From 2188a0927d8609f6c5e635da84038b479b0de2e5 Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 11 Dec 2023 09:39:35 +0000 Subject: [PATCH] GITBOOK-4184: change request with no subject merged in GitBook --- .../external-recon-methodology/README.md | 8 +++++++- .../macos-security-protections/macos-fs-tricks/README.md | 6 ++++++ .../macos-sandbox-debug-and-bypass/README.md | 2 ++ .../macos-tcc/macos-tcc-bypasses/README.md | 4 +++- .../android-app-pentesting/frida-tutorial/README.md | 6 ++++++ 5 files changed, 24 insertions(+), 2 deletions(-) diff --git a/generic-methodologies-and-resources/external-recon-methodology/README.md b/generic-methodologies-and-resources/external-recon-methodology/README.md index e0cf7578..a5711021 100644 --- a/generic-methodologies-and-resources/external-recon-methodology/README.md +++ b/generic-methodologies-and-resources/external-recon-methodology/README.md @@ -365,12 +365,18 @@ shodan search "http.html:help.domain.com" * [**Censys subdomain finder**](https://github.com/christophetd/censys-subdomain-finder) -``` +```bash export CENSYS_API_ID=... export CENSYS_API_SECRET=... python3 censys-subdomain-finder.py tesla.com ``` +* [**DomainTrail.py**](https://github.com/gatete/DomainTrail) + +```bash +python3 DomainTrail.py -d example.com +``` + * [**securitytrails.com**](https://securitytrails.com/) has a free API to search for subdomains and IP history * [**chaos.projectdiscovery.io**](https://chaos.projectdiscovery.io/#/) diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md index b14663b7..633c9d38 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md 
@@ -264,6 +264,12 @@ Just generate the script `/Applications/Scripts/privesc.sh` with the **commands* If you have **arbitrary write**, you could create a file inside the folder **`/etc/sudoers.d/`** granting yourself **sudo** privileges. +### PATH files + +The file **`/etc/paths`** is one of the main places that populates the PATH env variable. You must be root to overwrite it, but if a script from **privileged process** is executing some **command without the full path**, you might be able to **hijack** it modifying this file. + + You can also write files in **`/etc/paths.d`** to load new folders into the `PATH` env variable. + ## References * [https://theevilbit.github.io/posts/exploiting\_directory\_permissions\_on\_macos/](https://theevilbit.github.io/posts/exploiting\_directory\_permissions\_on\_macos/) diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md index 7ca02928..9dfe4002 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md 
@@ -33,6 +33,8 @@ This is what was done in [**CVE-2023-32364**](https://gergelykalman.com/CVE-2023 {% hint style="danger" %} Therefore, at the moment, if you are just capable of creating a folder with a name ending in **`.app`** without a quarantine attribute, you can scape the sandbox because macOS only **checks** the **quarantine** attribute in the **`.app` folder** and in the **main executable** (and we will point the main executable to **`/bin/bash`**). + +Note that if an .app bundle has already been authorized to run (it has a quarantine xttr with the authorized to run flag on), you could also abuse it... except that now you cannot write inside **`.app`** bundles unless you have some privileged TCC perms (which you won't have inside a sandbox high). {% endhint %} ### Abusing Open functionality diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md index 6ab0ad80..47f18caf 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md @@ -279,7 +279,7 @@ Several Apple applications were vulnerable to this. ### Firefox -The Firefox application is still vulnerable having the `com.apple.security.cs.disable-library-validation` entitlement: +The Firefox application had the `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-dyld-environment-variables` entitlements: ```xml codesign -d --entitlements :- /Applications/Firefox.app 
@@ -293,6 +293,8 @@ Executable=/Applications/Firefox.app/Contents/MacOS/firefox com.apple.security.cs.disable-library-validation + com.apple.security.cs.allow-dyld-environment-variables + com.apple.security.device.audio-input com.apple.security.device.camera diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md index 09a5b4b7..9696f412 100644 --- a/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md +++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md @@ -208,6 +208,12 @@ Java.choose("com.example.a11x256.frida_test.my_activity" , { }); ``` +## Other Frida tutorials + +* [https://github.com/DERE-ad2001/Frida-Labs](https://github.com/DERE-ad2001/Frida-Labs) + + +
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
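Review bot: the new DomainTrail entry in the external-recon hunk lacks the one-line description its neighbours carry (the securitytrails bullet says what the service offers, and the Censys block shows the `export CENSYS_API_ID=...` / `export CENSYS_API_SECRET=...` it needs), so a reader cannot tell what DomainTrail queries or whether it needs credentials. Add a short description after the link and, if the tool depends on API keys or a requirements file, list them before the `python3 DomainTrail.py -d example.com` line the way the Censys block does.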
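Review bot: the new "PATH files" section in the macos-fs-tricks hunk says `/etc/paths` can only be overwritten as root and in the same sentence presents modifying it as a hijack vector, without tying it to the arbitrary-write premise of the preceding `/etc/sudoers.d/` paragraph; say explicitly that this applies when you already have an arbitrary write as root, as that paragraph does. The section also does not say which processes actually pick up these files: `/etc/paths` and `/etc/paths.d` are read by `path_helper` when a login shell sources `/etc/profile` or `/etc/zprofile`, so a privileged script that inherits a fixed environment (for example one started by launchd) will not see the change, and that limit is worth stating. Minor: "hijack it modifying this file" should read "hijack it by modifying this file", and the `/etc/paths.d` paragraph has a stray leading space.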
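Review bot: the added note in the sandbox-debug-and-bypass hunk trails off ("you could also abuse it...") without stating what the reader should take from it, and the caveat that follows says the case does not apply inside a sandbox anyway; either finish the thought or reduce the addition to the caveat alone. Typos on the same lines: "quarantine xttr" should be "quarantine xattr", and "inside a sandbox high" has a leftover word ("inside a sandbox"). The existing context line above it has "scape the sandbox" for "escape the sandbox", which could be fixed while touching this block.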
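Review bot: the Firefox sentence in the tcc-bypasses hunk now says Firefox "had" the `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-dyld-environment-variables` entitlements, which implies they were removed, but nothing says when; a reader cannot tell whether a current Firefox build is still affected. State the version in which the entitlements were dropped or link the fix, for example `The Firefox application had the ... entitlements (removed in Firefox <VERSION>):` with the placeholder filled in, or keep the present tense if the removal has not been verified.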
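Review bot: the "Other Frida tutorials" section in the frida-tutorial hunk adds two extra blank lines after its single bullet on top of the blank line that already separated the code block from the bug bounty footer, leaving three blank lines before the footer; trim to one. The bullet also gives only a URL; a short description of what Frida-Labs covers would match the other link entries on the page.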