author: David Timber <dxdt@dev.snart.me> 2023-11-21 19:55:39 +0800
committer: David Timber <dxdt@dev.snart.me> 2023-11-21 19:55:39 +0800
commit: 1551dbfde0e329783174b7aa9d1ce9fc93e8470b (patch)
tree: 4b503c811afdf935723cbadc713133bc9046f9e0 /writeups
Initial commit
Diffstat (limited to 'writeups')
-rw-r--r-- writeups/headless-vnc.ko/headless-vnc.ko-kr.md | 88
-rw-r--r-- writeups/powershell-email/README.md | 43
-rw-r--r-- writeups/powershell-email/sendmail.ps1 | 181
-rw-r--r-- writeups/selfhosting-email/fuckyou-gmail.en.md | 100
4 files changed, 412 insertions, 0 deletions
diff --git a/writeups/headless-vnc.ko/headless-vnc.ko-kr.md b/writeups/headless-vnc.ko/headless-vnc.ko-kr.md
new file mode 100644
index 0000000..05d2486
--- /dev/null
+++ b/writeups/headless-vnc.ko/headless-vnc.ko-kr.md
@@ -0,0 +1,88 @@
+# 클라우드 리눅스 VM에 GUI 돌리기
+
+AWS EC2나 GCP CE의 윈도 머신은 대부분 RDP로 접근하는 반면에, 리눅스 머신은 모두 CUI로만
+사용하도록 되어있음. 리눅스는 셸로 모든 작업을 할 수 있지만 유니티 에디터같은 소프트웨어는 GUI없이
+거의 사용이 불가능하다. 머신에 하드웨어를 추가할 수 없는 환경이라면 이 방법을 추천한다.
+
+## 개요
+**Xorg X11 dummy video**를 사용해서 가상 fb를 만들고, **TigerVNC X 윈도 서버 모듈**을
+사용해 원격에서 접속할 수 있도록 설정한다. 이 문서는 VM에 GDE를 설치하는 방법을 다룬다. 이 문서는
+VNC 포트를 외부에 공개하지 않고 SSH 터널링을 사용해 서버 VNC에 연결하는 방법을 설명한다.
+
+## 방법
+### SSH 접속
+원격 VNC 포트를 로컬로 터널링한다. 포트 2개를 사용하는 이유는 추후에 설명:
+```
+ssh -L15900:127.0.0.1:5900 -L15901:127.0.0.1:5901 <주소>
+```
+
+### 패키지 설치
+RPM:
+
+```xorg-x11-drv-dummy tigervnc-server-module gnome-shell gnome-terminal```
+
+DEB: (TODO)
+
+### 설정
+
+**/etc/X11/xorg.conf.d/00-dummy-vnc-video.conf** (새로 만들기):
+```
+Section "Module"
+ Load "vnc"
+EndSection
+
+Section "Device"
+ Identifier "Configured Video Device"
+ Driver "dummy"
+EndSection
+
+Section "Monitor"
+ Identifier "Configured Monitor"
+ HorizSync 31.5-48.5
+ VertRefresh 50-70
+EndSection
+
+Section "Screen"
+ Identifier "Default Screen"
+ Monitor "Configured Monitor"
+ Device "Configured Video Device"
+ DefaultDepth 24
+ SubSection "Display"
+ Depth 24
+ Modes "1280x720"
+ EndSubSection
+
+ Option "SecurityTypes" "None"
+ Option "AlwaysShared" "true"
+EndSection
+```
+
+해상도나 색상 깊이를 알맞게 변경한다.
+
+`Option "SecurityTypes" "None"` 행은 VNC 접속 시
+암호를 묻지 않도록 설정한다는 의미이다. 암호를 설정하고 싶다면 [이 문서](https://wiki.archlinux.org/index.php/TigerVNC#Expose_the_local_display_directly)
+를 참조.
+
+`Option "AlwaysShared" "true"` 행은 동시 접속을 허용한다는 의미. 원치 않으면 주석처리.
+
+VNC 포트를 외부에 노출하여 사용하는 것은 안전하지 않다. TigerVNC가 TLS를 지원하나, X11 모듈로
+사용되어 X11 설정으로 옵션을 넘겨주어야 해서 복잡한 설정이 어려울 것이다. 따라서 저자는 VNC 포트를
+개방하지 않고 SSH 터널링으로 VNC 접속하는 방법을 택하였다.
+
+### X 서버 실행
+```
+systemctl set-default graphical.target
+systemctl start graphical.target
+```
+
+Systemd를 사용하지 않는 배포판에서는 gdm을 enable, start하거나 runlevel을 5로 설정하는 등의
+작업을 하여 gdm을 실행한다.
+
+### 접속, 로그인
+**127.0.0.1:15900**에 접속하여 원하는 계정으로 로그인한다. 로그인에 성공하면 VNC로 보이는
+화면이 빈 화면으로 유지되면 정상. **127.0.0.1:15901**로 접속하면 로그인된 GUI 세션을 이용할 수
+있다.
+
+## 외부 링크
+* https://lxtreme.nl/blog/headless-x11/
+* https://wiki.archlinux.org/index.php/TigerVNC#Expose_the_local_display_directly
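Review bot: the xorg.conf fragment (`Option "SecurityTypes" "None"` together with `Option "AlwaysShared" "true"`) makes the X-integrated VNC server an unauthenticated, multi-client listener, and nothing in the file restricts it to the loopback interface, so the "VNC port is not exposed" property stated in the 설정 section rests entirely on the cloud security group or a host firewall. Suggest either adding TigerVNC's `localhost` parameter to the Screen section (`Option "localhost" "true"`, provided the Xorg module honours it the way Xvnc does) or documenting the firewall rule next to the SSH tunnel command, so a later change to the security group cannot silently publish an open desktop. Minor: the DEB package list is still `(TODO)`, and the reason two ports are tunnelled (5900 for the GDM login screen, 5901 for the logged-in user session, as the 접속, 로그인 section implies) is promised in the SSH section but never spelled out.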
diff --git a/writeups/powershell-email/README.md b/writeups/powershell-email/README.md
new file mode 100644
index 0000000..4d815d4
--- /dev/null
+++ b/writeups/powershell-email/README.md
@@ -0,0 +1,43 @@
+# Sending Mail using Powershell
+Turns out, Powershell can be used to send emails through harnessing the power of
+C#. I made this script as a POC as to show how far .Net and Powershell have
+come.
+
+Should work on all platforms that support Powershell.
+
+## Usage
+Copied from the script.
+```sh
+echo 'Hi! it going? Testing my Powershell script.' | \
+ smtp_host=smtp.gmail.com \
+ smtp_username=example@gmail.com \
+ smtp_password='0123456789' \
+ mail_from=alice@gmail.com \
+ mail_to=bob@example.com \
+ mail_subject='Sent using Powershell' \
+ sendmail.ps1 \
+ doc.pdf
+```
+
+## Few Tips
+### Password
+Services like Gmail will require you to get a separate password for external
+apps. Google calls this "App password". Refer to the links below.
+
+* https://support.google.com/accounts/answer/185833
+* https://support.google.com/mail/answer/7126229
+
+Even if the normal password for the account can be used, a separate password
+should always be used for program access. Always check if your email provider
+supports this.
+
+### TLS
+Most services will refuse to serve on unsecure connections. Use `smtp_tls=O`
+only as the last resort.
+
+`smtp_tls_cert` is for TLS CN SASL authentication. if authenticating using this
+method, `smtp_username` and `smtp_password` are not required.
+
+### CC and More
+Didn't think about CC and all the advanced composition. Feel free to add more
+feature to the script that is already monstrous!
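Review bot: the TLS section understates what `smtp_tls=O` does: in the script, opportunistic mode retries the whole send with `EnableSsl` switched off after any failure, so the values of `smtp_username` and `smtp_password` are then transmitted in clear text. Suggest saying that explicitly next to "Use `smtp_tls=O` only as the last resort". Also, "TLS CN SASL authentication" is not quite the mechanism: `smtp_tls_cert` is loaded as a TLS client certificate and presented during the handshake, and whether the server accepts it in place of a username and password depends on the server's configuration, so the sentence should say "TLS client certificate" rather than promise that `smtp_username` and `smtp_password` become unnecessary. Spelling: "unsecure" should be "insecure", "more feature" should be "more features", and "Hi! it going?" in the usage example is missing a word.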
diff --git a/writeups/powershell-email/sendmail.ps1 b/writeups/powershell-email/sendmail.ps1
new file mode 100644
index 0000000..e5500ec
--- /dev/null
+++ b/writeups/powershell-email/sendmail.ps1
@@ -0,0 +1,181 @@
+#!/usr/bin/env pwsh
+
+# Send an email using Powershell.
+# Usage: sendmail.ps1 [attachment 1 [attachment 2 [... attachment N]]]
+#
+# This is a POC on how to send an email using Powershell. The script should work
+# on all platforms. The information required for the script to work is all
+# supplied via environment variables.
+#
+# Env Vars
+# smtp_host
+# smtp_port (best if you let the implementation decide)
+# smtp_tls:
+# 'F' to insist on secure connection (default)
+# 'O' for opportunistic
+# 'N' to disable (default if $smtp_host is "localhost")
+# smtp_tls_cert
+# smtp_username
+# smtp_password
+# mail_from (required)
+# mail_to (required)
+# mail_subject (required)
+#
+# Example
+#```pwsh
+# echo 'Hi! it going? Testing my Powershell script.' | \
+# smtp_host=smtp.gmail.com \
+# smtp_username=example@gmail.com \
+# smtp_password='0123456789' \
+# mail_from=alice@gmail.com \
+# mail_to=bob@example.com \
+# mail_subject='Sent using Powershell' \
+# sendmail.ps1 \
+# doc.pdf
+#```
+using namespace System
+using namespace System.Net
+using namespace System.Security.Cryptography
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+$PSDefaultParameterValues['*:ErrorAction'] = 'Stop'
+
+<#
+.SYNOPSIS
+Get an environment variable and unset it
+
+.PARAMETER Name
+The name of the environment variable to read and unset
+
+.PARAMETER Required
+If set, throw FileNotFoundException if the environment variable requested is not
+set
+
+.NOTES
+The purpose of the function is to get and scrub off the password passed as an
+env var in one go. To preserve the env var, use `GetEnvironmentVariable()`
+directly.
+#>
+function FetchEnv ([string]$Name, [bool]$Required = $false) {
+ $RetVal = [Environment]::GetEnvironmentVariable($Name)
+ [Environment]::SetEnvironmentVariable($Name, '')
+ if ( $RetVal ) {
+ return $RetVal
+ }
+ else {
+ if ($Required) {
+ throw New-Object IO.FileNotFoundException ("${Name}: unset env var")
+ }
+ else {
+ return $null
+ }
+ }
+}
+
+<#
+.SYNOPSIS
+Read data from STDIN until EOF and return data as decoded string
+#>
+function ExhaustStdin () {
+ $stream = New-Object IO.StreamReader ( [Console]::OpenStandardInput() )
+ return $stream.ReadToEnd()
+}
+
+
+######################################################################
+# Execution starts here
+######################################################################
+
+# Compose a message
+$mail = New-Object Mail.MailMessage (
+ (FetchEnv "mail_from" $true),
+ (FetchEnv "mail_to" $true),
+ (FetchEnv "mail_subject" $true),
+ (ExhaustStdin)) # This is the part where the mail body is read from STDIN
+
+# Add attachments
+foreach ($file in $args) {
+ [string]$file = $file
+
+ $a = New-Object Mail.Attachment (
+ $file,
+ # Treat all attachments as binary
+ [System.Net.Mime.MediaTypeNames+Application]::Octet)
+ # Timestamp support
+ $a.ContentDisposition.CreationDate = [IO.File]::GetCreationTime($file)
+ $a.ContentDisposition.ModificationDate = [IO.File]::GetLastWriteTime($file)
+ $a.ContentDisposition.ReadDate = [IO.File]::GetLastAccessTime($file)
+
+ $mail.Attachments.Add($a)
+}
+
+# Set up credentials
+$client_cred = New-Object NetworkCredential (
+ (FetchEnv "smtp_username"),
+ (FetchEnv "smtp_password"))
+
+# Set up client TLS cert
+$tls_cert = FetchEnv("smtp_tls_cert")
+if ($null -ne $tls_cert) {
+ $cert_chain = New-Object X509Certificates.X509Certificate ( $tls_cert )
+}
+else {
+ $cert_chain = $null
+}
+
+# Read target SMTP host
+$smtp_host = FetchEnv "smtp_host"
+if (!$smtp_host) {
+ $smtp_host = "localhost"
+}
+
+# Set up SMTP client object
+$smtp = New-Object Mail.SmtpClient ($smtp_host)
+if ($cert_chain) {
+ $smtp.ClientCertificates.Add($cert_chain)
+}
+$smtp.Credentials = $client_cred
+$smtp_port = FetchEnv "smtp_port"
+if ($smtp_port) {
+ $smtp.Port = [int]$smtp_port
+}
+
+$tlsmode = FetchEnv "smtp_tls"
+if (!$tlsmode) {
+ # Determine the "tlsmode" to default to
+ if ($smtp_host -eq "localhost") {
+ # No need to waste computing power on TLS.
+ # Unless you're paranoid and don't trust the hosts file.
+ $tlsmode = "N"
+ }
+ else {
+ # Transmitting plain text data on the internet nowadays is no-brainer.
+ # Most email services will refuse anyway.
+ $tlsmode = "F"
+ }
+}
+
+# Set `$smtp.EnableSsl` based on `$tlsmode`
+if ($tlsmode -eq "F" -or $tlsmode -eq "O") {
+ $smtp.EnableSsl = $true
+}
+elseif ($tlsmode -eq "N") {
+ $smtp.EnableSsl = $false
+}
+
+try {
+ $smtp.Send($mail)
+}
+catch {
+ if ($tlsmode -eq "O") {
+ # Opportunistic tlsmode. Try again with TLS disabled.
+ # Please think twice and fix the problem before resorting to this bit.
+ $smtp.EnableSsl = $false
+ $smtp.Send($mail)
+ }
+ else {
+ # Let the script die
+ throw $_
+ }
+}
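Review bot: the final `catch` block retries in plaintext on any exception when `$tlsmode` is "O", not only on a failed TLS negotiation, so a wrong password, a rejected recipient or a transient 4xx reply all trigger a second attempt that sends `$client_cred` over an unencrypted session. Suggest narrowing the fallback: inspect `$_.Exception` and retry only when the failure came from the TLS handshake, and consider clearing `$smtp.Credentials` before the plaintext retry so the password never leaves the host in clear. Two caveats belong in a comment near `$smtp.EnableSsl = $true`: `System.Net.Mail.SmtpClient` only speaks STARTTLS, so an `smtp_port` of 465 (implicit TLS) will not work and 587 is the value to document; and Microsoft's own docs steer new code away from `SmtpClient` toward MailKit, which is acceptable for a POC but worth stating in the header. Minor: `FetchEnv("smtp_tls_cert")` uses C-style call syntax while every other call site uses `FetchEnv "name"`; it only works because there is a single argument, so make it consistent before someone adds a second parameter.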
diff --git a/writeups/selfhosting-email/fuckyou-gmail.en.md b/writeups/selfhosting-email/fuckyou-gmail.en.md
new file mode 100644
index 0000000..1bdfe7f
--- /dev/null
+++ b/writeups/selfhosting-email/fuckyou-gmail.en.md
@@ -0,0 +1,100 @@
+# What to do when Gmail marks all the mails from your server as spam
+If you're self-hosting your services and having trouble getting your emails
+through Gmail and infuriated by Google's non-existent support, you're not the
+only one. I'd like to share my experiences trying to get it sorted out.
+
+* https://support.google.com/mail/thread/171517615?hl=en&msgid=172576102
+
+I'm the author of the post above. You can tell how arrogant Google employees are
+from all the previous posts he made in the past.
+
+* https://support.google.com/mail/thread/4857692/how-to-delist-my-ip-address-from-gmail-blacklist?hl=en
+* https://support.google.com/mail/thread/3745648?hl=en
+
+![Mocking Spongebob: There is nothing wrong with out servers. You're doing
+something
+wrong!](https://ashegoulding.github.io/attmnts/fuckyou-gmail.en/stoP-THAt-RiGHT-nOW.en.jpg)
+
+Seriously, fuck these guys.
+
+## The Basics
+Don't embarrase yourself by setting up your servers wrong. Make sure that emails
+have valid DKIM signatures, mail contents are good, rDNS is properly set, MTAs
+use TLS 1.3 with valid certificates, and there's no error in TXT records. You
+have to get those all "PASS" marks and the padlock icon next to the email
+address. This is the very basic. Make sure your servers are complaint before
+sending anything. And whenever you change the settings, **TEST IT** or your IP
+address can be listed because of broken configuration.
+
+Here are the tools I use to diagnose.
+
+- https://www.checktls.com/TestReceiver (most favourable for TLS diagnosis)
+- https://www.mail-tester.com/
+- https://mxtoolbox.com/deliverability
+
+## Getting a clean public IPv4 address
+If you're sure you've got everything right and all the other providers respect
+the mails from your server, it's most likely Google's internal rep list.
+
+Contrary to that guy's claim, it is evident that Google does keep an internal IP
+reputation list. If the IPv4 address you have been assigned is dirty, all the
+email from your server could be marked as spam. Forever. Doesn't matter if
+you've delisted your IP from all known blacklists. Not only Google but also all
+the other major email service providers do not account for the fact that IP
+addresses get passed around and the blacklist entries must expire. **Google DOES
+NOT CARE**. It's our job to ensure that we get clean IP addresses.
+
+There are plenty of posts on the internet on how to check if your IP address is
+dirty, but here are the ones I use.
+
+- https://mxtoolbox.com/blacklists.aspx
+- https://dnschecker.org/ip-blacklist-checker.php
+- https://whatismyipaddress.com/blacklist-check
+- https://cleantalk.org/blacklists
+
+So basically all the tools that show up on the search result.
+
+## IPv6
+It could be safer to just use an IPv6 address for sending emails as the IPv6
+address range is wide and the use of IPv6 addresses is not yet widely spread,
+hence the less chance of getting a dirty address. But there are still MTA's with
+only IPv4 addresses. But at least most of Google's servers use IPv6, so this
+could be the solution for you. See the next section if you're using AWS.
+
+However, if your cloud service provider or your ISP would not support rDNS for
+IPv6 , make sure your server does not send any emails using the IPv6 connection.
+This can be done in many ways.
+
+- Don't assign your machine an IPv6 address at all
+- Disable the setting. For example,
+ - Postfix: `smtp_address_preference` or `inet_interfaces` altogether
+
+There shouldn't be any problem receiving mails via IPv6 connections. But if
+you're paranoid, you can disable IPv6 SMTP connectivity on your daemon or
+firewall.
+
+## Dealing with grumpy AWS support rep
+**AWS will set up a rDNS record for your IPv6 address on request!** Which is
+pretty cool.
+
+However, sometimes your ticket will be assigned to a grumpy representative who
+thinks that they're doing their job right. If your ticket is responded by
+something like "do you know what you're doing, mate?", do not attempt to reason
+with the rep. Instead, toss the ticket in the bin and retry your luck in 2 weeks
+time. Hopefully, your ticket will be assigned to someone generous. It took me 3
+attempts. It's probably because they have to put up with Telstra. It could
+depend on how strict the ISPs are in the part of the world you're in.
+
+This is the link to the tickets I'm talking about:
+
+- https://support.console.aws.amazon.com/support/contacts#/rdns-limits
+
+## Gmail Specific Tests
+There's this awesome tool made by awesome people that lists all the emails
+received by their test accounts. You can use the tool before sending your emails
+to real people's Gmail accounts.
+
+- https://www.gmass.co/inbox
+
+## FUCK YOU GOOGLE
+There I said it.
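Review bot: "The Basics" names DKIM, rDNS, TLS and "no error in TXT records" but never names SPF or DMARC, which are the two TXT records Gmail checks alongside DKIM to produce the "PASS" marks the paragraph refers to; suggest listing them explicitly so the advice is actionable. Also "MTAs use TLS 1.3 with valid certificates" is stricter than what the padlock icon requires, which is a TLS connection with a valid certificate; TLS 1.2 still qualifies, so "TLS with valid certificates" is the accurate wording. Spelling: "embarrase" should be "embarrass", "complaint" should be "compliant", and "out servers" in the image alt text should be "our servers".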