Read the introduction on what to do when a website doesn’t exist. The room asks you to look up RepublicOfKoffee.com on Google.
It confirms that there is no actual website for the domain and hints that it is archived.
The objective is to find the domain’s registry information. The recommended sources are lookup.icann.org or any other service for a ‘whois’ lookup.
I looked up the domain on ‘lookup.icann.org’ and through the terminal on the AttackBox to see what options each provided. The terminal had more information available.
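As an added example (not part of the original write-up), here is a small parser for the ‘Key: Value’ layout that a terminal `whois` lookup prints for a gTLD domain. It pulls out the fields the questions below ask for: registrar, registrar phone with the country code stripped (WHOIS phones use the ‘+CC.NUMBER’ form from RFC 5733, so ‘+1.6613102107’ becomes ‘6613102107’), first nameserver, registrant name and registrant country, and flags whether the contact data is redacted. The WHOIS record it runs against is constructed and uses placeholder values, not the real record for any domain.

```python
import re

# Constructed sample WHOIS output (placeholder values, not a real record).
# The layout mirrors what `whois <domain>` prints for a .com registered
# through a registrar that redacts contact details behind a privacy service.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, Inc.
Registrar IANA ID: 9999
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Name Server: DNS1.EXAMPLE-NS.NET
Name Server: DNS2.EXAMPLE-NS.NET
Registrant Name: Redacted for Privacy
Registrant Organization: Privacy service (hypothetical)
Registrant Country: IS
Registrant Phone: REDACTED FOR PRIVACY
"""


def parse_whois(text: str) -> dict:
    """Collect 'Key: Value' lines into a dict; keys that repeat (Name Server,
    Domain Status) become lists. Comment lines (%, #, >>>) are skipped."""
    record: dict = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            continue
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def national_number(phone: str) -> str:
    """'+1.5555550100' -> '5555550100' (drop the +CC. prefix, RFC 5733 style).
    Any other layout is reduced to its digits only."""
    m = re.fullmatch(r"\+(\d{1,3})\.(\d+)", phone.strip())
    if m:
        return m.group(2)
    return re.sub(r"\D", "", phone)


def summarize(text: str) -> dict:
    """Answer the usual 'who registered this' questions from raw WHOIS text."""
    rec = parse_whois(text)
    nameservers = rec.get("Name Server", [])
    if isinstance(nameservers, str):
        nameservers = [nameservers]
    return {
        "registrar": rec.get("Registrar"),
        "registrar_phone": national_number(rec.get("Registrar Abuse Contact Phone", "")),
        "first_nameserver": nameservers[0] if nameservers else None,
        "registrant_name": rec.get("Registrant Name"),
        "registrant_country": rec.get("Registrant Country"),
        # Redacted records tell you about the privacy proxy, not the registrant:
        # the country field then belongs to the proxy service, so a historical
        # WHOIS source is needed for the real owner.
        "redacted": any("redact" in str(v).lower() for v in rec.values()),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WHOIS).items():
        print(f"{key:>20}: {value}")
```

To use it on a live target, feed it the stdout of `whois <domain>` (for example via `subprocess.run(["whois", domain], capture_output=True, text=True).stdout`). Registries and registrars differ in field names and some print the registrar’s own record after a `>>>`-delimited registry block, so check the raw output once before trusting the parsed fields.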
I was able to answer the following questions:
What was the name of the company the domain was registered with? NameCheap Inc.
What phone number is listed for the registration company? (do not include country code or special characters/spaces) 6613102107
What is the first nameserver listed for the site? DNS1.REGISTRAR-SERVERS.COM
What is listed for the name of the registrant? Redacted for Privacy
Now for the last question. This was hard to answer, as the listed country for the mailing address was IS (Iceland), but that wasn’t right. So I looked at whoxy.com and found all owners of the domain. Panama was the most recent besides Iceland.
What country is listed for the registrant? Panama
The new task was to actually view the site using Archive.org and/or the Internet Archive’s Wayback Machine. So I searched the Wayback Machine for the domain and was given a calendar of when the site was archived.
I clicked on the first available capture, on Dec. 31st, 2015, and was able to see the website for the first time.
From the most recent blog posts I assumed the author was familiar with Gwangju, so I Googled where that was. It’s a city in South Korea, where a popular place to visit is Mudeungsan Mountain National Park. The result also listed a temple in the park.
I was able to answer the following questions:
What city and country was the author writing from? Gwangju, South Korea
[Research] What is the name (in English) of the temple inside the National Park the author frequently visits? Jeungsimsa temple
To find out the author of the blog I went back to the Wayback Machine summary for the domain. I selected the ‘Site Map’ which looked like this:
I clicked on the outer red ring which brought me to an actual blog post that had the author’s name and further confirmed they were writing from South Korea.
What is the first name of the blog’s author? Steve
This task is to look at the technical information about the domain. I started this research by going to ViewDNS.info and looking up the IP history.
After clicking ‘Go’ the IP history is displayed.
What was RepublicOfKoffee.com’s IP address as of October 2016? 173.248.188.152
How many times has the IP address changed in the history of the domain? 4
Then by doing a reverse IP lookup I was able to see what other domains are/were hosted on the IP that RepublicOfKoffee.com was associated with from the previous question.
There were others associated with the IP which answers:
Based on the other domains hosted on the same IP address, what kind of hosting service can we safely assume our target uses? Shared
Now the objective is to learn about heat[dot]net. I just stayed on viewdns.info and used the ‘Domain/IP Whois’ option.
What is the second nameserver listed for the domain? NS2.HEAT.NET
Then I did an IP History Search and a Reverse IP Lookup.
What IP address was the domain listed on as of December 2011? 72.52.192.24
Based on the domains that share the same IP, what kind of hosting service is the domain owner using? Shared
I then went to the Wayback Machine site and searched heat.net.
On what date was the site first captured by the internet archive? (MM/DD/YY format) 06/01/97
I then looked at the last capture of 2001 which was a good-bye from the creators as they moved to another platform/website.
What is the first sentence of the first body paragraph from the final capture of 2001? “After years of great online gaming, it’s time to say good-bye.”
After that I searched “who created heat.net back in 1997” on Google and found out it was SegaSoft.
Using your search engine skills, what was the name of the company that was responsible for the original version of the site? SegaSoft
They also want to look at the capture for heat.net for 2010 which looks like:
What does the first header on the site on the last capture of 2010 say? Heat.net - Heating and Cooling
This task focuses on ways to get an idea of who created the website, such as using ‘View Source’ to find hidden comments. The URL in question is: heat[dot]net/36/need-to-hire-a-commercial-heating-contractor/
I navigated to the page by using the Wayback Machine again and searched through the site map for years 2010-2011. I found the page in 2011.
After reading through the article I can see the internal links used throughout the page. Example:
How many internal links are in the text of the article? 5
As there were only 5 links on the page in 2011, all of them internal, I began to look at different captures of the page. It changed/updated in 2021 and included an external link.
How many external links are in the text of the article? 1
Website in the article’s only external link (that isn’t an ad): purchase.org
In order to find the answer for the next question I thought I’d view the page source. I searched the source-code for the word ‘google’ and by the second result I found the Google Analytics code.
Try to find the Google Analytics code linked to the site: UA-251372-24
For the next question I clicked the link to Bellingcat’s tutorial, as the code has ‘UA-’ as its prefix and I didn’t know how to go about finding the answer. The tutorial gives some links for finding other occurrences of the same code. I used NerdyData and searched for ‘UA-251372-24’.
Is the Google Analytics code in use on another website? Nay
Going back to the website in question, I hovered over the links in the article in search of a variable/parameter at the end with an equal sign, or really just any additional information after the original URL. A common example would be: site.com/?ref=john.
None of the links had additional information; they only pointed to other pages within the website.
Does the link to this website have any obvious affiliate codes embedded with it? Nay
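The link-counting, affiliate-parameter and Google Analytics checks above are easy to get wrong by hand on an archived page, because the Wayback Machine rewrites every link to `https://web.archive.org/web/<timestamp>/<original URL>`, which makes an internal link look external. As an added example (not code from the original write-up), the script below unwraps that prefix, classifies links inside the `<article>` element as internal or external for a given site host, flags query parameters that look like affiliate/tracking tags, and extracts any `UA-…` tracking ID from the page source. The HTML it runs against is constructed; `example-site.net`, `shop.example.org` and the tracking ID `UA-000000-1` are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Wayback rewrites links as .../web/<timestamp>[im_|js_|cs_|id_]/<original URL>
WAYBACK_RE = re.compile(r"^https?://web\.archive\.org/web/\d+(?:[a-z_]+)?/(.+)$", re.I)

# Query keys commonly used for affiliate / referral attribution (assumption: a
# starting list, not an exhaustive one).
AFFILIATE_KEYS = {"ref", "aff", "affiliate", "affid", "tag", "partner", "cid", "utm_source"}

# Universal Analytics property IDs look like UA-123456-7.
GA_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")

# Constructed sample page (placeholder hosts and tracking ID).
SAMPLE_HTML = """
<html><head>
<script>
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-000000-1']);
</script>
</head><body>
<article>
<p>Need a contractor? See our <a href="/36/furnace-guide/">furnace guide</a>,
<a href="http://www.example-site.net/36/boiler-tips/">boiler tips</a> and
<a href="https://web.archive.org/web/20110601000000/http://example-site.net/36/ducts/">duct article</a>.
Compare prices at <a href="http://shop.example.org/heating?ref=partner42">this store</a>.</p>
</article>
<div class="sidebar"><a href="http://ads.example.com/click?cid=9">Sponsor</a></div>
</body></html>
"""


def unwrap_wayback(url: str) -> str:
    """Return the original URL hidden inside a Wayback-rewritten link."""
    m = WAYBACK_RE.match(url)
    return m.group(1) if m else url


def _host(netloc: str) -> str:
    return re.sub(r"^www\.", "", netloc.lower())


class LinkCollector(HTMLParser):
    """Record every <a href>, remembering whether it sat inside an <article>."""

    def __init__(self):
        super().__init__()
        self.links = []          # (href, inside_article)
        self.article_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag == "article":
            self.article_depth += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append((href, self.article_depth > 0))

    def handle_endtag(self, tag):
        if tag == "article" and self.article_depth:
            self.article_depth -= 1


def analyze_page(html: str, site_host: str) -> dict:
    parser = LinkCollector()
    parser.feed(html)
    # If the page has an <article>, count only its links (the "text of the
    # article"); otherwise fall back to every link on the page.
    hrefs = [h for h, inside in parser.links if inside] or [h for h, _ in parser.links]
    site_host = _host(site_host)
    internal, external, affiliate = [], [], []
    for href in hrefs:
        url = unwrap_wayback(href)
        parts = urlsplit(url)
        if parts.scheme in ("mailto", "javascript", "tel") or (not parts.netloc and not parts.path):
            continue  # skip anchors and non-http links
        if not parts.netloc or _host(parts.netloc) == site_host:
            internal.append(url)
            continue
        external.append(url)
        tags = {k: v for k, v in parse_qs(parts.query).items() if k.lower() in AFFILIATE_KEYS}
        if tags:
            affiliate.append((url, tags))
    return {
        "internal": internal,
        "external": external,
        "affiliate": affiliate,
        "ga_ids": sorted(set(GA_RE.findall(html))),
    }


if __name__ == "__main__":
    report = analyze_page(SAMPLE_HTML, "example-site.net")
    print(f"internal: {len(report['internal'])}, external: {len(report['external'])}")
    print("affiliate-looking links:", report["affiliate"])
    print("GA IDs:", report["ga_ids"])
```

Run it on the raw source of a Wayback capture (save the page with `curl` and point `analyze_page` at it) rather than on the rendered view, since the toolbar the archive injects adds its own links. A tracking ID match only says the same property is embedded; to test whether it is in use elsewhere you still need a source-code search engine, as the tutorial linked above describes.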
This task is supposed to get us to connect the dots while using the tools from Task 4 (viewdns.info). Finding a connection in the IP history or maybe the Whois seemed like a good start, so I searched ‘purchase.org’ in the IP history.
I immediately noticed that purchase.org had the same IP address owner, Liquid Web, that heat.net had in 2011 (refer to Task 5, the second image).
I looked up what Liquid Web does and possible other names, as the format seemed similar but not quite right. So I found their website and looked for their copyright.
Use the tools in Task 4 to confirm the link between the two sites: Liquid Web, LLC
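Comparing two IP-history tables by eye is where the “similar but not quite” owner names (for example ‘Liquid Web, L.L.C.’ versus ‘Liquid Web LLC’) cause misses. As an added example (not part of the original write-up or of viewdns.info), the script below takes two IP histories in the shape ViewDNS presents them (IP, owner, date range), normalizes owner names, and reports where the two domains sat on the same IP, or with the same hosting owner, during overlapping dates. It also counts IP changes the way the earlier question asks. The histories are constructed with TEST-NET addresses and placeholder owners.

```python
import re
from datetime import date
from itertools import product

# Constructed IP histories (TEST-NET addresses, placeholder owners); fields
# mirror an IP-history table: ip, owner, first_seen, last_seen.
HISTORY_A = [  # hypothetical target-a.example
    {"ip": "203.0.113.10", "owner": "Hosting One, Inc.", "first_seen": date(2009, 1, 1), "last_seen": date(2010, 12, 31)},
    {"ip": "198.51.100.20", "owner": "Example Web, L.L.C.", "first_seen": date(2011, 1, 1), "last_seen": date(2013, 6, 30)},
    {"ip": "192.0.2.30", "owner": "Other Host Ltd", "first_seen": date(2013, 7, 1), "last_seen": date(2016, 12, 31)},
]
HISTORY_B = [  # hypothetical target-b.example
    {"ip": "198.51.100.21", "owner": "Example Web LLC", "first_seen": date(2010, 6, 1), "last_seen": date(2012, 12, 31)},
    {"ip": "192.0.2.30", "owner": "Other Host Ltd", "first_seen": date(2015, 1, 1), "last_seen": date(2017, 1, 1)},
]

CORP_SUFFIXES = {"llc", "inc", "ltd", "corp", "co", "gmbh", "sa"}


def norm_owner(name: str) -> str:
    """'Example Web, L.L.C.' and 'Example Web LLC' both become 'example web'."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower().replace(".", "")).split()
    while tokens and tokens[-1] in CORP_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def overlap(a: dict, b: dict):
    """Intersection of two date ranges, or None if they never overlap."""
    start = max(a["first_seen"], b["first_seen"])
    end = min(a["last_seen"], b["last_seen"])
    return (start, end) if start <= end else None


def ip_changes(history: list) -> int:
    """Number of times the address changed, walking the history in date order."""
    ips = [row["ip"] for row in sorted(history, key=lambda r: r["first_seen"])]
    return sum(1 for prev, cur in zip(ips, ips[1:]) if prev != cur)


def shared_infrastructure(hist_a: list, hist_b: list) -> dict:
    """Pairs of rows where both domains were on the same IP, or with the same
    hosting owner, at the same time. Same IP is the strong signal; same owner
    alone only says both used the same (possibly huge) hosting company."""
    same_ip, same_owner = [], []
    for ra, rb in product(hist_a, hist_b):
        window = overlap(ra, rb)
        if window is None:
            continue
        if ra["ip"] == rb["ip"]:
            same_ip.append({"ip": ra["ip"], "from": window[0], "to": window[1]})
        elif norm_owner(ra["owner"]) == norm_owner(rb["owner"]):
            same_owner.append({"owner": ra["owner"], "ip_a": ra["ip"], "ip_b": rb["ip"],
                               "from": window[0], "to": window[1]})
    return {"same_ip": same_ip, "same_owner": same_owner}


if __name__ == "__main__":
    print("IP changes, domain A:", ip_changes(HISTORY_A))
    result = shared_infrastructure(HISTORY_A, HISTORY_B)
    for hit in result["same_ip"]:
        print(f"same IP {hit['ip']} from {hit['from']} to {hit['to']}")
    for hit in result["same_owner"]:
        print(f"same owner {hit['owner']!r}: {hit['ip_a']} / {hit['ip_b']} from {hit['from']} to {hit['to']}")
```

Treat a shared owner as a lead rather than a confirmation: a large host serves many unrelated customers, so the link is only convincing when the same-IP window, a reverse-IP lookup, and the cross-site links line up.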
We learn about PBNs and their ability to influence search engine algorithms, since those algorithms map out the internet using links: the more links that lead to a specific website, the more trust is assumed for that website. So the website heat.net is now exposed as potentially cheating this system to promote purchase.org in the search engine rankings.
This answers why there is a connection between the two sites.
After the debrief I clicked the ‘Click to complete’ button.
There are plenty of sources to immerse yourself in the world of OSINT such as case studies, other THM rooms, podcasts, and training programs. All of them have captured my interest but I’ll complete this room for now!