Android 8 root & cert

Recently i want to mess with some phone traffic so i took out my broken screen Pixel phone and decided to wipe it and use it for testing. After downloading the latest android 10 factory build and flash it to the phone via fastboot, It became apparent that the community hasn’t spent much time modding it and mounting /system as RW is still very alpha or doesnt work at all. This is due to some re-architect that google does for their partition.
Read more

Bash trick

TIRED OF FOGGY BRAIN I always have trouble with recalling what command i ran in the past, constantly looking up for simple trick in bash so i have always wanted to build something similar to cheat.sh for myself. Except cheat.sh runs on a python flask server and i really think it is bloated/overengineered for what it does. All i want is a simple static site generator to convert markdown notes to colored console output.
Read more

Script those mailbox alerts!

UPDATE - automatically save to google drive Update: So I recently found that some of my alerts are quite good at catching password list and i often get 2 or 3 a day and the uploader or pastebin keeps deleting them after a few hours/days. I don’t really look at these files but wanted to collect them for future reference (eg building a password list, building a similar service like haveibeenpwn but more instantaneous eg sending emails to users who are affected out of good will), so i rewrite the appscript a little to fetch the file and save it to google drive.
Read more

How not to run a CTF.

For #cmdevcamp19 our security team decided to host a Jeopardy style Capture The Flag challenge for all the developers. This round of CTF did not run as smoothly as we hoped for and there are a lot of improvements need to be made for the next time. Problem 1 : Flag is inconsistent, not ready or required last minute changes The CTF is built to raise awareness about security at Cammpaign Monitor(CM) so for the main challenges, we decided to tweak the internal dev environment - revert some of the fixes and disable some security flags.
Read more

AWSBill < 10$

So if you followed me from previous blog to this new blog, you know that this blog is served using cloudfront + s3 bucket and every now and then, when i commit new post to master for the blog, like i’m doing now, a webhook fires from github to a lambda function sits behind an AWS API Gateway. This lambda function then download the latest version of the blog, do a hugo build and deploy it to the S3 bucket.
Read more

Building a slackbot with aws lambda

Recently i needed to build a small slackbot and go + aws lambda seems to be a good choice for the job. Slack API A good library for communicating with slack API can be found here: https://github.com/nlopes/slack 1 - Every request from Slack is signed Every request from slack are signed and can be verified with the following code. Note that the code does not take in a http.Request object but the value of the X-Slack-Signature and X-Slack-Request-Timestamp along with the requestbody so i can reuse this code to either handle requests from AWS APIGateway or running this code as http server.
Read more

Learning Go again in 2019

Recently i needed to build some tools in go. To be more specifically, a chatbot running in aws lambda and a cli tool. Here are some cool tricks i picked up along the way: Use go module It’s probably the coolest thing i found in the latest version of go. It blew my mind instantly when someone at work showed it to me. You can now build your code wherever you want, not even under GOPATH.
Read more

DRAT - Dependency Risk Analysis Tool

Just before I left a government gig a few months ago, With my manager’s approval I managed to opensource a fun project I worked on just before I left the organisation - DRAT. I came up with the idea for this project after battling through countless Nodejs and Ruby On Rails pentest. The idea is simple, give the app a project’s repository, it will help developers to identify high risk dependencies.
Read more

Graphing flowlog

Recently I completed a small fun side project i wanted to do when i first joined CM. Correction, in fact, this project has been on my mind since the day I started using AWS. I wanted to graph flowlog and make it pretty/useful. The simplest part of the project using golang aws sdk to download, cache and parse hundred of flowlog gz files using multiple threads. The hardest part was to find a cool graph library or an opensource project i could modify that could graph 500+ notes with ease and the graph makes sense.
Read more

Hugo blog from Git to Cloudfront [UPDATE]

UPDATE The serverless code i wrote now deploys the S3 bucket as well as the Cloudfront distribution. Unfortunately there wasnt an obvious/easy way to have a private role/OriginAccessIdentity configure in serverless.yml so at the moment the s3 bucket is publicly READ-able and cloudfront CDN pull info from the bucket by visiting .s3.amazonaws.com at the moment. Also, the free AWS certificate that can be used with Cloudfront is being verified (using DNS) and created manually.
Read more