mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-14 08:57:55 +00:00
GITBOOK-3949: change request with no subject merged in GitBook
This commit is contained in:
parent
0a586a7c70
commit
28e205b34c
16 changed files with 231 additions and 160 deletions
@ -22,7 +22,7 @@ dht udp "DHT Nodes"
![](<.gitbook/assets/image (273).png>)
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (6).png>)
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
InfluxDB
@ -401,7 +401,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**
Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`
![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (7).png>)
![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:
@ -61,7 +61,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command)
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
And then use the following code
@ -156,7 +156,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (19).png>)
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (5).png>)
### USB Detective
@ -12,7 +12,7 @@
</details>
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (26).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -172,7 +172,7 @@ echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
```
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (26).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -384,7 +384,7 @@ Now we just copy-paste the text into our windows-shell. And it will automaticall
* [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (26).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -337,7 +337,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (25).png>)
![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (5).png>)
{% hint style="info" %}
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\
@ -404,148 +404,11 @@ I you manage to **inject code in a process** you will be able to abuse the TCC p
### Sandbox
MacOS Sandbox (initially called Seatbelt) makes applications run inside the sandbox **need to request access to resources outside of the limited sandbox**. This helps to ensure that **the application will be accessing only expected resources** and if it wants to access anything else it will need to ask for permissions to the user.
MacOS Sandbox (initially called Seatbelt) **limits applications** running inside the sandbox to the **allowed actions specified in the Sandbox profile** the app is running with. This helps to ensure that **the application will be accessing only expected resources**.
Any app with the **entitlement** `com.apple.security.app-sandbox` will be executed inside the sandbox. **Apple binaries** are usually executed inside a Sanbox and in order to publish inside the **App Store**, **this entitlement is mandatory**. So most applications will be executed inside the sandbox.
In order to control what a process can or cannot do the **Sandbox has hooks** in all **syscalls** across the kernel. **Depending** on the **entitlements** of the app the Sandbox will **allow** certain actions.
Some important components of the Sandbox are:
* The **kernel extension** `/System/Library/Extensions/Sandbox.kext`
* The **private framework** `/System/Library/PrivateFrameworks/AppSandbox.framework`
* A **daemon** running in userland `/usr/libexec/sandboxd`
* The **containers** `~/Library/Containers`
Inside the containers folder you can find **a folder for each app executed sanboxed** with the name of the bundle id:
```bash
ls -l ~/Library/Containers
total 0
drwx------@ 4 username staff 128 May 23 20:20 com.apple.AMPArtworkAgent
drwx------@ 4 username staff 128 May 23 20:13 com.apple.AMPDeviceDiscoveryAgent
drwx------@ 4 username staff 128 Mar 24 18:03 com.apple.AVConference.Diagnostic
drwx------@ 4 username staff 128 Mar 25 14:14 com.apple.Accessibility-Settings.extension
drwx------@ 4 username staff 128 Mar 25 14:10 com.apple.ActionKit.BundledIntentHandler
[...]
```
Inside each bundle id folder you can find the **plist** and the **Data directory** of the App:
```bash
cd /Users/username/Library/Containers/com.apple.Safari
ls -la
total 104
drwx------@ 4 username staff 128 Mar 24 18:08 .
drwx------ 348 username staff 11136 May 23 20:57 ..
-rw-r--r-- 1 username staff 50214 Mar 24 18:08 .com.apple.containermanagerd.metadata.plist
drwx------ 13 username staff 416 Mar 24 18:05 Data
ls -l Data
total 0
drwxr-xr-x@ 8 username staff 256 Mar 24 18:08 CloudKit
lrwxr-xr-x 1 username staff 19 Mar 24 18:02 Desktop -> ../../../../Desktop
drwx------ 2 username staff 64 Mar 24 18:02 Documents
lrwxr-xr-x 1 username staff 21 Mar 24 18:02 Downloads -> ../../../../Downloads
drwx------ 35 username staff 1120 Mar 24 18:08 Library
lrwxr-xr-x 1 username staff 18 Mar 24 18:02 Movies -> ../../../../Movies
lrwxr-xr-x 1 username staff 17 Mar 24 18:02 Music -> ../../../../Music
lrwxr-xr-x 1 username staff 20 Mar 24 18:02 Pictures -> ../../../../Pictures
drwx------ 2 username staff 64 Mar 24 18:02 SystemData
drwx------ 2 username staff 64 Mar 24 18:02 tmp
```
{% hint style="danger" %}
Note that even if the symlinks are there to "escape" from the Sandbox and access other folders, the App still needs to **have permissions** to access them. These permissions are inside the **`.plist`**.
{% endhint %}
```bash
# Get permissions
plutil -convert xml1 .com.apple.containermanagerd.metadata.plist -o -
# In this file you can find the entitlements:
<key>Entitlements</key>
<dict>
<key>com.apple.MobileAsset.PhishingImageClassifier2</key>
<true/>
<key>com.apple.accounts.appleaccount.fullaccess</key>
<true/>
<key>com.apple.appattest.spi</key>
<true/>
[...]
# Some parameters
<key>Parameters</key>
<dict>
<key>_HOME</key>
<string>/Users/username</string>
<key>_UID</key>
<string>501</string>
<key>_USER</key>
<string>username</string>
[...]
# The paths it can access
<key>RedirectablePaths</key>
<array>
<string>/Users/username/Downloads</string>
<string>/Users/username/Documents</string>
<string>/Users/username/Library/Calendars</string>
<string>/Users/username/Desktop</string>
[...]
```
### Sandbox Profiles
The Sandbox profiles are configuration files that indicates what is going to be **allowed/forbidden** in that **Sandbox**. It uses the **Sandbox Profile Language (SBPL)**, which uses the [**Scheme**](https://en.wikipedia.org/wiki/Scheme\_\(programming\_language\)) programming language.
Here you can find an example:
```scheme
(version 1) ; First you get the version
(deny default) ; Then you shuold indicate the default action when no rule applies
(allow network*) ; You can use wildcards and allow everything
(allow file-read* ; You can specify where to apply the rule
(subpath "/Users/username/")
(literal "/tmp/afile")
(regex #"^/private/etc/.*")
)
(allow mach-lookup
(global-name "com.apple.analyticsd")
)
```
{% hint style="success" %}
Check this [**research**](https://reverse.put.as/2011/09/14/apple-sandbox-guide-v1-0/) **to check more actions that could be allowed or denied.**
{% endhint %}
Important **system services** also run inside their own custom **sandbox** such as the mdnsresponder service. You can view these custom **sandbox profiles** written in a language called Sandbox Profile Language (SBPL) inside the **`/usr/share/sandbox`** and **`/System/Library/Sandbox/Profiles`** directories. Other sandbox profiles can be checked in [https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles).
**App Store** apps use the fixed **Mac App Sandbox profile**.
SIP is a Sandbox profile called platform\_profile in /System/Library/Sandbox/rootless.conf
To start an application with a sandbox config you can use:
```bash
# Use -t to rtace the execution
sandbox-exec [-t] -f example.sb /Path/To/The/Application
```
{% hint style="info" %}
Note that the **Apple-authored** **software** that runs on **Windows** **doesn’t have additional security precautions**, such as application sandboxing.
{% endhint %}
Bypasses examples:
* [https://lapcatsoftware.com/articles/sandbox-escape.html](https://lapcatsoftware.com/articles/sandbox-escape.html)
* [https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c](https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c) (they are able to write files outside the sandbox whose name starts with `~$`).
{% content-ref url="macos-sandbox/" %}
[macos-sandbox](macos-sandbox/)
{% endcontent-ref %}
### SIP - System Integrity Protection
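Review bot: the `sandbox-exec [-t] -f example.sb /Path/To/The/Application` line and its comment `# Use -t to rtace the execution` are dropped by this move and do not reappear in the new macos-sandbox/README, which only shows `sandbox-exec -f example.sb /Path/To/The/Application`; either carry the tracing flag over (fixing `rtace` to `trace`) or state in the commit that it was removed on purpose. The `{% content-ref url="macos-sandbox/" %}` block is the right way to point at the moved material, but if the `### Sandbox` heading is kept with only that reference under it, a one-line summary (what the sandbox limits, and that the `com.apple.security.app-sandbox` entitlement opts a process in) would keep this page readable on its own.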
@ -140,7 +140,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate (from APNS)**
* **Certificate chain** includes expired **Apple iPhone Device CA**
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (8).png>)
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### Step 6: Profile Installation
@ -14,9 +14,205 @@
## Basic Information
MacOS Sandbox (initially called Seatbelt) **limits applications** running inside the sandbox to the **allowed actions specified in the Sandbox profile** the app is running with. This helps to ensure that **the application will be accessing only expected resources**.
Any app with the **entitlement** **`com.apple.security.app-sandbox`** will be executed inside the sandbox. **Apple binaries** are usually executed inside a Sanbox and in order to publish inside the **App Store**, **this entitlement is mandatory**. So most applications will be executed inside the sandbox.
### Start Sandbox
In order to control what a process can or cannot do the **Sandbox has hooks** in all **syscalls** across the kernel. **Depending** on the **entitlements** of the app the Sandbox will **allow** certain actions.
Some important components of the Sandbox are:
* The **kernel extension** `/System/Library/Extensions/Sandbox.kext`
* The **private framework** `/System/Library/PrivateFrameworks/AppSandbox.framework`
* A **daemon** running in userland `/usr/libexec/sandboxd`
* The **containers** `~/Library/Containers`
Inside the containers folder you can find **a folder for each app executed sanboxed** with the name of the bundle id:
```bash
ls -l ~/Library/Containers
total 0
drwx------@ 4 username staff 128 May 23 20:20 com.apple.AMPArtworkAgent
drwx------@ 4 username staff 128 May 23 20:13 com.apple.AMPDeviceDiscoveryAgent
drwx------@ 4 username staff 128 Mar 24 18:03 com.apple.AVConference.Diagnostic
drwx------@ 4 username staff 128 Mar 25 14:14 com.apple.Accessibility-Settings.extension
drwx------@ 4 username staff 128 Mar 25 14:10 com.apple.ActionKit.BundledIntentHandler
[...]
```
Inside each bundle id folder you can find the **plist** and the **Data directory** of the App:
```bash
cd /Users/username/Library/Containers/com.apple.Safari
ls -la
total 104
drwx------@ 4 username staff 128 Mar 24 18:08 .
drwx------ 348 username staff 11136 May 23 20:57 ..
-rw-r--r-- 1 username staff 50214 Mar 24 18:08 .com.apple.containermanagerd.metadata.plist
drwx------ 13 username staff 416 Mar 24 18:05 Data
ls -l Data
total 0
drwxr-xr-x@ 8 username staff 256 Mar 24 18:08 CloudKit
lrwxr-xr-x 1 username staff 19 Mar 24 18:02 Desktop -> ../../../../Desktop
drwx------ 2 username staff 64 Mar 24 18:02 Documents
lrwxr-xr-x 1 username staff 21 Mar 24 18:02 Downloads -> ../../../../Downloads
drwx------ 35 username staff 1120 Mar 24 18:08 Library
lrwxr-xr-x 1 username staff 18 Mar 24 18:02 Movies -> ../../../../Movies
lrwxr-xr-x 1 username staff 17 Mar 24 18:02 Music -> ../../../../Music
lrwxr-xr-x 1 username staff 20 Mar 24 18:02 Pictures -> ../../../../Pictures
drwx------ 2 username staff 64 Mar 24 18:02 SystemData
drwx------ 2 username staff 64 Mar 24 18:02 tmp
```
{% hint style="danger" %}
Note that even if the symlinks are there to "escape" from the Sandbox and access other folders, the App still needs to **have permissions** to access them. These permissions are inside the **`.plist`**.
{% endhint %}
```bash
# Get permissions
plutil -convert xml1 .com.apple.containermanagerd.metadata.plist -o -
# In this file you can find the entitlements:
<key>Entitlements</key>
<dict>
<key>com.apple.MobileAsset.PhishingImageClassifier2</key>
<true/>
<key>com.apple.accounts.appleaccount.fullaccess</key>
<true/>
<key>com.apple.appattest.spi</key>
<true/>
[...]
# Some parameters
<key>Parameters</key>
<dict>
<key>_HOME</key>
<string>/Users/username</string>
<key>_UID</key>
<string>501</string>
<key>_USER</key>
<string>username</string>
[...]
# The paths it can access
<key>RedirectablePaths</key>
<array>
<string>/Users/username/Downloads</string>
<string>/Users/username/Documents</string>
<string>/Users/username/Library/Calendars</string>
<string>/Users/username/Desktop</string>
[...]
```
### Sandbox Profiles
The Sandbox profiles are configuration files that indicates what is going to be **allowed/forbidden** in that **Sandbox**. It uses the **Sandbox Profile Language (SBPL)**, which uses the [**Scheme**](https://en.wikipedia.org/wiki/Scheme\_\(programming\_language\)) programming language.
Here you can find an example:
```scheme
(version 1) ; First you get the version
(deny default) ; Then you shuold indicate the default action when no rule applies
(allow network*) ; You can use wildcards and allow everything
(allow file-read* ; You can specify where to apply the rule
(subpath "/Users/username/")
(literal "/tmp/afile")
(regex #"^/private/etc/.*")
)
(allow mach-lookup
(global-name "com.apple.analyticsd")
)
```
{% hint style="success" %}
Check this [**research**](https://reverse.put.as/2011/09/14/apple-sandbox-guide-v1-0/) **to check more actions that could be allowed or denied.**
{% endhint %}
Important **system services** also run inside their own custom **sandbox** such as the `mdnsresponder` service. You can view these custom **sandbox profiles** inside:
* **`/usr/share/sandbox`**
* **`/System/Library/Sandbox/Profiles`** 
* Other sandbox profiles can be checked in [https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles).
**App Store** apps use the **profile** **`/System/Library/Sandbox/Profiles/application.sb`**. You can check in this profile how entitlements such as **`com.apple.security.network.server`** allows a process to use the network.
SIP is a Sandbox profile called platform\_profile in /System/Library/Sandbox/rootless.conf
### Sandbox Profile Examples
To start an application with an **specific sandbox profile** you can use:
```bash
sandbox-exec -f example.sb /Path/To/The/Application
```
{% tabs %}
{% tab title="touch" %}
{% code title="touch.sb" %}
```scheme
(version 1)
(deny default)
(allow file* (literal "/tmp/hacktricks.txt"))
```
{% endcode %}
```bash
# This will fail because default is denied, so it cannot execute touch
sandbox-exec -f touch.sb touch /tmp/hacktricks.txt
# Check logs
log show --style syslog --predicate 'eventMessage contains[c] "sandbox"' --last 30s
[...]
2023-05-26 13:42:44.136082+0200 localhost kernel[0]: (Sandbox) Sandbox: sandbox-exec(41398) deny(1) process-exec* /usr/bin/touch
2023-05-26 13:42:44.136100+0200 localhost kernel[0]: (Sandbox) Sandbox: sandbox-exec(41398) deny(1) file-read-metadata /usr/bin/touch
2023-05-26 13:42:44.136321+0200 localhost kernel[0]: (Sandbox) Sandbox: sandbox-exec(41398) deny(1) file-read-metadata /var
2023-05-26 13:42:52.701382+0200 localhost kernel[0]: (Sandbox) 5 duplicate reports for Sandbox: sandbox-exec(41398) deny(1) file-read-metadata /var
[...]
```
{% code title="touch2.sb" %}
```scheme
(version 1)
(deny default)
(allow file* (literal "/tmp/hacktricks.txt"))
(allow process* (literal "/usr/bin/touch"))
; This will also fail because:
; 2023-05-26 13:44:59.840002+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-metadata /usr/bin/touch
; 2023-05-26 13:44:59.840016+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-data /usr/bin/touch
; 2023-05-26 13:44:59.840028+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-data /usr/bin
; 2023-05-26 13:44:59.840034+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-metadata /usr/lib/dyld
; 2023-05-26 13:44:59.840050+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) sysctl-read kern.bootargs
; 2023-05-26 13:44:59.840061+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-data /
```
{% endcode %}
{% code title="touch3.sb" %}
```scheme
(version 1)
(deny default)
(allow file* (literal "/private/tmp/hacktricks.txt"))
(allow process* (literal "/usr/bin/touch"))
(allow file-read-data (literal "/"))
; This one will work
```
{% endcode %}
{% endtab %}
{% endtabs %}
{% hint style="info" %}
Note that the **Apple-authored** **software** that runs on **Windows** **doesn’t have additional security precautions**, such as application sandboxing.
{% endhint %}
Bypasses examples:
* [https://lapcatsoftware.com/articles/sandbox-escape.html](https://lapcatsoftware.com/articles/sandbox-escape.html)
* [https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c](https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c) (they are able to write files outside the sandbox whose name starts with `~$`).
### Debug & Bypass Sandbox
**Processes are not born sandboxed on macOS: unlike iOS**, where the sandbox is applied by the kernel before the first instruction of a program executes, on macOS **a process must elect to place itself into the sandbox.**
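Review bot: in the tabbed examples, touch3.sb changes the allowed literal from `/tmp/hacktricks.txt` (touch.sb, touch2.sb) to `/private/tmp/hacktricks.txt` and at the same time adds `(allow file-read-data (literal "/"))`, with `; This one will work` as the only explanation, so the reader cannot tell which change fixes which denial. The touch2.sb log ends with `deny(1) file-read-data /`, which the new `file-read-data` rule addresses; the path change is never explained, presumably because the rule is matched against the path under `/private/tmp`, and that should be stated, with the unchanged command line `touch /tmp/hacktricks.txt` shown beside touch3.sb so it is visible that the invocation path stays the same while the rule path differs. Smaller points in the same hunk: `Sanbox` and `sanboxed` in the Basic Information and containers paragraphs, `shuold` in the scheme example comment, `an **specific sandbox profile**` should read `a specific`, the `/System/Library/Sandbox/Profiles` list item carries trailing whitespace, and `{% tabs %}` wraps a single tab.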
@ -23,7 +23,13 @@ The compiler will link `/usr/lib/libSystem.B.dylib` to the binary.
Then, **`libSystem.B`** will be calling other several functions until the **`xpc_pipe_routine`** sends the entitlements of the app to **`securityd`**. Securityd checks if the process should be quarantine inside the Sandbox, and if so, it will be quarentine.\
Finally, the sandbox will be activated will a call to **`__sandbox_ms`** which will call **`__mac_syscall`**.
### Sanbox load debug & bypass
## Possible Bypasses
### Run binary without Sandbox
If you run a binary that won't be sandboxed from a sandboxed binary, it will **run within the sandbox of the parent process**.
### Debug & bypass Sandbox with lldb
Let's compile an application that should be sandboxed:
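Review bot: the heading `### Sanbox load debug & bypass` is left standing directly above the new `## Possible Bypasses` with nothing under it, and an h3 immediately followed by an h2 breaks the outline; remove it (its material now sits under `### Debug & bypass Sandbox with lldb`) or, if it is meant to stay, fix `Sanbox` and give it a body. The `### Run binary without Sandbox` paragraph states that a child inherits the parent's sandbox but not what that means for the section it sits in; one clause saying that launching a non-sandboxed binary is therefore not a bypass on its own would make the subsection's point explicit.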
@ -266,6 +272,12 @@ ld -o shell shell.o -macosx_version_min 13.0
ld: dynamic executables or dylibs must link with libSystem.dylib for architecture arm64
```
### Abusing Write & Execute
If a sandboxed process can **write** in a place where **later an unsandboxed application is going to run the binary**, it will be able to **escape just by placing** there the binary. A good example of this kind of locations are `~/Library/LaunchAgents` or `/System/Library/LaunchDaemons`.
For this you might even need **2 steps**: To make a process with a **more permissive sandbox** (`file-read*`, `file-write*`) to execute your code which will actually write in a place where it will be **executed unsandboxed**.
## References
* [http://newosxbook.com/files/HITSB.pdf](http://newosxbook.com/files/HITSB.pdf)
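Review bot: `/System/Library/LaunchDaemons` should not be offered as an example of a writable drop location: System Integrity Protection (covered under the repository's `### SIP - System Integrity Protection` section) keeps `/System` read-only even for root on a stock install, so the example contradicts itself regardless of the sandbox profile. Keep `~/Library/LaunchAgents` as the example, or qualify the system path with its precondition (SIP disabled). The follow-up sentence, `For this you might even need **2 steps**: To make a process with a **more permissive sandbox** ... to execute your code which will actually write ...`, has no main verb; rephrase it as two numbered steps. The new `## References` section lists only HITSB.pdf; say which claims it supports.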
@ -727,7 +727,7 @@ You can collect console logs through the Xcode **Devices** window as follows:
5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (24).png>)
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (6).png>)
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
@ -332,7 +332,7 @@ C:\xampp\tomcat\conf\server.xml
If you see an error like the following one:
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (18).png>)
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
It means that the server **didn't receive the correct domain name** inside the Host header.\
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
@ -176,7 +176,7 @@ To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
The message _"Incorrect username or password"_ inside a 200 code response should appear if the credentials aren't valid.
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (7).png>)
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (4).png>)
![](<../../.gitbook/assets/image (102).png>)
@ -66,7 +66,7 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (8).png>)
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
### More
@ -22,7 +22,7 @@
## Attacks Graphic
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (20).png>)
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
## Tool
@ -475,7 +475,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (19).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png" alt=""><figcaption></figcaption></figure>
Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that we’re leaving out the `@corp.local` part.
@ -524,7 +524,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (22).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (6).png" alt=""><figcaption></figcaption></figure>
Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that we’re leaving out the `@corp.local` part.
@ -555,7 +555,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (20).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (4).png" alt=""><figcaption></figcaption></figure>
Next, we change the `userPrincipalName` of `Jane` to be `DC$@corp.local`.