MacOS "DirtyNIB" Vulnerability

While looking for avenues of injecting code into platform binaries back in macOS Monterey, I was able to identify a vulnerability which allowed the hijacking of Apple application entitlements. Recently I decided to revisit this vulnerability after a long time of trying to have it patched, and was surprised to see that it still works. There are some caveats introduced with later versions of macOS which we will explore, but in this post we’ll look at a vulnerability in macOS Sonoma which has been around for a long time, and remains an 0day, urm, to this day.... Read More »

Okta for Red Teamers

In this blog post, I'll discuss some of the post-exploitation techniques that I've found to be useful against Okta. Specifically, this post will look at how to use delegated authentication to our advantage, silver tickets, Okta AD agent spoofing, and finally how to deploy a fake SAML provider.... Read More »

LAPS 2.0 Internals

This year, LAPS 2.0 was released by Microsoft, and thankfully it now comes built-in to Windows. This time it comes ready for use with Active Directory, as well as being supported in Azure AD aka Entra ID. In this post, we’ll look at how LAPS 2.0 for Active Directory works under the hood, so you can make those fresh recommendations to your clients, and prepare yourself for the inevitable question... “But we just deployed LAPS.. what does LAPS 2.0 do differently?!”.... Read More »

PNG Steganography from First Principles

Steganography is experiencing a revival as a wrapper for delivering payloads. In this post we'll go back to basics and show just how steganography can be applied to a PNG image using the common least significant bit (LSB) encoding technique. No magic... just raw information... and a little C++.... Read More »

Building a Custom Mach-O Memory Loader for macOS - Part 1

In this blog we'll look at what it takes to construct an in-memory loader for Mach-O bundles within MacOS Ventura without using dyld. We'll walk though the lower-level details of what makes up a Mach-O file, how dyld processes load commands to map areas into memory, and how we can emulate this to avoid writing payloads to disk.... Read More »