GITBOOK-4125: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-10-15 15:23:24 +00:00 committed by gitbook-bot
parent feebc0c63d
commit c383ffed62
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
7 changed files with 86 additions and 28 deletions

View File

@ -79,6 +79,8 @@ However, at the moment there are 2 limitations:
Making this attack path more complicated (or impossible).
{% endhint %}
Note that it's possible to bypass the requirement of **`kTCCServiceSystemPolicyAppBundles`** by copying the application to another directory (like **`/tmp`**), renaming the folder **`app.app/Contents`** to **`app.app/NotCon`**, **modifying** the **asar** file with your **malicious** code, renaming it back to **`app.app/Contents`** and executing it.
## RCE with `ELECTRON_RUN_AS_NODE` <a href="#electron_run_as_node" id="electron_run_as_node"></a>
According to [**the docs**](https://www.electronjs.org/docs/latest/api/environment-variables#electron\_run\_as\_node), if this env variable is set, it will start the process as a normal Node.js process.
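Review bot: the new `## RCE with ELECTRON_RUN_AS_NODE` section (L17-L18) names the technique but not the control that prevents it, which is what a reader hardening an Electron app needs next to it. The Electron docs linked on L18 cover the environment variable, and Electron's build-time fuses let a shipped app stop honouring it, so add one sentence stating that and pointing at the fuse documentation. Separately, the bypass on L16 is one long run-on sentence; it reads more clearly as a short ordered list of the steps it already describes.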

View File

@ -22,19 +22,6 @@ More information in:
[macos-gatekeeper.md](macos-gatekeeper.md)
{% endcontent-ref %}
## MRT - Malware Removal Tool
The Malware Removal Tool (MRT) is another part of macOS's security infrastructure. As the name suggests, MRT's main function is to **remove known malware from infected systems**.
Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded (it looks like the rules MRT has to detect malware are inside the binary).
While both XProtect and MRT are part of macOS's security measures, they perform different functions:
* **XProtect** is a preventative tool. It **checks files as they're downloaded** (via certain applications), and if it detects any known types of malware, it **prevents the file from opening**, thereby preventing the malware from infecting your system in the first place.
* **MRT**, on the other hand, is a **reactive tool**. It operates after malware has been detected on a system, with the goal of removing the offending software to clean up the system.
The MRT application is located in **`/Library/Apple/System/Library/CoreServices/MRT.app`**
## Processes Limitants
### SIP - System Integrity Protection
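Review bot: `## Processes Limitants` on L32 is not English; since this hunk already moves the MRT section (L25-L31) out of this position and re-adds it further down the file, fix the heading to `## Process Limitations` in the same change. The move itself is fine provided the old copy is deleted in full; the removed block ends at L31 and the renamed heading starts at L32, so confirm no stray blank line or list fragment of the MRT text is left between them.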
@ -59,13 +46,7 @@ MacOS Sandbox **limits applications** running inside the sandbox to the **allowe
[macos-tcc](macos-tcc/)
{% endcontent-ref %}
## Trust Cache
The Apple macOS trust cache, sometimes also referred to as the AMFI (Apple Mobile File Integrity) cache, is a security mechanism in macOS designed to **prevent unauthorized or malicious software from running**. Essentially, it is a list of cryptographic hashes that the operating system uses to v**erify the integrity and authenticity of the software**.
When an application or executable file tries to run on macOS, the operating system checks the AMFI trust cache. If the **hash of the file is found in the trust cache**, the system **allows** the program to run because it recognises it as trusted.
## Launch Constraints
### Launch Constraints
It controls **from where and what** can launch an **Apple signed binary**:
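Review bot: the Trust Cache paragraph being moved (L38) carries a markup defect, `v**erify the integrity and authenticity of the software**`, which renders as a split word; the text is re-added later in this file, so correct it to `**verify the integrity and authenticity of the software**` there instead of copying the defect. L40-L41 show `## Launch Constraints` immediately followed by `### Launch Constraints`; only one level should survive, and `##` is the level used by the sibling sections (SIP, Sandbox, Trust Cache) in this file.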
@ -86,6 +67,52 @@ Then, you could use a script such as [**this one**](https://gist.github.com/xpn/
From that data you can check the Apps with a **launch constraints value of `0`** , which are the ones that aren't constrained ([**check here**](https://gist.github.com/LinusHenze/4cd5d7ef057a144cda7234e2c247c056) for what each value is).
## MRT - Malware Removal Tool
The Malware Removal Tool (MRT) is another part of macOS's security infrastructure. As the name suggests, MRT's main function is to **remove known malware from infected systems**.
Once malware is detected on a Mac (either by XProtect or by some other means), MRT can be used to automatically **remove the malware**. MRT operates silently in the background and typically runs whenever the system is updated or when a new malware definition is downloaded (it looks like the rules MRT has to detect malware are inside the binary).
While both XProtect and MRT are part of macOS's security measures, they perform different functions:
* **XProtect** is a preventative tool. It **checks files as they're downloaded** (via certain applications), and if it detects any known types of malware, it **prevents the file from opening**, thereby preventing the malware from infecting your system in the first place.
* **MRT**, on the other hand, is a **reactive tool**. It operates after malware has been detected on a system, with the goal of removing the offending software to clean up the system.
The MRT application is located in **`/Library/Apple/System/Library/CoreServices/MRT.app`**
## Background Tasks Management
**macOS** now **alerts** every time a tool uses a well known **technique to persist code execution** (such as Login Items, Daemons...), so the user knows better **which software is persisting**.
It's possible to **enumerate all** the configured background items running the Apple cli tool:
```bash
# The tool will always ask for the users password
sfltool dumpbtm
```
Moreover, it's also possible to list this information with [**DumpBTM**](https://github.com/objective-see/DumpBTM).
```bash
# You need to grant the Terminal Full Disk Access for this to work
chmod +x dumpBTM
xattr -rc dumpBTM # Remove quarantine attr
./dumpBTM
```
This information is being stored in **`/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v4.btm`** and the Terminal needs FDA.
You can find more information:
* [https://www.patreon.com/posts/new-developer-77420730?l=fr](https://www.patreon.com/posts/new-developer-77420730?l=fr)
* [https://support.apple.com/en-gb/guide/deployment/depdca572563/web](https://support.apple.com/en-gb/guide/deployment/depdca572563/web)
## Trust Cache
The Apple macOS trust cache, sometimes also referred to as the AMFI (Apple Mobile File Integrity) cache, is a security mechanism in macOS designed to **prevent unauthorized or malicious software from running**. Essentially, it is a list of cryptographic hashes that the operating system uses to v**erify the integrity and authenticity of the software**.
When an application or executable file tries to run on macOS, the operating system checks the AMFI trust cache. If the **hash of the file is found in the trust cache**, the system **allows** the program to run because it recognises it as trusted.
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
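Review bot: L71 re-introduces the split-word markup `v**erify ... software**` from the moved Trust Cache text; fix it to `**verify ...**` as part of the move. In the Background Tasks Management section, L56's `users password` needs an apostrophe (`user's`), and L61 and L66 both state the Full Disk Access requirement, so keep it once, on L66, next to the `.btm` path. L62-L64 assume a prebuilt `dumpBTM` binary without saying where it comes from, and the `xattr -rc` step strips the quarantine attribute that the Gatekeeper section of this commit relies on; say the tool is built from the linked repository, or at least that the attribute is removed for that one file only. L53 says macOS "now" alerts; naming the release that introduced Background Task Management stops the sentence from ageing.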

View File

@ -319,6 +319,12 @@ python3 -m http.server
Check the [**original report**](https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/) for more information.
## [2023-27943](https://blog.f-secure.com/discovery-of-gatekeeper-bypass-cve-2023-27943/)
It was discovered that **Google Chrome wasn't setting the quarantine attribute** to downloaded files because of some macOS internal problems.
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
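Review bot: the heading on L80 reads `## [2023-27943]`, dropping the `CVE-` prefix that both the link target and the sibling section `## CVE-2023-38571` in this commit use; rename it `## CVE-2023-27943`. L81's "because of some macOS internal problems" carries no information; the linked F-Secure write-up is the source, so either summarise the actual cause from it or drop the clause and keep only the observable fact that Chrome downloads lacked the quarantine attribute. The defender-facing consequence named in the link title (a Gatekeeper bypass until the fix is applied) should also be stated in the section body.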

View File

@ -36,7 +36,7 @@ ps -ef | grep tcc
Permissions are **inherited from the parent** application and the **permissions** are **tracked** based on the **Bundle ID** and the **Developer ID**.
### TCC DatabaseS
### TCC Databases
The selections is then stored in the TCC system-wide database in **`/Library/Application Support/com.apple.TCC/TCC.db`** or in **`$HOME/Library/Application Support/com.apple.TCC/TCC.db`** for per-user preferences. The databases are **protected from editing with SIP**(System Integrity Protection), but you can read them.
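Review bot: L91 states that both databases are "protected from editing with SIP", but the next hunk in this file (`Privesc from User TCC DB to FDA`) is about obtaining write access to the user database, so the sentence overstates what SIP covers; distinguish the system-wide database (SIP-protected) from the per-user one and say what gates access to each. Also "The selections is then stored" should be "The selection is then stored", and `**SIP**(System Integrity Protection)` needs a space before the parenthesis. The `DatabaseS` to `Databases` correction on L89-L90 is right.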
@ -135,6 +135,12 @@ tccutil reset All app.some.id
tccutil reset All
```
### Privesc from User TCC DB to FDA
Obtaining **write permissions** over the **user TCC** database you **can'**t grant yourself **`FDA`** permissions, only the one that lives in the system database can grant that.
But you can **can** give yourself **`Automation rights to Finder`, and since `Finder` has `FDA`, so do you.**
### TCC Signature Checks
The TCC **database** stores the **Bundle ID** of the application, but it also **stores** **information** about the **signature** to **make sure** the App asking to use the a permission is the correct one.
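Review bot: L96 splits the contraction with bold markers (`**can'**t`); write `**can't**`. L97 duplicates "can" ("you can **can** give") and the clause "and since `Finder` has `FDA`, so do you" needs rewording, e.g. "you can grant yourself Automation rights over Finder, and because Finder holds FDA that gives you the same access". L99 has "to use the a permission" (drop "the"). Because this section documents a privilege-escalation path, add the detection side that the text already implies: write access to the user `TCC.db` and a new Automation grant targeting Finder are the events a defender should alert on.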

View File

@ -157,6 +157,15 @@ The binary `/usr/libexec/lsd` with the library `libsecurity_translocate` had the
It was possible to add the quarantine attribute to "Library", call the **`com.apple.security.translocation`** XPC service and then it would map Library to **`$TMPDIR/AppTranslocation/d/d/Library`** where all the documents inside Library could be **accessed**.
## CVE-2023-38571 - Music & TV <a href="#cve-2023-38571-a-macos-tcc-bypass-in-music-and-tv" id="cve-2023-38571-a-macos-tcc-bypass-in-music-and-tv"></a>
**`Music`** has an interesting feature: When it's running, it will **import** the files dropped to **`~/Music/Music/Media.localized/Automatically Add to Music.localized`** into the user's "media library". Moreover, it calls something like: **`rename(a, b);`** where `a` and `b` are:
* `a = "~/Music/Music/Media.localized/Automatically Add to Music.localized/myfile.mp3"`
* `b = "~/Music/Music/Media.localized/Automatically Add to Music.localized/Not Added.localized/2023-09-25 11.06.28/myfile.mp3`
This **`rename(a, b);`** bevabiour is vulnerable to a **Race Condition**, as it's possible to put inside the `Automatically Add to Music.localized` folder a fake **TCC.db** file and then when the new forder(b) is created to copy the file, delete it, and point it to **`~/Library/Application Support/com.apple.TCC`**/.
### SQL Tracing
If the environment variable **`SQLITE_AUTO_TRACE`** is set, the library **`libsqlite3.dylib`** will start **logging** all the SQL queries. Many applications used this library, so it was possible to log all their SQLite queries.
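Review bot: the inline code on L108 is never closed (`` `b = "...myfile.mp3`` lacks the closing quote and backtick), so the following line will be swallowed into the code span when rendered. L109 has "bevabiour" (behaviour) and "forder(b)" (folder `b`), and the trailing `/` after the bold path belongs inside the code span. The race description is also a single run-on sentence; it should say plainly what the window is and that the issue is the one fixed under the CVE in the L105 heading, so readers know which macOS versions are affected. L111 mixes tenses ("is set ... will start ... used this library ... was possible"); pick the past tense if the variable no longer has this effect and say on which version it was observed.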

View File

@ -87,6 +87,15 @@ If _/path_ is blocked:
* {"user\_id":"\<legit\_id>","user\_id":"\<victims\_id>"} (JSON Parameter Pollution)
* user\_id=ATTACKER\_ID\&user\_id=VICTIM\_ID (Parameter Pollution)
## **Parameter Manipulation**
* Change **param value**: From **`id=123` --> `id=124`**
* Add additional parameters to the URL: `?`**`id=124` —-> `id=124&isAdmin=true`**
* Remove the parameters
* Re-order parameters
* Use special characters.
* Perform boundary testing in the parameters — provide values like _-234_ or _0_ or _99999999_ (just some example values).
## **Protocol version**
If using HTTP/1.1 **try to use 1.0** or even test if it **supports 2.0**.
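Review bot: L120 uses `—->` (an em dash followed by a hyphen) where L119 uses `-->`; use the same arrow on both lines, and the em dash on L124 is the same character problem. The list on L119-L124 mixes terminal punctuation (L123 and L124 end with a period, the others do not). The headings on L118 and L125 wrap their text in `**...**`; `##` already renders as a heading in GitBook, so the bold markers are redundant and should be dropped from both.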
@ -104,7 +113,6 @@ If using HTTP/1.1 **try to use 1.0** or even test if it **supports 2.0**.
* [**Brute force**](../../generic-methodologies-and-resources/brute-force.md#http-brute)**:** Try basic, digest and NTLM auth.
{% code title="Common creds" %}
````
```
admin admin
admin password
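Review bot: L130-L131 show a four-backtick fence wrapping a three-backtick fence inside `{% code title="Common creds" %}`; the header (7 lines to 6) suggests the outer ```` is being removed, in which case its matching closing ```` at the end of the block must go in the same change, otherwise the rendered block ends with a literal ```` line. Give the remaining fence a language tag (`text`) so the credential pairs are not syntax-highlighted as code.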
@ -115,7 +123,6 @@ root toor
test test
guest guest
```
````
{% endcode %}
## Automatic Tools
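Review bot: this hunk holds the closing side of the fence change above (L137-L138 show ``` followed by ````); L138's ```` must be removed if the opening ```` was, or the two must stay as a pair, so review both hunks together. The default-credential list is fine as a reference, but it has no stated origin; the context line L128 links the brute-force page rather than a credential source, so add one line naming where the list comes from so it can be kept current.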

View File

@ -17,7 +17,7 @@
WebSocket connections are initiated over **HTTP** and are typically **long-lived**. Messages can be sent in **either direction at any time** and are not transactional in nature. The connection will normally stay open and idle until either the client or the server is ready to send a message.\
WebSockets are particularly useful in situations where **low-latency or server-initiated messages** are required, such as real-time feeds of financial data.
## How are WebSocket connections established?
### How are WebSocket connections established?
(Here you will find a summary but a **more detailed guide about how a web socket connection** is created can be found [**here**](https://infosecwriteups.com/cross-site-websocket-hijacking-cswsh-ce2a6b0747fc)).\
WebSocket connections are normally created using client-side JavaScript like the following:
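Review bot: L149's parenthetical reads awkwardly ("Here you will find a summary but a more detailed guide ... can be found here"); rewrite it as "This is a summary; a more detailed guide to how a WebSocket connection is created is [here](...)". The heading demotion from `##` to `###` on L147-L148 matches the other heading changes in this file, and the trailing backslashes on L145 and L149 are GitBook hard line breaks and are fine as they are.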
@ -64,7 +64,7 @@ The **`Sec-WebSocket-Key`** header contains a **random value** to prevent errors
### Linux console
You can use `websocat` to stablish a raw connection with a websocket.
You can use `websocat` to establish a raw connection with a websocket.
```bash
websocat --insecure wss://10.10.10.10:8000 -v
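Review bot: the `stablish` to `establish` fix on L153-L154 is correct. The `--insecure` flag on L156 is unexplained; add a comment that it makes websocat accept an invalid or self-signed TLS certificate and is only appropriate for lab endpoints, otherwise readers will copy it unchanged against real targets. L156 also hard-codes `wss://10.10.10.10:8000`; mark the host as a placeholder.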
@ -76,7 +76,7 @@ Or to create a websocat server:
websocat -s 0.0.0.0:8000 #Listen in port 8000
```
## MitM websocket connections
### MitM websocket connections
If you find that clients are connected to a **HTTP websocket** from your current local network you could try an [ARP Spoofing Attack ](../generic-methodologies-and-resources/pentesting-network/#arp-spoofing)to perform a MitM attack between the client and the server.\
Once the client is trying to connect to you can then use:
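Review bot: L162 has "a **HTTP websocket**" (should be "an"), the link text `[ARP Spoofing Attack ]` carries a trailing space and is followed by `to` with no space, and L163 is missing a word ("Once the client is trying to connect to you, you can then use:"). The section describes interposing on a plaintext websocket; state the mitigation alongside it, namely serving only `wss://` with certificate validation on the client, since the text itself conditions the attack on the connection being plain HTTP.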
@ -85,13 +85,14 @@ Once the client is trying to connect to you can then use:
websocat -E --insecure --text ws-listen:0.0.0.0:8000 wss://10.10.10.10:8000 -v
```
## Websockets enumeration
### Websockets enumeration
You can use the **tool** [**https://github.com/PalindromeLabs/STEWS**](https://github.com/PalindromeLabs/STEWS) **to discover, fingerprint and search for known** **vulnerabilities** in websockets automatically.
## Websocket Debug tools
### Websocket Debug tools
* **Burp Suite** supports MitM websockets communication in a very similar way it does it for regular HTTP communication.
* The [**socketsleuth**](https://github.com/snyk/socketsleuth) **Burp Suite extension** will allow you to manage better Websocket communications in Burp by getting the **history**, setting **interception rules**, using **match and replace** rules, using **Intruder** and **AutoRepeater.**
* [**WSSiP**](https://github.com/nccgroup/wssip)**:** Short for "**WebSocket/Socket.io Proxy**", this tool, written in Node.js, provides a user interface to **capture, intercept, send custom** messages and view all WebSocket and Socket.IO communications between the client and server.
* [**wsrepl**](https://github.com/doyensec/wsrepl) is an **interactive websocket REPL** designed specifically for penetration testing. It provides an interface for observing **incoming websocket messages and sending new ones**, with an easy-to-use framework for **automating** this communication.&#x20;
* [**https://websocketking.com/**](https://websocketking.com/) it's a **web to communicate** with other webs using **websockets**.
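Review bot: L175 ends with a literal `&#x20;` entity left by the GitBook editor; remove it. L173 "manage better Websocket communications" should be "manage WebSocket communications better", and L176 "it's a web to communicate with other webs using websockets" should be "a web app for connecting to WebSocket endpoints". The term is spelled five different ways across L167-L176 (Websockets, websockets, Websocket, websocket, WebSocket); the protocol name is WebSocket, so use it consistently. The heading level changes in this hunk match the rest of the file.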