Thaddeus’s Personal Site

Intro# Today while messing around with one of the HackTheBox retired machines “Previous”, the method of gaining initial access is due to the “Middleware” Authentication Bypass in Next.js. This vulnerability can be exploited to bypass authorization and access sensitive pages. Details of the affected versions can be found here CVE-2025-29927. Background# The CVE is a vulnerability in the handling of “middleware”. In its simplest terms (the only ones I understand) middleware is a function used to process a user request in some form or fashion.

01. Intro# I use ZFSBootMenu to manage my boot environments and help me roll back when I inevitably do something destructive to my system. Today I decided to change my encryption password because my current one has a key combination that confused my fingers so I almost always typed it incorrectly the first time. I changed my zfs rpool password, but I neglected to update initramfs. Im documenting the steps to properly change my password here so that i dont forget.

01. Intro# I was doing the Password Attacks lab in hackthebox academy and I found it pretty interesting so I figured I would redo it and step through how I did it and my thought process to help solidify concepts and because I enjoyed this one, even though it was a bit frustrating initially. 02. Gathering Initial Info# To start this engagement we know a couple things. We have a user Betty Jade that works at Nexura LLC.

Today I was looking at something new to learn and I came accross some material on DLL Hijacking. Previously I was only really aware of DLL search order hijacking, but I was interested to see that theres actually several varients to this idea. It may be best to first explain what a DLL is before talking about methods of manipulation. A DLL is a shared object or a snippet of code that several applications and operating system components can import for many common functions as to not have to re-invent the wheel on many things.

Today I was looking into some stuff for SSH and I wanted to know more about the maths behind how diffie helman works and since its just always something I took for granted so today I learned. Below is a simple graphic that I made that illustrates the process of the key exchange. So what does this mean? Well asymetric cryptography is built upon the idea of creating a shared secret independently without passing it over the public internet.

So I didn’t do anything today so I’m going to take today to write about NixOS. I started using NixOS recently because I would like to incorporate declarative and immutable operating systems into my research. I was introduced to NixOS via one of my favorite podcasts Linux Unplugged. I wasn’t initially sold on it because it sounded like a fad, but so far its pretty cool. This is how I understand it.

Hello, this is the beginning of my (somewhat) daily blog. The intention of this blog is less of an exercise in writing about my life and more of a exercise in making a habit of documentation. I plan to write daily about lessons I learned about computers that day and I’m sure there will be a non-computer related blog or two. When I implement tagging and search, I will make sure that things are tagged appropriately.

Bash scripts are very sensitive to line endings which can cause some portability issues between windows and unix-like systems (depending on how the text editor encodes line breaks). If you would like to see the invisible characters that are making your life confusing simply type: cat -v <FILE> The easiest solution to this issue is a simple sed replace line: sed -i -e 's/\r$//' <FILE>

So for some reason in v2021.7.0 HomeAssistant introduced a bug that breaks a lot of systems that rely on its NGINX reverse proxy add-on to provide ssl capabilities. Thankfully the fix itself is pretty simple. To begin, try to navigate to the site to produce the error, then in the HAS web GUI navigate to the Supervisor Logs (Settings>System>Logs) Grab the IP that shows up in the error that reads

So for some reason in v2021.7.0 HomeAssistant introduced a bug that breaks a lot of systems that rely on its NGINX reverse proxy add-on to provide ssl capabilities. Thankfully the fix itself is pretty simple. To begin, try to navigate to the site to produce the error, then in the HAS web GUI navigate to the Supervisor Logs (Settings>System>Logs) Grab the IP that shows up in the error that reads