Hi. 馃憢

My name is Naz Markuta and I work in cyber security. This website serves as a personal blog where I share my experiences and occasional guides in various topics (mostly in IT). I鈥檝e tried to keep this blog clean and purely content focused.

How to install OpenWRT on QEMU

Overview A short blog on how to install and run the latest version of OpenWRT using QEMU, on a machine with Apple M1. This is similar to my previous blog post on How to build a Debian MIPS image on QEMU. This guide uses the OpenWRT ARMv8 edition, which runs nicely on a Apple M1 chip. It also covers how to install the LuCI web management interface. Download and Install Select and download the necessary files from the link below....

8 April, 2024 路 4 min 路 Naz Markuta

Exploiting a JDBC deserialization vulnerability in MFT Server by JSCAPE

Update: Fixed proof of concept link. Background This research project started back in July 2023, at around the same time when a critical vulnerability in a popular file-sharing software called MoveIt Transfer was disclosed. More details about that particular vulnerability can be found here and here. I was curious and looked for other similar file-sharing software with security issues. And so a few Google searches later, I found a candidate, a software for enterprises called MFT Server by JSCAPE....

22 March, 2024 路 10 min 路 Naz Markuta

Hacking Amazon's eero 6 (part 1)

This is the first in the series of hacking Amazon鈥檚 eero 6 (3rd generation) Wi-Fi device. In this post I will be focusing on device disassembly, identifying pins, brute forcing JTAG, and reading serial output. About Eero is a San Francisco-based wireless Internet company founded in 2015. It is known for making household consumer Wi-Fi products. The company was acquired by Amazon in 2019 for $97 million. Device Specification eero 6 (3rd gen 2020) device specification....

15 June, 2023 路 25 min 路 Naz Markuta

How to block .zip domains with pfSense

A short guide on how to block the entire .zip TLD using pfSense. In particular using a package called pfBlocker-NG, which can be thought of as a 鈥淧iHole鈥 alternative. pfBlocker-NG is capable of much much more but won鈥檛 be covered in this blog. Why is .zip TLD a problem? It鈥檚 simple really, Phishing. Whether it鈥檚 abusing a HTTP URI scheme or using special unicode characters, having a .zip TLD which has always been attributed to the compression file extension is just a bad idea....

25 May, 2023 路 3 min 路 Naz Markuta

PayPal and Passkeys issues since launch

PayPal鈥檚 Help Center - Technical Support post shows how Passkeys work on its platform and how users can add new security devices, this covers both iOS and Android but also desktop systems too. It also goes into more detail on what to do when you鈥檝e lost your device, and much more. TL;DR: As of 26th May 2023, PayPal only supports external security 鈥淧asskeys鈥 keys (such as Yubikeys) for two-factor authentication. Passkeys on mobile devices like iOS or Android still do NOT work, even though you can register one....

25 May, 2023 路 3 min 路 Naz Markuta