.. | ||
mac-os-architecture | ||
macos-apps-inspecting-debugging-and-fuzzing | ||
macos-files-folders-and-binaries | ||
macos-proces-abuse | ||
macos-security-protections | ||
macos-applefs.md | ||
macos-basic-objective-c.md | ||
macos-bypassing-firewalls.md | ||
macos-defensive-apps.md | ||
macos-dyld-hijacking-and-dyld_insert_libraries.md | ||
macos-file-extension-apps.md | ||
macos-gcd-grand-central-dispatch.md | ||
macos-privilege-escalation.md | ||
macos-protocols.md | ||
macos-users.md | ||
README.md |
macOS Security & Privilege Escalation
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!
Hacking Insights
Engage with content that delves into the thrill and challenges of hacking
Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights
Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates
Join us on Discord and start collaborating with top hackers today!
Basic MacOS
If you are not familiar with macOS, you should start learning the basics of macOS:
- Special macOS files & permissions:
{% content-ref url="macos-files-folders-and-binaries/" %} macos-files-folders-and-binaries {% endcontent-ref %}
- Common macOS users
{% content-ref url="macos-users.md" %} macos-users.md {% endcontent-ref %}
- AppleFS
{% content-ref url="macos-applefs.md" %} macos-applefs.md {% endcontent-ref %}
- The architecture of the kernel
{% content-ref url="mac-os-architecture/" %} mac-os-architecture {% endcontent-ref %}
- Common macOS network services & protocols
{% content-ref url="macos-protocols.md" %} macos-protocols.md {% endcontent-ref %}
- Opensource macOS: https://opensource.apple.com/
- To download a
tar.gz
change a URL such as https://opensource.apple.com/source/dyld/ to https://opensource.apple.com/tarballs/dyld/dyld-852.2.tar.gz
- To download a
MacOS MDM
In companies macOS systems are highly probably going to be managed with a MDM. Therefore, from the perspective of an attacker is interesting to know how that works:
{% content-ref url="../macos-red-teaming/macos-mdm/" %} macos-mdm {% endcontent-ref %}
MacOS - Inspecting, Debugging and Fuzzing
{% content-ref url="macos-apps-inspecting-debugging-and-fuzzing/" %} macos-apps-inspecting-debugging-and-fuzzing {% endcontent-ref %}
MacOS Security Protections
{% content-ref url="macos-security-protections/" %} macos-security-protections {% endcontent-ref %}
Attack Surface
File Permissions
If a process running as root writes a file that can be controlled by a user, the user could abuse this to escalate privileges.
This could occur in the following situations:
- File used was already created by a user (owned by the user)
- File used is writable by the user because of a group
- File used is inside a directory owned by the user (the user could create the file)
- File used is inside a directory owned by root but user has write access over it because of a group (the user could create the file)
Being able to create a file that is going to be used by root, allows a user to take advantage of its content or even create symlinks/hardlinks to point it to another place.
For this kind of vulnerabilities don't forget to check vulnerable .pkg
installers:
{% content-ref url="macos-files-folders-and-binaries/macos-installers-abuse.md" %} macos-installers-abuse.md {% endcontent-ref %}
File Extension & URL scheme app handlers
Weird apps registered by file extensions could be abused and different applications can be register to open specific protocols
{% content-ref url="macos-file-extension-apps.md" %} macos-file-extension-apps.md {% endcontent-ref %}
macOS TCC / SIP Privilege Escalation
In macOS applications and binaries can have permissions to access folders or settings that make them more privileged than others.
Therefore, an attacker that wants to successfully compromise a macOS machine will need to escalate its TCC privileges (or even bypass SIP, depending on his needs).
These privileges are usually given in the form of entitlements the application is signed with, or the application might requested some accesses and after the user approving them they can be found in the TCC databases. Another way a process can obtain these privileges is by being a child of a process with those privileges as they are usually inherited.
Follow these links to find different was to escalate privileges in TCC, to bypass TCC and how in the past SIP has been bypassed.
macOS Traditional Privilege Escalation
Of course from a red teams perspective you should be also interested in escalating to root. Check the following post for some hints:
{% content-ref url="macos-privilege-escalation.md" %} macos-privilege-escalation.md {% endcontent-ref %}
References
- OS X Incident Response: Scripting and Analysis
- https://taomm.org/vol1/analysis.html
- https://github.com/NicolasGrimonpont/Cheatsheet
- https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ
- https://www.youtube.com/watch?v=vMGiplQtjTY
Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!
Hacking Insights
Engage with content that delves into the thrill and challenges of hacking
Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights
Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates
Join us on Discord and start collaborating with top hackers today!
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.