diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 000000000..e70bceed6
Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index e70bceed6..2173ed0a4 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 2173ed0a4..53e9f7c1f 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png
index 53e9f7c1f..0ea1b8586 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png
index 0ea1b8586..b38f1e7c3 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png
index b38f1e7c3..0e554c193 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1).png
index 0e554c193..a8cfa5b77 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1).png
index a8cfa5b77..33c23d55b 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png
index 33c23d55b..bedca8e18 100644
Binary files a/.gitbook/assets/image (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png
index bedca8e18..a0a303a29 100644
Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
index a0a303a29..f9a051e20 100644
Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 000000000..eaa792ed6
Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index eaa792ed6..eb7611c98 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png
index eb7611c98..4ede9266b 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png
index 4ede9266b..d7789e602 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png
index d7789e602..ca4b6651b 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png
index ca4b6651b..0330f840b 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1).png
index 0330f840b..8190e06a7 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1).png
index 8190e06a7..0c49287b0 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1).png b/.gitbook/assets/image (2) (1) (1).png
index 0c49287b0..bedca8e18 100644
Binary files a/.gitbook/assets/image (2) (1) (1).png and b/.gitbook/assets/image (2) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png
index bedca8e18..611702103 100644
Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ
diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png
index 611702103..f0efd5ebd 100644
Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index f0efd5ebd..0b96b38ef 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
diff --git a/README.md b/README.md
index 358f92380..4b1f90d86 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
### [Intigriti](https://www.intigriti.com)
-
+
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.**
diff --git a/backdoors/salseo.md b/backdoors/salseo.md
index 453450c72..1a4205ed0 100644
--- a/backdoors/salseo.md
+++ b/backdoors/salseo.md
@@ -99,7 +99,7 @@ Open the SalseoLoader project using Visual Studio.
### Add before the main function: \[DllExport]
- (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+ (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### Install DllExport for this project
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
index 64995552a..02aff9ebe 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -231,7 +231,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/macos-hardening/macos-auto-start-locations.md b/macos-hardening/macos-auto-start-locations.md
index 613da4115..b3aa25f16 100644
--- a/macos-hardening/macos-auto-start-locations.md
+++ b/macos-hardening/macos-auto-start-locations.md
@@ -449,7 +449,7 @@ The iTerm2 preferences located in **`~/Library/Preferences/com.googlecode.iterm2
This setting can be configured in the iTerm2 settings:
-
+
And the command is reflected in the preferences:
@@ -774,7 +774,7 @@ mv /tmp/folder.scpt "$HOME/Library/Scripts/Folder Action Scripts"
Then, open the `Folder Actions Setup` app, select the **folder you would like to watch** and select in your case **`folder.scpt`** (in my case I called it output2.scp):
-
+
Now, if you open that folder with **Finder**, your script will be executed.
@@ -972,7 +972,7 @@ Writeup: [https://posts.specterops.io/saving-your-access-d562bf5bf90b](https://p
* `~/Library/Screen Savers`
* **Trigger**: Select the screen saver
-
+
#### Description & Exploit
diff --git a/macos-hardening/macos-red-teaming/README.md b/macos-hardening/macos-red-teaming/README.md
index 2a7e3e5e9..503d24c8f 100644
--- a/macos-hardening/macos-red-teaming/README.md
+++ b/macos-hardening/macos-red-teaming/README.md
@@ -53,7 +53,7 @@ Moreover, after finding proper credentials you could be able to brute-force othe
#### JAMF device Authentication
-
+
The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\
Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`**
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md
index 00dc88c44..9d56f95a9 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md
@@ -1144,6 +1144,343 @@ static void customConstructor(int argc, const char **argv)
}
```
+## MIG - Mach Interface Generator
+
+MIG was created to **simplify the process of Mach IPC** code creation. It basically **generates the needed code** for server and client to communicate with a given definition. Even if the generated code is ugly, a developer will just need to import it and his code will be much simpler than before.
+
+### Example
+
+Create a definition file, in this case with a very simple function:
+
+{% code title="myipc.defs" %}
+```cpp
+subsystem myipc 500; // Arbitrary name and id
+
+userprefix USERPREF; // Prefix for created functions in the client
+serverprefix SERVERPREF; // Prefix for created functions in the server
+
+#include
+#include
+
+simpleroutine Subtract(
+ server_port : mach_port_t;
+ n1 : uint32_t;
+ n2 : uint32_t);
+```
+{% endcode %}
+
+Now use mig to generate the server and client code that will be able to comunicate within each other to call the Subtract function:
+
+```bash
+mig -header myipcUser.h -sheader myipcServer.h myipc.defs
+```
+
+Several new files will be created in the current directory.
+
+In the files **`myipcServer.c`** and **`myipcServer.h`** you can find the declaration and definition of the struct **`SERVERPREFmyipc_subsystem`**, which basically defines the function to call based on the received message ID (we indicated a starting number of 500):
+
+{% tabs %}
+{% tab title="myipcServer.c" %}
+```c
+/* Description of this subsystem, for use in direct RPC */
+const struct SERVERPREFmyipc_subsystem SERVERPREFmyipc_subsystem = {
+ myipc_server_routine,
+ 500, // start ID
+ 501, // end ID
+ (mach_msg_size_t)sizeof(union __ReplyUnion__SERVERPREFmyipc_subsystem),
+ (vm_address_t)0,
+ {
+ { (mig_impl_routine_t) 0,
+ // Function to call
+ (mig_stub_routine_t) _XSubtract, 3, 0, (routine_arg_descriptor_t)0, (mach_msg_size_t)sizeof(__Reply__Subtract_t)},
+ }
+};
+```
+{% endtab %}
+
+{% tab title="myipcServer.h" %}
+```c
+/* Description of this subsystem, for use in direct RPC */
+extern const struct SERVERPREFmyipc_subsystem {
+ mig_server_routine_t server; /* Server routine */
+ mach_msg_id_t start; /* Min routine number */
+ mach_msg_id_t end; /* Max routine number + 1 */
+ unsigned int maxsize; /* Max msg size */
+ vm_address_t reserved; /* Reserved */
+ struct routine_descriptor /* Array of routine descriptors */
+ routine[1];
+} SERVERPREFmyipc_subsystem;
+```
+{% endtab %}
+{% endtabs %}
+
+Based on the previous struct the function **`myipc_server_routine`** will get the **message ID** and return the proper function to call:
+
+```c
+mig_external mig_routine_t myipc_server_routine
+ (mach_msg_header_t *InHeadP)
+{
+ int msgh_id;
+
+ msgh_id = InHeadP->msgh_id - 500;
+
+ if ((msgh_id > 0) || (msgh_id < 0))
+ return 0;
+
+ return SERVERPREFmyipc_subsystem.routine[msgh_id].stub_routine;
+}
+```
+
+In this example we only defined 1 function in the definitions, but if we would have defined more, the would have been inside the array of **`SERVERPREFmyipc_subsystem`** and the first one will be assigned to the ID **500**, the second one to the ID **501**...
+
+Actually it's possible to identify this relation in the struct **`subsystem_to_name_map_myipc`** from **`myipcServer.h`**:
+
+```c
+#ifndef subsystem_to_name_map_myipc
+#define subsystem_to_name_map_myipc \
+ { "Subtract", 500 }
+#endif
+```
+
+Finally, another important function to make the server work will be **`myipc_server`**, which is the one that will actually **call the function** related to the received id:
+
+
+
+Check the following code to use the generated code to create a simple server and client where the client can call the functions Subtract from the server:
+
+{% tabs %}
+{% tab title="myipc_server.c" %}
+```c
+// gcc myipc_server.c myipcServer.c -o myipc_server
+
+#include
+#include
+#include
+#include "myipcServer.h"
+
+kern_return_t SERVERPREFSubtract(mach_port_t server_port, uint32_t n1, uint32_t n2)
+{
+ printf("Received: %d - %d = %d\n", n1, n2, n1 - n2);
+ return KERN_SUCCESS;
+}
+
+int main() {
+
+ mach_port_t port;
+ kern_return_t kr;
+
+ // Register the mach service
+ kr = bootstrap_check_in(bootstrap_port, "xyz.hacktricks.mig", &port);
+ if (kr != KERN_SUCCESS) {
+ printf("bootstrap_check_in() failed with code 0x%x\n", kr);
+ return 1;
+ }
+
+ // myipc_server is the function that handles incoming messages (check previous exlpanation)
+ mach_msg_server(myipc_server, sizeof(union __RequestUnion__SERVERPREFmyipc_subsystem), port, MACH_MSG_TIMEOUT_NONE);
+}
+```
+{% endtab %}
+
+{% tab title="myipc_client.c" %}
+```c
+// gcc myipc_client.c myipcUser.c -o myipc_client
+
+#include
+#include
+#include
+
+#include
+#include
+#include "myipcUser.h"
+
+int main() {
+
+ // Lookup the receiver port using the bootstrap server.
+ mach_port_t port;
+ kern_return_t kr = bootstrap_look_up(bootstrap_port, "xyz.hacktricks.mig", &port);
+ if (kr != KERN_SUCCESS) {
+ printf("bootstrap_look_up() failed with code 0x%x\n", kr);
+ return 1;
+ }
+ printf("Port right name %d\n", port);
+ USERPREFSubtract(port, 40, 2);
+}
+```
+{% endtab %}
+{% endtabs %}
+
+## Binary Analysis
+
+As many binaries now use MIG to expose mach ports, it's interesting to know how to **identify that MIG was used** and the **functions that MIG executes** with each message ID.
+
+[**jtool2**](../../macos-apps-inspecting-debugging-and-fuzzing/#jtool2) can parse MIG information from a Mach-O binary indicating the message ID and identifying the function to execute:
+
+```bash
+jtool2 -d __DATA.__const myipc_server | grep MIG
+```
+
+It was previously mentioned that the function that will take care of **calling the correct function depending on the received message ID** was `myipc_server`. However, you usually won't have the symbols of the binary (no functions names), so it's interesting to **check how it looks like decompiled** as it will always be very similar (the code of this function is independent from the functions exposed):
+
+
+
+{% tabs %}
+{% tab title="myipc_server decompiled 1" %}
+
int _myipc_server(int arg0, int arg1) {
+ var_10 = arg0;
+ var_18 = arg1;
+ // Initial instructions to find the proper function ponters
+ *(int32_t *)var_18 = *(int32_t *)var_10 & 0x1f;
+ *(int32_t *)(var_18 + 0x8) = *(int32_t *)(var_10 + 0x8);
+ *(int32_t *)(var_18 + 0x4) = 0x24;
+ *(int32_t *)(var_18 + 0xc) = 0x0;
+ *(int32_t *)(var_18 + 0x14) = *(int32_t *)(var_10 + 0x14) + 0x64;
+ *(int32_t *)(var_18 + 0x10) = 0x0;
+ if (*(int32_t *)(var_10 + 0x14) <= 0x1f4 && *(int32_t *)(var_10 + 0x14) >= 0x1f4) {
+ rax = *(int32_t *)(var_10 + 0x14);
+ // Call to sign_extend_64 that can help to identifyf this function
+ // This stores in rax the pointer to the call that needs to be called
+ // Check the used of the address 0x100004040 (functions addresses array)
+ // 0x1f4 = 500 (the strating ID)
+ rax = *(sign_extend_64(rax - 0x1f4) * 0x28 + 0x100004040);
+ var_20 = rax;
+ // If - else, the if returns false, while the else call the correct function and returns true
+ if (rax == 0x0) {
+ *(var_18 + 0x18) = **_NDR_record;
+ *(int32_t *)(var_18 + 0x20) = 0xfffffffffffffed1;
+ var_4 = 0x0;
+ }
+ else {
+ // Calculated address that calls the proper function with 2 arguments
+ (var_20)(var_10, var_18);
+ var_4 = 0x1;
+ }
+ }
+ else {
+ *(var_18 + 0x18) = **_NDR_record;
+ *(int32_t *)(var_18 + 0x20) = 0xfffffffffffffed1;
+ var_4 = 0x0;
+ }
+ rax = var_4;
+ return rax;
+}
+
+{% endtab %}
+
+{% tab title="myipc_server decompiled 2" %}
+This is the same function decompiled in a difefrent Hopper free version:
+
+
+{% endtab %}
+{% endtabs %}
+
+Actually if you go to the function **`0x100004000`** you will find the array of **`routine_descriptor`** structs, the first element of the struct is the address where the function is implemented and the **struct takes 0x28 bytes**, so each 0x28 bytes (starting from byte 0) you can get 8 bytes and that be the **address of the function** that will be called:
+
+
+
+
+
+This data can be extracted [**using this Hopper script**](https://github.com/knightsc/hopper/blob/master/scripts/MIG%20Detect.py).
+
## References
* [https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md
index aec494f71..5e21dcea7 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md
@@ -302,7 +302,7 @@ authenticate-session-owner, authenticate-session-owner-or-admin, authenticate-se
If you find the function: **`[HelperTool checkAuthorization:command:]`** it's probably the the process is using the previously mentioned schema for authorization:
-
+
Thisn, if this function is calling functions such as `AuthorizationCreateFromExternalForm`, `authorizationRightForCommand`, `AuthorizationCopyRights`, `AuhtorizationFree`, it's using [**EvenBetterAuthorizationSample**](https://github.com/brenwell/EvenBetterAuthorizationSample/blob/e1052a1855d3a5e56db71df5f04e790bfd4389c4/HelperTool/HelperTool.m#L101-L154).
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
index bd7162715..552a1bef1 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
@@ -22,7 +22,7 @@ Obviamente, esto es tan poderoso que es complicado cargar una extensión de kern
* Al entrar en **modo de recuperación**, las extensiones de kernel deben estar **permitidas para ser cargadas**:
-
+
* La extensión de kernel debe estar **firmada con un certificado de firma de código de kernel**, que solo puede ser otorgado por **Apple**. Quien revisará en detalle la **empresa** y las **razones** por las que se necesita.
* La extensión de kernel también debe estar **notarizada**, Apple podrá verificarla en busca de malware.
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md
index 4e8f35166..4eb636c03 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md
@@ -50,6 +50,9 @@ jtool2 -D /bin/ls # Decompile binary
# Get signature information
ARCH=x86_64 jtool2 --sig /System/Applications/Automator.app/Contents/MacOS/Automator
+
+# Get MIG information
+jtool2 -d __DATA.__const myipc_server | grep MIG
```
### Codesign
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
index a66440c19..742c6448d 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
@@ -21,7 +21,7 @@ It creates a 2 of names pipes per .Net process in [dbgtransportsession.cpp#L127]
So, if you go to the users **`$TMPDIR`** you will be able to find **debugging fifos** you could use to debug .Net applications:
-
+
The function [**DbgTransportSession::TransportWorker**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L1259) will handle the communication from a debugger.
diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
index c6e385d54..003786ead 100644
--- a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
+++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -149,7 +149,7 @@ You can see that in [the next tutorial](frida-tutorial-2.md).
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/mobile-pentesting/android-app-pentesting/install-burp-certificate.md b/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
index 1254d388f..fbc71528f 100644
--- a/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
+++ b/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
@@ -52,15 +52,15 @@ Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you n
1. **Install a CA certificate**: Just **drag\&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate`
-
+
* Check that the certificate was correctly stored going to `Trusted credentials` -> `USER`
-
+
2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag\&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:
-
+
* After rebooting, go to `Trusted credentials` -> `SYSTEM` and check the Postswigger cert is there
diff --git a/mobile-pentesting/xamarin-apps.md b/mobile-pentesting/xamarin-apps.md
index 9659b0024..d42051cc7 100644
--- a/mobile-pentesting/xamarin-apps.md
+++ b/mobile-pentesting/xamarin-apps.md
@@ -36,7 +36,7 @@ It runs along with the Objective-C Runtime. The runtime environments run on top
The below-given diagram depicts this architecture:
-
+
### What is .Net Runtime and Mono Framework?
@@ -70,7 +70,7 @@ If you encounter a Full AOT compiled application, and if the IL Assembly files a
Just **unzip the apk/ipa** file and copy all the files present under the assemblies directory:
-
+
In case of Android **APKs these dll files are compressed** and cannot be directly used for decompilation. Luckily there are tools out there that we can use to **uncompress these dll files** like [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) and [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress).
diff --git a/network-services-pentesting/15672-pentesting-rabbitmq-management.md b/network-services-pentesting/15672-pentesting-rabbitmq-management.md
index 1b872f86b..bb0ba65dd 100644
--- a/network-services-pentesting/15672-pentesting-rabbitmq-management.md
+++ b/network-services-pentesting/15672-pentesting-rabbitmq-management.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -60,7 +60,7 @@ Content-Length: 267
* `port:15672 http`
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-ssh.md b/network-services-pentesting/pentesting-ssh.md
index 0ff1e1ce0..9f4efeb51 100644
--- a/network-services-pentesting/pentesting-ssh.md
+++ b/network-services-pentesting/pentesting-ssh.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -313,7 +313,7 @@ id_rsa
* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-web/jboss.md b/network-services-pentesting/pentesting-web/jboss.md
index 6e79ec29a..0b1070b15 100644
--- a/network-services-pentesting/pentesting-web/jboss.md
+++ b/network-services-pentesting/pentesting-web/jboss.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -40,7 +40,7 @@ You can expose **management servlets** via the following paths within JBoss (dep
inurl:status EJInvokerServlet
```
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-web/moodle.md b/network-services-pentesting/pentesting-web/moodle.md
index 208b81760..02f915770 100644
--- a/network-services-pentesting/pentesting-web/moodle.md
+++ b/network-services-pentesting/pentesting-web/moodle.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -120,7 +120,7 @@ find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
/usr/local/bin/mysql -u --password= -e "use moodle; select email,username,password from mdl_user; exit"
```
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/crlf-0d-0a.md b/pentesting-web/crlf-0d-0a.md
index e9c58814d..45a03fc1f 100644
--- a/pentesting-web/crlf-0d-0a.md
+++ b/pentesting-web/crlf-0d-0a.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -249,7 +249,7 @@ The best prevention technique is to not use users input directly inside response
* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)
* [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
index cabeb410a..cbf553966 100644
--- a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
+++ b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -237,7 +237,7 @@ out of band request with the current username
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
* [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/file-inclusion/phar-deserialization.md b/pentesting-web/file-inclusion/phar-deserialization.md
index 155ec0d8c..7c4f68571 100644
--- a/pentesting-web/file-inclusion/phar-deserialization.md
+++ b/pentesting-web/file-inclusion/phar-deserialization.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -89,7 +89,7 @@ php vuln.php
{% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/race-condition.md b/pentesting-web/race-condition.md
index 684644430..a5c442b8c 100644
--- a/pentesting-web/race-condition.md
+++ b/pentesting-web/race-condition.md
@@ -52,7 +52,7 @@ Note that It **doesn't work for static files** on certain servers but as static
Using this technique, you can make 20-30 requests arrive at the server simultaneously - regardless of network jitter:
-
+
**Adapting to the target architecture**
@@ -72,7 +72,7 @@ If connection warming doesn't make any difference, there are various solutions t
Using Turbo Intruder, you can introduce a short client-side delay. However, as this involves splitting your actual attack requests across multiple TCP packets, you won't be able to use the single-packet attack technique. As a result, on high-jitter targets, the attack is unlikely to work reliably regardless of what delay you set.
-
+
Instead, you may be able to solve this problem by abusing a common security feature.
@@ -141,7 +141,7 @@ Content-Length: 0
* For **delaying** the process **between** processing **one request and another** in a 2 substates steps, you could **add extra requests between** both requests.
* For a **multi-endpoint** RC you could start sending the **request** that **goes to the hidden state** and then **50 requests** just after it that **exploits the hidden state**.
-
+
### Raw BF
@@ -238,7 +238,7 @@ Operations that edit existing data (such as changing an account's primary email
Most endpoints operate on a specific record, which is looked up using a 'key', such as a username, password reset token, or filename. For a successful attack, we need two operations that use the same key. For example, picture two plausible password reset implementations:
-
+
2. **Probe for clues**
diff --git a/windows-hardening/active-directory-methodology/silver-ticket.md b/windows-hardening/active-directory-methodology/silver-ticket.md
index bb31da385..b049f13c4 100644
--- a/windows-hardening/active-directory-methodology/silver-ticket.md
+++ b/windows-hardening/active-directory-methodology/silver-ticket.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -168,7 +168,7 @@ mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.loc
[dcsync.md](dcsync.md)
{% endcontent-ref %}
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md b/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
index f1ca230ea..303df5d00 100644
--- a/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
+++ b/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -243,7 +243,7 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
}
```
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
index 9ff685f4d..10c315777 100644
--- a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+++ b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -351,7 +351,7 @@ Find more Autoruns like registries in [https://www.microsoftpressstore.com/artic
* [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/)
* [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 (1) (1).png)
 (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
+ (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -231,7 +231,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
-
.png)
 (1).png)
.png)
 (1).png)
 (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1).png)
.png)
 (1).png)
 (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1).png)
 (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1).png)
 (1) (1) (1).png)
 (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
+ (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -60,7 +60,7 @@ Content-Length: 267
* `port:15672 http`
- (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
+ (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -40,7 +40,7 @@ You can expose **management servlets** via the following paths within JBoss (dep
inurl:status EJInvokerServlet
```
- (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1).png)