpd and the OSCP Manual, the following should start the TFTP server with /tftp as the directory.

atftpd --daemon --port 69 /tftp

Anyway, it wasn’t working for me, and I couldn’t figure out why, until I found a helpful forum post that suggested checking /etc/default/atftpd.

I guess that the path given on the command line wasn’t overriding the default path of /srv/tftp set in that file; after changing the path there, it worked.

onwards…

Rooted: alice, bob, payday, hotline, master, dotty, pheonix, beta

Days left: 73

Show Announcements!

I have two massive shows coming up! My side-project Skylla is playing with Filipino rock band Parokya Ni Edgar on the 28th of September at Blacktown Workers Club:

https://www.facebook.com/events/1842677179122963/

and Aura Animi is playing with Alpha Wolf at the last ever Hot Damn! back on Oxford Street. This will be the 5th time I’ve played Hot Damn, the 4th band I’ve played in at Hot Damn, and the 4th Hot Damn venue I’ve played. I’m sure it will come back… one day…

https://www.facebook.com/events/218037652355347/

Update

So I have plenty of existing content to upload here. So little time. I’ve begun my OSCP journey, which has been taking up all of my free time. I’ve only got a few days of lab time left, after which I’ll have to extend for another 90 days. This time I’ll try and keep more of a journal of my progress. I’ve nearly got Bob, one of the harder targets…

Other than that, my band Aura Animi has two awesome shows coming up. One supporting Alpha Wolf at Hot Damn and another supporting Drowning Atlantis. Head over to our Facebook page for all the info!

Stream the NRL from your PC

In Australia, if you want to watch the NRL live on a large screen (not a mobile screen), you have a few options:

1. Watch selected games on Channel Nine – The 2018 season is going to show more than usual this season thanks to a new deal between Channel Nine and the NRL.

2. Watch all games on Fox Sports, or Fox Sports Go. The cheapest plans start around $39 a month and include all the required sports channels plus the other standard Foxtel channels.

3. Use a dodgy streaming website – make sure you’re always running an ad/script blocker like uBlock Origin.

4. Use the NRL Live Pass with Bluestacks on your PC. Bluestacks is an Android emulator that you can run on your PC. The NRL Live Pass is a subscription that allows you to stream all NRL games live using the NRL App. From 2018 onwards, new deals prevent the NRL Live App from streaming Grand Final or State of Origin games – these will be available on Channel Nine anyway, so you still won’t need a Foxtel subscription.

To get the NRL Live Pass, you can pay weekly or annually, but it’s still cheaper than Foxtel either way. If you’re a Telstra Mobile customer, you will get access to the NRL Live Pass for free, and it will be un-metered (it won’t count towards your data, because net neutrality isn’t a thing to Telstra…).

It seems that you used to be able to plug your Android phone into your TV to stream the game on a larger screen, but that stopped working at some point. Other ways to stream a phone to your TV while using the NRL App also seem to have been blocked.

The solution to this is to download Bluestacks – an Android emulator for Windows. Once installed, install the NRL App inside Android (requires a Google account), and then log in using your Telstra Account if you’re a Telstra customer, or your NRL account if you’re not a Telstra customer and purchased the NRL Live Pass.

Now you should be able to stream NRL games live. Note that the picture on a 1920×1080 screen will look pretty average as the NRL Live Pass streaming resolution is quite low – I’ll update this post with more information if I find it. If you full-screen Bluestacks, you may have to download the Set Orientation app from the App Center to force Bluestacks to use landscape mode. From my experimentation, if you set the resolution on Bluestacks to anything higher than 1280 x 720, it will force the NRL Live Pass player to display in a small window – this is likely some kind of restriction in the NRL App itself; I’ll update this post with more info if it becomes available.

Sources:

https://www.nrl.com/nrl-app-terms-and-conditions/
https://itunes.apple.com/au/app/nrl-official-app/id442363523?mt=8
https://wwos.nine.com.au/2018/02/28/19/27/nine-announce-nrl-season-coverage-for-2018-season
https://www.telstra.com.au/tv-movies-music/sports-offer

List your gigs on Spotify

If your band streams music on Spotify, listing your gigs on your band’s Artist Profile is a good way to get new listeners to your shows. I found the documentation on how to achieve this a bit confusing, so I’ve summed it up here.

1. Create a Tourbox account with Songkick here: https://accounts.songkick.com/signup

The options allow you to authenticate with Spotify or Facebook; however, I’d recommend creating a single band account that everyone in your band can share, so everyone else can manage your band via Songkick as well.

2. Navigate to https://tourbox.songkick.com – this is where you want to sign in, as otherwise it signs you into a personal account. This is confusing, and Songkick has done a terrible job at creating an intuitive UI. You have to make sure you’ve signed up and logged in as an artist to access Tourbox.

3. Click on the Add artist button, then search for your own band name. If there are multiple. If you already appear there, it might be because someone else listed your band as someone playing in their Event, or, it could be a duplicate.

4. Now, you’d expect Songkick to want to validate that you actually represent the band you’re claiming to manage, but they will only ask for validation if you try to manage a big band like Metallica or something. So, in theory, you could claim to manage a bunch of bands you like and create bogus events that will appear on their Spotify page.

5. Once you’ve added your band as an artist that you manage, you can start adding events. It not only allows you to add your band to the event, but also other bands on the lineup. Songkick doesn’t have any mechanism to validate this, so it will trust whatever you tell it. Ideally, you’d list the actual bands by searching for them. If they don’t exist, you can add them, which creates an Artist page for them and adds them to the event. Songkick will also start listing the event on that band’s Spotify artist page, without telling them, so hopefully it adds the right one. Sometimes it’s hard to know if there are multiple bands on Songkick/Spotify with the same name. The takeaway from this is to add yourself to Songkick before someone else does.

6. After a few days, check back on your Spotify artist page and it should have listed your events like so:

Sources:

https://artists.spotify.com/faq/concerts#how-can-i-promote-my-concerts-on-spotify

https://community.spotify.com/t5/Social-Off-Topic/How-to-add-Gigs-and-Event-in-my-artist-page/td-p/1450826