https://skelmis.co.nz/tags/research/ Recent content in Research on Skelmis Hugo en Wed, 31 Dec 2025 00:00:00 +0000 https://skelmis.co.nz/posts/c_sharp-pathing/ Wed, 31 Dec 2025 00:00:00 +0000 https://skelmis.co.nz/posts/c_sharp-pathing/ Background Link to heading During a security review this year I stumbled across some C# that at a glance looked fine. Turns out however it actually contained path traversal which was by design (of the language). After asking some of my friends who are familiar with C# they also went ‘huh thats weird’ so I figured I’d make this and share with you all. TLDR Link to heading If you are reviewing C# and come across Path. https://skelmis.co.nz/posts/file-faking/ Sat, 20 Jul 2024 00:00:00 +0000 https://skelmis.co.nz/posts/file-faking/ Recently during some personal research I came across a very interesting avenue for remote code execution (RCE). The program let you provide one argument to the command line before appending some flags after. Now it wasn’t “one” escapable argument, but was actually only one argument much to my disappointment. Due to this, we are unlikely to LOLBIN our way out of the situation. So instead, let’s talk about a tale of bypassing theoretical file validation within some file upload and how to convince Linux to then run arbitrary code via said file when the rough following command is typed into a shell! https://skelmis.co.nz/posts/rubber-duckys/ Fri, 06 Oct 2023 00:00:00 +0000 https://skelmis.co.nz/posts/rubber-duckys/ After attending BSides Canberra I managed to get one of the DigiSparks from Redacted who offered them up as a sort of home brew USB rubber ducky. Kudos to Tomais for actually getting me one. The DigiSpark for reference: Naturally I wanted to have some fun with it, and being primarily a linux user I developed the payload with that in mind. It took a fair amount of trial and error, but I ended up with a payload that was able to pull a script from this site, download it and execute. https://skelmis.co.nz/posts/cve-2023-41885/ Mon, 18 Sep 2023 00:00:00 +0000 https://skelmis.co.nz/posts/cve-2023-41885/ It started as “bring password hashing inline with industry best practices” and two weeks later ended as “BaseUser.login implementation is vulnerable to time based user enumeration”. So here’s how a PR to bring a package inline with security best practices lead to a CVE. Recently I moved, and am still in the processing of moving my websites to an ORM called Piccolo which provides a nice database layer, batteries included approach to working with FastAPI while allowing me; a former Django developer; the ability to easily build data driven platforms without the need to write SQL. https://skelmis.co.nz/posts/tbue/ Sat, 22 Jul 2023 00:00:00 +0000 https://skelmis.co.nz/posts/tbue/ I discovered some time based user enumeration in the wild with some pretty nice implications, so let’s discuss them. So firstly, what is time based user enumeration or tbue as I will refer to it for the rest of this post? Essentially tbue occurs in sites which do not return constant time responses regardless of if an account exists or not. You can think of it roughly speaking as the following code block: