GITBOOK-3985: change request with no subject merged in GitBook
BIN
.gitbook/assets/image (10) (2) (1).png
Normal file
After Width: | Height: | Size: 19 KiB |
Before Width: | Height: | Size: 19 KiB After Width: | Height: | Size: 176 KiB |
Before Width: | Height: | Size: 176 KiB After Width: | Height: | Size: 82 KiB |
Before Width: | Height: | Size: 58 KiB |
Before Width: | Height: | Size: 358 KiB |
Before Width: | Height: | Size: 76 KiB After Width: | Height: | Size: 58 KiB |
Before Width: | Height: | Size: 32 KiB After Width: | Height: | Size: 358 KiB |
Before Width: | Height: | Size: 82 KiB After Width: | Height: | Size: 76 KiB |
BIN
.gitbook/assets/image (9) (1) (4).png
Normal file
After Width: | Height: | Size: 138 KiB |
Before Width: | Height: | Size: 138 KiB After Width: | Height: | Size: 165 KiB |
Before Width: | Height: | Size: 165 KiB After Width: | Height: | Size: 32 KiB |
|
@ -101,7 +101,7 @@ In addition to the above WebSec is also a **committed supporter of HackTricks.**
|
||||||
|
|
||||||
### [SYN CUBES](https://www.syncubes.com/)
|
### [SYN CUBES](https://www.syncubes.com/)
|
||||||
|
|
||||||
<figure><img src=".gitbook/assets/image (10) (2).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src=".gitbook/assets/image (10) (2) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
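Review bot: the SYN CUBES logo is repointed from `image (10) (2).png` to the newly added `.gitbook/assets/image (10) (2) (1).png` (19 KiB in the binary list above), but the old asset is not removed by this change request, and the `(n) (m)` suffixes GitBook appends carry no content meaning. Before merging, open both files (or compare their checksums) and confirm the new one is actually the SYN CUBES logo; if the old name is still referenced elsewhere in the book, note that here so nobody cleans it up as an orphan.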
@ -163,7 +163,7 @@ Script arguments:
|
||||||
~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
|
~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (9) (1).png" alt=""><figcaption><p>Dump of traffic during a neighborhood disruption</p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (9) (1) (4).png" alt=""><figcaption><p>Dump of traffic during a neighborhood disruption</p></figcaption></figure>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (27) (1).png" alt=""><figcaption><p>GW1 router endlessly disconnects and reconnects EIGRP</p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (27) (1).png" alt=""><figcaption><p>GW1 router endlessly disconnects and reconnects EIGRP</p></figcaption></figure>
|
||||||
|
|
||||||
|
|
|
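Review bot: the "Dump of traffic during a neighborhood disruption" figure now references the newly added `image (9) (1) (4).png` (138 KiB in the binary list), while the second figure in the same hunk (`image (27) (1).png`, GW1 endlessly reconnecting EIGRP) is untouched. Since the suffix is auto-generated, please verify the new file is the traffic capture and not one of the other screenshots shuffled in this request; the caption would otherwise silently describe the wrong image.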
@ -53,7 +53,7 @@ Don’t be alarmed if the **output is significantly shorter** on your system; th
|
||||||
Cgroups are typically **accessed through the filesystem**. This is in contrast to the traditional Unix system call interface for interacting with the kernel.\
|
Cgroups are typically **accessed through the filesystem**. This is in contrast to the traditional Unix system call interface for interacting with the kernel.\
|
||||||
To explore the cgroup setup of a shell, you can look in the `/proc/self/cgroup` file to find the shell's cgroup, and then navigate to the `/sys/fs/cgroup` (or `/sys/fs/cgroup/unified`) directory and look for a **directory with the same name as the cgroup**. Changing to this directory and looking around will allow you to see the various **settings and resource usage information for the cgroup**.
|
To explore the cgroup setup of a shell, you can look in the `/proc/self/cgroup` file to find the shell's cgroup, and then navigate to the `/sys/fs/cgroup` (or `/sys/fs/cgroup/unified`) directory and look for a **directory with the same name as the cgroup**. Changing to this directory and looking around will allow you to see the various **settings and resource usage information for the cgroup**.
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (10).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (10) (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Among the many files that can be here, **the primary cgroup interface files begin with `cgroup`**. Start by looking at `cgroup.procs` (using cat is fine), which lists the processes in the cgroup. A similar file, `cgroup.threads`, also includes threads.
|
Among the many files that can be here, **the primary cgroup interface files begin with `cgroup`**. Start by looking at `cgroup.procs` (using cat is fine), which lists the processes in the cgroup. A similar file, `cgroup.threads`, also includes threads.
|
||||||
|
|
||||||
|
|
|
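Review bot: the cgroups screenshot is repointed to `image (10) (2).png`, which is exactly the file the README was using as the SYN CUBES sponsor logo on the left side of the first hunk. No `BIN` entry for `image (10) (2).png` appears in the changed-file list above, so its contents were not replaced; unless the two files were swapped outside this request, the Linux cgroups page will render a sponsor logo where the `/sys/fs/cgroup` directory listing belongs. Open the asset and confirm before merging.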
@ -49,7 +49,7 @@ You could use the script [**JamfSniper.py**](https://github.com/WithSecureLabs/J
|
||||||
|
|
||||||
Moreover, after finding proper credentials you could be able to brute-force other usernames with the next form:
|
Moreover, after finding proper credentials you could be able to brute-force other usernames with the next form:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (13).png>)
|
![](<../../.gitbook/assets/image (6).png>)
|
||||||
|
|
||||||
#### JAMF device Authentication
|
#### JAMF device Authentication
|
||||||
|
|
||||||
|
|
|
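Review bot: the JAMF brute-force screenshot is switched from `image (13).png` to `image (6).png`, and `image (6).png` is the file the Endpoint Security page references on the left side of the next hunk. There is no `BIN` entry showing `image (6).png` being modified, so this most likely places the Endpoint Security architecture diagram under "brute-force other usernames with the next form". Please open the asset and confirm it shows the JAMF authentication form.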
@ -56,7 +56,7 @@ The events that the Endpoint Security framework can monitor are categorized into
|
||||||
|
|
||||||
### Endpoint Security Framework Architecture
|
### Endpoint Security Framework Architecture
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (8).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**User-space communication** with the Endpoint Security framework happens through the IOUserClient class. Two different subclasses are used, depending on the type of caller:
|
**User-space communication** with the Endpoint Security framework happens through the IOUserClient class. Two different subclasses are used, depending on the type of caller:
|
||||||
|
|
||||||
|
|
|
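Review bot: the Endpoint Security Framework architecture figure is repointed to `image (8).png`, which does not appear in the binary file list, so it must be a pre-existing asset; confirm it is the architecture diagram (ESF client, `IOUserClient` subclasses) and not a screenshot left over from another page. The trailing context line "Two different subclasses are used, depending on the type of caller:" ends with a colon, so the list that follows it must still be intact after the figure swap.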
@ -64,9 +64,15 @@ This is a [public function](https://developer.apple.com/documentation/security/1
|
||||||
|
|
||||||
For more info check this talk: [https://www.youtube.com/watch?v=lTOItyjTTkw](https://www.youtube.com/watch?v=lTOItyjTTkw)
|
For more info check this talk: [https://www.youtube.com/watch?v=lTOItyjTTkw](https://www.youtube.com/watch?v=lTOItyjTTkw)
|
||||||
|
|
||||||
|
### Execution by mounting
|
||||||
|
|
||||||
|
If an installer writes to `/tmp/fixedname/bla/bla`, it's possible to **create a mount** over `/tmp/fixedname` with noowners so you could **modify any file during the installation** to abuse the installation process.
|
||||||
|
|
||||||
|
An example of this is **CVE-2021-26089** which managed to **overwrite a periodic script** to get execution as root. For more information take a look to the talk: [**OBTS v4.0: "Mount(ain) of Bugs" - Csaba Fitzl**](https://www.youtube.com/watch?v=jSYPazD4VcE)
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [https://www.youtube.com/watch?v=iASSG0\_zobQ](https://www.youtube.com/watch?v=iASSG0\_zobQ)
|
* [**DEF CON 27 - Unpacking Pkgs A Look Inside Macos Installer Packages And Common Security Flaws**](https://www.youtube.com/watch?v=iASSG0\_zobQ)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
|
|
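Review bot: the new "Execution by mounting" section states the trick but not the two conditions that make it work, which should be spelled out in the added lines: the installer must run with higher privileges and write to a fixed, predictable path under `/tmp` (the `/tmp/fixedname/bla/bla` example), and the volume mounted over `/tmp/fixedname` must be mounted with `noowners`, which makes every file on it appear owned by the mounting user, so the privileged installer's writes land in files the attacker controls. Suggest rewording the second paragraph to "For more information take a look at the talk" and double-checking the CVE identifier against the linked "Mount(ain) of Bugs" talk, since the page offers no other source for it. The reference rename from a bare URL to the titled DEF CON 27 link is a good change.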
@ -387,7 +387,7 @@ The folder **`/var/db/locationd/` wasn't protected from DMG mounting** so it was
|
||||||
|
|
||||||
In several occasions files will store sensitive information like emails, phone numbers, messages... in non protected locations (which count as a vulnerability in Apple).
|
In several occasions files will store sensitive information like emails, phone numbers, messages... in non protected locations (which count as a vulnerability in Apple).
|
||||||
|
|
||||||
<figure><img src="../../../../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../../.gitbook/assets/image (9).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
|
|
|
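Review bot: the figure under "files will store sensitive information" is repointed from `image (7).png` to `image (9).png`, and `image (9).png` is the file the PostgreSQL page was using for its "execute commands" screenshot on the left side of the last hunk; there is no `BIN` entry for it, so the contents are unchanged. Verify the asset shows the unprotected macOS data location and not a PostgreSQL session. While touching these lines, the context sentence reads better as "On several occasions files will store sensitive information ... in non-protected locations (which Apple counts as a vulnerability)".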
@ -601,7 +601,7 @@ WITH (create_slot = false); INSERT INTO public.test3(data) VALUES(current_user);
|
||||||
|
|
||||||
And then **execute commands**:
|
And then **execute commands**:
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (9).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (9) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### Pass Burteforce with PL/pgSQL
|
### Pass Burteforce with PL/pgSQL
|
||||||
|
|
||||||
|
|
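Review bot: the PostgreSQL "execute commands" screenshot now references `image (9) (1).png`, which was the EIGRP traffic dump on the left side of the second hunk and has no `BIN` entry in this request, so it likely still contains the EIGRP capture. Confirm the image shows command execution through the replication/subscription trick before merging. The unchanged heading "### Pass Burteforce with PL/pgSQL" has a typo and should become "Password Bruteforce with PL/pgSQL" in a follow-up.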