lavafroth

Easy SSH Tunnel

Tue, 03 Feb 2026 17:14:13 +0530

Sometimes I forget the correct syntax to tunnel a port through SSH but I don’t want to read through a bunch of AD infested websites.

This simple tool outputs the command to run on the local machine.

You can edit the local port, remote host and port, and traffic direction.

Easy SSH tunnel

Local port Traffic direction Remote port Connect to

Step to the 💗 beat

Sun, 18 Jan 2026 08:06:06 +0530

My first procedurally generated animation using shaders.

The shader can be visualized with glslViewer.

uniform vec2 u_mouse;
uniform vec2 u_resolution;
uniform float u_time;

void main (void) {
 vec2 st = gl_FragCoord.xy/u_resolution.xy;
 float aspect = u_resolution.x/u_resolution.y;
 st.x *= aspect;

 // positioning shenanigans
 st.x = st.x * 2.0 - 1.8;
 st.y = st.y * 2.0 - 0.9;

 float r = st.x*st.x + st.y*st.y - abs(st.x)*st.y;
 r *= 2.0;

 float duration = 3.0;
 float bin = 0.1;
 float scaled_time = fract(u_time/duration);
 float loop = scaled_time * 2.0 - 1.0;
 float r_disc = floor((r + loop*loop)/bin) * bin;

 vec3 deep_pink = vec3(0.917, 0.235, 0.478);
 vec3 light_pink = vec3(0.976, 0.780, 0.803);

 if (r_disc >= 1.0) {
 gl_FragColor = vec4(deep_pink, 1.0);
 return;
 }
 vec3 color = mix(deep_pink, light_pink, r_disc);
 gl_FragColor = vec4(color,1.0);
}

I tinkered around for quite a while before discovering that I can intersect two $xy$ skewed ellipses with the absolute value operator. Here’s my custom equation for the heart shape.

Working With LUKS File Stashes

Thu, 01 Jan 2026 07:24:36 +0530

LUKS is an incredible solution for encrypting entire partitions in Linux. Often times, however, we can’t afford to create new partitions inside a disk without having to completely format the drive anew.

This post will guide you through the process of creating and working with LUKS container files that are encrypted at rest and can be decrypted on demand with knowledge of the passphrase.

Creating the image base

head --bytes=4G /dev/urandom > stash.img

Format the image

The image can be formatted by either including the header in the image itself or keeping a detached header.

Algebraic Python Enums

Sun, 02 Nov 2025 19:08:46 +0530

University has compelled me to use Python despite my preference for Rust, primarily due to the machine learning and data science hype. One Rust feature that I dearly miss is enumerable data types that can encapsulate various other data types.

Although Python has the answer to creating structs as dataclasses, including support for structural match expressions in recent versions, most tutorials will suggest Union types as the equivalent to Rust’s enums.

I highly encourage you to try out the code snippets and follow along with this article. Use the collapse explanation button to copy multiple code blocks in one go.

NixOS Notes to Self

Sun, 14 Sep 2025 18:31:52 +0530

A dedicated post collecting solutions to minor NixOS headaches.

`nixos-rebuild` shows no network activity

On rare occasions, a system rebuild will get stuck while downloading a package from a source. No network activity, no timeout, no writes to the nix store.

root@rahu /h/u/dotfiles (main)# nixos-rebuild boot --flake .
building the system configuration...
[0/9 built, 1/0/1 copied (0.0/681.0 MiB), 0.0/670.5 MiB DL] fetching linux-firmware-20250808-zstd from https://cache.nixos.org

This issue persists if the build command is simply rerun. According to @manveru from the NixOS discourse, nix-daemon has a bug where it might not close a connection to the source, with no timeout context. Force kill it with

Privacy Policy

Sat, 30 Aug 2025 09:00:14 +0530

This site does not use cookies or <link> any third party resources to track you. The site theme changes based on your theme preference propagated by your browser.

Posts here can be viewed without javascript excepting live demos. The only feature relying on javascript is the search.

Guide: Changing Recents Provider on /e/OS

Wed, 20 Aug 2025 09:55:43 +0530

Overview

Over the past month I have been daily driving my new phone, the Nothing CMF 1 flashed with /e/OS after I unlocked its bootloader. It’s a very pleasant experience except for the default Bliss launcher (home app).

Reasons I do not prefer it:

iOS like feel
Icons can’t be rearranged
Pull down from top opens search instead of notification shade
Consumes a lot of RAM

I started using Lawnchair as my default launcher but this did not change the recents provider (quickstep) from BlissLauncher to Lawnchair.

✨

Tue, 15 Jul 2025 11:52:20 +0530

Easy grep to detect stripped Go binaries

Fri, 13 Jun 2025 08:39:58 +0530

A couple of days ago when I was reading the guide to the Go garbage collector, I came across the following excerpt:

When all else fails, the Go GC provides a few different specific traces that provide much deeper insights into GC behavior. These traces are always printed directly to STDERR, one line per GC cycle, and are configured through the GODEBUG environment variable that all Go programs recognize.

An environment variable that all Go programs recognize, you say? I had a sneaking suspicion that I could just perform a string search for this term, given all Go programs would need to look for this environment variable definition. This way, we could guess if a binary was written in Go.

Need a hand?

Thu, 03 Apr 2025 15:56:04 +0530

The tides

Over the past few months, a sizable fraction of my developer peers have taken to AI tools. Beckoned from under a rock by the light of day, I was taken aback by this rising wave of vibe coding.

They claim AI tools to be phenomenal for frontend technologies like React and NextJS. The selling point? Context aware autocompletes and agent mode.

Context aware autocompletes happen when the model watches your code so it can suggest autocompletes while you code.

In search of the smallest DNA complement function

Fri, 14 Feb 2025 09:40:11 +0530

For the past few weeks, I have been trying to come up with a fast and purely agebraic function to convert DNA bases to their respective complements.

Problem statement

Our goal is rather straightforward. We aim to create a mapping of the characters a, t, g, c and n to their respective complements. We choose to keep our solution one step behind the classical reverse complement which reverses the string after the mapping.

Building an in-browser Manim clone

Mon, 20 Jan 2025 19:41:51 +0530

Note: The following interactive animation requires JavaScript to render. Please enable it if it isn’t already.

A live, in-browser demo of PROJECT_MANA.

Feel free to look around: rotate, zoom or pan the 3D view.

Frames for the outline animation will be recomputed on the fly! The hardcoded duration for the animation is 5 seconds in this example.

PicoCTF SansAlpha Writeup

Sun, 05 Jan 2025 11:55:52 +0530

Hey everyone, since 2024 hasn’t seen a lot of posts on this blog, I plan to start this year off by going back to the roots.

I’ll be focusing on posting more CTF writeups again! Today’s challenge is SansAlpha from PicoCTF. The challenge description states

The Multiverse is within your grasp! Unfortunately, the server that contains the secrets of the multiverse is in a universe where keyboards only have numbers and (most) symbols.

A Tale of a Frugal Home Server

Sat, 04 Jan 2025 10:04:37 +0530

Having run an on-premise server for the past two years, I think my setup has finally matured enough to be worth talking about.

At any point, you can check out the source code for the server’s infrastructure here for a concrete example. For each service I talk about, I will also link the respective definitions in my config.

My minimalist mindset has unsurprisingly aided the architecture of my server. Throughout the rest of the post, you will come across the following broad strokes:

NixOS Secureboot Shenanigans

Fri, 20 Dec 2024 12:26:10 +0530

Key takeaways

This issue only pertains to secureboot on NixOS using lanzaboote. Most Linux users have secureboot disabled. If you are paranoid like me and have enabled it, continue reading.
Make sure to track the latest version of lanzaboote. (example)
Set the PKI bundle location to the newer sbctl default. (example)

Deprecated `overrideScope'`

For the past few months, I started noticing this new warning when rebuilding my system with nixos-rebuild.

Wrapping up GSoC 2024

Sat, 24 Aug 2024 10:28:50 +0530

Overview

Hello and welcome to the final GSoC post for 2024! My task was to formalize the SWHKD parser using context-free EBNF notation. This post is to serve as a birdseye view of what I have developed over this summer.

Report

Architecting the parser

I started out with the scaffolding of the parser in an extended Backus-Naur form garmmar template in a separate repository called SWEET using a Rust framework called pest.rs. Quite a lot of time was spent in modelling the architecture of the syntax tree for our domain specific language.

Painlessly setting up ML tooling on NixOS

Sat, 10 Aug 2024 08:18:30 +0530

Note: Use the following method only if you wish to have the latest version of CUDA that is not yet available in the nix-community cache, otherwise follow this.

TL;DR: Save this flake, run nix develop and setup PyTorch as described

CUDA is a proprietary vendor lock-in for machine learning folks. Training ML models is incredibly fast with CUDA as compared to CPUs due to the parallel processing. So if you’re doing something serious, you have no other choice besides CUDA as of writing. Although, OpenAI’s Triton and ZLUDA are worth keeping an eye on.

Amateur Blender Sculpture

Sat, 03 Aug 2024 17:50:00 +0530

This is my first time trying out sculpting in blender, so forgive me for the quality of the sculpt. I’m still pretty much in the learning stage. Big thank you to Nichole Sebastian for the reference photo. Also apologies if the empty eye sockets gave you a jumpscare.

How I Use SWHKD in My Workflow

Thu, 01 Aug 2024 17:17:31 +0530

SWHKD is the project that I have been working on for the past few months as a part of Google Summer of Code for this year. Now that we are done with the development process, I want to talk about why I wanted to improve the project. Although the easy answer is to get paid or to get a more production facing OSS development experience, for me, the most important driving force is using it in my own workflow.

Polishing and Bugfix Week

Mon, 29 Jul 2024 13:46:41 +0530

Hello and welcome to the last instalment in the series where we build a parser for a domain specific langauge in Rust. Please go through the previous articles since this article assumes you are aware of such contextual details.

Let’s start with the bugfixes.

Eagerly removing unbinds

While going through the tests, I figured that the prior parser eagerly parses unbinds and removes said keystroke combinations from our binding set. Unlike the previous iteration, our iteration had unbinds as a separate set which deferred the task of the removing the set intersection to the upstream crate instead.

Humans Suck at Command Sanitization

Wed, 17 Jul 2024 07:55:34 +0530

Hello and welcome to the eighth instalment in the series where we build a parser for a domain specific language in Rust. I’d highly recommend going through the previous articles to make sense of what we’ll talk about today.

Previously, we had built the scaffolding for modes to bind shortcuts to. Today, we’ll create the mechanism to invoke commands in the contexts of the modes that can be built.

Now, SWHKD has a clever way to enter (and escape) mode contexts with inside commands by chaining subcommands and mode instructions with double ampersands. Consider the following example:

Preventing Infinite Recursions From Eating Your Lunch

Thu, 04 Jul 2024 09:57:01 +0530

After a bit of back and forth with my mentor, we landed on moving the logic that imports other config files into the parser crate itself. Config files can reference other modules using import statements of the following form:

Test Driven Development - The Pinnacle of Engineering

Mon, 24 Jun 2024 08:45:49 +0530

Hello and welcome to the seventh instalment in the series where we build a parser for a domain specific language in Rust. I would highly recommend you to go through the previous articles to make sense of what we’ll talk about today.

Tying loose ends

Up until the last post, we had covered quite some ground, from building elementary expressions to the penultimate levels of abstraction for macroscopic expressions.

Let’s begin today’s conversation by finishing off where we left off. For us to be able to parse an entire config file, we must have one main rule. We combine all of the primitives that we have built so far: comments, modes, bindings, unbinds and imports into a blanket content expression.

Drowning

Tue, 18 Jun 2024 09:30:00 +0530

A cyborg head sinking in a pool of water. What more did you expect? Here’s a timelapse.

This Error

Tue, 18 Jun 2024 09:30:00 +0530

My first hand drawn YouTube thumbnail, I’m might continue using lawyer ferris as my mascot both due to ferris being in the public domain as well as the sheer memeworthiness of the debacle.

Modes, Unbinds and Other Ensembled Parser Patterns

Mon, 10 Jun 2024 08:27:06 +0530

Hello and welcome to the sixth instalment in this series where we build a parser for a domain specific language from scratch. I would highly recommend you to go through the previous articles to make sense of what we’ll talk about today.

So far, we have built ranges, shorthands and bindings, starting all the way down from primitives such as keys and modifiers. Continuing with the theme, we will ensemble these patterns together along with some newer syntax to build modes.

I Solemnly Swear to Never Buy a Gaming Laptop Again

Fri, 07 Jun 2024 17:01:01 +0530

Around half a decade ago, I bought an Asus gaming laptop, one I’m currently using to write this article. Although it came preinstalled with Windows, I never let it even boot and instead opted for linux. Bill Gates can cry a river.

Despite switching distros multiple times, one sporadical issue my setup suffered from was the wireless card dying after a few minutes of booting the box. The only solution to this was to reboot my computer, classic!

Modeling More Realistic Keybinds With Modifiers

Wed, 05 Jun 2024 10:26:13 +0530

Real world keybindings for shortcuts often involve more than just a simple keypress, especially outside the context of a single application. The general distinction for these two types involves modifier keys. When I talk about a shortcut bound to super v, chances are you automatically think of global bindings at the operating system or desktop environment level. Today we’ll go through the process of writing the grammar for these bindings for swhkd.

Edge cases? You Shall Not Pass!

Mon, 03 Jun 2024 08:18:19 +0530

This post is a part of a series that explains the architecture of the config parser I am building for swhkd as a part of Google Summer of Code. I highly recommend reading through the previous posts as I’ll be referring to them from time to time.

In the last post I talked about key attributes that can be used as prefix to denote the timing of an event, on key press (send / ~) or release (on_release / @). One nuanced case we did not cover was the use of these attributes inside shorthands.

Timing is Key: A Tale of Keystrokes and Timings

Wed, 29 May 2024 21:18:22 +0530

Whether you’re playing a video game or competing in a constrained attack-defense CTF, your keystroke timings matter. We at waycrate value your precision, to the extent that you can configure your keybindings to perform actions either on a key’s press or a release.

Hi, my name’s Himadri and this post is a part of a series explaining how we (basically just me) are rewriting the config parser for swhkd using EBNF grammar. I highly recommend reading the previous posts because I’ll be referring to them from time to time. In the last post, we talked about regular keys that form the foundation of bindings. However, we glossed over the send and on_release expressions in the code.

Keep the Keys Clackin'

Mon, 27 May 2024 08:59:29 +0530

This is the second post in a series of posts I’m writing for Google Summer of Code. Each post covers a separate topic. While the previous posts might have given you an overview of ideas, this post will delve into more technical details. I highly recommend reading the previous posts because I will refer to them from time to time.

Let’s begin with why we chose EBNF grammar in pest.rs instead of regular expressions.

2 Afternoons, 2 Languages, 2 TUIs

Thu, 23 May 2024 18:37:47 +0530

Yesterday I created a tool in Golang to help me render my animations a little faster. Although the alterior reason was to check my Golang proficiency, today I rewrote it in Rust and I was blown away by the differences in the final products.

When I’m rendering animations for a YouTube video, the general development iteration comprises me creating or modifying a file, switching to a different terminal pane and manually issuing a manim command for the respective file to render and play the animation. My goal was to automate the last two processes, switching terminal panes and manually issuing a command. The idea is to have a tool running in the background that listens for filesystem events, like when a file gets created or modified, and if the file happens to contain an animation, renders it. On linux systems, it’s mostly a bunch of bindings to inotify but I have used platform agnostic libraries for both the languages.

A SWEET Little Parser

Fri, 17 May 2024 07:52:44 +0530

A few days ago, I had announced my project for this year’s Google Summer of Code. Today I’ll be explanding upon that. I believe that to construct a good grammar, I should be able to understand and explain it well. So here goes.

General Idea

SWHKD’s grammar parser, although similar to tools before it like sxhkd, has a more coherent syntax. For starters, every binding declaration is one or more accelerators followed by a composite key.

Wayland Tools Rock!

Fri, 17 May 2024 07:52:44 +0530

Hey folks. Quite a few months have passed since I last posted here. As you might have known from my earlier posts, I’ve been daily driving Wayland instead of Xorg on my NixOS setup for quite some time now.

One of the tools I stumbled upon while writing my voice automation abomination was SWHKD (Simple Wayland HotKey Daemon). It’s a spiritual successor to sxhkd from the Xorg world and in a sense better than the former because it works not only in wayland sessions but also under X and TTY sessions!

Using an Android Phone as a webcam in NixOS

Sun, 10 Mar 2024 08:47:08 +0530

I recently had to attend an online meeting for a software development event. While my PC did have a decent microphone, the built-in camera has been damaged to the extent that the best it can capture is this:

No, it’s not a close-up of the moon, it’s the refraction caused by the scuffs to the lens plus other sciency stuff I’m not qualified enough to explain to you.

Throwing knives

Fri, 19 Jan 2024 09:30:00 +0530

An unfinished animation with a focus on anatomy. Thank you Polina Tankilevitch for the reference video.

Kringlecon 2023 Writeup

Wed, 10 Jan 2024 19:51:32 +0530

Happy new year everyone! As every year, I’ll begin this one with sharing my writeup for the 2023 Holiday Hack Challenge for Kringlecon. I must warn you, I was unable to finish all the challenges due to other life events.

With that out of the way, enjoy the writeup!

Christmas Island: Orientation

Cranberry Pi

This is a sanity check question to kick the tires. The answer to it simply is answer.

Abstracting Structured Patterns in Concurrent Programming

Wed, 06 Dec 2023 10:58:10 +0530

I hope this article provides a solid blueprint for building a concurrency management API. If you have questions or feel that I have missed something, feel free to talk about it in this repository’s issue tracker or the discussion board.

In recent months, I have come across multiple articles talking about the need of structured concurrency in modern programming languages as a built-in. Notably, in the article Notes on structured concurrency, or: Go statement considered harmful, the author compares the go statement used to spawn coroutines to goto statements used for jumping to other parts of code in early languages like COBOL.

Headache

Thu, 07 Sep 2023 07:03:27 +0530

This challenge involves reverse engineering a polymorphic binary, one that modifies its own instructions during runtime.

Essentially, the binary checks if the current character equals a known value and xor decrypts the next section where the code jumps to. If the characters don’t match, the logic short-circuits and the program exits.

This process of checking the character and decrypting the next branch continues like opening up a Matryoshka doll until the last branch which returns instead of calling the decryption subroutine.

Compact XOR

Thu, 24 Aug 2023 18:05:59 +0530

Description

I found some hex in a file called fleg, but I’m not sure how it’s encoded. I’m pretty sure it’s some kind of xor…

Exploration

We begin by creating a new rust project.

cargo new amateurs
cd amateurs
cargo add hex
cargo add itertools

Let’s decode the hexadecimal contents of the file using the following Rust code:

fn main() -> Result<(), Box<dyn std::error::Error>> {
 let bytes = hex::decode("610c6115651072014317463d73127613732c73036102653a6217742b701c61086e1a651d742b69075f2f6c0d69075f2c690e681c5f673604650364023944")?;
 let stream = String::from_utf8_lossy(&bytes);
 println!("{:?}", stream);
 Ok(())
}

To execute the code, issue the following.

Volcano

Fri, 21 Jul 2023 18:29:59 +0530

This reversing challenge is very mathematical, focusing mainly on modulo congruences. Like all challenges, there is some scary looking obfuscation for the fun which I’ll try my best to explain. The challenge description says that it was inspired by recent “traumatic” events but I’m oblivious to what that reference meant.

Decompilation

We start off with downloading the binary and opening it in Ghidra.

In the list of functions under the Symbol Tree, we can navigate to the entry function which looks like:

Waiting an Eternity

Wed, 19 Jul 2023 07:53:17 +0530

This was a fairly straightforward and fun challenge that required a bit of common sense to solve. We are given the URL https://waiting-an-eternity.amt.rs to begin with.

Let’s use curl with its verbose flag to fetch this URL.

curl -v "https://waiting-an-eternity.amt.rs"

We get a response that tells us to wait an enternity.

> GET / HTTP/2
> Host: waiting-an-eternity.amt.rs
> User-Agent: curl/8.1.1
> Accept: */*
> 
< HTTP/2 200 
< content-type: text/html; charset=utf-8
< date: Tue, 18 Jul 2023 04:28:52 GMT
< refresh: 1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000; url=./secret-site?secretcode=5770011ff65738feaf0c1d009caffb035651bb8a7e16799a433a301c0756003a
< server: gunicorn
< content-length: 21
< 
* Connection #0 to host waiting-an-eternity.amt.rs left intact
just wait an eternity

On closer inspection, the refresh header with the gigantic number sticks out like a sore thumb.

I Switched to NixOS

Sat, 08 Jul 2023 09:29:34 +0530

Hi. It’s been quite a while since I had last posted. I had been spending my time on some programming projects that withheld me from even participating in CTFs. Tired of this workflow that I somehow spiraled into, I’m now seeking to learn new things in an attempt to break out of this workflow.

The End of an Overarching Journey

As any of my long time audience might be familiar with, I daily drove Arch Linux. A very flexible distribution, Arch allows beginners to get a good grasp of the Linux way of doing things. It has an amazing package manager as well as a user repository for extra software unavailable in the official repositories. It’s rather easy to setup Arch for gaming, thanks to programs like Lutris and Bottles.

Twosum

Mon, 10 Apr 2023 08:44:28 +0530

This is a rather simple binary exploitation challenge. We are given the following source code for the program running on the remote server:

#include <stdio.h>
#include <stdlib.h>

static int addIntOvf(int result, int a, int b) {
 result = a + b;
 if(a > 0 && b > 0 && result < 0)
 return -1;
 if(a < 0 && b < 0 && result > 0)
 return -1;
 return 0;
}

int main() {
 int num1, num2, sum;
 FILE *flag;
 char c;

 printf("n1 > n1 + n2 OR n2 > n1 + n2 \n");
 fflush(stdout);
 printf("What two positive numbers can make this possible: \n");
 fflush(stdout);
 
 if (scanf("%d", &num1) && scanf("%d", &num2)) {
 printf("You entered %d and %d\n", num1, num2);
 fflush(stdout);
 sum = num1 + num2;
 if (addIntOvf(sum, num1, num2) == 0) {
 printf("No overflow\n");
 fflush(stdout);
 exit(0);
 } else if (addIntOvf(sum, num1, num2) == -1) {
 printf("You have an integer overflow\n");
 fflush(stdout);
 }

 if (num1 > 0 || num2 > 0) {
 flag = fopen("flag.txt","r");
 if(flag == NULL){
 printf("flag not found: please run this on the server\n");
 fflush(stdout);
 exit(0);
 }
 char buf[60];
 fgets(buf, 59, flag);
 printf("YOUR FLAG IS: %s\n", buf);
 fflush(stdout);
 exit(0);
 }
 }
 return 0;
}

In order to trigger the program to disclose the flag, we need to supply two numbers that are greater that 0 and result in an integer overflow. Since this is C and there is no integer overflow check, we can simply supply the maximum interger value for the first number and the value 1 for the second. Adding them would cause the result to wrap around and become negative.

Java Code Analysis!?!

Sat, 18 Mar 2023 07:10:17 +0530

To get started we are given the username “user” and password “user” to log into the BookShelf Pico web application. We are also given the source code of the application.

Taking a look at the src/main/java/io/github/nandandesai/pico/security subdirectory of the project, we see that it uses JWT.

Interestingly, the file SecretGenerator.java in the aforementioned directory contains a weak hardcoded “random” value 😱.

@Service
class SecretGenerator {
 private Logger logger = LoggerFactory.getLogger(SecretGenerator.class);
 private static final String SERVER_SECRET_FILENAME = "server_secret.txt";

 @Autowired
 private UserDataPaths userDataPaths;

 private String generateRandomString(int len) {
 // not so random
 return "1234";
 }

 String getServerSecret() {
 try {
 String secret = new String(FileOperation.readFile(userDataPaths.getCurrentJarPath(), SERVER_SECRET_FILENAME), Charset.defaultCharset());
 logger.info("Server secret successfully read from the filesystem. Using the same for this runtime.");
 return secret;
 }catch (IOException e){
 logger.info(SERVER_SECRET_FILENAME+" file doesn't exists or something went wrong in reading that file. Generating a new secret for the server.");
 String newSecret = generateRandomString(32);
 try {
 FileOperation.writeFile(userDataPaths.getCurrentJarPath(), SERVER_SECRET_FILENAME, newSecret.getBytes());
 } catch (IOException ex) {
 ex.printStackTrace();
 }
 logger.info("Newly generated secret is now written to the filesystem for persistence.");
 return newSecret;
 }
 }
}

This string “1234” is used as the secret for the JSON web token.

Java Script Kiddie 2

Fri, 03 Mar 2023 09:47:54 +0530

The challenge

This is a web challenge involving javascript, meaning most of the solution is going to be client side. We are asked to visit the challenge page.

From here, we can view the source code of the page.

<html>
	<head> 
		<script src="jquery-3.3.1.min.js"></script>
		<script>
			var bytes = [];
			$.get("bytes", function(resp) {
				bytes = Array.from(resp.split(" "), x => Number(x));
			});

			function assemble_png(u_in){
				var LEN = 16;
				var key = "00000000000000000000000000000000";
				var shifter;
				if(u_in.length == key.length){
					key = u_in;
				}
				var result = [];
				for(var i = 0; i < LEN; i++){
					shifter = Number(key.slice((i*2),(i*2)+1));
					for(var j = 0; j < (bytes.length / LEN); j ++){
						result[(j * LEN) + i] = bytes[(((j + shifter) * LEN) % bytes.length) + i]
					}
				}
				while(result[result.length-1] == 0){
					result = result.slice(0,result.length-1);
				}
				document.getElementById("Area").src = "data:image/png;base64," + btoa(String.fromCharCode.apply(null, new Uint8Array(result)));
				return false;
			}
		</script>
	</head>
	<body>

		<center>
			<form action="#" onsubmit="assemble_png(document.getElementById('user_in').value)">
				<input type="text" id="user_in">
				<input type="submit" value="Submit">
			</form>
			<img id="Area" src=""/>
		</center>

	</body>
</html>

Let’s break it down. We are going to begin with the contents in the script tags. First, the script fetches a blob of whitespace separated numbers into the variable bytes.

Some Assembly Required 3

Thu, 09 Feb 2023 16:39:08 +0530

This is a web exploitation challenge from 2021. It’s pretty old but has less solves as of writing this post. I figured, it’s worth talking about.

We are told to visit http://mercury.picoctf.net:60022/index.html where we find a simple textbox prompting us to submit the flag.

Looking at the page source by pressing ctrl u, we see that it is sourcing javascript code from rTEuOmSfG3.js.

<script src="rTEuOmSfG3.js"></script>

While examining the javascript, we will notice that it is obfuscated and packed. Put this through de4js to prettify it.

Kringlecon 2022 Writeup

Mon, 09 Jan 2023 10:36:35 +0530

This writeup is rather haphazard as I jumped around from one place to another solving different unrelated challenges. Although the writeup covers all the challenges, it definitely is not sequential. Just wanted to point that out before diving in.

Clone with a Difference

This challenge wants us to clone a git repository. It’s using git with ssh for cloning which doesn’t seem to work.

git clone git@haugfactory.com:asnowball/aws_scripts.git

We can clone this the HTTPS way:

Pixelated

Tue, 22 Nov 2022 09:25:20 +0530

This challenge gives use two images and asks us if we can make a flag out of them. At first glance, both the images look like noise. Upon a quick web lookup of visual cryptography, it appears that these separate images, known as shares of the original image, can be overlayed on each other to reconstruct the original image.

Exploration

Now, I’m pretty sure that there are online services that will automatically solve these but I decided to write some code to solve this locally. For the past week, I’ve been learning the Rust programming language and this was the perfect excuse to test my knowledge.

Treebox

Fri, 19 Aug 2022 10:04:36 +0530

This challenge asks for python code as an input, converts it into an AST (abstract syntax tree) and if there aren’t any function calls or imports, executes the code.

Our goal here is to avoid explicitly calling any functions yet reading the flag located at flag. We also can’t import any modules explicitly.

The source code provided with the challenge imports the sys module giving us an opportunity to chain its functionalities.

I Saw a Little Elf

Fri, 19 Aug 2022 09:57:34 +0530

Introduction

This challenge asks us to connect to an webpage with a base64 encoded message. If we try to decode the message manually, the decoded message ends up either in a reversed ELF (Executable and Linkable Format) binary or more base64 to be decoded.

Trying this multiple times, it becomes apparent that the challenge reverses an ELF binary, encodes it one or more times in base64 and sends it to us. If we run the executable, we are given a string which we must send to the challenge endpoint through the r HTTP GET query parameter. The real challenge is to do this within the few seconds before the server resets the challenge.

RingZer0 CTF Hash Me Reloaded

Fri, 19 Aug 2022 09:57:15 +0530

In this RingZer0 challenge, we are to visit the challenge url where we are given 2 seconds to SHA512 hash the message represented by the binary provided string. We must send the response with the request parameter r. Let’s write a go program to do that.

First let’s declare the url as a constant.

const uri = "http://challenges.ringzer0team.com:10014/"

We fetch the challenge page and defer closing its body once the program ends.

Hash Me Please

Fri, 19 Aug 2022 09:57:00 +0530

In this RingZer0 challenge, we are asked to visit http://challenges.ringzer0team.com:10013/ and are given 2 seconds to hash the provided message using the SHA512 algorithm. We must send the response as http://challenges.ringzer0team.com:10013/?r=response and to do that, we’ll be using some Golang.

Let’s declare the URI as a constant.

const uri = "http://challenges.ringzer0team.com:10013/"

We fetch the challenge page using the Get function from the http standard library, checking for errors along the way.

resp, err := http.Get(uri)
if err != nil {
	log.Fatalln(err)
}

We defer closing the response body when the program ends.

Oh my God, they killed Kenny!

Tue, 02 Aug 2022 09:26:51 +0530

Introduction

Despite its infamy for profanity and dark, satiric humor, I’ve been a huge fan of South Park over the years. I’d like you to try out a random episode of South Park. Before you walk away saying, “Screw you guys, I’m going home”, I’ll be sharing a little trick to watch a random episode without even launching the browser.

Prerequisites:

Nushell
mpv
youtube-dl or yt-dlp

Gone scripting

South Park’s official website has a route called random-episode which redirects us to, well, a random episode. The redirection, however, is done using javascript instead of regular HTTP status codes like 302. This meant, one couldn’t simply run the following and expect to see a video.

Bash Jail 3

Sun, 24 Jul 2022 12:29:56 +0530

The challenge

Logging into the box we are told that the flag is located at /home/level3/flag.txt.

function check_space { 
 if [[ $1 == *[bdksc]* ]] 
 then 
 return 0 
 fi 
 
 return 1 
} 
 
while : 
do 
 echo "Your input:" 
 read input 
 if check_space "$input" 
 then 
 echo -e '\033[0;31mRestricted characters has been used\033[0m' 
 else 
 output=`$input` &>/dev/null 
 echo "Command executed" 
 fi 
done

We are also told that this prompt is launched using ./prompt.sh 2>/dev/null which means we cannot exfiltrate the flag from stderr since it is blocked.

Bash Jail 2

Sun, 24 Jul 2022 12:28:56 +0530

The challenge

Logging into the box we are told that the flag is located at /home/level2/flag.txt

Challenge bash code

function check_space {
 if [[ $1 == *[bdks';''&'' ']* ]]
 then 
 return 0
 fi

 return 1
}

while :
do
 echo "Your input:"
 read input
 if check_space "$input" 
 then
 echo -e '\033[0;31mRestricted characters has been used\033[0m'
 else
 output="echo Your command is: $input"
 eval $output
 fi
done

Inference

This time, the check_space function returns a 1 if there are any characters in the input string among b,d,k,s, a semicolon, an ampersand and a whitespace. If the function does return 1, we get a “restricted characters” message and no further processing happens.

Bash Jail 1

Sun, 24 Jul 2022 12:27:56 +0530

The challenge

Upon SSHing into the box, we are told that the flag is located at /home/level1/flag.txt

Challenge bash code:

while :
do
 echo "Your input:"
 read input
 output=`$input`
done

Inference and experimenation

The script is reading an input, executes it and then stores it in the output variable without ever displaying the output to the console.

I tried a dummy command to see if I could see its stderr since command substitution (backticks) only capture the stdout.

Hi, this is Himadri!

Sat, 23 Jul 2022 19:11:10 +0530

I’m a self taught programmer and a digital artist. You might have arrived here from my YouTube channel or my open source work. I’m doing a bachelors in data science at IITM.

I’m decent with programming languages like C and Java, the latter of which was taught in school. I’m great at writing Golang and Rust. I render my YouTube videos with Python and the manim framework, so I’d argue I’m competent at it as well.

Truce

Sat, 23 Jul 2022 19:07:32 +0530

A painting of the lead vocalist of Twenty Øne Piløts, named after one of my favorite songs from their album Vessel.

She's a Rebel

Sun, 17 Apr 2022 17:01:44 +0530

Clearly the title was an afterthought.

Operation Oni, Operation Orchid

Fri, 18 Mar 2022 07:10:17 +0530

In this post, we’ll walk through the Operation Oni and Operation Orchid challenges from the PicoCTF competition held in March 2022. Both of these challenges involve the use of tools from The Sleuth Kit suite. In order to follow along, I’d recommend installing the suite of tools.

Operation Oni

The challenge has an associated instance which we’ll need to log into using SSH using the following command:

ssh -i key_file -p 61948 ctf-player@saturn.picoctf.net

We are provided with a compressed disk image disk.img.gz which we’ll decompress with:

JAuth

Tue, 22 Feb 2022 14:49:34 +0530

The challenge description states that most web application developers use third party components without testing their security. It mentions some past affected companies, then asks us to identify and exploit the vulnerable component for the challenge at http://saturn.picoctf.net:52025/

The goal is to become an admin. We are provied with the username test and the password Test123! to look around.

The challenge is a dummy bank portal. On login, we see the message:

Liberating 14GiB of disk space

Mon, 21 Feb 2022 13:15:26 +0530

The idea is simple:

Remove all duplicates, including zero length files
Fine tuning: Hand-pick and remove files deemed unnecessary

Since the mileage for second step might vary from person to person, I’ll elaborate on the first step.

I chose jdupes for deleting the duplicates because it’s open-source and is cross platform.

For a given folder we would run the following to wipe the duplicates:

jdupes --recurse --delete --no-prompt --zero-match .

This will recursively delete all the duplicates except the source file without prompting for a confirmation. It will also consider zero length files to be duplicates.

Notepad

Mon, 21 Feb 2022 09:24:30 +0530

At first glance the webapp looks like a stripped down version of Pastebin where we can post a text / code snippet. After submitting the query, we are redirected to an html page containing the content of the post.

The first thing I tried was triggering XSS (cross site scripting) with the following:

<script>alert(1)</script>

The application source directory tree looks like the following:

.
├── app.py
├── Dockerfile
├── flag.txt
├── static
└── templates
 ├── errors
 │ ├── bad_content.html
 │ └── long_content.html
 └── index.html

Let’s inspect the app.py source.

Gadgeting in Python Jails

Thu, 09 Dec 2021 09:52:29 +0530

We’ve all been there. That one CTF that wants to test your object oriented skills by confining you to a python jail. Additionally some might even keep builtins and eval out of reach.

Here is a cool video explanation by @pwnfunction on server side template injection wherein he mentions a way to “gadget” our way out of Flask’s Jinja2 backend to get remote code execution.

Here’s the gist of it:

Mon, 01 Jan 0001 00:00:00 +0000

Easy SSH tunnel

Local port Traffic direction Remote port Connect to

Mon, 01 Jan 0001 00:00:00 +0000

lavafroth

Easy SSH Tunnel

Step to the 💗 beat

Working With LUKS File Stashes

Creating the image base

Format the image

Algebraic Python Enums

NixOS Notes to Self

nixos-rebuild shows no network activity

Privacy Policy

Guide: Changing Recents Provider on /e/OS

Overview

✨

Easy grep to detect stripped Go binaries

Need a hand?

The tides

In search of the smallest DNA complement function

Problem statement

Building an in-browser Manim clone

PicoCTF SansAlpha Writeup

A Tale of a Frugal Home Server

NixOS Secureboot Shenanigans

Key takeaways

Deprecated overrideScope'

Wrapping up GSoC 2024

Overview

Report

Architecting the parser

Painlessly setting up ML tooling on NixOS

Amateur Blender Sculpture

How I Use SWHKD in My Workflow

Polishing and Bugfix Week

Eagerly removing unbinds

Humans Suck at Command Sanitization

Preventing Infinite Recursions From Eating Your Lunch

Test Driven Development - The Pinnacle of Engineering

Tying loose ends

Drowning

This Error

Modes, Unbinds and Other Ensembled Parser Patterns

I Solemnly Swear to Never Buy a Gaming Laptop Again

Modeling More Realistic Keybinds With Modifiers

Edge cases? You Shall Not Pass!

Timing is Key: A Tale of Keystrokes and Timings

Keep the Keys Clackin'

2 Afternoons, 2 Languages, 2 TUIs

A SWEET Little Parser

General Idea

Wayland Tools Rock!

Using an Android Phone as a webcam in NixOS

Throwing knives

Kringlecon 2023 Writeup

Christmas Island: Orientation

Cranberry Pi

Abstracting Structured Patterns in Concurrent Programming

Headache

Compact XOR

Description

Exploration

Volcano

Decompilation

Waiting an Eternity

I Switched to NixOS

The End of an Overarching Journey

Twosum

Java Code Analysis!?!

Java Script Kiddie 2

The challenge

Some Assembly Required 3

Kringlecon 2022 Writeup

Clone with a Difference

Pixelated

Exploration

Treebox

I Saw a Little Elf

Introduction

RingZer0 CTF Hash Me Reloaded

Hash Me Please

Oh my God, they killed Kenny!

Introduction

`nixos-rebuild` shows no network activity

Deprecated `overrideScope'`