https://blog.zars.me/posts/Recent content in Posts on Tyler's BlogHugoen-us© AthulSun, 29 Mar 2026 02:43:32 -0400https://blog.zars.me/posts/embedded/timer/Sun, 29 Mar 2026 02:43:32 -0400https://blog.zars.me/posts/embedded/timer/In the learn how to write an RTOS project I’ve been chipping away at in the evenings, I reached a crossroads… I need to implement timers. Join me on the trail of figuring out there’s a whole lot more to a timer than just counting down! Understanding the timer peripheral Diving into the datasheet for the chip under programming, the “General-Purpose Timers” (Chapter 13) seems like the perfect place to start.https://blog.zars.me/posts/hitb-gsec-2017/Sat, 27 Apr 2024 12:13:32 +0530https://blog.zars.me/posts/hitb-gsec-2017/This was an old challenge, but one of my friends was teaching to it and I knew nothing about QEMU and physical hardware. I went into it know it was a QEMU escape so I won’t be covering the mindset of finding that out but I’ll break down the indepth meaning behind what the exploit does and some of the QEMU internals that make this problem solvable. The Problem The provided resources for the challenge allude to it being a QEMU challenge:https://blog.zars.me/posts/kali-headless-setup/Mon, 20 Nov 2023 12:13:32 +0530https://blog.zars.me/posts/kali-headless-setup/Overview I wanted to be able to use an old Intel NUC for a headless Kali instance. I came into a lot of problems with Kali’s defualt TightVNCServer being a gray (grey?) screen and found the solution below to work perfectly. I enable autologin for headless operation to run my userspace application launching VNC but with the option to also SSH in assuming that doesn’t work. This solution will make the defualt desktop on our fake display adapter available over VNC.https://blog.zars.me/posts/elgato-key-light/Wed, 02 Aug 2023 12:13:32 +0530https://blog.zars.me/posts/elgato-key-light/Overview The Elgato Key Light Air has a hidden unprotected HTTP API running on the device at all times. This API lives behind port 9123 and allows for information GETting and PUTting. This allows anyone to get the current configuration of the light and update those values. The original source for the finding of this API can be found here. The JSON used for the GET/POST request looks like this:https://blog.zars.me/posts/pwnable/blackjack/Mon, 10 Jul 2023 12:13:32 +0530https://blog.zars.me/posts/pwnable/blackjack/Source The source provided in the game can be found here: Link Analysis I noticed the main gameplay block was quite interesting in the way it handled the users bet: if(p<=21) //If player total is less than 21, ask to hit or stay { printf("\n\nWould You Like to Hit or Stay?"); scanf("%c", &choice3); //... if((choice3=='H') || (choice3=='h')) // If Hit, continues { //... if(dealer_total==21) //Is dealer total is 21, loss { printf("\nDealer Has the Better Hand.https://blog.zars.me/posts/pwnable/cmd1/Mon, 10 Jul 2023 12:13:32 +0530https://blog.zars.me/posts/pwnable/cmd1/Starting to solve the pwnable.kr series of problems! Provided Source #include <stdio.h> #include <string.h> int filter(char* cmd){ int r=0; r += strstr(cmd, "flag")!=0; r += strstr(cmd, "sh")!=0; r += strstr(cmd, "tmp")!=0; return r; } int main(int argc, char* argv[], char** envp){ putenv("PATH=/thankyouverymuch"); if(filter(argv[1])) return 0; system( argv[1] ); return 0; } Breaking this down, we can see three main parts: Reset the $PATH to only include one entry Filter the input to no include any strings Run system() Solving The $PATH holds the main directories for where binaries are located, allowing for users to just run something short like pwd instead of /bin/pwd.https://blog.zars.me/posts/nahamctf2023/Sat, 17 Jun 2023 12:13:32 +0530https://blog.zars.me/posts/nahamctf2023/I keep having busy weekends and I wish I had a touch more time to grind out the challenges I had left for this CTF. Awesome challenges by the authors! Thanks for the fun CTF nahamsec team! Glasses 50 points - Warmups - 955 Solves - easy Author: @JohnHammond#6971 Everything is blurry, I think I need glasses! We can’t inspect element with a mouseclick. No worries, just use the keyboard shortcut (or on Mac the menu still pops).https://blog.zars.me/posts/byuctf2023/Sun, 28 May 2023 12:13:32 +0530https://blog.zars.me/posts/byuctf2023/I didn’t complete this while it was running due to travelling but went back after and tried to get some of these done, cool challenges tho. leet1 Just make 1337 nc byuctf.xyz 40000 Attachment: leet1.py We are provided with a file that checks if our input is equal to 1337. However, it has two checks: re.search(r'\d', inp) eval(inp) != 1337 The first check is for any numbers included, those will immeditely fail.https://blog.zars.me/posts/deadsecctf-2023/Mon, 22 May 2023 12:13:32 +0530https://blog.zars.me/posts/deadsecctf-2023/Dont’ hack my website My Attempt echo & head both work with no spaces, id, whoami Running df will show us Filesystem 1K-blocks Used Available Use% Mounted on overlay 98831908 6164312 92651212 7% / /dev/sda1 98831908 6164312 92651212 7% /flag.txt none 4096 0 4096 0% /tmp none 4096 0 4096 0% /run Anything containing flag.txt won’t work. head${IFS}&&${IFS}pwd /app head${IFS}&&${IFS}a=fl&&${IFS}b=ag&&${IFS}c=.t&&${IFS}d=xt a=fl${IFS}b=ag${IFS}c=.t${IFS}d=xt${IFS}&&${IFS}echo${IFS}$a$b$c$d fl b=ag c=.t d=xt a=fl${IFS}ag${IFS}.t${IFS}xt${IFS}&&${IFS}echo${IFS}$a$b$c$d fl ag .t xt Somehow strip out the whitespace?https://blog.zars.me/posts/heroctfv5/Mon, 15 May 2023 12:13:32 +0530https://blog.zars.me/posts/heroctfv5/Overview HeroCTF was my first solo team attempt at CTF’ing. It was a blast and huge props to the authors of the challenges. I had fun solving all the ones I did and had plenty of time to experiment with the ones I couldn’t. The CTF was hosted here: link. I’ll break down my solves below in no particular order. dev.corp 1/4 The famous company dev.corp was hack last week.. They don't understand because they have followed the security standards to avoid this kind of situation.https://blog.zars.me/posts/temperature-to-influxdb/Sat, 18 Mar 2023 12:13:32 +0530https://blog.zars.me/posts/temperature-to-influxdb/The Tech Let’s build out our little form factor advanced thermometer. The BMP280 This little sensor is fantastic for measuring a host of information and all of it can be relayed over the I2C interface to the other piece of the puzzle. The main data points are temperature (with ±1.0°C accuracy), barometric pressure (±1 hPa absolute accuracy), and altitude (±1 meter accuracy). The main ones that are pretty neat here are temperature and barometric pressure; altitude comes built into the BMP280 by default but since we aren’t going to be moving this sensor much it’s not really something that we will need to keep tabs on.https://blog.zars.me/posts/irisctf-babyseek/Wed, 01 Feb 2023 12:13:32 +0530https://blog.zars.me/posts/irisctf-babyseek/The Challenge I’ll let you seek around my file as far as you want, but you can’t go anywhere since it’s /dev/null. Author: sera seek.zip nc seek.chal.irisc.tf 10004 The Provided ZIP chal Provided binary chal.c Source which binary comes from Makefile Provided compilation flags Dockerfile Dockerfile running on the server Protections [*] '/root/workspace/vr_pres2/seek/chal' Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX enabled PIE: PIE enabled Welp, if we can overflow and overwrite the GOT, seems like we’re in the home stretch.https://blog.zars.me/posts/irisctf-ret2libm/Wed, 01 Feb 2023 12:13:32 +0530https://blog.zars.me/posts/irisctf-ret2libm/The Challenge I need to make a pwn? Let’s go with that standard warmup rop thing… what was it… ret2libm? Author: sera ret2libm.zip / Dockerfile The Provided ZIP chal Provided binary chal.c Source which binary comes from libc-2.27.so Provided libc version libm-2.27.so Provided libm version Makefile Provided compilation flags What is libm? #include <math.h> libm is the standard math library for C. Where does libm live? $ ldd chal linux-vdso.so.1 (0x00007fffd53f5000) libm.https://blog.zars.me/posts/invalid-old/tg-gh/Wed, 01 Apr 2020 00:00:00 +0000https://blog.zars.me/posts/invalid-old/tg-gh/Telegram Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed. It is free to use and extensively hackable. It also has a good bot support system. The API is also easy to implement and has many wrappers for building bots with the API. GitHub Actions GitHub Actions is a CI/CD runtime for your GitHub repository. You can run almost anything from scripts to docker containers.https://blog.zars.me/posts/invalid-old/post-1/Wed, 01 Apr 2020 02:01:58 +0530https://blog.zars.me/posts/invalid-old/post-1/You have a to-do list that scrolls on for days. You are managing multiple projects, getting lots of email and messages on different messaging systems, managing finances and personal health habits and so much more. It all keeps piling up, and it can feel overwhelming. How do you keep up with it all? How do you find focus and peace and get stuff accomplished when you have too much on your plate?https://blog.zars.me/posts/invalid-old/post-4/Wed, 18 Mar 2020 12:13:35 +0530https://blog.zars.me/posts/invalid-old/post-4/I’m on a trip at the moment, and a friend who generously let me sleep on his couch looked at my small travel backpack and commented on how little I travel with: “That’s impressive,” he said. I was a little surprised, because though I’ve gotten that comment before, it’s become normal for me to travel with just a small bag (10 lbs. or less, usually), and I have friends who travel with even less.https://blog.zars.me/posts/invalid-old/post-7/Sun, 18 Mar 2018 12:13:38 +0530https://blog.zars.me/posts/invalid-old/post-7/Here is how you can setup dark mode for Ink and test on various OS like iOS, Android, macOS and Windows 10.https://blog.zars.me/posts/invalid-old/post-5/Sun, 18 Mar 2018 12:13:38 +0530https://blog.zars.me/posts/invalid-old/post-5/Lid est laborum et dolorum fuga. Et harum quidem rerum facilis est et expeditasi distinctio. Nam libero tempore, cum soluta nobis est eligendi optio cumque nihilse impedit quo minus id quod amets untra dolor amet sad. Sed ut perspser iciatis unde omnis iste natus error sit voluptatem accusantium doloremque laste. Dolores sadips ipsums sits. Heading 1 Lid est laborum et dolorum fuga. Et harum quidem rerum facilis est et expeditasi distinctio.https://blog.zars.me/posts/invalid-old/post-3/Sun, 18 Mar 2018 12:13:32 +0530https://blog.zars.me/posts/invalid-old/post-3/The end of procrastination is the art of letting go. I’ve been a lifelong procrastinator, at least until recent years. I would put things off until deadline, because I knew I could come through. I came through on tests after cramming last minute, I turned articles in at the deadline after waiting until the last hour, I got things done. Until I didn’t. It turns out procrastinating caused me to miss deadlines, over and over.https://blog.zars.me/posts/invalid-old/post-2/Sun, 18 Mar 2018 12:13:30 +0530https://blog.zars.me/posts/invalid-old/post-2/We spend our days filling in every available space, cramming in more tasks, responding to messages, checking social media and online sites, watching videos. We are afraid of empty space in our lives. The result is often a continual busyness, constant distraction and avoidance, lack of focus, lack of satisfaction with our lives. We run from silence. We run from the spaces between tasks and appointments. We run from solitude and stillness.