Tethik's weblog

April 2024linux

Setting up keepassxc with yubikey

I use keepassxc to store my passwords. Up until now for my setup I have been using Password + Keyfile as the database credentials, where keyfile has been mostly used as a salt rather than an actual secrets. I store a backup of this keyfile in various online accounts. Because of this I've never been entirely comfortable storing the passwords anywhere online, as it would only require cracking my password. Adding the yubikey secret to the credentials should add an offline factor that will be very difficult to compromise.

Read

October 2023sysadmin

Resetting HP M15w

Trying to find instructions on how to reset the M15w printer to set up a new wifi connection was annoying enough that I wrote it down.

Read

March 2023infosec

Claiming a microsoft shorturl for an easy phish

**tl;dr;** Microsoft has an internal use shorturl service at **go.microsoft.com** that can be enumerated for hijackable links. It might be useful for you as a red teamer if you want to phish windows users.

Read

February 2023infosec

Bitbucket CSRF on SSH Add Key Endpoint via superdomain cookie

In October 2022 I found a pretty specific CSRF vulnerability on Bitbucket Server (the self hosted version). Since it has now been patched, here are the details.

Read

February 2023infosec

kms.nhp.gov.in rooted via syncthing

In May last year (2022) I found and disclosed a vulnerability on a subdomain of nhp.gov.in. Using an exposed syncthing admin interface, I was able to gain root SSH access to the server by syncing the `/root/.ssh` directory.

Read

February 2022programming