Samuel Keeley keeleysam

@keeleysam
keeleysam / launchdaemon_programs_mutable.sql
Last active Jul 15, 2019
Sample queries for use with osquery (https://osquery.io/) to find executables which are writable by users other than root for simple root escalations. Presented at Objective by the Sea v2.0 (https://objectivebythesea.com/v2/)
View launchdaemon_programs_mutable.sql
/*
This query looks at the programs referenced by LaunchDaemons in order to find ones which are writable by non-root users.
Note that in some cases it is hard to tell what launchd will actually execute, so this query may return false positives. Recommended for use together with process monitoring.
*/
select
distinct p.launchd_path as launchd_path,
p.launchd_label as launchd_label,
f.path,
View keybase.md

Keybase proof

I hereby claim:

  • I am keeleysam on github.
  • I am keeleysam (https://keybase.io/keeleysam) on keybase.
  • I have a public key ASBKqpVo2TGE26gR6fUNqL65zbZMy9d5gXPqRImzZRoojgo

To claim this, I am signing this object:

View gist:4219239
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppleUpdates</key>
<array>
<dict>
<key>blocking_applications</key>
<array>
<string>Xcode.app</string>
View gist:3933637
ST31000528AS:
Capacity: 1 TB (1,000,204,886,016 bytes)
Model: ST31000528AS
Revision: AP25
Serial Number: xxxxxxxx
Native Command Queuing: Yes
Queue Depth: 32
Removable Media: No
Detachable Drive: No
View gist:3802037
bplist00ÿ \groupmembersYmcx_flags\mcx_settingsXrealname\generateduidUusersSgidTname¢
_$99B537A8-4E10-4033-BBE7-E4594D452B95_$5D00747F-E320-4280-8C2B-50907C37F31C°
O‚<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>has_mcx_settings</key>
<true/>
</dict>
</plist>
View gist:3801496
sh-3.2# ./setupMCX2.sh
+ ./setupMCX2.sh
+ local_desktop_GUID=B4247B97-F249-4409-8EA3-BA8E168BA0DA
+ local_laptop_GUID=15BEE70A-A32D-4A33-B740-93CBE95F75A4
+ changedMCX=true
+ /bin/mkdir -p -m 700 /private/var/db/dslocal/nodes/MCX
+ /bin/mkdir -p -m 700 /private/var/db/dslocal/nodes/MCX/users
+ /bin/mkdir -p -m 700 /private/var/db/dslocal/nodes/MCX/groups
+ /bin/mkdir -p -m 700 /private/var/db/dslocal/nodes/MCX/computers
+ /bin/mkdir -p -m 700 /private/var/db/dslocal/nodes/MCX/computergroups
View gist:3800649
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>dsAttrTypeStandard:CSPSearchPath</key>
<array>
<string>/Local/Default</string>
<string>/Local/MCX</string>
<string>/Active Directory/AD/All Domains</string>
</array>
View gist:3800593
sh-3.2# /usr/bin/dscl -plist /Search read / CSPSearchPath
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>dsAttrTypeStandard:CSPSearchPath</key>
<array>
<string>/Local/Default</string>
<string>/Active Directory/AD/All Domains</string>
</array>
View gist:3796679
$ /usr/bin/dscl /Search read / CSPSearchPath | /usr/bin/cut -d" " -f3-
CSPSearchPath:
Directory/DIRECTORY/All Domains
$ /usr/bin/dscl /Search read / CSPSearchPath | /usr/bin/cut -d" " -f4-
CSPSearchPath:
Domains
View gist:3796523
sudo ./setupMCX.sh
<main> attribute status: eDSNodeNotFound
<dscl_cmd> DS Error: -14008 (eDSNodeNotFound)
<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
Updating GUID for /Computers/local_desktop...
was:
now: B4247B97-F249-4409-8EA3-BA8E168BA0DA
Updating GUID for /Computers/local_laptop...
was: