About - 2019-03-31 00:00:00
My name is Csaba Fitzl or also known as “theevilbit”, which comes from RFC 3514. I currently work as a red teamer at a Big Oil company, but I also worked 5 years as blue teamer, and also spent 6 years building network infrastructure, and mostly having fun with BGP.
This is the new place for my blog, the old one is here: https://theevilbit.blogspot.com/
Other places where you can find me:
TL;DR You can run an arbitrary command on a VMware Fusion guest VM through a website without any priory knowledge. Basically VMware Fusion is starting up a websocket listening only on the localhost. You can fully control all the VMs (also create/delete snapshots, whatever you want) through this websocket interface, including launching apps. You need to have VMware Tools installed on the guest for launching apps, but honestly who doesn’t have it installed.
I started to explore to possibility of persisting on macOS through script files contained in an application. The basic idea is that if we find a script file, which is being executed by a given application, we can edit that script file, put our code inside, and wait for an execution. Such technique is highly dependent on the applications the user has installed, so I looked through first how rare / frequent is having such scripts inside applications.