t2

2025-10-10 18:36:50 +00:00 · 2025-01-03 01:07:38 +01:00 · 2025-01-03 01:07:38 +01:00 · ad3f52d725
commit ad3f52d725
parent ae1d2e8ee6
300 changed files with 300 additions and 1 deletions
--- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md
@ -71,3 +71,4 @@ macos-system-extensions.md
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md
@ -851,3 +851,4 @@ For more info check:
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
@ -150,3 +150,4 @@ nm -a binaries/com.apple.security.sandbox | wc -l
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md
@ -10,3 +10,4 @@
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md
@ -83,3 +83,4 @@ At the end this was fixed by giving the new permission **`kTCCServiceEndpointSec
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md
@ -635,3 +635,4 @@ litefuzz -s -a tcp://localhost:5900 -i input/screenshared-session --reportcrash
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
@ -797,3 +797,4 @@ call_execve:
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.md
@ -444,3 +444,4 @@ dup2:
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.md
@ -153,3 +153,4 @@ During runtime and additional structure `class_rw_t` is used containing pointers
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md
@ -270,3 +270,4 @@ The directory `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md
@ -44,3 +44,4 @@ For more detailed information on `Info.plist` keys and their meanings, the Apple
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md
@ -166,3 +166,4 @@ productbuild --distribution dist.xml --package-path myapp.pkg final-installer.pk
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md
@ -55,3 +55,4 @@ cd /tmp; wget https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md
@ -275,3 +275,4 @@ These are notifications that the user should see in the screen:
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md
@ -414,3 +414,4 @@ In `__DATA` segment (rw-):
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
@ -277,3 +277,4 @@ Note that to call that function you need to be **the same uid** as the one runni
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
@ -120,3 +120,4 @@ The full POC code for injection into PowerShell is accessible [here](https://gis
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-chromium-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-chromium-injection.md
@ -35,3 +35,4 @@ Find more examples in the tools links
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.md
@ -73,3 +73,4 @@ From macOS Sonoma onwards, modifications inside App bundles are restricted. Howe
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md
@ -270,3 +270,4 @@ Shell binding requested. Check `nc 127.0.0.1 12345`
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.md
@ -378,3 +378,4 @@ static void customConstructor(int argc, const char **argv) {
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/README.md
@ -1287,3 +1287,4 @@ macos-mig-mach-interface-generator.md
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md
@ -404,3 +404,4 @@ The code generated by MIG also calles `kernel_debug` to generate logs about oper
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md
@ -177,3 +177,4 @@ By adhering to these guidelines and utilizing the `threadexec` library, one can
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md
@ -486,3 +486,4 @@ It's possible to find thee communications using `netstat`, `nettop` or the open
 {{#include ../../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md
@ -442,3 +442,4 @@ int main(void) {
 {{#include ../../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md
@ -95,3 +95,4 @@ if ((csFlags & (cs_hard | cs_require_lv)) {
 {{#include ../../../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md
@ -292,3 +292,4 @@ int main(int argc, const char * argv[]) {
 {{#include ../../../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md
@ -125,3 +125,4 @@ Below is a visual representation of the described attack scenario:
 {{#include ../../../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md
@ -174,3 +174,4 @@ Note how interesting is that Android Studio in this example is trying to load th
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md
@ -339,3 +339,4 @@ DYLD_INSERT_LIBRARIES=inject.dylib ./hello-signed # Won't work
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.md
@ -166,3 +166,4 @@ sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.md
@ -316,3 +316,4 @@ find . -type f | xargs grep strcmp| grep key,\ \" | cut -d'"' -f2 | sort -u
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md
@ -72,3 +72,4 @@ For example, if a script is importing **`use File::Basename;`** it would be poss
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-python-applications-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-python-applications-injection.md
@ -20,3 +20,4 @@ BROWSER="/bin/sh -c 'touch /tmp/hacktricks' #%s" python3 -I -W all:0:antigravity
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md
@ -33,3 +33,4 @@ RUBYOPT="-I/tmp -rinject" ruby hello.rb --disable-rubyopt
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md
@ -145,3 +145,4 @@ References and **more information about BTM**:
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.md
@ -131,3 +131,4 @@ iOS AMFI maintains a lost of known hashes which are signed ad-hoc, called the **
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.md
@ -88,3 +88,4 @@ That will fork and exec `/usr/libexec/security_authtrampoline /bin/ls` as root,
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.md
@ -370,3 +370,4 @@ struct cs_blob {
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
@ -171,3 +171,4 @@ Allow the process to **ask for all the TCC permissions**.
 </details>


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md
@ -469,3 +469,4 @@ This feature is particularly useful for preventing certain classes of security v
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md
@ -182,3 +182,4 @@ xattr -l protected
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md
@ -476,3 +476,4 @@ In an ".app" bundle if the quarantine xattr is not added to it, when executing i
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.md
@ -178,3 +178,4 @@ Even if it's required that the application has to be **opened by LaunchService**
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md
@ -253,3 +253,4 @@ __END_DECLS
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md
@ -401,3 +401,4 @@ Sandbox also has a user daemon running exposing the XPC Mach service `com.apple.
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-default-sandbox-debug.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-default-sandbox-debug.md
@ -115,3 +115,4 @@ codesign --remove-signature SandboxedShellApp.app
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md
@ -501,3 +501,4 @@ Process 2517 exited with status = 0 (0x00000000)
 {{#include ../../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.md
@ -52,3 +52,4 @@ The thing is that even if **`python`** was signed by Apple, it **won't execute**
 {{#include ../../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md
@ -281,3 +281,4 @@ mount
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md
@ -604,3 +604,4 @@ macos-tcc-bypasses/
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-events.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-events.md
@ -22,3 +22,4 @@ Sandboxed applications requires privileges like `allow appleevent-send` and `(al
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md
@ -538,3 +538,4 @@ Another way using [**CoreGraphics events**](https://objectivebythesea.org/v2/tal
 {{#include ../../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md
@ -34,3 +34,4 @@ However, there are still some tools that can be used to understand this kind of
 {{#include ../../../../../banners/hacktricks-training.md}}


+
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.md
@ -930,3 +930,4 @@ int main() {
 {{#include ../../../../banners/hacktricks-training.md}}


+
--- a/src/misc/references.md
+++ b/src/misc/references.md
@ -49,3 +49,4 @@
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/README.md
+++ b/src/mobile-pentesting/android-app-pentesting/README.md
@ -777,3 +777,4 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/adb-commands.md
+++ b/src/mobile-pentesting/android-app-pentesting/adb-commands.md
@ -354,3 +354,4 @@ If you want to inspect the content of the backup:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
+++ b/src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
@ -398,3 +398,4 @@ if (dpm.isAdminActive(adminComponent)) {
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/android-task-hijacking.md
+++ b/src/mobile-pentesting/android-app-pentesting/android-task-hijacking.md
@ -47,3 +47,4 @@ To prevent such attacks, developers can set `taskAffinity` to an empty string an
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/apk-decompilers.md
+++ b/src/mobile-pentesting/android-app-pentesting/apk-decompilers.md
@ -62,3 +62,4 @@ This tool can be used to dump the DEX of a running APK in memory. This helps to
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md
+++ b/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md
@ -230,3 +230,4 @@ You can **use the GUI** to take a snapshot of the VM at any time:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
+++ b/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
@ -78,3 +78,4 @@ There are specialized tools and scripts designed to test and bypass authenticati
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/content-protocol.md
+++ b/src/mobile-pentesting/android-app-pentesting/content-protocol.md
@ -92,3 +92,4 @@ Proof-of-Concept HTML:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md
+++ b/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md
@ -299,3 +299,4 @@ run app.package.debuggable
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
+++ b/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
@ -202,3 +202,4 @@ Vulnerable Providers:
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
+++ b/src/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
@ -91,3 +91,4 @@ This example demonstrated how the behavior of a debuggable application can be ma
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md
+++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md
@ -205,3 +205,4 @@ Java.choose("com.example.a11x256.frida_test.my_activity", {
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
+++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
@ -137,3 +137,4 @@ You can see that in [the next tutorial](frida-tutorial-2.md).
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md
+++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md
@ -221,3 +221,4 @@ There is a part 5 that I am not going to explain because there isn't anything ne
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md
+++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md
@ -280,3 +280,4 @@ exit
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md
+++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md
@ -123,3 +123,4 @@ Java.perform(function () {
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md
+++ b/src/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md
@ -69,3 +69,4 @@ You need to do this inside a physical device as (I don't know why) this doesn't
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
+++ b/src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
@ -154,3 +154,4 @@ nsenter --mount=/proc/$APP_PID/ns/mnt -- /bin/mount --bind /system/etc/security/
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/intent-injection.md
+++ b/src/mobile-pentesting/android-app-pentesting/intent-injection.md
@ -5,3 +5,4 @@
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md
+++ b/src/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md
@ -48,3 +48,4 @@ Finally, you need just to **sign the new application**. [Read this section of th
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md
+++ b/src/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md
@ -40,3 +40,4 @@ By executing the code in a controlled environment, dynamic analysis **allows for
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/react-native-application.md
+++ b/src/mobile-pentesting/android-app-pentesting/react-native-application.md
@ -41,3 +41,4 @@ To search for sensitive credentials and endpoints, follow these steps:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
+++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
@ -46,3 +46,4 @@ Android apps can use native libraries, typically written in C or C++, for perfor
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/smali-changes.md
+++ b/src/mobile-pentesting/android-app-pentesting/smali-changes.md
@ -190,3 +190,4 @@ invoke-virtual {v12}, Landroid/widget/Toast;->show()V
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md
+++ b/src/mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md
@ -37,3 +37,4 @@ In situations where an application is restricted to certain countries, and you'r
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/tapjacking.md
+++ b/src/mobile-pentesting/android-app-pentesting/tapjacking.md
@ -65,3 +65,4 @@ The mitigation is relatively simple as the developer may choose not to receive t
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-app-pentesting/webview-attacks.md
+++ b/src/mobile-pentesting/android-app-pentesting/webview-attacks.md
@ -147,3 +147,4 @@ xhr.send(null)
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/android-checklist.md
+++ b/src/mobile-pentesting/android-checklist.md
@ -61,3 +61,4 @@
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/cordova-apps.md
+++ b/src/mobile-pentesting/cordova-apps.md
@ -63,3 +63,4 @@ For those seeking to automate the cloning process, **[MobSecco](https://github.c
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting-checklist.md
+++ b/src/mobile-pentesting/ios-pentesting-checklist.md
@ -93,3 +93,4 @@
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/README.md
+++ b/src/mobile-pentesting/ios-pentesting/README.md
@ -1180,3 +1180,4 @@ otool -L <application_path>
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md
+++ b/src/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md
@ -203,3 +203,4 @@ To install iPad-specific applications on iPhone or iPod touch devices, the **UID
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md
+++ b/src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md
@ -90,3 +90,4 @@ Steps to configure Burp as proxy:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md
+++ b/src/mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md
@ -47,3 +47,4 @@ Adjusting the `-A num, --after-context=num` flag allows for the display of more
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md
+++ b/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md
@ -368,3 +368,4 @@ You can check the crashes in:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/ios-app-extensions.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-app-extensions.md
@ -54,3 +54,4 @@ Tools like `frida-trace` can aid in understanding the underlying processes, espe
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/ios-basics.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-basics.md
@ -138,3 +138,4 @@ This example indicates that the app is compatible with the armv7 instruction set
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md
@ -83,3 +83,4 @@ However, because the malicious app also registered it and because the used brows
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md
@ -261,3 +261,4 @@ Now that you have **enumerated the classes and modules** used by the application
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md
@ -5,3 +5,4 @@
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md
@ -76,3 +76,4 @@ When serializing data, especially to the file system, it's essential to be vigil
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/ios-testing-environment.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-testing-environment.md
@ -130,3 +130,4 @@ You can try to avoid this detections using **objection's** `ios jailbreak disabl
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.md
@ -57,3 +57,4 @@ For **receiving items**, it involves:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/Show More
+++ b/Show More
				`@ -71,3 +71,4 @@ macos-system-extensions.md`
				`{{#include ../../../banners/hacktricks-training.md}}`
				`@ -851,3 +851,4 @@ For more info check:`
				`{{#include ../../../../banners/hacktricks-training.md}}`
				`@ -150,3 +150,4 @@ nm -a binaries/com.apple.security.sandbox \| wc -l`
				`{{#include ../../../banners/hacktricks-training.md}}`
				`@ -10,3 +10,4 @@`
				`{{#include ../../../banners/hacktricks-training.md}}`
				@ -83,3 +83,4 @@ At the end this was fixed by giving the new permission **`kTCCServiceEndpointSec
				`{{#include ../../../banners/hacktricks-training.md}}`
				`@ -635,3 +635,4 @@ litefuzz -s -a tcp://localhost:5900 -i input/screenshared-session --reportcrash`
				`{{#include ../../../banners/hacktricks-training.md}}`
				`@ -797,3 +797,4 @@ call_execve:`
				`{{#include ../../../banners/hacktricks-training.md}}`
				`@ -444,3 +444,4 @@ dup2:`
				`{{#include ../../../banners/hacktricks-training.md}}`
				@ -153,3 +153,4 @@ During runtime and additional structure `class_rw_t` is used containing pointers
				`{{#include ../../../banners/hacktricks-training.md}}`
				@ -270,3 +270,4 @@ The directory `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/
				`{{#include ../../../banners/hacktricks-training.md}}`