https://skelmis.co.nz/ Recent content on Skelmis Hugo en Sun, 15 Mar 2026 00:00:00 +0000 https://skelmis.co.nz/posts/concurrency-is-hard/ Sun, 15 Mar 2026 00:00:00 +0000 https://skelmis.co.nz/posts/concurrency-is-hard/ Scaling software is often thought of as hard problem, yet it is one of the bits of software development I enjoy the most. It provides access to some niche bugs that aren’t simply ‘You forgot to add a ; to the end of the line’ but rather provide scenarios such as ‘What happens when N people attempt to use Y at exactly the same time? Are all requests served by the server? https://skelmis.co.nz/f1-fantasy/ Wed, 25 Feb 2026 00:00:00 +0000 https://skelmis.co.nz/f1-fantasy/ Skip to leagues or FAQs Welcome to our local F1 Fantasy Leagues for 2026. F1 Fantasy is free, simple to pick up, and turns every practice run, pit stop and under-the-radar overtake into a chance for you to top global tables, or take on your friends and family in leagues of your own. Here’s how it works: You get a $100m cost cap to pick five drivers and two constructors. Create up to three teams… Maybe you want one ‘serious’ team, one for the fun of the chaos, and one experiment, but it’s up to you. https://skelmis.co.nz/jemba/ Sat, 03 Jan 2026 00:00:00 +0000 https://skelmis.co.nz/jemba/ Yo, I’m Ethan and these are the Jemba rules! Link to heading Click a letter in the table to go to related rules. A B C D F G H I K L M N O P Q R S T V W Y U Z A Link to heading Name Rule Alcoholic The person who pulled this piece must finish a glass of water before their next turn Android Those with an android phone drink once Andy All players vote on the most sober player, and they must take one drink Anton Any player taller than the picker must drink Apple Those with an apple phone drink once Automatic Those who drive an automatic vehicle must drink once Back to top https://skelmis.co.nz/posts/c_sharp-pathing/ Wed, 31 Dec 2025 00:00:00 +0000 https://skelmis.co.nz/posts/c_sharp-pathing/ Background Link to heading During a security review this year I stumbled across some C# that at a glance looked fine. Turns out however it actually contained path traversal which was by design (of the language). After asking some of my friends who are familiar with C# they also went ‘huh thats weird’ so I figured I’d make this and share with you all. TLDR Link to heading If you are reviewing C# and come across Path. https://skelmis.co.nz/cheatsheets/linux-snippets/ Thu, 26 Jun 2025 00:00:00 +0000 https://skelmis.co.nz/cheatsheets/linux-snippets/ Various snippets of Linux commands & scripts I use enough to justify existing on my $PATH git_fp Link to heading git fetch & pull #!/usr/bin/env bash git fetch git pull echo "Fetched n pulled any new content." git_send Link to heading git add, commit and push in one #!/usr/bin/env bash if [[ $# -eq 0 ]] ; then echo 'Expected commit message' exit 1 fi git add . git commit -m "$1" git push gitr Link to heading Recursive git clone https://skelmis.co.nz/about/ Tue, 21 Jan 2025 00:00:00 +0000 https://skelmis.co.nz/about/ Yo, I’m Ethan! Link to heading I’m a Wellington based cyber security consultant and open source developer making a difference in the world. I spend my days working as a cyber security consultant where I essentially spend my days hacking into companies, writing reports on said hacking and developing internal tooling. It’s fun to say the least ;) In my free time you’ll likely catch me coding. My software has been used by millions of people worldwide, with hundreds of thousands of developers choosing my platforms as the base used to build products which scale and those are some facts I just absolutely love. https://skelmis.co.nz/posts/cve-2024-41808/ Mon, 05 Aug 2024 00:00:00 +0000 https://skelmis.co.nz/posts/cve-2024-41808/ This is a cross post from a research group blog post I made which can be found here OpenObserve vulnerability chain Link to heading TL;DR - OpenObserve deployments using version 0.9.1 or lower are vulnerable to the following privilege escalation chain: A malicious user submits logs via a service which sends logs to an OpenObserve instance. These logs contain malicious content. A site user attempts to create a dashboard, using the logging field containing malicious input. https://skelmis.co.nz/posts/file-faking/ Sat, 20 Jul 2024 00:00:00 +0000 https://skelmis.co.nz/posts/file-faking/ Recently during some personal research I came across a very interesting avenue for remote code execution (RCE). The program let you provide one argument to the command line before appending some flags after. Now it wasn’t “one” escapable argument, but was actually only one argument much to my disappointment. Due to this, we are unlikely to LOLBIN our way out of the situation. So instead, let’s talk about a tale of bypassing theoretical file validation within some file upload and how to convince Linux to then run arbitrary code via said file when the rough following command is typed into a shell! https://skelmis.co.nz/posts/cve-2024-37893/ Tue, 18 Jun 2024 00:00:00 +0000 https://skelmis.co.nz/posts/cve-2024-37893/ TL;DR - Even with MFA enabled on firefly III versions v6.1.16 and lower, an attacker is able to authorize OAuth applications against user accounts using only a username and password. Advisory can be found here. Firefly III is a personal finance manager which is both free and open source for anyone to use. After a recommendation from a colleague, I decided to spin up a version for myself. I configured my Firefly account with a strong password + MFA. https://skelmis.co.nz/cheatsheets/nmap/ Mon, 01 Jan 2024 00:00:00 +0000 https://skelmis.co.nz/cheatsheets/nmap/ A bunch of nmap flags because I often forget. Detection Link to heading -A - All the host detection stuff -sV - Attempts to fingerprint services on ports -sn - No port scanning, only discover hosts. Example command to discover hosts on the network: nmap -sn ip_block/subnet Ports Link to heading -p- - Scan all ports -p80,443 - Scan port 80 and 443 -p1-100 - Scan ports 1 to 100 F - Scan the top 100 most popular ports (Nmap defaults to 1000) Timing templates Link to heading A flag to set underlying timeouts for stuff based on the network https://skelmis.co.nz/posts/discord-bot-sharding-and-clustering/ Thu, 28 Dec 2023 00:00:00 +0000 https://skelmis.co.nz/posts/discord-bot-sharding-and-clustering/ Table of contents What is sharding Sharding in Python libraries What is clustering How to cluster your bot Note: This content relates directly to the experiences of the author. You should tailor your solution to your bots needs as at this scale, everyone has different requirements. What is sharding Link to heading Sharding is the process by which Discord helps to alleviate load by forcing your bot to create multiple connections to Discord to split the load. https://skelmis.co.nz/posts/suggestions-server-december-outage/ Sun, 24 Dec 2023 00:00:00 +0000 https://skelmis.co.nz/posts/suggestions-server-december-outage/ TLDR; We had moved our database onto the same machine as our software a few months earlier, removing all replication in the process and never re-configuring it. Then our server proceeded to brick itself and our hosting provider was unsure if it could be recovered. It was in the end, but that’s how we nearly lost 1.95 million database records and ruined Christmas. And yes, you bet we have off-site backups again. https://skelmis.co.nz/posts/rubber-duckys/ Fri, 06 Oct 2023 00:00:00 +0000 https://skelmis.co.nz/posts/rubber-duckys/ After attending BSides Canberra I managed to get one of the DigiSparks from Redacted who offered them up as a sort of home brew USB rubber ducky. Kudos to Tomais for actually getting me one. The DigiSpark for reference: Naturally I wanted to have some fun with it, and being primarily a linux user I developed the payload with that in mind. It took a fair amount of trial and error, but I ended up with a payload that was able to pull a script from this site, download it and execute. https://skelmis.co.nz/posts/fenz-analysis/ Tue, 19 Sep 2023 00:00:00 +0000 https://skelmis.co.nz/posts/fenz-analysis/ Did you know Fire and Emergency New Zealand (FENZ) publish incident reports? Well they do, and you can read them here. Naturally, the software developer and “Oooo pretty graph” in me decided I wanted to look at the data, and so I created a little tool for myself to gather some information to build this post. Disclaimer Caveat for this data and my inferences: the data supplied is an extract from the ICAD reporting system maintained by Fire and Emergency New Zealand. https://skelmis.co.nz/posts/cve-2023-41885/ Mon, 18 Sep 2023 00:00:00 +0000 https://skelmis.co.nz/posts/cve-2023-41885/ It started as “bring password hashing inline with industry best practices” and two weeks later ended as “BaseUser.login implementation is vulnerable to time based user enumeration”. So here’s how a PR to bring a package inline with security best practices lead to a CVE. Recently I moved, and am still in the processing of moving my websites to an ORM called Piccolo which provides a nice database layer, batteries included approach to working with FastAPI while allowing me; a former Django developer; the ability to easily build data driven platforms without the need to write SQL. https://skelmis.co.nz/cheatsheets/server-mfa/ Sun, 27 Aug 2023 00:00:00 +0000 https://skelmis.co.nz/cheatsheets/server-mfa/ A TL;DR for setting up MFA on Ubuntu servers for SSH access because it took more than one guide to setup. Login to box sudo apt install libpam-google-authenticator sudo nano /etc/pam.d/sshd Scroll to bottom and add this under @include common-password auth required pam_google_authenticator.so Ctrl + S, Ctrl + X sudo nano /etc/ssh/sshd_config Set ChallengeResponseAuthentication to yes. This may be KbdInteractiveAuthentication in newer versions Ctrl + S, Ctrl + X sudo systemctl restart sshd. https://skelmis.co.nz/cheatsheets/pypi/ Tue, 08 Aug 2023 00:00:00 +0000 https://skelmis.co.nz/cheatsheets/pypi/ A TL;DR for package deployment because it’s complicated. Classifiers Link to heading Because I can’t find them when I need them. Find em here Commands to push to Pypi Link to heading Bump the version number Delete these if they exist: build, *.egg-info, dist pip install wheel twine python setup.py sdist bdist_wheel python -m twine upload ./dist/* https://skelmis.co.nz/posts/tbue/ Sat, 22 Jul 2023 00:00:00 +0000 https://skelmis.co.nz/posts/tbue/ I discovered some time based user enumeration in the wild with some pretty nice implications, so let’s discuss them. So firstly, what is time based user enumeration or tbue as I will refer to it for the rest of this post? Essentially tbue occurs in sites which do not return constant time responses regardless of if an account exists or not. You can think of it roughly speaking as the following code block: https://skelmis.co.nz/posts/passwordless-platform-1/ Mon, 19 Jun 2023 00:00:00 +0000 https://skelmis.co.nz/posts/passwordless-platform-1/ This project and by extension article are an on-going piece of work. Firstly, lets define some things. When I say site I mean a website with RBAC and user sign up, however, there should be no requirement for a password. This will hopefully be achieved through a phone which combines ‘something you have’ (The phone) and ‘something you know’ (Your phone creds). So I want to make a site that allows for user sign up, but you don’t need a password essentially. https://skelmis.co.nz/posts/nzcsc-2023/ Mon, 12 Jun 2023 00:00:00 +0000 https://skelmis.co.nz/posts/nzcsc-2023/ NZCSC tends to repeat challenges or at-least the themes of challenges yearly yet there is a distinct lack of resources such as write-ups from previous years. This aims to solve that while also just being a nice reference for things. “The S in NZCSC stands for stego” HexF The following write-ups are either nice, concise paths to the solution I’ve improved in post to remove extra fluff or the path I took to actually solve them including dead ends. https://skelmis.co.nz/cheatsheets/zsh/ Sun, 11 Jun 2023 00:00:00 +0000 https://skelmis.co.nz/cheatsheets/zsh/ I made my own ZSH theme which is basically half-life with tweaks that modify it to exactly what I want. Download it: curl https://skelmis.co.nz/skelmis.zsh-theme --output ~/.oh-my-zsh/themes/skelmis.zsh-theme Then in .zshrc modify ZSH_THEME to ZSH_THEME="skelmis" https://skelmis.co.nz/cheatsheets/secops/ Tue, 06 Jun 2023 00:00:00 +0000 https://skelmis.co.nz/cheatsheets/secops/ A lil collection of commands I find useful every so often. PNG file? Link to heading Try zsteg: gem install zsteg zsteg -a <filename>.png EVTX parser Link to heading https://github.com/williballenthin/python-evtx Zip directory traversal Link to heading Tool to create zips which may result in the unzipped items being placed in arbitrary locations https://github.com/ptoomey3/evilarc Deobfuscate JS Link to heading JS Nice https://skelmis.co.nz/cheatsheets/python-logging/ Tue, 06 Jun 2023 00:00:00 +0000 https://skelmis.co.nz/cheatsheets/python-logging/ Python has some beautiful logging. Here is my goto format: import logging logging.basicConfig( format="%(levelname)-7s | %(asctime)s | %(filename)12s:%(funcName)-12s | %(message)s", datefmt="%I:%M:%S %p %d/%m/%Y", level=logging.INFO, ) Sent here from a help forum? Link to heading If you’ve been sent the link to this page from some form of help forum with me asking for logs, use this please. import logging logging.basicConfig( format="%(levelname)-7s | %(asctime)s | %(filename)12s:%(funcName)-12s | %(message)s", datefmt="%I:%M:%S %p %d/%m/%Y", level=logging. https://skelmis.co.nz/posts/new-site/ Thu, 01 Jun 2023 00:00:00 +0000 https://skelmis.co.nz/posts/new-site/ After having my old site for nearly four years and various other readthedocs hosted sites for documentation, I have finally decided to condense it down into one site and Hugo was the perfect choice. I love markdown. I love not having to write CSS. This was perfect. This should be the new home of all my static content going forward. https://skelmis.co.nz/contact/ Mon, 01 Jan 0001 00:00:00 +0000 https://skelmis.co.nz/contact/ Drop me a line on my email: 145 164 150 141 156 155 153 150 62 100 147 155 141 151 154 56 143 157 155 Oops, looks like that’s not human-readable. Maybe it’s base 8? 👀 Otherwise, hit me up on Discord: skelmis