GITBOOK-3963: change request with no subject merged in GitBook
This commit is contained in:
parent
ff4a3d95b7
commit
90af824f9f
24
SUMMARY.md
24
SUMMARY.md
@ -142,27 +142,31 @@
|
||||
* [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
|
||||
* [macOS Files, Folders & Binaries](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md)
|
||||
* [macOS Bundles](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md)
|
||||
* [Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md)
|
||||
* [macOS Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md)
|
||||
* [macOS Proces Abuse](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md)
|
||||
* [macOS IPC - Inter Process Communication](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/README.md)
|
||||
* [macOS XPC Connecting Process Check](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md)
|
||||
* [macOS PID Reuse](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-pid-reuse.md)
|
||||
* [macOS XPC Authorization](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc-authorization.md)
|
||||
* [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.md)
|
||||
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
|
||||
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||
* [macOS AppleFS](macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md)
|
||||
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||
* [macOS Kernel](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md)
|
||||
* [macOS IPC - Inter Process Communication](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md)
|
||||
* [macOS XPC Connecting Process Check](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-connecting-process-check.md)
|
||||
* [macOS PID Reuse](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md)
|
||||
* [macOS XPC Authorization](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md)
|
||||
* [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md)
|
||||
* [macOS Kernel Extensions](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md)
|
||||
* [macOS MDM](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md)
|
||||
* [Enrolling Devices in Other Organisations](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md)
|
||||
* [macOS Serial Number](macos-hardening/macos-security-and-privilege-escalation/macos-mdm/macos-serial-number.md)
|
||||
* [macOS Basic Objective-C](macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md)
|
||||
* [macOS Objective-C](macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md)
|
||||
* [macOS Network Services & Protocols](macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md)
|
||||
* [macOS Red Teaming](macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md)
|
||||
* [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-tcc.md)
|
||||
* [macOS File Extension Apps](macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md)
|
||||
* [macOS TCC](macos-hardening/macos-security-and-privilege-escalation/macos-tcc/README.md)
|
||||
* [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-tcc/macos-apple-scripts.md)
|
||||
* [macOS Sandbox](macos-hardening/macos-security-and-privilege-escalation/macos-sandbox/README.md)
|
||||
* [macOS Sandbox Debug & Bypass](macos-hardening/macos-security-and-privilege-escalation/macos-sandbox/macos-sandbox-debug-and-bypass.md)
|
||||
* [macOS Apps - Inspecting, debugging and Fuzzing](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md)
|
||||
* [Introduction to ARM64](macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
||||
* [macOS Red Teaming](macos-hardening/macos-red-teaming.md)
|
||||
|
||||
## 🪟 Windows Hardening
|
||||
|
||||
|
@ -21,30 +21,30 @@ If you manage to **compromise admin credentials** to access the management platf
|
||||
|
||||
For red teaming in MacOS environments it's highly recommended to have some understanding of how the MDMs work:
|
||||
|
||||
{% content-ref url="macos-mdm/" %}
|
||||
[macos-mdm](macos-mdm/)
|
||||
{% content-ref url="macos-security-and-privilege-escalation/macos-mdm/" %}
|
||||
[macos-mdm](macos-security-and-privilege-escalation/macos-mdm/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
And also about **MacOS** "special" **network** **protocols**:
|
||||
|
||||
{% content-ref url="macos-protocols.md" %}
|
||||
[macos-protocols.md](macos-protocols.md)
|
||||
{% content-ref url="macos-security-and-privilege-escalation/macos-protocols.md" %}
|
||||
[macos-protocols.md](macos-security-and-privilege-escalation/macos-protocols.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Active Directory
|
||||
|
||||
In some occasions you will find that the **MacOS computer is connected to an AD**. In this scenario you should try to **enumerate** the active directory as you are use to it. Find some **help** in the following pages:
|
||||
|
||||
{% content-ref url="../../network-services-pentesting/pentesting-ldap.md" %}
|
||||
[pentesting-ldap.md](../../network-services-pentesting/pentesting-ldap.md)
|
||||
{% content-ref url="../network-services-pentesting/pentesting-ldap.md" %}
|
||||
[pentesting-ldap.md](../network-services-pentesting/pentesting-ldap.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
{% content-ref url="../../windows-hardening/active-directory-methodology/" %}
|
||||
[active-directory-methodology](../../windows-hardening/active-directory-methodology/)
|
||||
{% content-ref url="../windows-hardening/active-directory-methodology/" %}
|
||||
[active-directory-methodology](../windows-hardening/active-directory-methodology/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
{% content-ref url="../../network-services-pentesting/pentesting-kerberos-88/" %}
|
||||
[pentesting-kerberos-88](../../network-services-pentesting/pentesting-kerberos-88/)
|
||||
{% content-ref url="../network-services-pentesting/pentesting-kerberos-88/" %}
|
||||
[pentesting-kerberos-88](../network-services-pentesting/pentesting-kerberos-88/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
Some **local MacOS tool** that may also help you is `dscl`:
|
||||
@ -110,7 +110,7 @@ More info in [https://its-a-feature.github.io/posts/2018/01/Active-Directory-Dis
|
||||
|
||||
MacOS Red Teaming is different from a regular Windows Red Teaming as usually **MacOS is integrated with several external platforms directly**. A common configuration of MacOS is to access to the computer using **OneLogin synchronised credentials, and accessing several external services** (like github, aws...) via OneLogin:
|
||||
|
||||
![](<../../.gitbook/assets/image (563).png>)
|
||||
![](<../.gitbook/assets/image (563).png>)
|
||||
|
||||
###
|
||||
|
@ -92,7 +92,7 @@ Being able to **create a file** that is going to be **used by root**, allows a u
|
||||
|
||||
### Entitlements and Privileges abuse via process abuse
|
||||
|
||||
If a process can **inject code in another process with better privileges or entitlements** or contact it to perform privileges actions, he could escalate privileges and bypass defensive meassures such as [Sandbox](macos-sandbox/) or [TCC](macos-tcc.md).
|
||||
If a process can **inject code in another process with better privileges or entitlements** or contact it to perform privileges actions, he could escalate privileges and bypass defensive meassures such as [Sandbox](macos-sandbox/) or [TCC](macos-tcc/).
|
||||
|
||||
{% content-ref url="broken-reference" %}
|
||||
[Broken link](broken-reference)
|
||||
|
@ -84,8 +84,8 @@ kextunload com.apple.iokit.IOReportFamily
|
||||
|
||||
### IPC - Inter Process Communication
|
||||
|
||||
{% content-ref url="macos-ipc-inter-process-communication/" %}
|
||||
[macos-ipc-inter-process-communication](macos-ipc-inter-process-communication/)
|
||||
{% content-ref url="../macos-proces-abuse/macos-ipc-inter-process-communication/" %}
|
||||
[macos-ipc-inter-process-communication](../macos-proces-abuse/macos-ipc-inter-process-communication/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## macOS Kernel Extensions
|
||||
|
@ -0,0 +1,76 @@
|
||||
# macOS File Extension Apps
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
### File Extensions Apps
|
||||
|
||||
The following line can be useful to find the applications that can open files depending on the extension:
|
||||
|
||||
```
|
||||
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep -E "path:|bindings:|name:"
|
||||
```
|
||||
|
||||
Or use something like [**SwiftDefaultApps**](https://github.com/Lord-Kamina/SwiftDefaultApps):
|
||||
|
||||
```
|
||||
./swda getSchemes #Get all the available schemes
|
||||
./swda getApps #Get all the apps declared
|
||||
./swda getUTIs #Get all the UTIs
|
||||
./swda getHandler --URL ftp #Get ftp handler
|
||||
```
|
||||
|
||||
You can also check the extensions supported by an application doing:
|
||||
|
||||
```
|
||||
cd /Applications/Safari.app/Contents
|
||||
grep -A3 CFBundleTypeExtensions Info.plist | grep string
|
||||
<string>css</string>
|
||||
<string>pdf</string>
|
||||
<string>webarchive</string>
|
||||
<string>webbookmark</string>
|
||||
<string>webhistory</string>
|
||||
<string>webloc</string>
|
||||
<string>download</string>
|
||||
<string>safariextz</string>
|
||||
<string>gif</string>
|
||||
<string>html</string>
|
||||
<string>htm</string>
|
||||
<string>js</string>
|
||||
<string>jpg</string>
|
||||
<string>jpeg</string>
|
||||
<string>jp2</string>
|
||||
<string>txt</string>
|
||||
<string>text</string>
|
||||
<string>png</string>
|
||||
<string>tiff</string>
|
||||
<string>tif</string>
|
||||
<string>url</string>
|
||||
<string>ico</string>
|
||||
<string>xhtml</string>
|
||||
<string>xht</string>
|
||||
<string>xml</string>
|
||||
<string>xbl</string>
|
||||
<string>svg</string>
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
@ -0,0 +1,53 @@
|
||||
# macOS Proces Abuse
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
## MacOS Process Abuse
|
||||
|
||||
MacOS, like any other operating system, provides a variety of methods and mechanisms for **processes to interact, communicate, and share data**. While these techniques are essential for efficient system functioning, they can also be abused by threat actors to **perform malicious activities**.
|
||||
|
||||
### Library Injection
|
||||
|
||||
Library Injection is a technique wherein an attacker **forces a process to load a malicious library**. Once injected, the library runs in the context of the target process, providing the attacker with the same permissions and access as the process.
|
||||
|
||||
{% content-ref url="macos-library-injection/" %}
|
||||
[macos-library-injection](macos-library-injection/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Function Hooking
|
||||
|
||||
Function Hooking involves **intercepting function calls** or messages within a software code. By hooking functions, an attacker can **modify the behavior** of a process, observe sensitive data, or even gain control over the execution flow.
|
||||
|
||||
{% content-ref url="macos-function-hooking.md" %}
|
||||
[macos-function-hooking.md](macos-function-hooking.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Inter Process Communication
|
||||
|
||||
Inter Process Communication (IPC) refers to different methods by which separate processes **share and exchange data**. While IPC is fundamental for many legitimate applications, it can also be misused to subvert process isolation, leak sensitive information, or perform unauthorized actions.
|
||||
|
||||
{% content-ref url="macos-ipc-inter-process-communication/" %}
|
||||
[macos-ipc-inter-process-communication](macos-ipc-inter-process-communication/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
@ -256,7 +256,7 @@ int main(int argc, const char * argv[]) {
|
||||
|
||||
In this page different ways to hook functions were discussed. However, they involved **running code inside the process to attack**.
|
||||
|
||||
In order to do that the easiest technique to use is to inject a [Dyld via environment variables or hijacking](../macos-dyld-hijacking-and-dyld\_insert\_libraries.md). However, I guess this could also be done via [Dylib process injection](macos-ipc-inter-process-communication/#dylib-process-injection-via-task-port).
|
||||
In order to do that the easiest technique to use is to inject a [Dyld via environment variables or hijacking](macos-library-injection/macos-dyld-hijacking-and-dyld\_insert\_libraries.md). However, I guess this could also be done via [Dylib process injection](macos-ipc-inter-process-communication/#dylib-process-injection-via-task-port).
|
||||
|
||||
However, both options are **limited** to **unprotected** binaries/processes. Check each technique to learn more about the limitations.
|
||||
|
@ -411,8 +411,8 @@ It was possible to **inject a simple shellcode** to execute a command because it
|
||||
|
||||
You can find **example dylibs** in (for example the one that generates a log and then you can listen to it):
|
||||
|
||||
{% content-ref url="../../macos-dyld-hijacking-and-dyld_insert_libraries.md" %}
|
||||
[macos-dyld-hijacking-and-dyld\_insert\_libraries.md](../../macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||
{% content-ref url="../macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.md" %}
|
||||
[macos-dyld-hijacking-and-dyld\_insert\_libraries.md](../macos-library-injection/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
<details>
|
@ -0,0 +1,191 @@
|
||||
# macOS Library Injection
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
The code of **dyld is open source** and can be found in [https://opensource.apple.com/source/dyld/](https://opensource.apple.com/source/dyld/) and cab be downloaded a tar using a **URL such as** [https://opensource.apple.com/tarballs/dyld/dyld-852.2.tar.gz](https://opensource.apple.com/tarballs/dyld/dyld-852.2.tar.gz)
|
||||
{% endhint %}
|
||||
|
||||
## **DYLD\_INSERT\_LIBRARIES**
|
||||
|
||||
> This is a colon separated **list of dynamic libraries** to l**oad before the ones specified in the program**. This lets you test new modules of existing dynamic shared libraries that are used in flat-namespace images by loading a temporary dynamic shared library with just the new modules. Note that this has no effect on images built a two-level namespace images using a dynamic shared library unless DYLD\_FORCE\_FLAT\_NAMESPACE is also used.
|
||||
|
||||
This is like the [**LD\_PRELOAD on Linux**](../../../../linux-hardening/privilege-escalation#ld\_preload).
|
||||
|
||||
This technique may be also **used as an ASEP technique** as every application installed has a plist called "Info.plist" that allows for the **assigning of environmental variables** using a key called `LSEnvironmental`.
|
||||
|
||||
{% hint style="info" %}
|
||||
Since 2012 **Apple has drastically reduced the power** of the **`DYLD_INSERT_LIBRARIES`**.
|
||||
|
||||
Go to the code and **check `src/dyld.cpp`**. In the function **`pruneEnvironmentVariables`** you can see that **`DYLD_*`** variables are removed.
|
||||
|
||||
In the function **`processRestricted`** the reason of the restriction is set. Checking that code you can see that the reasons are:
|
||||
|
||||
* The binary is `setuid/setgid`
|
||||
* Existence of `__RESTRICT/__restrict` section in the macho binary.
|
||||
* The software has entitlements (hardened runtime) without [`com.apple.security.cs.allow-dyld-environment-variables`](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_allow-dyld-environment-variables) entitlement or [`com.apple.security.cs.disable-library-validation`](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_disable-library-validation).
|
||||
* Check **entitlements** of a binary with: `codesign -dv --entitlements :- </path/to/bin>`
|
||||
* If the lib is signed with a different certificate as the binary
|
||||
* If the lib & the bin are signed with the same cert, this will bypass the previous restrictions
|
||||
* Programs with the entitlements **`system.install.apple-software`** and **`system.install.apple-software.standar-user`** can **install software** signed by Apple without asking the user for a password (privesc)
|
||||
|
||||
In more updated versions you can find this logic at the second part of the function **`configureProcessRestrictions`.** However, what is executed in newer versions is the **beginning checks of the function** (you can remove the ifs related to iOS or simulation as those won't be used in macOS.
|
||||
{% endhint %}
|
||||
|
||||
You can check if a binary has **hardenend runtime** with `codesign --display --verbose <bin>` checking the flag runtime in **`CodeDirectory`** like: **`CodeDirectory v=20500 size=767 flags=0x10000(runtime) hashes=13+7 location=embedded`**
|
||||
|
||||
Find a example on how to (ab)use this and check the restrictions in:
|
||||
|
||||
{% content-ref url="macos-dyld-hijacking-and-dyld_insert_libraries.md" %}
|
||||
[macos-dyld-hijacking-and-dyld\_insert\_libraries.md](macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Dylib Hijacking
|
||||
|
||||
{% hint style="danger" %}
|
||||
Remember that **previous restrictions also apply** to perform Dylib hijacking attacks.
|
||||
{% endhint %}
|
||||
|
||||
As in Windows, in MacOS you can also **hijack dylibs** to make **applications** **execute** **arbitrary** **code**.\
|
||||
However, the way **MacOS** applications **load** libraries is **more restricted** than in Windows. This implies that **malware** developers can still use this technique for **stealth**, but the probably to be able to **abuse this to escalate privileges is much lower**.
|
||||
|
||||
First of all, is **more common** to find that **MacOS binaries indicates the full path** to the libraries to load. And second, **MacOS never search** in the folders of the **$PATH** for libraries.
|
||||
|
||||
The **main** part of the **code** related to this functionality is in **`ImageLoader::recursiveLoadLibraries`** in `ImageLoader.cpp`.
|
||||
|
||||
However, there are **2 types of dylib hijacking**:
|
||||
|
||||
* **Missing weak linked libraries**: This means that the application will try to load a library that doesn't exist configured with **LC\_LOAD\_WEAK\_DYLIB**. Then, **if an attacker places a dylib where it's expected it will be loaded**.
|
||||
* The fact that the link is "weak" means that the application will continue running even if the library isn't found.
|
||||
* The **code related** to this is in the function `ImageLoaderMachO::doGetDependentLibraries` of `ImageLoaderMachO.cpp` where `lib->required` is only `false` when `LC_LOAD_WEAK_DYLIB` is true.
|
||||
* **Find weak liked libraries** in binaries with (you have later an example on how to create hijacking libraries):
|
||||
* ```
|
||||
otool -l </path/to/bin> | grep LC_LOAD_WEAK_DYLIB -A 5 cmd LC_LOAD_WEAK_DYLIB
|
||||
cmdsize 56
|
||||
name /var/tmp/lib/libUtl.1.dylib (offset 24)
|
||||
time stamp 2 Wed Jun 21 12:23:31 1969
|
||||
current version 1.0.0
|
||||
compatibility version 1.0.0
|
||||
```
|
||||
* **Configured with @rpath**: Mach-O binaries can have the commands **`LC_RPATH`** and **`LC_LOAD_DYLIB`**. Base on the **values** of those commands, **libraries** are going to be **loaded** from **different directories**.
|
||||
* **`LC_RPATH`** contains the paths of some folders used to load libraries by the binary.
|
||||
* **`LC_LOAD_DYLIB`** contains the path to specific libraries to load. These paths can contain **`@rpath`**, which will be **replaced** by the values in **`LC_RPATH`**. If there are several paths in **`LC_RPATH`** everyone will be used to search the library to load. Example:
|
||||
* If **`LC_LOAD_DYLIB`** contains `@rpath/library.dylib` and **`LC_RPATH`** contains `/application/app.app/Contents/Framework/v1/` and `/application/app.app/Contents/Framework/v2/`. Both folders are going to be used to load `library.dylib`**.** If the library doesn't exist in `[...]/v1/` and attacker could place it there to hijack the load of the library in `[...]/v2/` as the order of paths in **`LC_LOAD_DYLIB`** is followed.
|
||||
* **Find rpath paths and libraries** in binaries with: `otool -l </path/to/binary> | grep -E "LC_RPATH|LC_LOAD_DYLIB" -A 5`
|
||||
|
||||
{% hint style="info" %}
|
||||
**`@executable_path`**: Is the **path** to the directory containing the **main executable file**.
|
||||
|
||||
**`@loader_path`**: Is the **path** to the **directory** containing the **Mach-O binary** which contains the load command.
|
||||
|
||||
* When used in an executable, **`@loader_path`** is effectively the **same** as **`@executable_path`**.
|
||||
* When used in a **dylib**, **`@loader_path`** gives the **path** to the **dylib**.
|
||||
{% endhint %}
|
||||
|
||||
The way to **escalate privileges** abusing this functionality would be in the rare case that an **application** being executed **by** **root** is **looking** for some **library in some folder where the attacker has write permissions.**
|
||||
|
||||
{% hint style="success" %}
|
||||
A nice **scanner** to find **missing libraries** in applications is [**Dylib Hijack Scanner**](https://objective-see.com/products/dhs.html) or a [**CLI version**](https://github.com/pandazheng/DylibHijack).\
|
||||
A nice **report with technical details** about this technique can be found [**here**](https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x).
|
||||
{% endhint %}
|
||||
|
||||
**Example**
|
||||
|
||||
{% content-ref url="macos-dyld-hijacking-and-dyld_insert_libraries.md" %}
|
||||
[macos-dyld-hijacking-and-dyld\_insert\_libraries.md](macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Dlopen Hijacking
|
||||
|
||||
From **`man dlopen`**:
|
||||
|
||||
* When path **does not contain a slash character** (i.e. it is just a leaf name), **dlopen() will do searching**. If **`$DYLD_LIBRARY_PATH`** was set at launch, dyld will first **look in that director**y. Next, if the calling mach-o file or the main executable specify an **`LC_RPATH`**, then dyld will **look in those** directories. Next, if the process is **unrestricted**, dyld will search in the **current working directory**. Lastly, for old binaries, dyld will try some fallbacks. If **`$DYLD_FALLBACK_LIBRARY_PATH`** was set at launch, dyld will search in **those directories**, otherwise, dyld will look in **`/usr/local/lib/`** (if the process is unrestricted), and then in **`/usr/lib/`**.
|
||||
1. `$DYLD_LIBRARY_PATH`
|
||||
2. `LC_RPATH`
|
||||
3. `CWD`(if unrestricted)
|
||||
4. `$DYLD_FALLBACK_LIBRARY_PATH`
|
||||
5. `/usr/local/lib/` (if unrestricted)
|
||||
6. `/usr/lib/`
|
||||
* When path **looks like a framework** path (e.g. /stuff/foo.framework/foo), if **`$DYLD_FRAMEWORK_PATH`** was set at launch, dyld will first look in that directory for the framework partial path (e.g. foo.framework/foo). Next, dyld will try the **supplied path as-is** (using current working directory for relative paths). Lastly, for old binaries, dyld will try some fallbacks. If **`$DYLD_FALLBACK_FRAMEWORK_PATH`** was set at launch, dyld will search those directories. Otherwise, it will search **`/Library/Frameworks`** (on macOS if process is unrestricted), then **`/System/Library/Frameworks`**.
|
||||
1. `$DYLD_FRAMEWORK_PATH`
|
||||
2. supplied path (using current working directory for relative paths)
|
||||
3. `$DYLD_FALLBACK_FRAMEWORK_PATH`(if unrestricted)
|
||||
4. `/Library/Frameworks` (if unrestricted)
|
||||
5. `/System/Library/Frameworks`
|
||||
* When path **contains a slash but is not a framework path** (i.e. a full path or a partial path to a dylib), dlopen() first looks in (if set) in **`$DYLD_LIBRARY_PATH`** (with leaf part from path ). Next, dyld **tries the supplied path** (using current working directory for relative paths (but only for unrestricted processes)). Lastly, for older binaries, dyld will try fallbacks. If **`$DYLD_FALLBACK_LIBRARY_PATH`** was set at launch, dyld will search in those directories, otherwise, dyld will look in **`/usr/local/lib/`** (if the process is unrestricted), and then in **`/usr/lib/`**.
|
||||
1. `$DYLD_LIBRARY_PATH`
|
||||
2. supplied path (using current working directory for relative paths if unrestricted)
|
||||
3. `$DYLD_FALLBACK_LIBRARY_PATH`
|
||||
4. `/usr/local/lib/` (if unrestricted)
|
||||
5. `/usr/lib/`
|
||||
|
||||
Note: If the main executable is a **set\[ug]id binary or codesigned with entitlements**, then **all environment variables are ignored**, and only a full path can be used.
|
||||
|
||||
**Check paths**
|
||||
|
||||
Lets check all the options with the following code:
|
||||
|
||||
```c
|
||||
#include <dlfcn.h>
|
||||
#include <stdio.h>
|
||||
|
||||
int main(void)
|
||||
{
|
||||
void* handle;
|
||||
|
||||
handle = dlopen("just_name_dlopentest.dylib",1);
|
||||
if (!handle) {
|
||||
fprintf(stderr, "Error loading: %s\n", dlerror());
|
||||
}
|
||||
|
||||
handle = dlopen("a/framework/rel_framework_dlopentest.dylib",1);
|
||||
if (!handle) {
|
||||
fprintf(stderr, "Error loading: %s\n", dlerror());
|
||||
}
|
||||
|
||||
handle = dlopen("/a/abs/framework/abs_framework_dlopentest.dylib",1);
|
||||
if (!handle) {
|
||||
fprintf(stderr, "Error loading: %s\n", dlerror());
|
||||
}
|
||||
|
||||
handle = dlopen("a/folder/rel_folder_dlopentest.dylib",1);
|
||||
if (!handle) {
|
||||
fprintf(stderr, "Error loading: %s\n", dlerror());
|
||||
}
|
||||
|
||||
handle = dlopen("/a/abs/folder/abs_folder_dlopentest.dylib",1);
|
||||
if (!handle) {
|
||||
fprintf(stderr, "Error loading: %s\n", dlerror());
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
```
|
||||
|
||||
If you compile and execute it you can see **where each library was unsuccessfully searched for**. Also, you could **filter the FS logs**:
|
||||
|
||||
```bash
|
||||
sudo fs_usage | grep "dlopentest"
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
@ -178,16 +178,16 @@ Process 2517 exited with status = 0 (0x00000000)
|
||||
|
||||
If from then sandbox process you are able to **compromise other processes** running in less restrictive sandboxes (or none), you will be able to escape to their sandboxes:
|
||||
|
||||
{% content-ref url="broken-reference" %}
|
||||
[Broken link](broken-reference)
|
||||
{% content-ref url="../macos-proces-abuse/" %}
|
||||
[macos-proces-abuse](../macos-proces-abuse/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Interposting Bypass
|
||||
|
||||
For more information about **Interposting** check:
|
||||
|
||||
{% content-ref url="../mac-os-architecture/macos-function-hooking.md" %}
|
||||
[macos-function-hooking.md](../mac-os-architecture/macos-function-hooking.md)
|
||||
{% content-ref url="../macos-proces-abuse/macos-function-hooking.md" %}
|
||||
[macos-function-hooking.md](../macos-proces-abuse/macos-function-hooking.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
#### Interpost `_libsecinit_initializer` to prevent the sandbox
|
||||
|
@ -195,7 +195,7 @@ The **extended attribute `com.apple.macl`** is added to the new **file** to give
|
||||
|
||||
By default an access via **SSH** will have **"Full Disk Access"**. In order to disable this you need to have it listed but disabled (removing it from the list won't remove those privileges):
|
||||
|
||||
![](<../../.gitbook/assets/image (569).png>)
|
||||
![](<../../../.gitbook/assets/image (569).png>)
|
||||
|
||||
Here you can find examples of how some **malwares have been able to bypass this protection**:
|
||||
|
||||
@ -250,13 +250,13 @@ An app with the **`kTCCServiceAppleEvents`** permission will be able to **contro
|
||||
|
||||
For more info about Apple Scripts check:
|
||||
|
||||
{% content-ref url="broken-reference" %}
|
||||
[Broken link](broken-reference)
|
||||
{% content-ref url="macos-apple-scripts.md" %}
|
||||
[macos-apple-scripts.md](macos-apple-scripts.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
For example, if an App has **Automation permission over `iTerm`**, for example in this example **`Terminal`** has access over iTerm:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (2) (2) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (2) (2) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
#### Over iTerm
|
||||
|
||||
@ -300,8 +300,8 @@ I you manage to **inject code in a process** you will be able to abuse the TCC p
|
||||
|
||||
Check process abuse techniques in the following page:
|
||||
|
||||
{% content-ref url="broken-reference" %}
|
||||
[Broken link](broken-reference)
|
||||
{% content-ref url="../macos-proces-abuse/" %}
|
||||
[macos-proces-abuse](../macos-proces-abuse/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
See some examples in the following sections:
|
@ -0,0 +1,54 @@
|
||||
# macOS Apple Scripts
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
## Apple Scripts
|
||||
|
||||
It's a scripting language used for task automation **interacting with remote processes**. It makes pretty easy to **ask other processes to perform some actions**. **Malware** may abuse these features to abuse functions exported by other processes.\
|
||||
For example, a malware could **inject arbitrary JS code in browser opened pages**. Or **auto click** some allow permissions requested to the user;
|
||||
|
||||
```
|
||||
tell window 1 of process “SecurityAgent”
|
||||
click button “Always Allow” of group 1
|
||||
end tell
|
||||
```
|
||||
|
||||
Here you have some examples: [https://github.com/abbeycode/AppleScripts](https://github.com/abbeycode/AppleScripts)\
|
||||
Find more info about malware using applescripts [**here**](https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/).
|
||||
|
||||
Apple scripts may be easily "**compiled**". These versions can be easily "**decompiled**" with `osadecompile`
|
||||
|
||||
However, this scripts can also be **exported as "Read only"** (via the "Export..." option):
|
||||
|
||||
<figure><img src="https://github.com/carlospolop/hacktricks/raw/master/.gitbook/assets/image%20(556).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
```
|
||||
file mal.scpt
|
||||
mal.scpt: AppleScript compiled
|
||||
```
|
||||
|
||||
and tin this case the content cannot be decompiled even with `osadecompile`
|
||||
|
||||
However, there are still some tools that can be used to understand this kind of executables, [**read this research for more info**](https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/)). The tool [**applescript-disassembler**](https://github.com/Jinmo/applescript-disassembler) with [**aevt\_decompile**](https://github.com/SentineLabs/aevt\_decompile) will be very useful to understand how the script works.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
Loading…
Reference in New Issue
Block a user