Blacksun Hackers Club

Bypassing TCC With iTerm2

Motivation When landing a shell in macOS environments, you’ll frequently want access to the files under your victim’s home folder. Some of these locations are TCC protected. Specifically ~/Documen...

Looting Electron Apps Via The V8 Inspector

What Is The V8 Inspector? V8 is the JavaScript engine that ships as part of both Chromium (and its derivatives) and Node (which is in turn included in Electron). V8 provides a debugging interfac...

Hijacking Web Traffic On MacOS and iOS With MDM Profiles

What Are MDM Profiles? MDM profiles allow organizations to deploy common device configurations across macOS and iOS devices. They can be deployed by hand, or via third-party MDM solutions such as Jam...

HomeBrood 0x00 - Surreptitious hijacking of Homebrew on macOS

Foreword I thought it might be fun to poke at Homebrew and see what kind of things I could find. Welcome to the beginning of what I hope will be a small but fun series of posts on abusing Homebrew...

Acquiring and Abusing Slack Legacy Tokens on macOS

Foreword Right on the heels of my last post, which detailed a token theft attack on macOS, today I’m sharing yet another procedure for acquiring and abusing tokens found on a macOS system. Included...

iCloud Authentication Token acquisition on macOS

Foreword While this is by no means new or groundbreaking information, I’ve been meaning to document a process known to the forensic and law enforcement community and provided as part of point-and-cl...

macOS Persistence via iTerm

Foreword macOS’s default Terminal.app is garbage, and everyone knows it; they also know iTerm is by and large the most popular terminal replacement for macOS. But did you know iTerm is also a fanta...

Scriptless Identification of Browsers

Foreword This is a fairly short post illustrating a technique for identifying a browser based on request headers. This technique is not reliant on any scripting support and successfully identifies b...

macOS Serial Console Login

Foreword This short post documents a technique for authenticating as root on macOS and provides procedures for bypassing the default macOS configuration, which explicitly disables the root user. ...

Chrome Arbitrary Javascript Injection Via AppleScript

Foreword I’ve had a PoC for this technique for a little while as part of research for a future talk on the subject of post-exploitation in macOS, but as an article has surfaced detailing the adware...