GITBOOK-4111: change request with no subject merged in GitBook
After Width: | Height: | Size: 1.6 KiB |
Before Width: | Height: | Size: 1.6 KiB After Width: | Height: | Size: 16 KiB |
Before Width: | Height: | Size: 16 KiB After Width: | Height: | Size: 132 KiB |
Before Width: | Height: | Size: 132 KiB After Width: | Height: | Size: 20 KiB |
Before Width: | Height: | Size: 20 KiB After Width: | Height: | Size: 8.1 KiB |
Before Width: | Height: | Size: 8.1 KiB After Width: | Height: | Size: 51 KiB |
Before Width: | Height: | Size: 51 KiB After Width: | Height: | Size: 32 KiB |
Before Width: | Height: | Size: 32 KiB After Width: | Height: | Size: 39 KiB |
Before Width: | Height: | Size: 39 KiB After Width: | Height: | Size: 72 KiB |
Before Width: | Height: | Size: 72 KiB After Width: | Height: | Size: 322 KiB |
Before Width: | Height: | Size: 322 KiB After Width: | Height: | Size: 36 KiB |
After Width: | Height: | Size: 94 KiB |
Before Width: | Height: | Size: 94 KiB After Width: | Height: | Size: 199 KiB |
Before Width: | Height: | Size: 199 KiB After Width: | Height: | Size: 145 KiB |
Before Width: | Height: | Size: 145 KiB After Width: | Height: | Size: 1.2 MiB |
Before Width: | Height: | Size: 1.2 MiB After Width: | Height: | Size: 100 KiB |
Before Width: | Height: | Size: 100 KiB After Width: | Height: | Size: 12 KiB |
Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 121 KiB |
Before Width: | Height: | Size: 121 KiB After Width: | Height: | Size: 7 KiB |
Before Width: | Height: | Size: 7 KiB After Width: | Height: | Size: 72 KiB |
Before Width: | Height: | Size: 72 KiB After Width: | Height: | Size: 60 KiB |
Before Width: | Height: | Size: 60 KiB After Width: | Height: | Size: 223 KiB |
Before Width: | Height: | Size: 223 KiB After Width: | Height: | Size: 34 KiB |
|
@ -40,7 +40,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
|
||||||
|
|
||||||
### [Intigriti](https://www.intigriti.com)
|
### [Intigriti](https://www.intigriti.com)
|
||||||
|
|
||||||
<figure><img src=".gitbook/assets/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src=".gitbook/assets/image (2) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.**
|
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.**
|
||||||
|
|
||||||
|
|
|
@ -99,7 +99,7 @@ Open the SalseoLoader project using Visual Studio.
|
||||||
|
|
||||||
### Add before the main function: \[DllExport]
|
### Add before the main function: \[DllExport]
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||||
|
|
||||||
### Install DllExport for this project
|
### Install DllExport for this project
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -231,7 +231,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
|
||||||
|
|
||||||
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
|
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
|
||||||
|
|
||||||
<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -449,7 +449,7 @@ The iTerm2 preferences located in **`~/Library/Preferences/com.googlecode.iterm2
|
||||||
|
|
||||||
This setting can be configured in the iTerm2 settings:
|
This setting can be configured in the iTerm2 settings:
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image.png" alt="" width="563"><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (2).png" alt="" width="563"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
And the command is reflected in the preferences:
|
And the command is reflected in the preferences:
|
||||||
|
|
||||||
|
@ -774,7 +774,7 @@ mv /tmp/folder.scpt "$HOME/Library/Scripts/Folder Action Scripts"
|
||||||
|
|
||||||
Then, open the `Folder Actions Setup` app, select the **folder you would like to watch** and select in your case **`folder.scpt`** (in my case I called it output2.scp):
|
Then, open the `Folder Actions Setup` app, select the **folder you would like to watch** and select in your case **`folder.scpt`** (in my case I called it output2.scp):
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (2).png" alt="" width="297"><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (2) (1).png" alt="" width="297"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Now, if you open that folder with **Finder**, your script will be executed.
|
Now, if you open that folder with **Finder**, your script will be executed.
|
||||||
|
|
||||||
|
@ -972,7 +972,7 @@ Writeup: [https://posts.specterops.io/saving-your-access-d562bf5bf90b](https://p
|
||||||
* `~/Library/Screen Savers`
|
* `~/Library/Screen Savers`
|
||||||
* **Trigger**: Select the screen saver
|
* **Trigger**: Select the screen saver
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1).png" alt="" width="375"><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (1).png" alt="" width="375"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
#### Description & Exploit
|
#### Description & Exploit
|
||||||
|
|
||||||
|
|
|
@ -53,7 +53,7 @@ Moreover, after finding proper credentials you could be able to brute-force othe
|
||||||
|
|
||||||
#### JAMF device Authentication
|
#### JAMF device Authentication
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\
|
The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\
|
||||||
Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`**
|
Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`**
|
||||||
|
|
|
@ -1144,6 +1144,343 @@ static void customConstructor(int argc, const char **argv)
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## MIG - Mach Interface Generator
|
||||||
|
|
||||||
|
MIG was created to **simplify the process of Mach IPC** code creation. It basically **generates the needed code** for server and client to communicate with a given definition. Even if the generated code is ugly, a developer will just need to import it and his code will be much simpler than before.
|
||||||
|
|
||||||
|
### Example
|
||||||
|
|
||||||
|
Create a definition file, in this case with a very simple function:
|
||||||
|
|
||||||
|
{% code title="myipc.defs" %}
|
||||||
|
```cpp
|
||||||
|
subsystem myipc 500; // Arbitrary name and id
|
||||||
|
|
||||||
|
userprefix USERPREF; // Prefix for created functions in the client
|
||||||
|
serverprefix SERVERPREF; // Prefix for created functions in the server
|
||||||
|
|
||||||
|
#include <mach/mach_types.defs>
|
||||||
|
#include <mach/std_types.defs>
|
||||||
|
|
||||||
|
simpleroutine Subtract(
|
||||||
|
server_port : mach_port_t;
|
||||||
|
n1 : uint32_t;
|
||||||
|
n2 : uint32_t);
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
Now use mig to generate the server and client code that will be able to comunicate within each other to call the Subtract function:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mig -header myipcUser.h -sheader myipcServer.h myipc.defs
|
||||||
|
```
|
||||||
|
|
||||||
|
Several new files will be created in the current directory.
|
||||||
|
|
||||||
|
In the files **`myipcServer.c`** and **`myipcServer.h`** you can find the declaration and definition of the struct **`SERVERPREFmyipc_subsystem`**, which basically defines the function to call based on the received message ID (we indicated a starting number of 500):
|
||||||
|
|
||||||
|
{% tabs %}
|
||||||
|
{% tab title="myipcServer.c" %}
|
||||||
|
```c
|
||||||
|
/* Description of this subsystem, for use in direct RPC */
|
||||||
|
const struct SERVERPREFmyipc_subsystem SERVERPREFmyipc_subsystem = {
|
||||||
|
myipc_server_routine,
|
||||||
|
500, // start ID
|
||||||
|
501, // end ID
|
||||||
|
(mach_msg_size_t)sizeof(union __ReplyUnion__SERVERPREFmyipc_subsystem),
|
||||||
|
(vm_address_t)0,
|
||||||
|
{
|
||||||
|
{ (mig_impl_routine_t) 0,
|
||||||
|
// Function to call
|
||||||
|
(mig_stub_routine_t) _XSubtract, 3, 0, (routine_arg_descriptor_t)0, (mach_msg_size_t)sizeof(__Reply__Subtract_t)},
|
||||||
|
}
|
||||||
|
};
|
||||||
|
```
|
||||||
|
{% endtab %}
|
||||||
|
|
||||||
|
{% tab title="myipcServer.h" %}
|
||||||
|
```c
|
||||||
|
/* Description of this subsystem, for use in direct RPC */
|
||||||
|
extern const struct SERVERPREFmyipc_subsystem {
|
||||||
|
mig_server_routine_t server; /* Server routine */
|
||||||
|
mach_msg_id_t start; /* Min routine number */
|
||||||
|
mach_msg_id_t end; /* Max routine number + 1 */
|
||||||
|
unsigned int maxsize; /* Max msg size */
|
||||||
|
vm_address_t reserved; /* Reserved */
|
||||||
|
struct routine_descriptor /* Array of routine descriptors */
|
||||||
|
routine[1];
|
||||||
|
} SERVERPREFmyipc_subsystem;
|
||||||
|
```
|
||||||
|
{% endtab %}
|
||||||
|
{% endtabs %}
|
||||||
|
|
||||||
|
Based on the previous struct the function **`myipc_server_routine`** will get the **message ID** and return the proper function to call:
|
||||||
|
|
||||||
|
```c
|
||||||
|
mig_external mig_routine_t myipc_server_routine
|
||||||
|
(mach_msg_header_t *InHeadP)
|
||||||
|
{
|
||||||
|
int msgh_id;
|
||||||
|
|
||||||
|
msgh_id = InHeadP->msgh_id - 500;
|
||||||
|
|
||||||
|
if ((msgh_id > 0) || (msgh_id < 0))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
return SERVERPREFmyipc_subsystem.routine[msgh_id].stub_routine;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
In this example we only defined 1 function in the definitions, but if we would have defined more, the would have been inside the array of **`SERVERPREFmyipc_subsystem`** and the first one will be assigned to the ID **500**, the second one to the ID **501**...
|
||||||
|
|
||||||
|
Actually it's possible to identify this relation in the struct **`subsystem_to_name_map_myipc`** from **`myipcServer.h`**:
|
||||||
|
|
||||||
|
```c
|
||||||
|
#ifndef subsystem_to_name_map_myipc
|
||||||
|
#define subsystem_to_name_map_myipc \
|
||||||
|
{ "Subtract", 500 }
|
||||||
|
#endif
|
||||||
|
```
|
||||||
|
|
||||||
|
Finally, another important function to make the server work will be **`myipc_server`**, which is the one that will actually **call the function** related to the received id:
|
||||||
|
|
||||||
|
<pre class="language-c"><code class="lang-c">mig_external boolean_t myipc_server
|
||||||
|
(mach_msg_header_t *InHeadP, mach_msg_header_t *OutHeadP)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* typedef struct {
|
||||||
|
* mach_msg_header_t Head;
|
||||||
|
* NDR_record_t NDR;
|
||||||
|
* kern_return_t RetCode;
|
||||||
|
* } mig_reply_error_t;
|
||||||
|
*/
|
||||||
|
|
||||||
|
mig_routine_t routine;
|
||||||
|
|
||||||
|
OutHeadP->msgh_bits = MACH_MSGH_BITS(MACH_MSGH_BITS_REPLY(InHeadP->msgh_bits), 0);
|
||||||
|
OutHeadP->msgh_remote_port = InHeadP->msgh_reply_port;
|
||||||
|
/* Minimal size: routine() will update it if different */
|
||||||
|
OutHeadP->msgh_size = (mach_msg_size_t)sizeof(mig_reply_error_t);
|
||||||
|
OutHeadP->msgh_local_port = MACH_PORT_NULL;
|
||||||
|
OutHeadP->msgh_id = InHeadP->msgh_id + 100;
|
||||||
|
OutHeadP->msgh_reserved = 0;
|
||||||
|
|
||||||
|
if ((InHeadP->msgh_id > 500) || (InHeadP->msgh_id < 500) ||
|
||||||
|
<strong> ((routine = SERVERPREFmyipc_subsystem.routine[InHeadP->msgh_id - 500].stub_routine) == 0)) {
|
||||||
|
</strong> ((mig_reply_error_t *)OutHeadP)->NDR = NDR_record;
|
||||||
|
((mig_reply_error_t *)OutHeadP)->RetCode = MIG_BAD_ID;
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
<strong> (*routine) (InHeadP, OutHeadP);
|
||||||
|
</strong> return TRUE;
|
||||||
|
}
|
||||||
|
</code></pre>
|
||||||
|
|
||||||
|
Check the following code to use the generated code to create a simple server and client where the client can call the functions Subtract from the server:
|
||||||
|
|
||||||
|
{% tabs %}
|
||||||
|
{% tab title="myipc_server.c" %}
|
||||||
|
```c
|
||||||
|
// gcc myipc_server.c myipcServer.c -o myipc_server
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <mach/mach.h>
|
||||||
|
#include <servers/bootstrap.h>
|
||||||
|
#include "myipcServer.h"
|
||||||
|
|
||||||
|
kern_return_t SERVERPREFSubtract(mach_port_t server_port, uint32_t n1, uint32_t n2)
|
||||||
|
{
|
||||||
|
printf("Received: %d - %d = %d\n", n1, n2, n1 - n2);
|
||||||
|
return KERN_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
|
||||||
|
mach_port_t port;
|
||||||
|
kern_return_t kr;
|
||||||
|
|
||||||
|
// Register the mach service
|
||||||
|
kr = bootstrap_check_in(bootstrap_port, "xyz.hacktricks.mig", &port);
|
||||||
|
if (kr != KERN_SUCCESS) {
|
||||||
|
printf("bootstrap_check_in() failed with code 0x%x\n", kr);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
// myipc_server is the function that handles incoming messages (check previous exlpanation)
|
||||||
|
mach_msg_server(myipc_server, sizeof(union __RequestUnion__SERVERPREFmyipc_subsystem), port, MACH_MSG_TIMEOUT_NONE);
|
||||||
|
}
|
||||||
|
```
|
||||||
|
{% endtab %}
|
||||||
|
|
||||||
|
{% tab title="myipc_client.c" %}
|
||||||
|
```c
|
||||||
|
// gcc myipc_client.c myipcUser.c -o myipc_client
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
#include <mach/mach.h>
|
||||||
|
#include <servers/bootstrap.h>
|
||||||
|
#include "myipcUser.h"
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
|
||||||
|
// Lookup the receiver port using the bootstrap server.
|
||||||
|
mach_port_t port;
|
||||||
|
kern_return_t kr = bootstrap_look_up(bootstrap_port, "xyz.hacktricks.mig", &port);
|
||||||
|
if (kr != KERN_SUCCESS) {
|
||||||
|
printf("bootstrap_look_up() failed with code 0x%x\n", kr);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
printf("Port right name %d\n", port);
|
||||||
|
USERPREFSubtract(port, 40, 2);
|
||||||
|
}
|
||||||
|
```
|
||||||
|
{% endtab %}
|
||||||
|
{% endtabs %}
|
||||||
|
|
||||||
|
## Binary Analysis
|
||||||
|
|
||||||
|
As many binaries now use MIG to expose mach ports, it's interesting to know how to **identify that MIG was used** and the **functions that MIG executes** with each message ID.
|
||||||
|
|
||||||
|
[**jtool2**](../../macos-apps-inspecting-debugging-and-fuzzing/#jtool2) can parse MIG information from a Mach-O binary indicating the message ID and identifying the function to execute:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
jtool2 -d __DATA.__const myipc_server | grep MIG
|
||||||
|
```
|
||||||
|
|
||||||
|
It was previously mentioned that the function that will take care of **calling the correct function depending on the received message ID** was `myipc_server`. However, you usually won't have the symbols of the binary (no functions names), so it's interesting to **check how it looks like decompiled** as it will always be very similar (the code of this function is independent from the functions exposed):
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
{% tabs %}
|
||||||
|
{% tab title="myipc_server decompiled 1" %}
|
||||||
|
<pre class="language-c"><code class="lang-c">int _myipc_server(int arg0, int arg1) {
|
||||||
|
var_10 = arg0;
|
||||||
|
var_18 = arg1;
|
||||||
|
// Initial instructions to find the proper function ponters
|
||||||
|
*(int32_t *)var_18 = *(int32_t *)var_10 & 0x1f;
|
||||||
|
*(int32_t *)(var_18 + 0x8) = *(int32_t *)(var_10 + 0x8);
|
||||||
|
*(int32_t *)(var_18 + 0x4) = 0x24;
|
||||||
|
*(int32_t *)(var_18 + 0xc) = 0x0;
|
||||||
|
*(int32_t *)(var_18 + 0x14) = *(int32_t *)(var_10 + 0x14) + 0x64;
|
||||||
|
*(int32_t *)(var_18 + 0x10) = 0x0;
|
||||||
|
if (*(int32_t *)(var_10 + 0x14) <= 0x1f4 && *(int32_t *)(var_10 + 0x14) >= 0x1f4) {
|
||||||
|
rax = *(int32_t *)(var_10 + 0x14);
|
||||||
|
// Call to sign_extend_64 that can help to identifyf this function
|
||||||
|
// This stores in rax the pointer to the call that needs to be called
|
||||||
|
// Check the used of the address 0x100004040 (functions addresses array)
|
||||||
|
// 0x1f4 = 500 (the strating ID)
|
||||||
|
<strong> rax = *(sign_extend_64(rax - 0x1f4) * 0x28 + 0x100004040);
|
||||||
|
</strong> var_20 = rax;
|
||||||
|
// If - else, the if returns false, while the else call the correct function and returns true
|
||||||
|
<strong> if (rax == 0x0) {
|
||||||
|
</strong> *(var_18 + 0x18) = **_NDR_record;
|
||||||
|
*(int32_t *)(var_18 + 0x20) = 0xfffffffffffffed1;
|
||||||
|
var_4 = 0x0;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
// Calculated address that calls the proper function with 2 arguments
|
||||||
|
<strong> (var_20)(var_10, var_18);
|
||||||
|
</strong> var_4 = 0x1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
*(var_18 + 0x18) = **_NDR_record;
|
||||||
|
*(int32_t *)(var_18 + 0x20) = 0xfffffffffffffed1;
|
||||||
|
var_4 = 0x0;
|
||||||
|
}
|
||||||
|
rax = var_4;
|
||||||
|
return rax;
|
||||||
|
}
|
||||||
|
</code></pre>
|
||||||
|
{% endtab %}
|
||||||
|
|
||||||
|
{% tab title="myipc_server decompiled 2" %}
|
||||||
|
This is the same function decompiled in a difefrent Hopper free version:
|
||||||
|
|
||||||
|
<pre class="language-c"><code class="lang-c">int _myipc_server(int arg0, int arg1) {
|
||||||
|
r31 = r31 - 0x40;
|
||||||
|
saved_fp = r29;
|
||||||
|
stack[-8] = r30;
|
||||||
|
var_10 = arg0;
|
||||||
|
var_18 = arg1;
|
||||||
|
// Initial instructions to find the proper function ponters
|
||||||
|
*(int32_t *)var_18 = *(int32_t *)var_10 & 0x1f | 0x0;
|
||||||
|
*(int32_t *)(var_18 + 0x8) = *(int32_t *)(var_10 + 0x8);
|
||||||
|
*(int32_t *)(var_18 + 0x4) = 0x24;
|
||||||
|
*(int32_t *)(var_18 + 0xc) = 0x0;
|
||||||
|
*(int32_t *)(var_18 + 0x14) = *(int32_t *)(var_10 + 0x14) + 0x64;
|
||||||
|
*(int32_t *)(var_18 + 0x10) = 0x0;
|
||||||
|
r8 = *(int32_t *)(var_10 + 0x14);
|
||||||
|
r8 = r8 - 0x1f4;
|
||||||
|
if (r8 > 0x0) {
|
||||||
|
if (CPU_FLAGS & G) {
|
||||||
|
r8 = 0x1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if ((r8 & 0x1) == 0x0) {
|
||||||
|
r8 = *(int32_t *)(var_10 + 0x14);
|
||||||
|
r8 = r8 - 0x1f4;
|
||||||
|
if (r8 < 0x0) {
|
||||||
|
if (CPU_FLAGS & L) {
|
||||||
|
r8 = 0x1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if ((r8 & 0x1) == 0x0) {
|
||||||
|
r8 = *(int32_t *)(var_10 + 0x14);
|
||||||
|
// 0x1f4 = 500 (the strating ID)
|
||||||
|
<strong> r8 = r8 - 0x1f4;
|
||||||
|
</strong> asm { smaddl x8, w8, w9, x10 };
|
||||||
|
r8 = *(r8 + 0x8);
|
||||||
|
var_20 = r8;
|
||||||
|
r8 = r8 - 0x0;
|
||||||
|
if (r8 != 0x0) {
|
||||||
|
if (CPU_FLAGS & NE) {
|
||||||
|
r8 = 0x1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// Same if else as in the previous version
|
||||||
|
// Check the used of the address 0x100004040 (functions addresses array)
|
||||||
|
<strong> if ((r8 & 0x1) == 0x0) {
|
||||||
|
</strong><strong> *(var_18 + 0x18) = **0x100004000;
|
||||||
|
</strong> *(int32_t *)(var_18 + 0x20) = 0xfffffed1;
|
||||||
|
var_4 = 0x0;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
// Call to the calculated address where the function should be
|
||||||
|
<strong> (var_20)(var_10, var_18);
|
||||||
|
</strong> var_4 = 0x1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
*(var_18 + 0x18) = **0x100004000;
|
||||||
|
*(int32_t *)(var_18 + 0x20) = 0xfffffed1;
|
||||||
|
var_4 = 0x0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
*(var_18 + 0x18) = **0x100004000;
|
||||||
|
*(int32_t *)(var_18 + 0x20) = 0xfffffed1;
|
||||||
|
var_4 = 0x0;
|
||||||
|
}
|
||||||
|
r0 = var_4;
|
||||||
|
return r0;
|
||||||
|
}
|
||||||
|
|
||||||
|
</code></pre>
|
||||||
|
{% endtab %}
|
||||||
|
{% endtabs %}
|
||||||
|
|
||||||
|
Actually if you go to the function **`0x100004000`** you will find the array of **`routine_descriptor`** structs, the first element of the struct is the address where the function is implemented and the **struct takes 0x28 bytes**, so each 0x28 bytes (starting from byte 0) you can get 8 bytes and that be the **address of the function** that will be called:
|
||||||
|
|
||||||
|
<figure><img src="../../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
<figure><img src="../../../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
This data can be extracted [**using this Hopper script**](https://github.com/knightsc/hopper/blob/master/scripts/MIG%20Detect.py).
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html)
|
* [https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html)
|
||||||
|
|
|
@ -302,7 +302,7 @@ authenticate-session-owner, authenticate-session-owner-or-admin, authenticate-se
|
||||||
|
|
||||||
If you find the function: **`[HelperTool checkAuthorization:command:]`** it's probably the the process is using the previously mentioned schema for authorization:
|
If you find the function: **`[HelperTool checkAuthorization:command:]`** it's probably the the process is using the previously mentioned schema for authorization:
|
||||||
|
|
||||||
<figure><img src="../../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Thisn, if this function is calling functions such as `AuthorizationCreateFromExternalForm`, `authorizationRightForCommand`, `AuthorizationCopyRights`, `AuhtorizationFree`, it's using [**EvenBetterAuthorizationSample**](https://github.com/brenwell/EvenBetterAuthorizationSample/blob/e1052a1855d3a5e56db71df5f04e790bfd4389c4/HelperTool/HelperTool.m#L101-L154).
|
Thisn, if this function is calling functions such as `AuthorizationCreateFromExternalForm`, `authorizationRightForCommand`, `AuthorizationCopyRights`, `AuhtorizationFree`, it's using [**EvenBetterAuthorizationSample**](https://github.com/brenwell/EvenBetterAuthorizationSample/blob/e1052a1855d3a5e56db71df5f04e790bfd4389c4/HelperTool/HelperTool.m#L101-L154).
|
||||||
|
|
||||||
|
|
|
@ -22,7 +22,7 @@ Obviamente, esto es tan poderoso que es complicado cargar una extensión de kern
|
||||||
|
|
||||||
* Al entrar en **modo de recuperación**, las extensiones de kernel deben estar **permitidas para ser cargadas**:
|
* Al entrar en **modo de recuperación**, las extensiones de kernel deben estar **permitidas para ser cargadas**:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
* La extensión de kernel debe estar **firmada con un certificado de firma de código de kernel**, que solo puede ser otorgado por **Apple**. Quien revisará en detalle la **empresa** y las **razones** por las que se necesita.
|
* La extensión de kernel debe estar **firmada con un certificado de firma de código de kernel**, que solo puede ser otorgado por **Apple**. Quien revisará en detalle la **empresa** y las **razones** por las que se necesita.
|
||||||
* La extensión de kernel también debe estar **notarizada**, Apple podrá verificarla en busca de malware.
|
* La extensión de kernel también debe estar **notarizada**, Apple podrá verificarla en busca de malware.
|
||||||
|
|
|
@ -50,6 +50,9 @@ jtool2 -D /bin/ls # Decompile binary
|
||||||
|
|
||||||
# Get signature information
|
# Get signature information
|
||||||
ARCH=x86_64 jtool2 --sig /System/Applications/Automator.app/Contents/MacOS/Automator
|
ARCH=x86_64 jtool2 --sig /System/Applications/Automator.app/Contents/MacOS/Automator
|
||||||
|
|
||||||
|
# Get MIG information
|
||||||
|
jtool2 -d __DATA.__const myipc_server | grep MIG
|
||||||
```
|
```
|
||||||
|
|
||||||
### Codesign
|
### Codesign
|
||||||
|
|
|
@ -21,7 +21,7 @@ It creates a 2 of names pipes per .Net process in [dbgtransportsession.cpp#L127]
|
||||||
|
|
||||||
So, if you go to the users **`$TMPDIR`** you will be able to find **debugging fifos** you could use to debug .Net applications:
|
So, if you go to the users **`$TMPDIR`** you will be able to find **debugging fifos** you could use to debug .Net applications:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
The function [**DbgTransportSession::TransportWorker**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L1259) will handle the communication from a debugger.
|
The function [**DbgTransportSession::TransportWorker**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L1259) will handle the communication from a debugger.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -149,7 +149,7 @@ You can see that in [the next tutorial](frida-tutorial-2.md).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -52,15 +52,15 @@ Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you n
|
||||||
|
|
||||||
1. **Install a CA certificate**: Just **drag\&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate`
|
1. **Install a CA certificate**: Just **drag\&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate`
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" width="164"><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" width="164"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
* Check that the certificate was correctly stored going to `Trusted credentials` -> `USER`
|
* Check that the certificate was correctly stored going to `Trusted credentials` -> `USER`
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" width="334"><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1).png" alt="" width="334"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag\&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:
|
2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag\&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (2) (1) (1) (1).png" alt="" width="345"><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (2) (1) (1) (1) (1).png" alt="" width="345"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
* After rebooting, go to `Trusted credentials` -> `SYSTEM` and check the Postswigger cert is there
|
* After rebooting, go to `Trusted credentials` -> `SYSTEM` and check the Postswigger cert is there
|
||||||
|
|
||||||
|
|
|
@ -36,7 +36,7 @@ It runs along with the Objective-C Runtime. The runtime environments run on top
|
||||||
|
|
||||||
The below-given diagram depicts this architecture:
|
The below-given diagram depicts this architecture:
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### What is .Net Runtime and Mono Framework?
|
### What is .Net Runtime and Mono Framework?
|
||||||
|
|
||||||
|
@ -70,7 +70,7 @@ If you encounter a Full AOT compiled application, and if the IL Assembly files a
|
||||||
|
|
||||||
Just **unzip the apk/ipa** file and copy all the files present under the assemblies directory:
|
Just **unzip the apk/ipa** file and copy all the files present under the assemblies directory:
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
In case of Android **APKs these dll files are compressed** and cannot be directly used for decompilation. Luckily there are tools out there that we can use to **uncompress these dll files** like [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) and [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress).
|
In case of Android **APKs these dll files are compressed** and cannot be directly used for decompilation. Luckily there are tools out there that we can use to **uncompress these dll files** like [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) and [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -60,7 +60,7 @@ Content-Length: 267
|
||||||
|
|
||||||
* `port:15672 http`
|
* `port:15672 http`
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -313,7 +313,7 @@ id_rsa
|
||||||
* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
|
* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
|
||||||
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
|
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -40,7 +40,7 @@ You can expose **management servlets** via the following paths within JBoss (dep
|
||||||
inurl:status EJInvokerServlet
|
inurl:status EJInvokerServlet
|
||||||
```
|
```
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -120,7 +120,7 @@ find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
|
||||||
/usr/local/bin/mysql -u <username> --password=<password> -e "use moodle; select email,username,password from mdl_user; exit"
|
/usr/local/bin/mysql -u <username> --password=<password> -e "use moodle; select email,username,password from mdl_user; exit"
|
||||||
```
|
```
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -249,7 +249,7 @@ The best prevention technique is to not use users input directly inside response
|
||||||
* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)
|
* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)
|
||||||
* [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)
|
* [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -237,7 +237,7 @@ out of band request with the current username
|
||||||
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
|
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
|
||||||
* [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
|
* [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -89,7 +89,7 @@ php vuln.php
|
||||||
|
|
||||||
{% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
|
{% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -52,7 +52,7 @@ Note that It **doesn't work for static files** on certain servers but as static
|
||||||
|
|
||||||
Using this technique, you can make 20-30 requests arrive at the server simultaneously - regardless of network jitter:
|
Using this technique, you can make 20-30 requests arrive at the server simultaneously - regardless of network jitter:
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Adapting to the target architecture**
|
**Adapting to the target architecture**
|
||||||
|
|
||||||
|
@ -72,7 +72,7 @@ If connection warming doesn't make any difference, there are various solutions t
|
||||||
|
|
||||||
Using Turbo Intruder, you can introduce a short client-side delay. However, as this involves splitting your actual attack requests across multiple TCP packets, you won't be able to use the single-packet attack technique. As a result, on high-jitter targets, the attack is unlikely to work reliably regardless of what delay you set.
|
Using Turbo Intruder, you can introduce a short client-side delay. However, as this involves splitting your actual attack requests across multiple TCP packets, you won't be able to use the single-packet attack technique. As a result, on high-jitter targets, the attack is unlikely to work reliably regardless of what delay you set.
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (2) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (2) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Instead, you may be able to solve this problem by abusing a common security feature.
|
Instead, you may be able to solve this problem by abusing a common security feature.
|
||||||
|
|
||||||
|
@ -141,7 +141,7 @@ Content-Length: 0
|
||||||
* For **delaying** the process **between** processing **one request and another** in a 2 substates steps, you could **add extra requests between** both requests.
|
* For **delaying** the process **between** processing **one request and another** in a 2 substates steps, you could **add extra requests between** both requests.
|
||||||
* For a **multi-endpoint** RC you could start sending the **request** that **goes to the hidden state** and then **50 requests** just after it that **exploits the hidden state**.
|
* For a **multi-endpoint** RC you could start sending the **request** that **goes to the hidden state** and then **50 requests** just after it that **exploits the hidden state**.
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### Raw BF
|
### Raw BF
|
||||||
|
|
||||||
|
@ -238,7 +238,7 @@ Operations that edit existing data (such as changing an account's primary email
|
||||||
|
|
||||||
Most endpoints operate on a specific record, which is looked up using a 'key', such as a username, password reset token, or filename. For a successful attack, we need two operations that use the same key. For example, picture two plausible password reset implementations:
|
Most endpoints operate on a specific record, which is looked up using a 'key', such as a username, password reset token, or filename. For a successful attack, we need two operations that use the same key. For example, picture two plausible password reset implementations:
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (2) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
2. **Probe for clues**
|
2. **Probe for clues**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -168,7 +168,7 @@ mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.loc
|
||||||
[dcsync.md](dcsync.md)
|
[dcsync.md](dcsync.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -243,7 +243,7 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -351,7 +351,7 @@ Find more Autoruns like registries in [https://www.microsoftpressstore.com/artic
|
||||||
* [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/)
|
* [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/)
|
||||||
* [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)
|
* [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|