YesYouKen’s MetaNest https://yesyouken.space/ yesyouken.space Fri, 27 Mar 2026 06:46:33 GMT https://validator.w3.org/feed/docs/rss2.html https://github.com/jpmonette/feed en-US All rights reserved 2026, YesYouKen <![CDATA[Extracting binary from other images Vs installing from scratch]]> https://yesyouken.space/article/docker-binaries-from-other-images https://yesyouken.space/article/docker-binaries-from-other-images Wed, 11 Feb 2026 00:00:00 GMT

Benefits

  • Faster builds since I am not compiling or installing packages myself.
  • Smaller final image because I can keep the runtime stage minimal and avoid bundling build tools.
  • More predictable and reproducible results when the source image is pinned by digest.

Shortcomings

  • Compatibility can break, especially when mixing binaries from Alpine (musl) with a Debian or distroless runtime (glibc).
  • Hidden runtime dependencies can be missing in the final image, such as shared libraries, CA certificates, timezone data, or small utilities.
  • Security updates are easier to miss because I need to track patches in the source images I copy from, not only the final base image.
  • Provenance is less explicit, which can make auditing and debugging harder.
  • Licensing and notice files can be overlooked when copying only a single binary.

Requirements

  • Only works with self-contained binary, binaries with statically linked libraries would require more effort
 
]]> <![CDATA[An AI friendly numbering system]]> https://yesyouken.space/article/25673dad-b62e-8063-9ad7-cd2d832847f8 https://yesyouken.space/article/25673dad-b62e-8063-9ad7-cd2d832847f8 Thu, 21 Aug 2025 00:00:00 GMT
You know how Generative Artificial Intelligence (GAI) could still make mistakes in float numbers?
For example, it could still think that 1.11 ≥ 1.2, this is because. it interpreted 1.11 as 1 and 11 and compares them with 1 and 2.
I am sure you have seen this on a LinkedIn post or X post, and using this as grounds to claim that GAI is not ready yet or cannot “replace” humans. I don’t care enough to dispute them. But it made me think, what if the GAI is right? Our numbering representation is the one that is flawed?
 
Why can’t 1.11 ≥ 1.2? If it is using IP address semantics, it is! Why can’t we also do that? every decimal point is a separator of 3 digits, for example:
This actually looks much cleaner.
This is probably not a new idea but I just wanted to write my thoughts down :)
 
]]> <![CDATA[How to output OpenApiV2/swagger in snake case with grpc-gateway?]]> https://yesyouken.space/article/grpc-gateway-snake-case https://yesyouken.space/article/grpc-gateway-snake-case Tue, 15 Apr 2025 00:00:00 GMT

How to output OpenApiV2 /swagger with grpc-ecosysytem/grpc-gateway

The grpc-gateway OpenApi V2 (swagger) generator generates in the fields in camelCase by default (ref)
To generate in snake case if the field names are already written in snake case in the proto files.
Else this would just use the proto names for field names in whatever case they are already in.
]]> <![CDATA[Pintu CTF 2024]]> https://yesyouken.space/article/ctf-pintu-2024 https://yesyouken.space/article/ctf-pintu-2024 Thu, 13 Feb 2025 00:00:00 GMT
Pintu CTF 20241. Welcome - 102. Path to the Flag - 1002.1 Journey 2.2 TLDR - Directory Traversal 3. IP Checker - Username - 1003.1 Journey 3.2 Solution 3.3 TLDR - .git Exposure Vulnerability4. IP Checker - Password - 1004.1 Journey5. Login - 1006. Juicy Injection - Squeeze the Query - 2006.1 Journey

Pintu CTF 2024

This is my first time participating in a CTF (short for “Capture the flag”). I never knew it could be so much fun! Got to give a huge thanks to the Pintu’s cybersecurity team for the exposure and introduction!
💡
Readers’ guide
Every primary header after this was a challenge. Each challenge writings are divided into 3 sub headers:
  • Journey — Just some blabbering on how I arrived at the solution, and of course I did not talk about the little crazy amount of googling web searches I did
  • Solution — some shell commands, code used to solve the challenge
  • TLDR — Well if you want to skip to what the challenge is actually about, the sauce and maybe some of my thoughts

1. Welcome - 10

Excerpt
Welcome to Pintu CTF - Genesis Edition (The Beginning)
A terminal screen flickers to life with a simple challenge: "What is the MD5 hash of the word 'admin'?
Prove your readiness by submitting the answer in the format:
This challenge was simple just to make sure the audience is at the right place. Merely asking for a md5 hash of a word, easily achievable with online tools.

2. Path to the Flag - 100

2.1 Journey

Excerpt
You’ve stumbled upon a mysterious server that holds the key to the challenge. A cryptic message reveals that the flag is hidden inside /home/flag.txt. However, direct access seems impossible, and the application’s file parameter might be the only way in.
Can you exploit the path to uncover the flag?
A url links to server which returns the following message
notion image
At first i just tried http://hostname?file=/home/flag.txt , can’t be that easy right? I got
notion image
Recalling what i read before starting this challenge about directory traversal → https://ctf101.org/web-exploitation/directory-traversal/what-is-directory-traversal/
Tried http://hostname?file=../../home/flag.txt . Voila!

2.2 TLDR - Directory Traversal

Best explained in CTF101 Handbook
Directory Traversal - CTF Handbook
Capture the Flag Competition Wiki
Directory Traversal - CTF Handbook
https://ctf101.org/web-exploitation/directory-traversal/what-is-directory-traversal/
This vulnerability can happen in any application that uses user input in directory path. This could be common with any form of file access or even traversing in s3 buckets. A team could want to save a database query and uses user input to directly navigate to the file — without sanitising the inputs user could navigate the file storage.

3. IP Checker - Username - 100

3.1 Journey

Excerpt
Alex was conducting information gathering on the IP Checker challenge when he discovered that solving it would require a username at some point.
From past experience, Alex knew that developers sometimes fail to deploy applications securely, which can inadvertently expose the source code.
Your goal is to find the hidden username.
This challenge provides a url that links to this web app. It does not really do anything and it is buggy.
notion image
I had to reveal the hint to move on… as I really didn’t know what to do.
Merge and Conflict :D , the tools has default hidden directory. Can you dump and read the username?
With this hint I immediately tried http://hostname/.git and it revealed the following directory listing.
notion image
Downloading the .git folder and running git status showed us that there are local changes to delete username.go.bak we just had to do a git checkout to revert the delete and job done!
notion image

3.2 Solution

  1. wget -mpEk -np robots=off --random-wait http://100.109.132.8:9494/.git
      2. This wget command recursively downloads the entire .git see more at explain shell
  1. cd 100.109.132.8:9494 && git checkout .
  1. There is a file username.go.bak and rename the file by removing .bak
    1. Just have to add the following lines
      1. go run username.go

      3.3 TLDR - .git Exposure Vulnerability

      This is a case of deploying .git folder along with the web app. With the .git folder we could have the entire history of the source code, depending on the clone depth. I found this guy who does scans for exposed .git on websites on a global scale (https://smitka.me/open-git/). They also shared ways to prevent.

      4. IP Checker - Password - 100

      4.1 Journey

      Excerpt
      Alex was conducting information gathering on the IP Checker challenge when he discovered that solving it would require a password at some point.
      From past experience, Alex knew that developers sometimes fail to deploy applications securely, which can inadvertently expose the source code.
      At first glance, Alex didn't notice anything unusual about the application. However, he soon realized that the things related to the image hold valuable information.
      Unfortunately the valueable information can't be read. Can you read the password?
      The image was hosted on a s3 bucket → https://ptu-ctf.s3.ap-southeast-1.amazonaws.com/pintu-banner.jpg . Accessing https://ptu-ctf.s3.ap-southeast-1.amazonaws.com/ revealed a list of items hosted on the s3 bucket.
      notion image
      One of them is password.txt
      TODO: Not completed
       

      5. Login - 100

      6. Juicy Injection - Squeeze the Query - 200

      6.1 Journey

      Excerpt
      Welcome to the Juice Market, where every juice bottle is identified by a unique ID. However, a critical flaw in the /juice/:id endpoint allows an attacker to manipulate the database through unsanitized user input. To make matters worse, the /ping endpoint shows the server is alive, providing an extra clue.
      Your task:
      Exploit the vulnerability in the query, retrieve the secret flag hidden in the database, and show the Juice Market who's boss!
       
       
      ]]>             <![CDATA[Ethernaut Walkthrough - Part 1]]> https://yesyouken.space/article/ethernaut-walkthrough-1 https://yesyouken.space/article/ethernaut-walkthrough-1 Fri, 21 Apr 2023 00:00:00 GMT
      Hello I am YesYouKen, this is my first time writing a walkthrough and I am just going to write as things come. Enjoy! And, I hope this helps!
      Each level gets its own section and I will talk about how I get to the answer but if you want to go to the hint or the answer they are at the end of each section.

      Levels

      1. Hello Ethernaut

      This one is easy. Just got to go through everything.
      Take a longer look at the contract object to see if anything shouts password
      Solution on how to get the password
      contract.password()

      2. Fallback

      Our goal is to call contract.withdraw to get all the balance in the smart contract account
      1. Notice the onlyOwner modifier
          • it prevents anyone other than the owner from calling contract.withdraw
      1. There are two lines in the smart contract that allows us to change the owner of the smart contract with the following line owner = msg.sender;
          • in contribute and receive
      1. Notice that receive looks a little different from other function. Did some research and found out that receive() external payable is a fallback function that is called "if Ether are sent to the contract and no calldata are provided"
      There are two possible solutions
      Solution A
      Solution B

      3. Fallout

      Once again, same goal become the owner of the contract.

      Solution

      1. Notice that there is only one function that allows change of owner which is Fallout
      1. Tries to call contract.Fallout but realised it is undefined.
      1. then notice the typo it is actually Fal1out , the second l is actually a 1
      1. Just execute the following in the browser console and you will become the owner

      Takeaways

      • Turns out that it has to be a typo else the challenge will not work, the challenge simulates a typo where the constructors is misnamed and became a public function instead.
      • Seems like a bad idea to even define constructors by the contract name, note to myself, maybe just use the constructor keyword?

      4. Coin Flip

      We need to rack up some consecutive wins by making the right guesses.
      I faced a few hiccups here.
      1. I tried to be fancy here and did a for-loop only to realised that the challenge prevents that with the following
      it will error out with execution reverted example transaction
      Solution

      Takeaways

      • external is like public but cannot be called internally
       

      Next -
      Ethernaut Walkthrough - Part 2
      Ethernaut Walkthrough - Part 2

       
      ]]>             <![CDATA[Ethernaut Walkthrough - Part 2]]> https://yesyouken.space/article/ethernaut-walkthrough-2 https://yesyouken.space/article/ethernaut-walkthrough-2 Thu, 27 Apr 2023 00:00:00 GMT

      We are back at it!

      In case you missed the previous post, here is the link to the previous post
      Ethernaut Walkthrough - Part 1
      Ethernaut Walkthrough - Part 1

      Levels

      5. Telephone

      source: 0x2C2307bb8824a0AbBf2CC7D76d8e63374D2f8446

      Thought process

      1. Notice in Telephone.sol that we just have to call changeOwner such that tx.origin and msg.sender are not the same and we can change the owner to whichever address we want
      1. Did a quick google on “tx origin solidity” which led me to this page https://docs.guardrails.io/docs/vulnerabilities/solidity/use_of_insecure_function#:~:text=,calls into a malicious contract.
      1. So tx.origin is the address of the account that sent the transaction
      Solution
      1. Deploy the following contract
        1. Get contract’s address by running the following in the browser console
          1. Run the deployed TelephoneSolution.solve with the contract’s address

          Takeaways

          • tx.origin is the address which started the transaction
          • msg.sender is the address which sent the message to the contract, and this could be another contract that was triggered by the transaction

          6. Token

          source: 0x478f3476358Eb166Cb7adE4666d04fbdDB56C407

          Thought Process

          1. I had to google for help on this one. I googled a little and found out that it had to do with integer underflow and overflow.
              2. To hack this contract first you need to understand the concept of integer underflow and overflow. The overflow is a situation when uint (unsigned integer) reaches its byte size. Then the next element added will return the first variable element. - https://hackernoon.com/how-to-solve-the-ethernaut-games-level-5-token
          Solution
          1. Execute the following in the browser console

          Takeaways

          • We can check overflow with the following
            • An easier alternative is to use OpenZeppelin's SafeMath library that automatically checks for overflows in all the mathematical operators. The resulting code looks like this:

              7. Delegation

              source: 0x73379d8B82Fda494ee59555f333DF7D44483fD58

              Thought Process

              1. Went to research about delegatecall as suggested (reference: Solidity Docs)
                1. Notice that delegatecall is similar to using another contract’s code as a library
              1. Notice that in Delegate.sol the pwn() function changes the owner to msg.sender

              Solution

              1. Load this interface into remix IDE
                1. Just overlay this interface on top of the level's contract address
                1. And call pwn()
                1. Make sure that there is enough gas limit given

                Takeaways

                • delegatecall combined with fallback is very much like composition in OOP (Object Oriented Programming)
                • Solidity documentation on fallback function was not easy to understand, in my opinion.
                • The first possible way to trigger fallback function was just calling a non-existent method on the target contract. This can be simulated by overlaying a wrong interface on an contract address and calling whichever method that was defined in the interface but not on the contract
                • The second possible way to trigger fallback function was not easy to understand for me. I thought I could trigger solve the level another way by sending Ether to it but turns out that does not work. The fallback function has to be marked payable for that to work
                ]]>