~/mzfr

Year In Review - 2025

Wed, 31 Dec 2025 00:00:00 +0000

In this post, I look back on all the stuff I did in 2025

Regex Bypass - Escaping WebView Domain Filters

Tue, 18 Mar 2025 00:00:00 +0000

An Android deeplink validation bypass that allowed loading arbitrary domains in the app’s WebView through regex pattern mismatches.

Year In Review-2024

Tue, 31 Dec 2024 00:00:00 +0000

In this post, I look back on all the stuff that I did in 2024

Couch to Marathon

Thu, 05 Dec 2024 00:00:00 +0000

How I went from never running to completing a marathon in less than a year

Year In Review-2023

Sun, 31 Dec 2023 00:00:00 +0000

In this post, I look back on all the stuff that I did in 2023

Module Review - Semester 1 AY 23/24

Fri, 08 Dec 2023 00:00:00 +0000

Took these course in the first semester of my masters

Starting the NUS Chapter

Thu, 07 Dec 2023 00:00:00 +0000

Got accepted at NUS, started Mcomp, and life at Singapore

Charts in a PDF, Please

Wed, 15 Feb 2023 00:00:00 +0000

Generating PDF from HTML containing pie charts from chartjs

Year In Review-2022

Sat, 31 Dec 2022 00:00:00 +0000

In this post, I look back on all the stuff that I did in 2022

Taking notes with VS Code and obsidian

Tue, 06 Dec 2022 00:00:00 +0000

Using VS Code, syncthing, and obsidian mobile together for taking notes.

Giving self-hosting a go

Sat, 03 Dec 2022 00:00:00 +0000

I’ve been lurking around r/selfhosted for quite a while now, and decided to use old raspi to host some simple applications.

Genie in a bottle

Mon, 01 Aug 2022 00:00:00 +0000

Decided to shift from Ubuntu to Arch WSL and found an amazing way to run systemd.

Year In Review-2021

Wed, 22 Dec 2021 00:00:00 +0000

Looking back to all the 2021 stuff that I did

Introduction to Cardano components

Fri, 05 Nov 2021 00:00:00 +0000

A few months ago one of my friends asked me to help him mint some NFT on the Cardano blockchain. At that point, I had no idea how transactions work on Cardano and how to actually mint any NFT on it. So I started reading all the blog posts I could find and started banging my head on the Cardano documentation.

Now I’m writing this series (hopefully) of blog posts because I had to learn things from different places and couldn’t find everything in the Cardano documentation because it’s not very frequently updated. I believe the main reason for that is because Cardano is under very active development so most of the time devs focus on making the application instead of updating the documentation.

Gaining access to protected components

Fri, 25 Jun 2021 00:00:00 +0000

In the previous post I talked about what activities are and how we can exploit exported activities. In this post, I’ll show you how an attacker might be able to access the components which are protected i.e not exported. And in the end, I’ll show you how I found one of the similar bugs on a public bug-bounty program.

What is this vulnerability?

Basically what happens is that an activity(let’s call it A) accepts some extras. Those could be simple string(getStringExtra) or could be a parcerable. And without any sort of verification it passes the content of those extra to trigger(startActivity). So Activity A ends up starting a new activity which was given by the user via those extras.

My OSCP experience

Mon, 26 Apr 2021 00:00:00 +0000

So it finally happened, I got my OSCP. This blog post is going to be just me talking about what I did right, what I did wrong and maybe some tips for people who plan to take the exam in the future.

PWK Course

Also, known as PEN-200 is the course one takes in order to get their OSCP Certification. The official definition for this course is as follows:

Penetration Testing with Kali Linux (PEN-200) is the foundational course at Offensive Security. Those new to OffSec or penetration testing should start here.

Using Github Action for recon

Sat, 23 Jan 2021 00:00:00 +0000

Let’s see if it’s possible to use GitHub action for recon

Year In Review-2020

Thu, 31 Dec 2020 00:00:00 +0000

In this post, I look back on all the stuff that I did in 2020

Exploiting Exported activities in Android apps

Sat, 07 Nov 2020 00:00:00 +0000

This blog post doesn’t teach you the very basics of the android app, it just talks about the exported activity and their exploitation

Google Summer of Code 2020

Fri, 18 Sep 2020 00:00:00 +0000

This year I got selected for Google Summer of Code 2020 under The Honeynet Project. This year GSoC was very special for me because I finally got selected for the organization, for which I’ve been trying to get selected from past 2 years.

Background

I got to know about Google Summer of Code back in 2018, when I learned that my elder brother has done it 3 years in a row. He wanted me to try to get selected for any org that I like. So I started looking for projects on GSoC archives and came across the Honeynet Project org. I was interested in it because I really liked all the projects under it, projects like Snare&Tanner, Thug, etc. I think these projects attracted my attention because they have a feel of being related to the Information Security field.

Analyzing Snare and tanner data

Sun, 31 May 2020 00:00:00 +0000

I had Snare & Tanner running on two different digital ocean’s droplets. I just wanted to see what juicy data I can get using this honeypot. How I deployed it is a different story and I’ll write a different blog post for that. In this post, I just wanted to share small code I wrote as well as some graphs I was able to generate using them.

Downloading data using Tanner API

Tanner doesn’t support any inbuilt export option(yet) but it has an API so I wrote a small python script to download data from my tanner API and store it in a JSON file.

Running your own Bombsquad server

Sun, 19 Apr 2020 00:00:00 +0000

If you just want to know how to setup bombsquad jump to The setup section and if you are interested in backstory, continue reading.

Back Story

Few days into the COVID-19 lockdown and I was already getting bored. I mean I was spending my time either doing my college assignments, that were supposed to be submitted on Google Classroom, or I was just doing various kind of challenges like Pentesterlabs, VMs from Vulnhub. In the name of Entertainment I was scrolling through the wormhole of youtube videos until all my suggestions were completely uninteresting to me. That is when I decided that I should find a way to interact with my friends, other than talking on our telegram group.

Review of Autopsy online training

Sat, 18 Apr 2020 00:00:00 +0000

It’s been a while since I wrote any blog post. Since this lockdown is going on I decided to learn a few new things from online courses.

I came to know that Basic technology was offering their autopsy basics and hand on (8-hours) training course, worth $495, for free during this COVID-19 crisis. So I decided to take the course since I’m very much interested in digital forensics.

My very first encounter with digital forensics was in one of the CTF, named otter CTF, that I played with OpenToAll. It was complete forensics and RE focusing CTF and had loads of challenges which included the use of tools like volatility, testdisk, photorec, etc and I was very happy that I was able to solve a lot of those challenges(you can read my write for that CTF here).

Getting Started with Docker

Wed, 05 Feb 2020 00:00:00 +0000

What are Docker containers?

Docker containers are a smaller version of Virtual Machines with farless overheads and lot for flexibility. If you want to isolate different services on your system then you can make multiple dockers images for each service and run them, separately.

How it works?

Well all you need to do is make a file named Dockerfile which would contain the rules/instructions of what all has to be done in that container and then you start the build of your container.

Linux Privilege escalation

Sat, 01 Feb 2020 00:00:00 +0000

If you do all the HackTheBox, Vulnhub etc VM you will understand the feeling of getting a reverse shell on the machine but we know that you’re far from home. Finding the right vector for escalating your privileges can be a pain in the ass. I’m going to share some of the methods I completely depends upon for finding those vulnerable vector that helps to escalate privilege on Linux system.

My eJPT experience

Wed, 15 Jan 2020 00:00:00 +0000

Like every Infosec enthusiast I want to do OSCP certification program but when I was reading about it I came across this ceritificate named eJPT so I decided to read about it. Lot of people recommend eJPT as the stepping stone for other bigger certificates like eCPPT or OSCP.

After reading numerous reviews and blog posts about eJPT, I decided to take it. The main reason I took this certificate was to gain some confidence for OSCP and also to improve my resume.

Predictable Network Interface Names and netplan

Sat, 16 Nov 2019 00:00:00 +0000

Recently I was working on making a new Virtual machine for Vulnhub(it’s in beta right now) and one of the issues I came across was the problem of not having any interface except the loopback (lo) in the newly created VM. Now setting a new interface is easy but What I wanted was to set Dynamic DHCP IP so whenever someone starts the VM it’s assigned an IP using which they can attack the box.

Capture the flag!!

Fri, 19 Oct 2018 00:00:00 +0000

Okay, I gotta start by saying that it been a long time. The last thing I remember was trying to figure out how to rebase my pull requests on Kodi’s repository and praying to pass my first GSoC evaluation. Well, as of now I have passed all the GSoC evaluations, received all my stipend and missed a great trip to Sofia, Bulgaria, yup missed it, but that’s a story for next time.

Google Summer of Code 2018 with XBMC foundation

Wed, 27 Jun 2018 00:00:00 +0000

I got selected as a Google Summer of Code student in XBMC foundation (a.k.a Kodi) for the project [Static code analysis in Kodi’s addon-check tool](Static code analysis in Kodi’s addon-check tool). Result came out on April 23 09:30 PM IST. I know it was 2 months ago but I couldn’t get myself to write about it - you can say I was “busy” ;)

What is GSoC ?

Google Summer of Code is a global program focused on bringing more student developers into open source software development. Students work with an open source organization for 3 month programming on any project of their choice during their break from school. More details about GSoC here.

Hello World

Sat, 26 May 2018 00:00:00 +0000

My First Blog post

About Me