We’ll get started at 5 past the hour!

week01

COMP6443

Web Front-End Programming

Hacking websites for dummies

Good faith policy

We expect a high standard of professionalism from you at all times while you are taking any of our courses. We expect all students to act in good faith at all times.

TLDR: Don’t be a jerk

sec.edu.au/good-faith-policy

Whoami

  • Jesse Merhi (Like that plant + “he”)
  • Product Security @ Atlassian
  • Been interning there for 2 years.
  • Not like @melon (ex-CommBank)

In saying that...

  • If any of you want some advice on career things, consider this tut an opportunity to chat with someone who is in the industry and has some insight!

how to contact me

places for course discussion

  • SecSoc Discord - Ad-hoc and general chatting
  • We also have Ed! (More official)
  • How do I find Ed? Via Moodle

> whoareu


  • Your name -> I will forget this. I am sorry (I will try to remember your name).
  • What is your degree and year
  • Why did you take the course?
  • What level of experience do you have in security?

Questions

Course content

  • Topic Challenges: 20%
  • Written Reports: 30% (2 x 15%)
  • Exams: 50%

Challenges

  • If you haven't set up mTLS, we will figure that out today (for real, I don't know how to do it, so we can do it together).

  • https://ctfd.quoccacorp.com

  • RIP QuoccaBank.

  • START NOW, YOU WON'T REGRET IT.

how to approach learning in this course

  • Work together, but don't cheat; you are just dooming yourself.

  • We aren't extended, but the challenges are fun to solve, so if you're interested, try to get them done.

  • I will be of some help, but I won't give things away. If you need extra help, I have two tuts.

Report

  • Pentesting / Vulnerability report
    • Groups of 3
    • Keep track of how you found each of the flags
    • Threats and Remediation are really important
  • More on this later.

What happened in the lecture?

  • Did we watch the lectures?
  • What did the panda say?
  • Are we internet masterminds?
  • Make sure to ask “What is a JWT?” in the next lecture.

Panda

Recon Things

I have some cool stuff @ jmerhi.zip/6443/resources/recon

  • What is “Active Recon”
  • What is “Passive Recon”

Bruteforcing

If you use automated tools, please don't use the uni DNS servers; use these :) Bonus points if you use cloud compute.

  • Google - 8.8.8.8
  • Cloudflare - 1.1.1.1
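Subdomain brute-forcing is the kind of automated recon the slide is talking about: every guess becomes a DNS query, and the target's authoritative nameservers see those queries, which is why it counts as active recon. The script below is an added example, not part of the course materials or any tool it links to. It talks to the public resolvers listed above directly over UDP (no third-party DNS library, so the resolver choice is explicit), checks for wildcard DNS before trusting hits, and rejects replies whose transaction ID does not match. The wordlist is a constructed toy; a real run would load a list such as SecLists' subdomain wordlists (an assumption, not something the slide says). `example.com` is only a placeholder target.

```python
import random
import socket
import struct

# Public resolvers from the slide; query these instead of the uni's servers.
RESOLVERS = ("8.8.8.8", "1.1.1.1")

# Constructed demo wordlist. A real run would load a file (assumption:
# something like SecLists' subdomains-top1million-5000.txt).
WORDLIST = ["www", "mail", "dev", "staging", "api", "vpn"]

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def build_query(name, txid):
    """Build a minimal DNS A query: RFC 1035 header (RD set) plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off:]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_response(msg, txid):
    """Return (rcode, [A-record IPs]); raise ValueError if the txid does not match."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, ips


def resolve_a(name, resolver=RESOLVERS[0], timeout=2.0):
    """Send one A query over UDP to the chosen public resolver and parse the reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _addr = sock.recvfrom(4096)
    return parse_response(data, txid)


def bruteforce_subdomains(domain, words=WORDLIST, resolve=resolve_a):
    """Active recon: try each word as a label under `domain`, keep names that resolve.

    `resolve` is injectable so the logic can be exercised without the network.
    """
    # Wildcard check: if a random label resolves, every guess would look like a hit.
    probe = "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(12))
    try:
        _rc, wildcard_ips = resolve(f"{probe}.{domain}")
    except (socket.timeout, ValueError):
        wildcard_ips = []

    found = {}
    for word in words:
        fqdn = f"{word}.{domain}"
        try:
            rcode, ips = resolve(fqdn)
        except (socket.timeout, ValueError):
            continue  # dropped or bogus reply; treat as no answer
        if rcode == RCODE_NOERROR and ips and sorted(ips) != sorted(wildcard_ips):
            found[fqdn] = ips
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder target
    for host, addrs in bruteforce_subdomains(target).items():
        print(host, ",".join(addrs))
```

Run it as `python3 dnsbrute.py target.tld`; point it at a box you are allowed to test, and run it from a cloud VM if you want to keep the noise off the uni network. Passive recon, by contrast, would get the same kind of hostnames without sending a single packet to the target (certificate transparency logs, search engines, archived pages).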

Lecture content

  • web things??

Demo

BurpSuite and Proxy Setup

Activities

  • Form groups for the reports (2-3 people)
  • Signing up/logging into QuoccaBank
  • Installing Burp Suite / setting up certs
  • Try out some of the challenges!
    • Recon stuff
    • HTTP as a service