https://skelmis.co.nz/tags/cyber-security/ Recent content in Cyber Security on Skelmis Hugo en Wed, 31 Dec 2025 00:00:00 +0000 https://skelmis.co.nz/posts/c_sharp-pathing/ Wed, 31 Dec 2025 00:00:00 +0000 https://skelmis.co.nz/posts/c_sharp-pathing/ Background Link to heading During a security review this year I stumbled across some C# that at a glance looked fine. Turns out however it actually contained path traversal which was by design (of the language). After asking some of my friends who are familiar with C# they also went ‘huh thats weird’ so I figured I’d make this and share with you all. TLDR Link to heading If you are reviewing C# and come across Path. https://skelmis.co.nz/posts/cve-2024-41808/ Mon, 05 Aug 2024 00:00:00 +0000 https://skelmis.co.nz/posts/cve-2024-41808/ This is a cross post from a research group blog post I made which can be found here OpenObserve vulnerability chain Link to heading TL;DR - OpenObserve deployments using version 0.9.1 or lower are vulnerable to the following privilege escalation chain: A malicious user submits logs via a service which sends logs to an OpenObserve instance. These logs contain malicious content. A site user attempts to create a dashboard, using the logging field containing malicious input. https://skelmis.co.nz/posts/file-faking/ Sat, 20 Jul 2024 00:00:00 +0000 https://skelmis.co.nz/posts/file-faking/ Recently during some personal research I came across a very interesting avenue for remote code execution (RCE). The program let you provide one argument to the command line before appending some flags after. Now it wasn’t “one” escapable argument, but was actually only one argument much to my disappointment. Due to this, we are unlikely to LOLBIN our way out of the situation. So instead, let’s talk about a tale of bypassing theoretical file validation within some file upload and how to convince Linux to then run arbitrary code via said file when the rough following command is typed into a shell! https://skelmis.co.nz/posts/cve-2024-37893/ Tue, 18 Jun 2024 00:00:00 +0000 https://skelmis.co.nz/posts/cve-2024-37893/ TL;DR - Even with MFA enabled on firefly III versions v6.1.16 and lower, an attacker is able to authorize OAuth applications against user accounts using only a username and password. Advisory can be found here. Firefly III is a personal finance manager which is both free and open source for anyone to use. After a recommendation from a colleague, I decided to spin up a version for myself. I configured my Firefly account with a strong password + MFA. https://skelmis.co.nz/posts/rubber-duckys/ Fri, 06 Oct 2023 00:00:00 +0000 https://skelmis.co.nz/posts/rubber-duckys/ After attending BSides Canberra I managed to get one of the DigiSparks from Redacted who offered them up as a sort of home brew USB rubber ducky. Kudos to Tomais for actually getting me one. The DigiSpark for reference: Naturally I wanted to have some fun with it, and being primarily a linux user I developed the payload with that in mind. It took a fair amount of trial and error, but I ended up with a payload that was able to pull a script from this site, download it and execute. https://skelmis.co.nz/posts/cve-2023-41885/ Mon, 18 Sep 2023 00:00:00 +0000 https://skelmis.co.nz/posts/cve-2023-41885/ It started as “bring password hashing inline with industry best practices” and two weeks later ended as “BaseUser.login implementation is vulnerable to time based user enumeration”. So here’s how a PR to bring a package inline with security best practices lead to a CVE. Recently I moved, and am still in the processing of moving my websites to an ORM called Piccolo which provides a nice database layer, batteries included approach to working with FastAPI while allowing me; a former Django developer; the ability to easily build data driven platforms without the need to write SQL. https://skelmis.co.nz/posts/tbue/ Sat, 22 Jul 2023 00:00:00 +0000 https://skelmis.co.nz/posts/tbue/ I discovered some time based user enumeration in the wild with some pretty nice implications, so let’s discuss them. So firstly, what is time based user enumeration or tbue as I will refer to it for the rest of this post? Essentially tbue occurs in sites which do not return constant time responses regardless of if an account exists or not. You can think of it roughly speaking as the following code block: https://skelmis.co.nz/posts/nzcsc-2023/ Mon, 12 Jun 2023 00:00:00 +0000 https://skelmis.co.nz/posts/nzcsc-2023/ NZCSC tends to repeat challenges or at-least the themes of challenges yearly yet there is a distinct lack of resources such as write-ups from previous years. This aims to solve that while also just being a nice reference for things. “The S in NZCSC stands for stego” HexF The following write-ups are either nice, concise paths to the solution I’ve improved in post to remove extra fluff or the path I took to actually solve them including dead ends. https://skelmis.co.nz/cheatsheets/secops/ Tue, 06 Jun 2023 00:00:00 +0000 https://skelmis.co.nz/cheatsheets/secops/ A lil collection of commands I find useful every so often. PNG file? Link to heading Try zsteg: gem install zsteg zsteg -a <filename>.png EVTX parser Link to heading https://github.com/williballenthin/python-evtx Zip directory traversal Link to heading Tool to create zips which may result in the unzipped items being placed in arbitrary locations https://github.com/ptoomey3/evilarc Deobfuscate JS Link to heading JS Nice