translations 2

2025-10-10 18:36:50 +00:00 · 2025-01-02 11:51:00 +01:00 · 2025-01-02 11:51:00 +01:00 · 905e0e00a9
commit 905e0e00a9
parent 6d64e83ab5
300 changed files with 326 additions and 0 deletions
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md
@ -633,3 +633,5 @@ litefuzz -s -a tcp://localhost:5900 -i input/screenshared-session --reportcrash
 - [**The Art of Mac Malware: The Guide to Analyzing Malicious Software**](https://taomm.org/)

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
@ -795,3 +795,5 @@ call_execve:
 ```

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.md
@ -442,3 +442,5 @@ dup2:
 ```

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.md
@ -151,3 +151,5 @@ Then, the struct has a pointer to the struct `class_ro_t` stored on disk which c
 During runtime and additional structure `class_rw_t` is used containing pointers which can be altered such as methods, protocols, properties...

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md
@ -268,3 +268,5 @@ The directory `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/
 - **`/private/var/db/launchd.db/com.apple.launchd/overrides.plist`**: List of daemons deactivated.

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md
@ -42,3 +42,5 @@ This structure ensures that all necessary components are encapsulated within the
 For more detailed information on `Info.plist` keys and their meanings, the Apple developer documentation provides extensive resources: [Apple Info.plist Key Reference](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html).

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md
@ -164,3 +164,5 @@ productbuild --distribution dist.xml --package-path myapp.pkg final-installer.pk
 - [https://redteamrecipe.com/macos-red-teaming?utm_source=pocket_shared#heading-exploiting-installer-packages](https://redteamrecipe.com/macos-red-teaming?utm_source=pocket_shared#heading-exploiting-installer-packages)

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md
@ -53,3 +53,5 @@ cd /tmp; wget https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-
 ```

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md
@ -273,3 +273,5 @@ These are notifications that the user should see in the screen:
 - **`NSUserNotificationCenter`**: This is the iOS bulletin board in MacOS. The database with the notifications in located in `/var/folders/<user temp>/0/com.apple.notificationcenter/db2/db`

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md
@ -412,3 +412,5 @@ In `__DATA` segment (rw-):
 - `_swift_typeref`, `_swift3_capture`, `_swift3_assocty`, `_swift3_types, _swift3_proto`, `_swift3_fieldmd`, `_swift3_builtin`, `_swift3_reflstr`

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
@ -275,3 +275,5 @@ Note that to call that function you need to be **the same uid** as the one runni
 - [https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f)

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
@ -118,3 +118,5 @@ The full POC code for injection into PowerShell is accessible [here](https://gis
 - [https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/](https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/)

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-chromium-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-chromium-injection.md
@ -33,3 +33,5 @@ Find more examples in the tools links
 - [https://twitter.com/RonMasas/status/1758106347222995007](https://twitter.com/RonMasas/status/1758106347222995007)

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.md
@ -71,3 +71,5 @@ From macOS Sonoma onwards, modifications inside App bundles are restricted. Howe
 **Note**: Recent macOS updates have mitigated this exploit by preventing file modifications within app bundles post Gatekeeper caching, rendering the exploit ineffective.

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
@ -268,3 +268,5 @@ Shell binding requested. Check `nc 127.0.0.1 12345`
 - [https://m.youtube.com/watch?v=VWQY5R2A6X8](https://m.youtube.com/watch?v=VWQY5R2A6X8)

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.md
@ -376,3 +376,5 @@ static void customConstructor(int argc, const char **argv) {
 - [https://nshipster.com/method-swizzling/](https://nshipster.com/method-swizzling/)

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/README.md
@ -1285,3 +1285,5 @@ macos-mig-mach-interface-generator.md
 - [https://web.mit.edu/darwin/src/modules/xnu/osfmk/man/task_get_special_port.html](https://web.mit.edu/darwin/src/modules/xnu/osfmk/man/task_get_special_port.html)

 {{#include ../../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md
@ -402,3 +402,5 @@ The code generated by MIG also calles `kernel_debug` to generate logs about oper
 - [\*OS Internals, Volume I, User Mode, Jonathan Levin](https://www.amazon.com/MacOS-iOS-Internals-User-Mode/dp/099105556X)

 {{#include ../../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md
@ -175,3 +175,5 @@ By adhering to these guidelines and utilizing the `threadexec` library, one can
 - [https://bazad.github.io/2018/10/bypassing-platform-binary-task-threads/](https://bazad.github.io/2018/10/bypassing-platform-binary-task-threads/)

 {{#include ../../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md
@ -484,3 +484,5 @@ The communication between BridgeOS and the host occurs through a dedicated IPv6
 It's possible to find thee communications using `netstat`, `nettop` or the open source option, `netbottom`.

 {{#include ../../../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md
@ -440,3 +440,5 @@ int main(void) {
 - [https://theevilbit.github.io/posts/secure_coding_xpc_part1/](https://theevilbit.github.io/posts/secure_coding_xpc_part1/)

 {{#include ../../../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md
@ -94,3 +94,4 @@ if ((csFlags & (cs_hard | cs_require_lv)) {

 {{#include ../../../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md
@ -290,3 +290,5 @@ int main(int argc, const char * argv[]) {
 - [https://saelo.github.io/presentations/warcon18_dont_trust_the_pid.pdf](https://saelo.github.io/presentations/warcon18_dont_trust_the_pid.pdf)

 {{#include ../../../../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md
@ -124,3 +124,4 @@ Below is a visual representation of the described attack scenario:

 {{#include ../../../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md
@ -172,3 +172,5 @@ sudo eslogger lookup | grep vmoption # Give FDA to the Terminal
 Note how interesting is that Android Studio in this example is trying to load the file **`/Applications/Android Studio.app.vmoptions`**, a place where any user from the **`admin` group has write access.**

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md
@ -338,3 +338,4 @@ DYLD_INSERT_LIBRARIES=inject.dylib ./hello-signed # Won't work

 {{#include ../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.md
@ -165,3 +165,4 @@ sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"

 {{#include ../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.md
@ -315,3 +315,4 @@ find . -type f | xargs grep strcmp| grep key,\ \" | cut -d'"' -f2 | sort -u

 {{#include ../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md
@ -70,3 +70,5 @@ For example, if a script is importing **`use File::Basename;`** it would be poss
 - [https://www.youtube.com/watch?v=zxZesAN-TEk](https://www.youtube.com/watch?v=zxZesAN-TEk)

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-python-applications-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-python-applications-injection.md
@ -18,3 +18,5 @@ BROWSER="/bin/sh -c 'touch /tmp/hacktricks' #%s" python3 -I -W all:0:antigravity
 ```

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md
@ -31,3 +31,5 @@ RUBYOPT="-I/tmp -rinject" ruby hello.rb --disable-rubyopt
 ```

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
@ -144,3 +144,4 @@ References and **more information about BTM**:

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.md
@ -130,3 +130,4 @@ iOS AMFI maintains a lost of known hashes which are signed ad-hoc, called the **

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.md
@ -87,3 +87,4 @@ That will fork and exec `/usr/libexec/security_authtrampoline /bin/ls` as root,

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.md
@ -369,3 +369,4 @@ struct cs_blob {

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
@ -170,3 +170,4 @@ Allow the process to **ask for all the TCC permissions**.

 </details>

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md
@ -411,3 +411,4 @@ This feature is particularly useful for preventing certain classes of security v

 {{#include ../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md
@ -181,3 +181,4 @@ xattr -l protected

 {{#include ../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md
@ -481,3 +481,4 @@ In an ".app" bundle if the quarantine xattr is not added to it, when executing i

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.md
@ -177,3 +177,4 @@ Even if it's required that the application has to be **opened by LaunchService**

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md
@ -252,3 +252,4 @@ __END_DECLS

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md
@ -398,3 +398,4 @@ Sandbox also has a user daemon running exposing the XPC Mach service `com.apple.

 {{#include ../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-default-sandbox-debug.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-default-sandbox-debug.md
@ -114,3 +114,4 @@ codesign --remove-signature SandboxedShellApp.app

 {{#include ../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md
@ -323,3 +323,4 @@ Process 2517 exited with status = 0 (0x00000000)

 {{#include ../../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.md
@ -51,3 +51,4 @@ The thing is that even if **`python`** was signed by Apple, it **won't execute**

 {{#include ../../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md
@ -280,3 +280,4 @@ mount

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md
@ -603,3 +603,4 @@ macos-tcc-bypasses/

 {{#include ../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-events.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-events.md
@ -21,3 +21,4 @@ Sandboxed applications requires privileges like `allow appleevent-send` and `(al

 {{#include ../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md
@ -529,3 +529,4 @@ Another way using [**CoreGraphics events**](https://objectivebythesea.org/v2/tal

 {{#include ../../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md
@ -33,3 +33,4 @@ However, there are still some tools that can be used to understand this kind of

 {{#include ../../../../../banners/hacktricks-training.md}}

+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.md
@ -929,3 +929,4 @@ int main() {

 {{#include ../../../../banners/hacktricks-training.md}}

+
--- a/src/misc/references.md
+++ b/src/misc/references.md
@ -48,3 +48,4 @@

 {{#include ../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/README.md
+++ b/src/mobile-pentesting/android-app-pentesting/README.md
@ -832,3 +832,4 @@ Stay informed with the newest bug bounties launching and crucial platform update

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/adb-commands.md
+++ b/src/mobile-pentesting/android-app-pentesting/adb-commands.md
@ -353,3 +353,4 @@ If you want to inspect the content of the backup:

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
+++ b/src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
@ -397,3 +397,4 @@ if (dpm.isAdminActive(adminComponent)) {

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/android-task-hijacking.md
+++ b/src/mobile-pentesting/android-app-pentesting/android-task-hijacking.md
@ -46,3 +46,4 @@ To prevent such attacks, developers can set `taskAffinity` to an empty string an

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/apk-decompilers.md
+++ b/src/mobile-pentesting/android-app-pentesting/apk-decompilers.md
@ -61,3 +61,4 @@ This tool can be used to dump the DEX of a running APK in memory. This helps to

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md
+++ b/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md
@ -229,3 +229,4 @@ You can **use the GUI** to take a snapshot of the VM at any time:

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
+++ b/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
@ -87,3 +87,4 @@ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/content-protocol.md
+++ b/src/mobile-pentesting/android-app-pentesting/content-protocol.md
@ -97,3 +97,4 @@ Proof-of-Concept HTML:

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md
+++ b/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md
@ -306,3 +306,4 @@ run app.package.debuggable

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
+++ b/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
@ -201,3 +201,4 @@ Vulnerable Providers:

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
+++ b/src/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
@ -90,3 +90,4 @@ This example demonstrated how the behavior of a debuggable application can be ma

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md
+++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md
@ -214,3 +214,4 @@ Java.choose("com.example.a11x256.frida_test.my_activity", {

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
+++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
@ -146,3 +146,4 @@ You can see that in [the next tutorial](frida-tutorial-2.md).

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md
+++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md
@ -230,3 +230,4 @@ There is a part 5 that I am not going to explain because there isn't anything ne

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md
+++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md
@ -287,3 +287,4 @@ exit

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md
+++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md
@ -132,3 +132,4 @@ Java.perform(function () {

 {{#include ../../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md
+++ b/src/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md
@ -68,3 +68,4 @@ You need to do this inside a physical device as (I don't know why) this doesn't

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
+++ b/src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
@ -159,3 +159,4 @@ nsenter --mount=/proc/$APP_PID/ns/mnt -- /bin/mount --bind /system/etc/security/

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/intent-injection.md
+++ b/src/mobile-pentesting/android-app-pentesting/intent-injection.md
@ -4,3 +4,4 @@

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md
+++ b/src/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md
@ -47,3 +47,4 @@ Finally, you need just to **sign the new application**. [Read this section of th

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md
+++ b/src/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md
@ -39,3 +39,4 @@ By executing the code in a controlled environment, dynamic analysis **allows for

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/react-native-application.md
+++ b/src/mobile-pentesting/android-app-pentesting/react-native-application.md
@ -40,3 +40,4 @@ To search for sensitive credentials and endpoints, follow these steps:

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
+++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
@ -55,3 +55,4 @@ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/smali-changes.md
+++ b/src/mobile-pentesting/android-app-pentesting/smali-changes.md
@ -199,3 +199,4 @@ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md
+++ b/src/mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md
@ -36,3 +36,4 @@ In situations where an application is restricted to certain countries, and you'r

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/tapjacking.md
+++ b/src/mobile-pentesting/android-app-pentesting/tapjacking.md
@ -70,3 +70,4 @@ The mitigation is relatively simple as the developer may choose not to receive t

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-app-pentesting/webview-attacks.md
+++ b/src/mobile-pentesting/android-app-pentesting/webview-attacks.md
@ -146,3 +146,4 @@ xhr.send(null)

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/android-checklist.md
+++ b/src/mobile-pentesting/android-checklist.md
@ -70,3 +70,4 @@ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and

 {{#include ../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/cordova-apps.md
+++ b/src/mobile-pentesting/cordova-apps.md
@ -62,3 +62,4 @@ For those seeking to automate the cloning process, **[MobSecco](https://github.c

 {{#include ../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting-checklist.md
+++ b/src/mobile-pentesting/ios-pentesting-checklist.md
@ -108,3 +108,4 @@ Get Access Today:

 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

+
--- a/src/mobile-pentesting/ios-pentesting/README.md
+++ b/src/mobile-pentesting/ios-pentesting/README.md
@ -1206,3 +1206,4 @@ Get Access Today:
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ios-pentesting" %}
 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md
+++ b/src/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md
@ -202,3 +202,4 @@ To install iPad-specific applications on iPhone or iPod touch devices, the **UID

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md
+++ b/src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md
@ -103,3 +103,4 @@ Get Access Today:
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=burp-configuration-for-ios" %}
 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md
+++ b/src/mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md
@ -46,3 +46,4 @@ Adjusting the `-A num, --after-context=num` flag allows for the display of more

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md
+++ b/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md
@ -377,3 +377,4 @@ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/ios-app-extensions.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-app-extensions.md
@ -53,3 +53,4 @@ Tools like `frida-trace` can aid in understanding the underlying processes, espe

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/ios-basics.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-basics.md
@ -137,3 +137,4 @@ This example indicates that the app is compatible with the armv7 instruction set

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md
@ -82,3 +82,4 @@ However, because the malicious app also registered it and because the used brows

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md
@ -260,3 +260,4 @@ Now that you have **enumerated the classes and modules** used by the application

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md
@ -4,3 +4,4 @@

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md
@ -75,3 +75,4 @@ When serializing data, especially to the file system, it's essential to be vigil

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/ios-testing-environment.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-testing-environment.md
@ -129,3 +129,4 @@ You can try to avoid this detections using **objection's** `ios jailbreak disabl

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.md
@ -56,3 +56,4 @@ For **receiving items**, it involves:

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/ios-uipasteboard.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-uipasteboard.md
@ -86,3 +86,4 @@ setInterval(function () {

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/ios-universal-links.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-universal-links.md
@ -89,3 +89,4 @@ Through **diligent configuration and validation**, developers can ensure that un

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/ios-pentesting/ios-webviews.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-webviews.md
@ -309,3 +309,4 @@ However, be mindful of the limitations:

 {{#include ../../banners/hacktricks-training.md}}

+
--- a/src/mobile-pentesting/xamarin-apps.md
+++ b/src/mobile-pentesting/xamarin-apps.md
@ -70,3 +70,4 @@ The tool [Uber APK Signer](https://github.com/patrickfav/uber-apk-signer) simpli

 {{#include ../banners/hacktricks-training.md}}

+
--- a/src/network-services-pentesting/10000-network-data-management-protocol-ndmp.md
+++ b/src/network-services-pentesting/10000-network-data-management-protocol-ndmp.md
@ -25,3 +25,4 @@ nmap -n -sV --script "ndmp-fs-info or ndmp-version" -p 10000 <IP> #Both are defa

 {{#include ../banners/hacktricks-training.md}}

+
--- a/Show More
+++ b/Show More
				`@ -94,3 +94,4 @@ if ((csFlags & (cs_hard \| cs_require_lv)) {`

				`{{#include ../../../../../../banners/hacktricks-training.md}}`
				`@ -124,3 +124,4 @@ Below is a visual representation of the described attack scenario:`

				`{{#include ../../../../../../banners/hacktricks-training.md}}`
				`@ -338,3 +338,4 @@ DYLD_INSERT_LIBRARIES=inject.dylib ./hello-signed # Won't work`

				`{{#include ../../../../banners/hacktricks-training.md}}`
				`@ -165,3 +165,4 @@ sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"`

				`{{#include ../../../../banners/hacktricks-training.md}}`
				`@ -315,3 +315,4 @@ find . -type f \| xargs grep strcmp\| grep key,\ \" \| cut -d'"' -f2 \| sort -u`

				`{{#include ../../../../banners/hacktricks-training.md}}`
				`@ -144,3 +144,4 @@ References and more information about BTM:`

				`{{#include ../../../banners/hacktricks-training.md}}`
				`@ -130,3 +130,4 @@ iOS AMFI maintains a lost of known hashes which are signed ad-hoc, called the **`

				`{{#include ../../../banners/hacktricks-training.md}}`
				@ -87,3 +87,4 @@ That will fork and exec `/usr/libexec/security_authtrampoline /bin/ls` as root,

				`{{#include ../../../banners/hacktricks-training.md}}`
				`@ -369,3 +369,4 @@ struct cs_blob {`

				`{{#include ../../../banners/hacktricks-training.md}}`
				`@ -170,3 +170,4 @@ Allow the process to ask for all the TCC permissions.`

				`</details>`