https://skelmis.co.nz/posts/ Recent content in Posts on Skelmis Hugo en Sun, 15 Mar 2026 00:00:00 +0000 https://skelmis.co.nz/posts/concurrency-is-hard/ Sun, 15 Mar 2026 00:00:00 +0000 https://skelmis.co.nz/posts/concurrency-is-hard/ Scaling software is often thought of as hard problem, yet it is one of the bits of software development I enjoy the most. It provides access to some niche bugs that aren’t simply ‘You forgot to add a ; to the end of the line’ but rather provide scenarios such as ‘What happens when N people attempt to use Y at exactly the same time? Are all requests served by the server? https://skelmis.co.nz/posts/c_sharp-pathing/ Wed, 31 Dec 2025 00:00:00 +0000 https://skelmis.co.nz/posts/c_sharp-pathing/ Background Link to heading During a security review this year I stumbled across some C# that at a glance looked fine. Turns out however it actually contained path traversal which was by design (of the language). After asking some of my friends who are familiar with C# they also went ‘huh thats weird’ so I figured I’d make this and share with you all. TLDR Link to heading If you are reviewing C# and come across Path. https://skelmis.co.nz/posts/cve-2024-41808/ Mon, 05 Aug 2024 00:00:00 +0000 https://skelmis.co.nz/posts/cve-2024-41808/ This is a cross post from a research group blog post I made which can be found here OpenObserve vulnerability chain Link to heading TL;DR - OpenObserve deployments using version 0.9.1 or lower are vulnerable to the following privilege escalation chain: A malicious user submits logs via a service which sends logs to an OpenObserve instance. These logs contain malicious content. A site user attempts to create a dashboard, using the logging field containing malicious input. https://skelmis.co.nz/posts/file-faking/ Sat, 20 Jul 2024 00:00:00 +0000 https://skelmis.co.nz/posts/file-faking/ Recently during some personal research I came across a very interesting avenue for remote code execution (RCE). The program let you provide one argument to the command line before appending some flags after. Now it wasn’t “one” escapable argument, but was actually only one argument much to my disappointment. Due to this, we are unlikely to LOLBIN our way out of the situation. So instead, let’s talk about a tale of bypassing theoretical file validation within some file upload and how to convince Linux to then run arbitrary code via said file when the rough following command is typed into a shell! https://skelmis.co.nz/posts/cve-2024-37893/ Tue, 18 Jun 2024 00:00:00 +0000 https://skelmis.co.nz/posts/cve-2024-37893/ TL;DR - Even with MFA enabled on firefly III versions v6.1.16 and lower, an attacker is able to authorize OAuth applications against user accounts using only a username and password. Advisory can be found here. Firefly III is a personal finance manager which is both free and open source for anyone to use. After a recommendation from a colleague, I decided to spin up a version for myself. I configured my Firefly account with a strong password + MFA. https://skelmis.co.nz/posts/discord-bot-sharding-and-clustering/ Thu, 28 Dec 2023 00:00:00 +0000 https://skelmis.co.nz/posts/discord-bot-sharding-and-clustering/ Table of contents What is sharding Sharding in Python libraries What is clustering How to cluster your bot Note: This content relates directly to the experiences of the author. You should tailor your solution to your bots needs as at this scale, everyone has different requirements. What is sharding Link to heading Sharding is the process by which Discord helps to alleviate load by forcing your bot to create multiple connections to Discord to split the load. https://skelmis.co.nz/posts/suggestions-server-december-outage/ Sun, 24 Dec 2023 00:00:00 +0000 https://skelmis.co.nz/posts/suggestions-server-december-outage/ TLDR; We had moved our database onto the same machine as our software a few months earlier, removing all replication in the process and never re-configuring it. Then our server proceeded to brick itself and our hosting provider was unsure if it could be recovered. It was in the end, but that’s how we nearly lost 1.95 million database records and ruined Christmas. And yes, you bet we have off-site backups again. https://skelmis.co.nz/posts/rubber-duckys/ Fri, 06 Oct 2023 00:00:00 +0000 https://skelmis.co.nz/posts/rubber-duckys/ After attending BSides Canberra I managed to get one of the DigiSparks from Redacted who offered them up as a sort of home brew USB rubber ducky. Kudos to Tomais for actually getting me one. The DigiSpark for reference: Naturally I wanted to have some fun with it, and being primarily a linux user I developed the payload with that in mind. It took a fair amount of trial and error, but I ended up with a payload that was able to pull a script from this site, download it and execute. https://skelmis.co.nz/posts/fenz-analysis/ Tue, 19 Sep 2023 00:00:00 +0000 https://skelmis.co.nz/posts/fenz-analysis/ Did you know Fire and Emergency New Zealand (FENZ) publish incident reports? Well they do, and you can read them here. Naturally, the software developer and “Oooo pretty graph” in me decided I wanted to look at the data, and so I created a little tool for myself to gather some information to build this post. Disclaimer Caveat for this data and my inferences: the data supplied is an extract from the ICAD reporting system maintained by Fire and Emergency New Zealand. https://skelmis.co.nz/posts/cve-2023-41885/ Mon, 18 Sep 2023 00:00:00 +0000 https://skelmis.co.nz/posts/cve-2023-41885/ It started as “bring password hashing inline with industry best practices” and two weeks later ended as “BaseUser.login implementation is vulnerable to time based user enumeration”. So here’s how a PR to bring a package inline with security best practices lead to a CVE. Recently I moved, and am still in the processing of moving my websites to an ORM called Piccolo which provides a nice database layer, batteries included approach to working with FastAPI while allowing me; a former Django developer; the ability to easily build data driven platforms without the need to write SQL. https://skelmis.co.nz/posts/tbue/ Sat, 22 Jul 2023 00:00:00 +0000 https://skelmis.co.nz/posts/tbue/ I discovered some time based user enumeration in the wild with some pretty nice implications, so let’s discuss them. So firstly, what is time based user enumeration or tbue as I will refer to it for the rest of this post? Essentially tbue occurs in sites which do not return constant time responses regardless of if an account exists or not. You can think of it roughly speaking as the following code block: https://skelmis.co.nz/posts/passwordless-platform-1/ Mon, 19 Jun 2023 00:00:00 +0000 https://skelmis.co.nz/posts/passwordless-platform-1/ This project and by extension article are an on-going piece of work. Firstly, lets define some things. When I say site I mean a website with RBAC and user sign up, however, there should be no requirement for a password. This will hopefully be achieved through a phone which combines ‘something you have’ (The phone) and ‘something you know’ (Your phone creds). So I want to make a site that allows for user sign up, but you don’t need a password essentially. https://skelmis.co.nz/posts/nzcsc-2023/ Mon, 12 Jun 2023 00:00:00 +0000 https://skelmis.co.nz/posts/nzcsc-2023/ NZCSC tends to repeat challenges or at-least the themes of challenges yearly yet there is a distinct lack of resources such as write-ups from previous years. This aims to solve that while also just being a nice reference for things. “The S in NZCSC stands for stego” HexF The following write-ups are either nice, concise paths to the solution I’ve improved in post to remove extra fluff or the path I took to actually solve them including dead ends. https://skelmis.co.nz/posts/new-site/ Thu, 01 Jun 2023 00:00:00 +0000 https://skelmis.co.nz/posts/new-site/ After having my old site for nearly four years and various other readthedocs hosted sites for documentation, I have finally decided to condense it down into one site and Hugo was the perfect choice. I love markdown. I love not having to write CSS. This was perfect. This should be the new home of all my static content going forward.