OSCP Update #2

After a late-night session, I just took down Oracle! It was an easy one, but it took some time as I got stuck working on an exploit that I eventually didn’t use in favour of a different one.

Some thoughts…

  • Don’t only check Exploit-DB; look at GitHub as well for exploits.
  • Sometimes exploits can only be run once; if you mess up, you have to revert.
  • Remember that 4444 won’t always be allowed out of the target’s firewall.
  • There were some issues when running a Python script I fetched with wget from Exploit-DB. Turns out the line breaks were not formatted correctly for Linux. A simple ‘dos2unix’ command fixed this. https://en.wikipedia.org/wiki/Unix2dos
  • Make sure you’re running Python scripts using python, not bash!
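The CRLF problem from the fourth tip, as an added example (not code from the original post): a few shell functions that detect Windows line endings in a downloaded script and strip them using only POSIX tools, for hosts where dos2unix is not installed. The sample script is constructed for the demo.

```sh
# Added example, not code from the original post: detect and repair Windows
# (CRLF) line endings in a script fetched from Exploit-DB, using only POSIX
# tools so it works where dos2unix is not installed. The sample script below
# is constructed for the demo.

has_crlf() {
    # True (exit 0) if any line of $1 ends with a carriage return.
    grep -q "$(printf '\r')"'$' "$1"
}

shebang_is_clean() {
    # A CR stuck to the shebang makes the kernel look for an interpreter
    # named "python\r", which fails with "bad interpreter" / "No such file".
    ! head -n 1 "$1" | grep -q "$(printf '\r')"
}

strip_crlf() {
    # What `dos2unix "$1"` does: drop every carriage return, in place.
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

make_sample() {
    # Constructed stand-in for a downloaded exploit saved with CRLF endings.
    printf '#!/usr/bin/env python\r\nprint("hello")\r\n' > "$1"
}

fix_script() {
    # Repair $1 if needed and report what happened.
    if has_crlf "$1"; then
        strip_crlf "$1"
        echo "converted CRLF -> LF: $1"
    else
        echo "already LF: $1"
    fi
}
```

Before touching anything, `file exploit.py` is the quick check: it reports "with CRLF line terminators" when the download needs fixing. Once the endings are clean, run the script with `python exploit.py` rather than `bash exploit.py`, as the last tip says.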

Days left: 48
Rooted: Oracle, Payday, Hotline, Alice, Bob, Beta, Leftturn, Master, Dotty, Pheonix

Someone took over the Australian Prime Minister’s domain name and is boasting about it on Facebook

UPDATE 20/10/2018

My prediction was incorrect – the domain is still under the control of the prankster; let’s just call him Jack (because that’s his name). Jack has apparently reached out to Scott Morrison offering to transfer it back over to him. The firm he works for has also put out a press release. I have a feeling it borrows a bit from my article, but hey!

Check it out here: https://www.digitaleagles.com.au/social-media/secure-digital-assets-especially-youre-prime-minister/

So Prime Minister Scott Morrison forgot to renew his domain name scottmorrison.com.au, and some dude from Melbourne purchased it and is pointing it at a WordPress installation. The simple website is just a single page with an image of the PM and Lustra’s ‘Scotty Doesn’t Know’ obnoxiously playing in the background, sparking flashbacks of early-2000s MySpace days.

He boasted it on his personal Facebook page which has lax privacy settings, but I don’t think subtlety was part of the plan here. Even so, I’m going to sanitise all screenshots.

Just look at all those internet points!

A whois lookup on the domain name shows that it was purchased by the same person whose Facebook account made the post:

Soon after, the contact details were changed from his personal Gmail to a separate one set up especially for this domain.
I’m not sure if he understands auDA’s policies concerning .com.au WHOIS data, because changing the email address isn’t making him any more anonymous. For those playing at home, a .com.au is always tied to an ABN or ACN.

I also checked to see if this domain actually did belong to ScoMo:

Looks like it.

That’s pretty funny! What else can he do with the domain?

Well, now that he controls the domain name, he can set up a catch-all mailbox and wait for email addressed to the PM to come in. He could then enumerate which addresses were signed up to which services, and then initiate password resets. Sensitive information could also leak (even inadvertently), possibly including calendar and contact information for other world leaders, depending on how the domain was set up and used previously. So it’s actually kinda serious. Gabor, a cybersecurity expert, posted on his blog in August about the dangers of letting a domain expire and then fall into the wrong hands.

Of course, he could also impersonate the Prime Minister by setting up an email address under @scottmorrison.com.au and sending a mean letter to the POTUS, so there’s that.

Oh. So, what can the PM do about it?

Unlike .com, which is the wild west of domain names, .au domains are governed by auDA, which sets the eligibility policies for .au and .com.au domain names. Those policies include anti-cybersquatting rules (for example, you can’t register a domain for the sole purpose of selling it to someone else) and a requirement for a genuine need for the domain, in line with the purpose of the ABN used to register it in the first place.

For a normal person like you or me, the route would be to lodge a dispute with auDA, stating that the domain wasn’t registered in good faith (it would be very hard to argue the point). It’s not clear how effective or costly this is; a Whirlpool forum thread discusses .au cyber-squatting at length.

Of course, he’s not like us, he’s the Prime Minister. I suspect Scotty now knows, and will have contacted the right people to have regained control over the domain by COB tomorrow. I imagine our prankster will get a stern talking to, but hopefully not much else. And please, DON’T FORGET TO RENEW YOUR DOMAIN NAMES!

OSCP Update #1

So I renewed my OSCP Lab time for another 90 days, with the goal of spending a lot more time. Well that hasn’t worked out so far, but I’ll keep at it.

Something I learned about the atftp service: the ‘path’ switch doesn’t seem to work, at least not for me. According to https://linux.die.net/man/8/atftpd and the OSCP Manual, the following should start the TFTP server with /tftp as the directory.

atftpd --daemon --port 69 /tftp

Anyway, it wasn’t working for me, and I couldn’t figure out why:

until I found a helpful forum post that suggested checking /etc/default/atftpd

I guess the path flag wasn’t overriding the default path of /srv/tftp. After changing the path, it worked.
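The check a practitioner wants here is “which directory is atftpd really serving?”, since on Debian-based systems (Kali included) the service reads its arguments from /etc/default/atftpd and the serving directory is atftpd’s last positional argument. The functions below are an added example, not code from the original post: they read and rewrite that trailing directory in a defaults file, and look at the running process. The defaults file used in the demo is a constructed sample, not the distribution’s real default.

```sh
# Added example, not code from the original post: find and fix the directory
# atftpd will actually serve. The serving directory is the final positional
# argument of atftpd, so in /etc/default/atftpd it is the last word of the
# OPTIONS="..." line. Sample file contents below are constructed.

atftpd_configured_dir() {
    # Last word of the OPTIONS="..." line in the defaults file $1.
    sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1" | awk '{ print $NF }'
}

set_atftpd_dir() {
    # Rewrite the trailing directory of the OPTIONS line in $1 to $2.
    awk -v dir="$2" '
        /^OPTIONS="/ { sub(" [^ \"]*\"$", " " dir "\"") }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

running_atftpd_dir() {
    # Directory of the atftpd process that is actually running (procps ps).
    ps -o args= -C atftpd | awk '{ print $NF }'
}

check_atftpd_dir() {
    # Exit 0 if the defaults file $1 points at the directory $2 you intend to serve.
    [ "$(atftpd_configured_dir "$1")" = "$2" ]
}

# Demo on a constructed defaults file: starts at /srv/tftp, switch it to /tftp.
demo_file=$(mktemp)
printf 'USE_INETD=false\nOPTIONS="--daemon --port 69 --verbose=5 /srv/tftp"\n' > "$demo_file"
echo "configured: $(atftpd_configured_dir "$demo_file")"
set_atftpd_dir "$demo_file" /tftp
echo "after edit: $(atftpd_configured_dir "$demo_file")"
rm -f "$demo_file"
```

After editing the real file, restart the service and confirm with `running_atftpd_dir` (or `ss -ulnp | grep :69` to see which process owns the port) that the daemon answering on UDP 69 is the one serving the directory your payload sits in; a second instance started by hand will not help if the service-managed one already holds the port.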


Rooted: alice, bob, payday, hotline, master, dotty, pheonix, beta

Days left: 73


So I have plenty of existing content to upload here. So little time. I’ve begun my OSCP journey, which has been taking up all of my free time. I’ve only got a few days of lab time left, after which I’ll have to extend for another 90 days. This time I’ll try and keep more of a journal of my progress. I’ve nearly got Bob, one of the harder targets…

Other than that, my band Aura Animi has two awesome shows coming up. One supporting Alpha Wolf at Hot Damn and another supporting Drowning Atlantis. Head over to our Facebook page for all the info!