GITBOOK-4184: change request with no subject merged in GitBook
This commit is contained in: parent 5fc9f17db4, commit 2188a0927d
@ -365,12 +365,18 @@ shodan search "http.html:help.domain.com"
* [**Censys subdomain finder**](https://github.com/christophetd/censys-subdomain-finder)
```
```bash
export CENSYS_API_ID=...
export CENSYS_API_SECRET=...
python3 censys-subdomain-finder.py tesla.com
```
* [**DomainTrail.py**](https://github.com/gatete/DomainTrail)
```bash
python3 DomainTrail.py -d example.com
```
* [**securitytrails.com**](https://securitytrails.com/) has a free API to search for subdomains and IP history
* [**chaos.projectdiscovery.io**](https://chaos.projectdiscovery.io/#/)
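Review bot: the bare triple-backtick line placed directly above the bash-tagged fence in the Censys subdomain finder entry opens a language-less code block, and because a closing fence cannot carry an info string, the bash-tagged line then renders as literal text inside that block rather than opening one; check the fence pairing around this entry and drop the stray bare fence so the block starts at the bash fence and closes at the fence after the python3 line.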
@ -264,6 +264,12 @@ Just generate the script `/Applications/Scripts/privesc.sh` with the **commands*
If you have **arbitrary write**, you could create a file inside the folder **`/etc/sudoers.d/`** granting yourself **sudo** privileges.
### PATH files
The file **`/etc/paths`** is one of the main places that populates the PATH env variable. You must be root to overwrite it, but if a script from **privileged process** is executing some **command without the full path**, you might be able to **hijack** it modifying this file.
 You can also write files in **`/etc/paths.d`** to load new folders into the `PATH` env variable.
## References
* [https://theevilbit.github.io/posts/exploiting\_directory\_permissions\_on\_macos/](https://theevilbit.github.io/posts/exploiting\_directory\_permissions\_on\_macos/)
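Review bot: the sentence about `/etc/paths.d` starts with a stray leading space, which some Markdown renderers turn into an indented line, and it should say who can write there: as written, a reader could take `/etc/paths.d` as a softer target than `/etc/paths`, while the preceding sentence states that `/etc/paths` needs root (on stock macOS both are root-owned). Also, "hijack it modifying this file" reads better as "hijack it by modifying this file".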
@ -33,6 +33,8 @@ This is what was done in [**CVE-2023-32364**](https://gergelykalman.com/CVE-2023
{% hint style="danger" %}
Therefore, at the moment, if you are just capable of creating a folder with a name ending in **`.app`** without a quarantine attribute, you can scape the sandbox because macOS only **checks** the **quarantine** attribute in the **`.app` folder** and in the **main executable** (and we will point the main executable to **`/bin/bash`**).
Note that if an .app bundle has already been authorized to run (it has a quarantine xttr with the authorized to run flag on), you could also abuse it... except that now you cannot write inside **`.app`** bundles unless you have some privileged TCC perms (which you won't have inside a sandbox high).
{% endhint %}
### Abusing Open functionality
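Review bot: typos in the danger hint: "scape the sandbox" should be "escape the sandbox", "quarantine xttr" should be "quarantine xattr", and the closing parenthetical "(which you won't have inside a sandbox high)" carries a stray word; "(which you won't have inside a sandbox)" reads cleanly.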
@ -279,7 +279,7 @@ Several Apple applications were vulnerable to this.
### Firefox
The Firefox application is still vulnerable having the `com.apple.security.cs.disable-library-validation` entitlement:
The Firefox application had the `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-dyld-environment-variables` entitlements:
```xml
codesign -d --entitlements :- /Applications/Firefox.app
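Review bot: the replacement sentence switches from "is still vulnerable having ... entitlement" to "had the ... entitlements" without saying whether current Firefox builds still ship them, so the section now leaves the reader unsure whether this is a historical note or a live condition; state explicitly which Firefox versions the entitlement dump below was taken from and whether the issue has since been addressed.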
@ -293,6 +293,8 @@ Executable=/Applications/Firefox.app/Contents/MacOS/firefox
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
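Review bot: the added `com.apple.security.cs.allow-dyld-environment-variables` entry carries `<true/>` inline on the `<key>` line and is then followed by a second `<true/>` line, so the listing shows two values for one key, which is not valid plist dictionary structure and does not match the key-then-value-on-separate-lines layout of the neighbouring entries; drop the inline `<true/>` so the pair reads `<key>com.apple.security.cs.allow-dyld-environment-variables</key>` followed by `<true/>`.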
@ -208,6 +208,12 @@ Java.choose("com.example.a11x256.frida_test.my_activity" , {
});
```
## Other Frida tutorials
* [https://github.com/DERE-ad2001/Frida-Labs](https://github.com/DERE-ad2001/Frida-Labs)
<figure><img src="../../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
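Review bot: the new "Other Frida tutorials" section lists only a bare repository URL; a short description of what the Frida-Labs repository contains and which parts of this page it complements would make the entry useful to readers scanning the list.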