mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 22:20:43 +00:00
170 lines
8.6 KiB
Markdown
170 lines
8.6 KiB
Markdown
# macOS Security & Privilege Escalation
|
|
|
|
<details>
|
|
|
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
|
|
|
Other ways to support HackTricks:
|
|
|
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
|
|
<figure><img src="../../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
|
|
|
|
**Hacking Insights**\
|
|
Engage with content that delves into the thrill and challenges of hacking
|
|
|
|
**Real-Time Hack News**\
|
|
Keep up-to-date with fast-paced hacking world through real-time news and insights
|
|
|
|
**Latest Announcements**\
|
|
Stay informed with the newest bug bounties launching and crucial platform updates
|
|
|
|
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
|
|
|
|
## Basic MacOS
|
|
|
|
If you are not familiar with macOS, you should start learning the basics of macOS:
|
|
|
|
* Special macOS **files & permissions:**
|
|
|
|
{% content-ref url="macos-files-folders-and-binaries/" %}
|
|
[macos-files-folders-and-binaries](macos-files-folders-and-binaries/)
|
|
{% endcontent-ref %}
|
|
|
|
* Common macOS **users**
|
|
|
|
{% content-ref url="macos-users.md" %}
|
|
[macos-users.md](macos-users.md)
|
|
{% endcontent-ref %}
|
|
|
|
* **AppleFS**
|
|
|
|
{% content-ref url="macos-applefs.md" %}
|
|
[macos-applefs.md](macos-applefs.md)
|
|
{% endcontent-ref %}
|
|
|
|
* The **architecture** of the k**ernel**
|
|
|
|
{% content-ref url="mac-os-architecture/" %}
|
|
[mac-os-architecture](mac-os-architecture/)
|
|
{% endcontent-ref %}
|
|
|
|
* Common macOS n**etwork services & protocols**
|
|
|
|
{% content-ref url="macos-protocols.md" %}
|
|
[macos-protocols.md](macos-protocols.md)
|
|
{% endcontent-ref %}
|
|
|
|
* **Opensource** macOS: [https://opensource.apple.com/](https://opensource.apple.com/)
|
|
* To download a `tar.gz` change a URL such as [https://opensource.apple.com/**source**/dyld/](https://opensource.apple.com/source/dyld/) to [https://opensource.apple.com/**tarballs**/dyld/**dyld-852.2.tar.gz**](https://opensource.apple.com/tarballs/dyld/dyld-852.2.tar.gz)
|
|
|
|
### MacOS MDM
|
|
|
|
In companies **macOS** systems are highly probably going to be **managed with a MDM**. Therefore, from the perspective of an attacker is interesting to know **how that works**:
|
|
|
|
{% content-ref url="../macos-red-teaming/macos-mdm/" %}
|
|
[macos-mdm](../macos-red-teaming/macos-mdm/)
|
|
{% endcontent-ref %}
|
|
|
|
### MacOS - Inspecting, Debugging and Fuzzing
|
|
|
|
{% content-ref url="macos-apps-inspecting-debugging-and-fuzzing/" %}
|
|
[macos-apps-inspecting-debugging-and-fuzzing](macos-apps-inspecting-debugging-and-fuzzing/)
|
|
{% endcontent-ref %}
|
|
|
|
## MacOS Security Protections
|
|
|
|
{% content-ref url="macos-security-protections/" %}
|
|
[macos-security-protections](macos-security-protections/)
|
|
{% endcontent-ref %}
|
|
|
|
## Attack Surface
|
|
|
|
### File Permissions
|
|
|
|
If a **process running as root writes** a file that can be controlled by a user, the user could abuse this to **escalate privileges**.\
|
|
This could occur in the following situations:
|
|
|
|
* File used was already created by a user (owned by the user)
|
|
* File used is writable by the user because of a group
|
|
* File used is inside a directory owned by the user (the user could create the file)
|
|
* File used is inside a directory owned by root but user has write access over it because of a group (the user could create the file)
|
|
|
|
Being able to **create a file** that is going to be **used by root**, allows a user to **take advantage of its content** or even create **symlinks/hardlinks** to point it to another place.
|
|
|
|
For this kind of vulnerabilities don't forget to **check vulnerable `.pkg` installers**:
|
|
|
|
{% content-ref url="macos-files-folders-and-binaries/macos-installers-abuse.md" %}
|
|
[macos-installers-abuse.md](macos-files-folders-and-binaries/macos-installers-abuse.md)
|
|
{% endcontent-ref %}
|
|
|
|
### File Extension & URL scheme app handlers
|
|
|
|
Weird apps registered by file extensions could be abused and different applications can be register to open specific protocols
|
|
|
|
{% content-ref url="macos-file-extension-apps.md" %}
|
|
[macos-file-extension-apps.md](macos-file-extension-apps.md)
|
|
{% endcontent-ref %}
|
|
|
|
## macOS TCC / SIP Privilege Escalation
|
|
|
|
In macOS **applications and binaries can have permissions** to access folders or settings that make them more privileged than others.
|
|
|
|
Therefore, an attacker that wants to successfully compromise a macOS machine will need to **escalate its TCC privileges** (or even **bypass SIP**, depending on his needs).
|
|
|
|
These privileges are usually given in the form of **entitlements** the application is signed with, or the application might requested some accesses and after the **user approving them** they can be found in the **TCC databases**. Another way a process can obtain these privileges is by being a **child of a process** with those **privileges** as they are usually **inherited**.
|
|
|
|
Follow these links to find different was to [**escalate privileges in TCC**](macos-security-protections/macos-tcc/#tcc-privesc-and-bypasses), to [**bypass TCC**](macos-security-protections/macos-tcc/macos-tcc-bypasses/) and how in the past [**SIP has been bypassed**](macos-security-protections/macos-sip.md#sip-bypasses).
|
|
|
|
## macOS Traditional Privilege Escalation
|
|
|
|
Of course from a red teams perspective you should be also interested in escalating to root. Check the following post for some hints:
|
|
|
|
{% content-ref url="macos-privilege-escalation.md" %}
|
|
[macos-privilege-escalation.md](macos-privilege-escalation.md)
|
|
{% endcontent-ref %}
|
|
|
|
## References
|
|
|
|
* [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS)
|
|
* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
|
|
* [**https://github.com/NicolasGrimonpont/Cheatsheet**](https://github.com/NicolasGrimonpont/Cheatsheet)
|
|
* [**https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ**](https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ)
|
|
* [**https://www.youtube.com/watch?v=vMGiplQtjTY**](https://www.youtube.com/watch?v=vMGiplQtjTY)
|
|
|
|
<figure><img src="../../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
|
|
|
|
**Hacking Insights**\
|
|
Engage with content that delves into the thrill and challenges of hacking
|
|
|
|
**Real-Time Hack News**\
|
|
Keep up-to-date with fast-paced hacking world through real-time news and insights
|
|
|
|
**Latest Announcements**\
|
|
Stay informed with the newest bug bounties launching and crucial platform updates
|
|
|
|
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
|
|
|
|
<details>
|
|
|
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
|
|
|
Other ways to support HackTricks:
|
|
|
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|