Hello! I am angelystor and I like 🥔 and 🦆

These posts are mostly notes of things that I’ve encountered from doing security things and red teaming. They are here so I can refer to them one day and I hope it can be of use to other people trying to find a solution to their problems.

Hopefully you’ll find it useful!

Using SSL Certificates for Red Team Payloads

SSL certs can be used to insert extended data that can be useful for transmitting information

CVE-2023-40299 TCC Bypass with Kong Insomnia in MacOS

Introduction TCC (Transparency, Consent and Control) is a mechanism in MacOS that helps restrict access to protected folders on a system. This lets a user give informed consent whenever an application seeks to access files in a folder (e.g. Desktop). A more in-depth discussion about TCC can be found here. From an attacker’s perspective, once he manages to get a RAT (Remote Access Trojan) onto the system, he would want to find out as much information belonging to the victim as possible....

Understanding TCC

Introduction TCC (Transparency, Consent and Control) is built into MacOS as a means to protect sensitive user data from access by applications. The idea is that no application can access such user data without the user’s permission (but the user is asked only once). TCC covers a wide spectrum of data within the OS. To find out what’s under TCC, you can go to System Preferences -> Privacy and Security. Applications that appear in the list usually show up because they have requested such a permission....

July 11, 2023 2844 words 14 min

Phishing with Evilnginx2

Introduction Evilginx 2 is this super cool proxy framework that helps hardworking red teamers do phishing with ease. Gone are the days where you would have to painstakingly craft the website to look exactly like the target website manually. The diagram below is where Evilginx sits. It transparently proxies the connection between the user and the legitimate site, so that both user and site would think that they are talking to each other....

July 10, 2023 1397 words 7 min

Using RASP to look for evil in Java programs

Introduction Welcome to Part 2 of my previous post on loading a Java class in Tomcat. A possible way to stop this kind of attack would be to dynamically instrument the JVM to ensure that unknown classes are either prevented from loading or flagged to the SOC team. This mechanism is also known as Runtime Application Self-Protection, or RASP. What is RASP? RASP hooks into an application and actively monitors the program flow during runtime....

Dynamically loading Java implant from a remote source to Tomcat

Introduction I had a situation where I could do JNDI injection into a Tomcat server leading to RCE. While off-the-shelf solutions such as this Github repo could work and invoke system commands, I wanted to take advantage of this unique vulnerability and push harder to create a unique implant that could live in Tomcat’s memory for opsec and stealth purposes, and make the blue team work a little harder....

Reversing an enterprise Golang application

Introduction Recently I needed to reverse engineer an application as I needed to figure out its login mechanisms. The diagram below is a high level diagram of its layout and it shall henceforth be collectively referred to as The Application. The primary question I wanted to answer was: Could I clone a logged in user’s session stored by The Service? Spoiler: Yes. With the spoiler out of the way, the following section will provide some background on The Application and its constituent parts....

How to create a MacOS virtual machine for VMWare

Create a MacOS virtual machine for VMWare; only works on Intel Macs

May 20, 2023 342 words 2 min