t2

src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md

@@ -71,3 +71,4 @@ macos-system-extensions.md
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md

@@ -851,3 +851,4 @@ For more info check:
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md

@@ -150,3 +150,4 @@ nm -a binaries/com.apple.security.sandbox | wc -l
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md

@@ -10,3 +10,4 @@
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md

@@ -83,3 +83,4 @@ At the end this was fixed by giving the new permission **`kTCCServiceEndpointSec
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md

@@ -635,3 +635,4 @@ litefuzz -s -a tcp://localhost:5900 -i input/screenshared-session --reportcrash
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md

@@ -797,3 +797,4 @@ call_execve:
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.md

@@ -444,3 +444,4 @@ dup2:
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.md

@@ -153,3 +153,4 @@ During runtime and additional structure `class_rw_t` is used containing pointers
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md

@@ -270,3 +270,4 @@ The directory `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md

@@ -44,3 +44,4 @@ For more detailed information on `Info.plist` keys and their meanings, the Apple
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md

@@ -166,3 +166,4 @@ productbuild --distribution dist.xml --package-path myapp.pkg final-installer.pk
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md

@@ -55,3 +55,4 @@ cd /tmp; wget https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md

@@ -275,3 +275,4 @@ These are notifications that the user should see in the screen:
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md

@@ -414,3 +414,4 @@ In `__DATA` segment (rw-):
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md

@@ -277,3 +277,4 @@ Note that to call that function you need to be **the same uid** as the one runni
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md

@@ -120,3 +120,4 @@ The full POC code for injection into PowerShell is accessible [here](https://gis
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-chromium-injection.md

@@ -35,3 +35,4 @@ Find more examples in the tools links
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.md

@@ -73,3 +73,4 @@ From macOS Sonoma onwards, modifications inside App bundles are restricted. Howe
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md

@@ -270,3 +270,4 @@ Shell binding requested. Check `nc 127.0.0.1 12345`
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.md

@@ -378,3 +378,4 @@ static void customConstructor(int argc, const char **argv) {
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/README.md

@@ -1287,3 +1287,4 @@ macos-mig-mach-interface-generator.md
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md

@@ -404,3 +404,4 @@ The code generated by MIG also calles `kernel_debug` to generate logs about oper
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md

@@ -177,3 +177,4 @@ By adhering to these guidelines and utilizing the `threadexec` library, one can
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md

@@ -486,3 +486,4 @@ It's possible to find thee communications using `netstat`, `nettop` or the open
 {{#include ../../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md

@@ -442,3 +442,4 @@ int main(void) {
 {{#include ../../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md

@@ -95,3 +95,4 @@ if ((csFlags & (cs_hard | cs_require_lv)) {
 {{#include ../../../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md

@@ -292,3 +292,4 @@ int main(int argc, const char * argv[]) {
 {{#include ../../../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md

@@ -125,3 +125,4 @@ Below is a visual representation of the described attack scenario:
 {{#include ../../../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.md

@@ -174,3 +174,4 @@ Note how interesting is that Android Studio in this example is trying to load th
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md

@@ -339,3 +339,4 @@ DYLD_INSERT_LIBRARIES=inject.dylib ./hello-signed # Won't work
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.md

@@ -166,3 +166,4 @@ sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.md

@@ -316,3 +316,4 @@ find . -type f | xargs grep strcmp| grep key,\ \" | cut -d'"' -f2 | sort -u
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md

@@ -72,3 +72,4 @@ For example, if a script is importing **`use File::Basename;`** it would be poss
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-python-applications-injection.md

@@ -20,3 +20,4 @@ BROWSER="/bin/sh -c 'touch /tmp/hacktricks' #%s" python3 -I -W all:0:antigravity
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md

@@ -33,3 +33,4 @@ RUBYOPT="-I/tmp -rinject" ruby hello.rb --disable-rubyopt
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md

@@ -145,3 +145,4 @@ References and **more information about BTM**:
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.md

@@ -131,3 +131,4 @@ iOS AMFI maintains a lost of known hashes which are signed ad-hoc, called the **
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.md

@@ -88,3 +88,4 @@ That will fork and exec `/usr/libexec/security_authtrampoline /bin/ls` as root,
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.md

@@ -370,3 +370,4 @@ struct cs_blob {
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md

@@ -171,3 +171,4 @@ Allow the process to **ask for all the TCC permissions**.
 </details>
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md

@@ -469,3 +469,4 @@ This feature is particularly useful for preventing certain classes of security v
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md

@@ -182,3 +182,4 @@ xattr -l protected
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md

@@ -476,3 +476,4 @@ In an ".app" bundle if the quarantine xattr is not added to it, when executing i
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.md

@@ -178,3 +178,4 @@ Even if it's required that the application has to be **opened by LaunchService**
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md

@@ -253,3 +253,4 @@ __END_DECLS
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md

@@ -401,3 +401,4 @@ Sandbox also has a user daemon running exposing the XPC Mach service `com.apple.
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-default-sandbox-debug.md

@@ -115,3 +115,4 @@ codesign --remove-signature SandboxedShellApp.app
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md

@@ -501,3 +501,4 @@ Process 2517 exited with status = 0 (0x00000000)
 {{#include ../../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.md

@@ -52,3 +52,4 @@ The thing is that even if **`python`** was signed by Apple, it **won't execute**
 {{#include ../../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md

@@ -281,3 +281,4 @@ mount
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md

@@ -604,3 +604,4 @@ macos-tcc-bypasses/
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-events.md

@@ -22,3 +22,4 @@ Sandboxed applications requires privileges like `allow appleevent-send` and `(al
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md

@@ -538,3 +538,4 @@ Another way using [**CoreGraphics events**](https://objectivebythesea.org/v2/tal
 {{#include ../../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md

@@ -34,3 +34,4 @@ However, there are still some tools that can be used to understand this kind of
 {{#include ../../../../../banners/hacktricks-training.md}}
 
 
+

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.md

@@ -930,3 +930,4 @@ int main() {
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
+

src/misc/references.md

@@ -49,3 +49,4 @@
 {{#include ../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/README.md

@@ -777,3 +777,4 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/adb-commands.md

@@ -354,3 +354,4 @@ If you want to inspect the content of the backup:
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/android-applications-basics.md

@@ -398,3 +398,4 @@ if (dpm.isAdminActive(adminComponent)) {
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/android-task-hijacking.md

@@ -47,3 +47,4 @@ To prevent such attacks, developers can set `taskAffinity` to an empty string an
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/apk-decompilers.md

@@ -62,3 +62,4 @@ This tool can be used to dump the DEX of a running APK in memory. This helps to
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md

@@ -230,3 +230,4 @@ You can **use the GUI** to take a snapshot of the VM at any time:
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md

@@ -78,3 +78,4 @@ There are specialized tools and scripts designed to test and bypass authenticati
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/content-protocol.md

@@ -92,3 +92,4 @@ Proof-of-Concept HTML:
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md

@@ -299,3 +299,4 @@ run app.package.debuggable
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md

@@ -202,3 +202,4 @@ Vulnerable Providers:
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md

@@ -91,3 +91,4 @@ This example demonstrated how the behavior of a debuggable application can be ma
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md

@@ -205,3 +205,4 @@ Java.choose("com.example.a11x256.frida_test.my_activity", {
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md

@@ -137,3 +137,4 @@ You can see that in [the next tutorial](frida-tutorial-2.md).
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md

@@ -221,3 +221,4 @@ There is a part 5 that I am not going to explain because there isn't anything ne
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md

@@ -280,3 +280,4 @@ exit
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md

@@ -123,3 +123,4 @@ Java.perform(function () {
 {{#include ../../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md

@@ -69,3 +69,4 @@ You need to do this inside a physical device as (I don't know why) this doesn't
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md

@@ -154,3 +154,4 @@ nsenter --mount=/proc/$APP_PID/ns/mnt -- /bin/mount --bind /system/etc/security/
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/intent-injection.md

@@ -5,3 +5,4 @@
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md

@@ -48,3 +48,4 @@ Finally, you need just to **sign the new application**. [Read this section of th
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md

@@ -40,3 +40,4 @@ By executing the code in a controlled environment, dynamic analysis **allows for
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/react-native-application.md

@@ -41,3 +41,4 @@ To search for sensitive credentials and endpoints, follow these steps:
 {{#include ../../banners/hacktricks-training.md}}
 
 
+

src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md

@@ -46,3 +46,4 @@ Android apps can use native libraries, typically written in C or C++, for perfor
 {{#include ../../banners/hacktricks-training.md}}
 
 
+