Writeup_TryhackMe_Webosint
The below is my write-up about the strategy that I followed to retrieve the flags for this room.
Url: https://tryhackme.com/room/webosint
Target url name: RepublicofKoffee.com
Task#2 : Whois Registration
Let's go to https://lookup.icann.org/ and enter the domain name RepublicofKoffee.com
- What is the name of the company the domain was registered with?
Answer: NAMECHEAP INC
- What phone number is listed for the registration company?
Answer : 6613102107
- What is the first nameserver listed for the site?
Answer: DNS1.REGISTRAR-SERVERS.COM
- What is listed for the name of the registrant?
Answer: redacted for privacy
- What country is listed for the registrant?
Using ICANN Lookup, we only get ICELAND as the country, which is not the correct answer.
Then, I tried another tool: https://whois-history.whoisxmlapi.com/api
Using this tool, we get Panama as the registrant city, which is the required flag here.
Answer: Panama
Task#3 Ghosts of Websites Past
- What is the first name of the blog’s author?
Go to the URL RepublicOfKoffee.com and it opens the following link.
I have the Chrome extension for the Wayback Machine added. Right-click and then select “All Versions”.
The following page will load. Select a date in the past.
I selected the year 2015 and the snapshot as below.
Click on any blog post on this page and the author's name is mentioned.
Answer : Steve
- What city and country was the author writing from?
The second blog post tells about the author’s location, which is Gwangju.
Doing a Google search reveals that the location is in South Korea.
Answer : Gwangju, South Korea
- [Research] What is the name (in English) of the temple inside the National Park the author frequently visits?
Did a Google search of “Temple” + “Mudeungsan national park”.
The first result gave the name of the temple.
Answer: Jeungsimsa temple
Task#4 Digging into DNS
- What was RepublicOfKoffee.com’s IP address as of October 2016?
Go to https://viewdns.info/
Use the option “IP History”.
Answer: 173.248.188.152
- Based on the other domains hosted on the same IP address, what kind of hosting service can we safely assume our target uses?
Doing a reverse IP lookup for 173.248.188.152
We can see the following
Multiple domains are using the same IP address (173.248.188.152). Hence they are sharing the hosting resource.
Answer: Sharing
- How many times has the IP address changed in the history of the domain?
Doing a reverse IP history search we can see the following
Answer : 4
Task#5 Taking Off The Training Wheels
- What is the second nameserver listed for the domain?
Website name is heat.net
Went to https://whois-history.whoisxmlapi.com/ and did a lookup
Answer : NS2.HEAT.NET
- What IP address was the domain listed on as of December 2011?
For viewing the historic records, let's go to https://viewdns.info/ and select IP history.
Answer : 72.52.192.240
- Based on domains that share the same IP, what kind of hosting service is the domain owner using?
Doing a reverse IP search, we can see multiple sites using the same IP.
Answer: shared
- On what date was the site first captured by the internet archive? (MM/DD/YY format)
Went to the URL heat.net and then clicked on the add-on for the Wayback Machine.
Going all the way back to 1997, we can see the date, which is 1st Jun 1997.
Answer: 06/01/97
- What is the first sentence of the first body paragraph from the final capture of 2001?
Let’s navigate to 2001. The final capture is on 6th July.
Answer: After years of great online gaming, it’s time to say good-bye.
- Using your search engine skills, what was the name of the company that was responsible for the original version of the site?
Answer: Segasoft
- What does the first header on the site on the last capture of 2010 say?
Let's navigate to 30th Dec 2010
Answer: Heat.net — Heating and Cooling
Task#6 Taking A Peek Under The Hood Of A Website
Go to url heat.net/36/need-to-hire-a-commercial-heating-contractor/
- How many internal links are in the text of the article?
Clicked on webpage > right click > view source code
Answer: 5
- How many external links are in the text of the article?
Answer: 1
- Website in the article’s only external link ( that isn’t an ad)
Answer: Purchase.org
- Try to find the Google Analytics code linked to the site
Searching using the keyword “analytics”, we can find the below
Answer: UA-251372-24
- Is the Google Analytics code in use on another website? Yay or nay
Checked the code <UA-251372-24> in Nerdydata.com.
Result comes as 1.
Answer: nay
- Does the link to this website have any obvious affiliate codes embedded with it? Yay or Nay
Searched using the keyword “affiliate” and also href, and it comes up negative.
Answer: nay
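The manual source review in Task 6 (counting the article's internal and external links and finding the Google Analytics ID) can be scripted. This is an added example, not part of the original write-up or the room; the sample HTML is constructed, and the `<div class="article">` container, the `example.test` hosts and the function names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not the real heat.net source); all names are placeholders.
SAMPLE_HTML = """<html><head>
<script>_gaq.push(['_setAccount','UA-0000000-1']);</script></head><body>
<nav><a href="/about">About</a></nav>
<div class="article">
<p><a href="/1/first-post/">one</a> <a href="http://www.example.test/2/x/">two</a></p>
<p><a href="https://partner.example.org/page?ref=abc">partner</a>
<a href="#top">top</a> <a href="mailto:x@example.test">mail</a></p>
</div>
<footer><a href="https://ads.example.net/">ad</a></footer></body></html>"""

GA_ID = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")  # classic Universal Analytics ID shape

class ArticleLinks(HTMLParser):
    """Collect href values of <a> tags inside <div class="article"> (assumed container)."""
    def __init__(self):
        super().__init__()
        self.depth = 0   # > 0 while inside the article div (tracks nested divs)
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div" and (self.depth or "article" in (a.get("class") or "").split()):
            self.depth += 1
        elif tag == "a" and self.depth and a.get("href"):
            self.hrefs.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "div" and self.depth:
            self.depth -= 1

def host(url):
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def audit(html, base_url):
    parser = ArticleLinks()
    parser.feed(html)
    internal, external = [], []
    for href in parser.hrefs:
        full = urljoin(base_url, href)
        if href.startswith("#") or urlparse(full).scheme not in ("http", "https"):
            continue  # skip in-page anchors, mailto:, javascript:
        (internal if host(full) == host(base_url) else external).append(full)
    return {"internal": internal, "external": external,
            "ga_ids": sorted(set(GA_ID.findall(html)))}
```

Navigation and footer links fall outside the article container and are not counted, which matches the room's "in the text of the article" wording; site owners can run the same check on their own pages to see which tracking IDs tie their properties together.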
Task#7 Final Exam: Connect the Dots
- Use the tools in Task 4 to confirm the link between the two sites. Try hard to figure it out without the hint.
Upon checking the IP history for purchase.org, we see that the owner is Liquid Web, L.L.C
Answer : Liquid Web, L.L.C