🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
πŸ€– HackTricks / iOS How to Connect to Corellium

iOS How to Connect to Corellium

{{#include ../../banners/hacktricks-training.md}}

Prereqs

  • A Corellium iOS VM (jailbroken or not). In this guide we assume you have access to Corellium.
  • Local tools: ssh/scp.
  • (Optional) SSH keys added to your Corellium project for passwordless logins.

Connect to the iPhone VM from localhost

A) Quick Connect (no VPN)

0) Add you ssh key in /admin/projects (recommended).
1) Open the device page β†’ Connect
2) Copy the Quick Connect SSH command shown by Corellium and paste it in your terminal.
3) Enter the password or use your key (recommended).

B) VPN β†’ direct SSH

0) Add you ssh key in /admin/projects (recommended).
1) Device page β†’ CONNECT β†’ VPN β†’ download .ovpn and connect with any VPN client that supports TAP mode. (Check https://support.corellium.com/features/connect/vpn if you have issues.)
2) SSH to the VM’s 10.11.x.x address:

ssh root@10.11.1.1

Upload a native binary & execute it

2.1 Upload

  • If Quick Connect gave you a host/port:

    scp -J <domain> ./mytool root@10.11.1.1:/var/root/mytool

  • If using VPN (10.11.x.x):

    scp ./mytool -J <domain> root@10.11.1.1:/var/root/mytool

Upload & install an iOS app (.ipa)

Path A β€” Web UI (fastest)

1) Device page β†’ Apps tab β†’ Install App β†’ pick your .ipa.
2) From the same tab you can launch/kill/uninstall.

Path B β€” Scripted via Corellium Agent

1) Use the API Agent to upload then install:

// Node.js (pseudo) using Corellium Agent
await agent.upload("./app.ipa", "/var/tmp/app.ipa");
await agent.install("/var/tmp/app.ipa", (progress, status) => {
  console.log(progress, status);
});

Path C β€” Non-jailbroken (proper signing / Sideloadly)

  • If you don’t have a provisioning profile, use Sideloadly to re-sign with your Apple ID, or sign in Xcode.

  • You can also expose the VM to Xcode using USBFlux (see Β§5).

  • For quick logs/commands without SSH, use the device Console in the UI.

Extras

  • Port-forwarding (make the VM feel local for other tools):

    # Forward local 2222 -> device 22
ssh -N -L 2222:127.0.0.1:22 root@10.11.1.1
# Now you can: scp -P 2222 file root@10.11.1.1:/var/root/

  • LLDB remote debugging: use the LLDB/GDB stub address shown at the bottom of the device page (CONNECT β†’ LLDB).

  • USBFlux (macOS/Linux): present the VM to Xcode/Sideloadly like a cabled device.

Common pitfalls

  • Proper signing is required on non-jailbroken devices; unsigned IPAs won’t launch.
  • Quick Connect vs VPN: Quick Connect is simplest; use VPN when you need the device on your local network (e.g., local proxies/tools).
  • No App Store on Corellium devices; bring your own (re)signed IPAs.

{{#include ../../banners/hacktricks-training.md}}