GITBOOK-4184: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-12-11 09:39:35 +00:00 committed by gitbook-bot
parent 5fc9f17db4
commit 2188a0927d
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
5 changed files with 24 additions and 2 deletions

View File

@ -365,12 +365,18 @@ shodan search "http.html:help.domain.com"
* [**Censys subdomain finder**](https://github.com/christophetd/censys-subdomain-finder)
```
```bash
export CENSYS_API_ID=...
export CENSYS_API_SECRET=...
python3 censys-subdomain-finder.py tesla.com
```
* [**DomainTrail.py**](https://github.com/gatete/DomainTrail)
```bash
python3 DomainTrail.py -d example.com
```
* [**securitytrails.com**](https://securitytrails.com/) has a free API to search for subdomains and IP history
* [**chaos.projectdiscovery.io**](https://chaos.projectdiscovery.io/#/)
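Review bot: the two new tool entries use different placeholder targets, `tesla.com` in the Censys subdomain finder command and `example.com` in the DomainTrail.py command; use `example.com` in both so readers do not copy a real third-party domain into a scan. The lone ``` on its own line between the Censys bullet and the ```bash opener looks like a misplaced closing fence, so check that the fences pair up in the rendered page. Since `export CENSYS_API_ID=...` / `export CENSYS_API_SECRET=...` puts the secret in shell history, a short note to source them from a file or enter them with `read -s` would be worth adding.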

View File

@ -264,6 +264,12 @@ Just generate the script `/Applications/Scripts/privesc.sh` with the **commands*
If you have **arbitrary write**, you could create a file inside the folder **`/etc/sudoers.d/`** granting yourself **sudo** privileges.
### PATH files
The file **`/etc/paths`** is one of the main places that populates the PATH env variable. You must be root to overwrite it, but if a script from **privileged process** is executing some **command without the full path**, you might be able to **hijack** it modifying this file.
 You can also write files in **`/etc/paths.d`** to load new folders into the `PATH` env variable.
## References
* [https://theevilbit.github.io/posts/exploiting\_directory\_permissions\_on\_macos/](https://theevilbit.github.io/posts/exploiting\_directory\_permissions\_on\_macos/)
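Review bot: the `/etc/paths.d` sentence drops the precondition the previous sentence states for `/etc/paths`: that directory is also root-owned, so writing there needs the same privilege, and `path_helper` appends the `/etc/paths.d` entries after the ones from `/etc/paths`, so a directory added this way only hijacks a command that is not already found in the earlier entries (`/usr/bin`, `/bin`, ...). Suggest: "You can also write files (again, as root) in `/etc/paths.d` to load new folders into `PATH`; note they are appended after `/etc/paths`, so they only win for commands not present in the earlier directories." Also strip the leading space on that line and put a blank line before `## References`.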

View File

@ -33,6 +33,8 @@ This is what was done in [**CVE-2023-32364**](https://gergelykalman.com/CVE-2023
{% hint style="danger" %}
Therefore, at the moment, if you are just capable of creating a folder with a name ending in **`.app`** without a quarantine attribute, you can scape the sandbox because macOS only **checks** the **quarantine** attribute in the **`.app` folder** and in the **main executable** (and we will point the main executable to **`/bin/bash`**).
Note that if an .app bundle has already been authorized to run (it has a quarantine xttr with the authorized to run flag on), you could also abuse it... except that now you cannot write inside **`.app`** bundles unless you have some privileged TCC perms (which you won't have inside a sandbox high).
{% endhint %}
### Abusing Open functionality
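Review bot: typos in the new danger hint: "scape the sandbox" should be "escape the sandbox", "quarantine xttr" should be "quarantine xattr", and "inside a sandbox high" reads as a leftover word, presumably "inside a sandbox". The parenthetical "and we will point the main executable to `/bin/bash`" forward-references a step that is not in this hunk; say where on the page that is shown so the hint stands on its own.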

View File

@ -279,7 +279,7 @@ Several Apple applications were vulnerable to this.
### Firefox
The Firefox application is still vulnerable having the `com.apple.security.cs.disable-library-validation` entitlement:
The Firefox application had the `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-dyld-environment-variables` entitlements:
```xml
codesign -d --entitlements :- /Applications/Firefox.app
@ -293,6 +293,8 @@ Executable=/Applications/Firefox.app/Contents/MacOS/firefox
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
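Review bot: the added entitlement line puts `<true/>` on the same line as the key and is then followed by another `<true/>`, so the listing shows two values for one key; write it as two lines like the neighbouring entries (`<key>com.apple.security.cs.allow-dyld-environment-variables</key>` / `<true/>`) and drop the extra one. The replaced sentence changes "is still vulnerable having" to "had the ... entitlements", which implies the entitlements were removed in some version; name that version or the source for the change, or keep the present tense if the `codesign` output below was simply re-captured. Minor: the fence is tagged `xml` but its first line is the `codesign -d --entitlements :- /Applications/Firefox.app` command.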

View File

@ -208,6 +208,12 @@ Java.choose("com.example.a11x256.frida_test.my_activity" , {
});
```
## Other Frida tutorials
* [https://github.com/DERE-ad2001/Frida-Labs](https://github.com/DERE-ad2001/Frida-Labs)
<figure><img src="../../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
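Review bot: the new "Other Frida tutorials" section is a bare link with no description; add one line saying what the Frida-Labs repository covers so a reader knows whether it is worth opening. Also keep a blank line between the closing ``` of the `Java.choose` block and the `## Other Frida tutorials` heading, since some markdown renderers otherwise fold the heading into the preceding block.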