Clone of https://github.com/rmusser01/Infosec_Reference . For those who would prefer to not be tracked by MS.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

86 KiB

macOS Privilege Escalation & Post-Exploitation


Table of Contents







Begin Unsorted Section

macOS sort https://github.com/cedowens/Spotlight-Enum-Kit https://themittenmac.com/the-esf-playground/ https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/ https://developer.apple.com/videos/play/wwdc2019/701/ https://www.slideshare.net/JustinBui5/red-teaming-macos-environments-with-hermes-the-swift-messenger https://objective-see.com/blog/blog_0x63.html https://objective-see.com/blog/blog_0x64.html https://objective-see.com/blog/blog_0x65.html https://cedowens.medium.com/spotlighting-your-tcc-access-permissions-ec6628d7a876 https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/ https://ssd-disclosure.com/ssd-advisory-macos-finder-rce/ https://cedowens.medium.com/interesting-macos-chrome-browser-files-4fd162d2561f bf7fe45e89/Library/Homebrew/cask/quarantine.rb https://medium.com/tenable-techblog/attacking-unattended-installs-on-macos-dfc1f57984e0 https://github.com/KhaosT/SimpleVM https://m1racles.com/ * Disclosure: Another macOS privacy protections bypass - Jeff Johnson(2020) https://labs.sentinelone.com/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/ https://github.com/create-dmg/create-dmg https://www.cdfinder.de/guide/blog/apple_hell.html https://github.com/0xmachos/CVE-2019-8561 https://www.youtube.com/watch?v=5nOxznrOK48 https://conference.hitb.org/hitbsecconf2021ams/materials/D1T1%20-%20MacOS%20Local%20Security%20-%20Escaping%20the%20Sandbox%20and%20Bypassing%20TCC%20-%20Thijs%20Alkemade%20&%20Daan%20Keuper.pdf https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 https://github.com/D00MFist/Mystikal https://www.kaspersky.com/blog/is-txt-file-safe/39256/ https://www.youtube.com/watch?v=Xvg3Ve8a_BM https://theevilbit.github.io/beyond/beyond_0019/ https://developer.apple.com/documentation/virtualization https://objective-see.com/blog/blog_0x5F.html https://github.com/ZecOps/public/blob/master/CVE-2021-30714/obts4_keynote.pdf https://labs.f-secure.com/blog/analysis-of-cve-2021-1810-gatekeeper-bypass/ https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/ https://github.com/wangtielei/Slides https://github.com/antman1p/JXA_Proc_Tree https://theevilbit.github.io/beyond/beyond_0020/ https://github.com/cedowens/Add-To-TCC-DB https://github.com/antman1p/PrintTCCdb https://wojciechregula.blog/post/learn-xpc-exploitation-part-1-broken-cryptography/ https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/ https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/ https://fliphtml5.com/mnts/yttd/basic https://www.synacktiv.com/publications/macos-xpc-exploitation-sandbox-share-case-study.html https://github.com/badd1e/Proof-of-Concept/tree/main/prl_not0day https://web.archive.org/web/20210430174716/https://zerodayengineering.com/blog/dont-share-your-home.html https://research.nccgroup.com/2020/05/28/exploring-macos-calendar-alerts-part-2-exfiltrating-data-cve-2020-3882/ https://wojciechregula.blog/post/when-vulnerable-library-is-actually-your-physical-book/ https://blog.chichou.me/2021/01/16/see-no-eval-runtime-code-execution-objc/ https://github.com/kendfinger/MacHack#profiles https://github.com/its-a-feature/loginItemManipulator https://github.com/its-a-feature/macOSCameraCapture https://securityboulevard.com/2021/04/making-macos-universal-apps-in-swift-with-universal-golang-static-libraries/ https://holdmybeersecurity.com/2020/01/03/poc-mail-app-the-boomerang-of-reverse-shells-on-macos/ https://labs.f-secure.com/blog/jamfing-for-joy-attacking-macos-in-enterprise https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html https://theevilbit.github.io/beyond/beyond_0001/ https://theevilbit.github.io/beyond/beyond_0002/ https://theevilbit.github.io/beyond/beyond_0003/ https://www.youtube.com/playlist?list=PLliknDIoYszujuE2j5YRJ3vLce39UlhSf https://github.com/hrbrmstr/extractor https://gist.github.com/monoxgas/c0b0f086fc7aa057a8256b42c66761c8 https://github.com/impost0r/Rotten-Apples https://github.com/create-dmg/create-dmg https://developer.apple.com/documentation/hypervisor https://github.com/cedowens/JXA-RemoveQuarantine https://github.com/cedowens/Add-To-TCC-DB https://lapcatsoftware.com/articles/sandbox-escape.html https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/ Slides https://themittenmac.com/publication_docs/OBTS_v1_Bradley.pdf https://www.slideshare.net/CodyThomas6/bashing-brittle-indicators-red-teaming-macos-without-bash-or-python https://www.slideshare.net/CodyThomas6/ready-player-2-multiplayer-red-teaming-against-macos https://www.slideshare.net/CodyThomas6/walking-the-bifrost-an-operators-guide-to-heimdal-kerberos-on-macos https://www.slideshare.net/CsabaFitzl/20-ways-to-bypass-your-mac-os-privacy-mechanisms Talks https://www.youtube.com/watch?v=5nOxznrOK48&list=PLliknDIoYszvTDaWyTh6SYiTccmwOsws8&index=5 https://themittenmac.com/publication_docs/OBTS_v2_Bradley.pdf https://github.com/opensource-apple/dyld/tree/master/unit-tests/test-cases/bundle-memory-load https://papers.put.as/ https://www.youtube.com/watch?v=UAkC-brF6iQ https://github.com/xorrior/macOSTools https://lockboxx.blogspot.com/2020/06/macos-post-summary.html https://github.com/LinusHenze/Unrootless-Kext https://theevilbit.github.io/posts/vmware_fusion_11_guest_vm_rce_cve-2019-5514/ https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c https://www.mdsec.co.uk/2019/12/macos-filename-homoglyphs-revisited/ https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html * https://twitter.com/Agarri_FR/status/1130736756431761408 * CVE-2019-5514 is a cool RCE in VMware Fusion 11, abusing an unauthenticated REST endpoint running on localhost https://objective-see.com/blog/blog_0x56.html * Offensive MacOS * This is a collection of macOS specific tooling, blogs, and other related information for offensive macOS assessments Stuff * XcodeGhost - Wikipedia * XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits - Trend Micro(2020) 3rd Party DruvaSync https://medium.com/tenable-techblog/getting-root-on-macos-via-3rd-party-backup-software-b804085f0c9 APFS https://www.irongeek.com/i.php?page=videos/bsidescharm2018/track-2-01-getting-saucy-with-apfs-the-state-of-apples-new-file-system-sarah-edwards Carbon Cred Attacks https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2 * Articles https://www.sprocketsecurity.com/blog/how-to-hijack-slack-sessions-on-macos * Tools * KeytabParser * Python script to parse macOS's Heimdal Keytab file (typically /etc/krb5.keytab) Code Injection https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/ https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/ https://knight.sc/malware/2019/03/15/code-injection-on-macos.html https://www.youtube.com/watch?v=1LSvGZCoAVc&list=PLLvAhAn5sGfiZKg9GTUzljNmuRupA8igX&index=6 * insert_dylib * Command line utility for inserting a dylib load command into a Mach-O binary Collection * Articles/Blogposts/Writeups * Tools Defense Evasion * * Exploiting XPC in AntiVirus - Csaba Fitz(NullCon2021) * In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services. * [Mojave’s security “hardening”

User protections could be bypassed - Phil Stokes(2018)] * Apple Events are blocked depending on origination, could be bypassed using SSH. Disco * Articles/Blogposts/Writeups * Always Watching: macOS Eavesdropping – Justin Bui (SO-CON 2020) * As macOS becomes more prevalent in modern enterprise environments, red teamers have had to adapt their tradecraft. Input monitoring and screenshots can provide a wealth of information for attacker on any operating system. In this talk, we’ll discuss macOS internals and dive into the various API calls necessary for keylogging, clipboard monitoring, and screenshots. The accompanying source code will be released to GitHub! * Tools DMG http://newosxbook.com/DMG.html DylibHijack https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x https://malwareunicorn.org/workshops/macos_dylib_injection.html#0 * Dylib-Hijack-Scanner * JavaScript for Automation (JXA) version of Patrick Wardle's tool that searches applications for dylib hijacking opportunities DYLD http://newosxbook.com/articles/DYLD.html Entitlements https://secret.club/2020/08/14/macos-entitlements.html Evasion * Articles/Blogposts/Writeups * Tools Execution https://github.com/CylanceVulnResearch/osx_runbin https://github.com/cedowens/JXA-Runner * 101 * Articles/Blogposts/Writeups https://antman1p-30185.medium.com/macos-native-api-calls-in-electron-d297d9a960af * Talks/Presentations/Videos * Tools * Bring-Your-Own-* https://blog.xpnsec.com/bring-your-own-vm-mac-edition/ Gatekeeper https://bouj33boy.com/gatekeeper-symlink-automount-bypass/ Hooking * subhook * SubHook is a super-simple hooking library for C and C++ that works on Windows, Linux and macOS. It supports x86 only (32-bit and 64-bit). * Function Hooking for Mac OSX and Linux - * Slides Injection https://en.wikipedia.org/wiki/Rpath https://github.com/djhohnstein/macos_shell_memory * InjectCheck * The tool enumerates the Hardened Runtime, Entitlements, and presence of Electron files to determine possible injection opportunities JAMF * An Attacker's Perpsective on JAMF Configurations - Luke Roberts, Calum Hall(ObjectiveByTheSeav3) * Jamfing for Joy: Attacking macOS in Enterprise - Calum Hall, Luke Roberts(2020) JXA https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5 * PersistentJXA * Collection of macOS persistence methods and miscellaneous tools in JXA https://news.ycombinator.com/item?id=21803874 https://forum.keyboardmaestro.com/t/jxa-javascript-for-automation-from-the-start/4522 https://stackoverflow.com/questions/47940322/cant-find-jxa-documentation https://medium.com/@SteveBarbera/automating-chrome-with-jxa-javascript-application-scripting-6f9bc433216a https://pragli.com/blog/manage-macos-windows-with-jxa/ https://computers.tutsplus.com/tutorials/a-beginners-guide-to-javascript-application-scripting-jxa--cms-27171 https://wiki.nikitavoloboev.xyz/macos/jxa https://github.com/JXA-Cookbook/JXA-Cookbook LoLbins https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ Mach-O * So You Want To Be A Mach-O Man? - symbolcrash(2019) * Mach-O Universal / Fat Binaries - symbolcrash(2019) Malware https://objective-see.com/blog/blog_0x4E.html https://objective-see.com/blog/blog_0x4D.html https://www.irongeek.com/i.php?page=videos/derbycon6/104-macs-get-sick-too-tyler-halfpop-jacob-soo https://www.sentinelone.com/blog/2020/01/29/scripting-macs-with-malice-how-shlayer-and-other-malware-installers-infect-macos/ https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/ https://objective-see.com/blog/blog_0x5C.html Objective-C Payloads https://posts.specterops.io/sparkling-payloads-a2bd017095c https://posts.specterops.io/sparkling-payloads-a2bd017095c Persistence https://topic.alibabacloud.com/a/how-to-implement-persistent-access-on-macos-through-emond_3_75_32777033.html https://posts.specterops.io/are-you-docking-kidding-me-9aa79c24bdc1 https://posts.specterops.io/saving-your-access-d562bf5bf90b https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 https://theevilbit.github.io/posts/macos_persistence_spotlight_importers/ https://theevilbit.github.io/posts/macos_persisting_through-application_script_files/ https://github.com/cedowens/Persistent-Swift https://github.com/CyborgSecurity/PoisonApple * Persistent JXA - Leo Pitt(2020) * Operationalising Calendar Alerts: Persistence on macOS - Luke Roberts(2020) * Throughout the following blog post we provide insights into calendar alerts, a method of persisting on macOS. Building on the work of Andy Grant over at NCC (https://research.nccgroup.com/2020/05/05/exploring-macos-calendar-alerts-part-1-attempting-to-execute-code/), this post takes deeper look into weaponising the feature for use in offensive operations. This includes reversing Automator.app to find an undocumented API that enables the technique. * Hey, I'm Still In Here: An Overview of macOS Persistence Techniques – Leo Pitt (SO-CON 2020) * There is more to macOS persistence than Launch Agents. This talk goes over some lesser utilized macOS persistence methods. We will walk through how these methods work, how automation can be leveraged to quickly execute these from an offensive perspective, and how defenders can leverage indicators of these methods to assist in detection efforts. * Finder plugins https://github.com/D00MFist/InSync * Tools * CalendarPersist * JXA script to allow programmatic persistence via macOS Calendar.app alerts. plist Pkgs Unpacking Pkgs: A Look Inside Macos Installer Packages And Common Security Flaws - Andy Grant PkgInfo PopUps https://github.com/its-a-feature/macos-popups PostEx https://www.irongeek.com/i.php?page=videos/nolacon2018/nolacon-2018-107-your-mac-defenestrated-post-osxploitation-elevated-fuzzynop-noncetonic * macos_execute_from_memory Privileged Helper Tools https://www.offensivecon.org/speakers/2019/tyler-bohan.html https://github.com/blankwall/Offensive-Con https://theevilbit.github.io/posts/secure_coding_privilegedhelpertools_part1/ https://theevilbit.github.io/posts/secure_coding_privilegedhelpertools_part2/ PrivEsc https://xlab.tencent.com/en/2021/01/11/cve-2020-9971-abusing-xpc-service-to-elevate-privilege/ https://www.rapid7.com/db/vulnerabilities/apple-osx-systempreferences-cve-2020-9839 https://packetstormsecurity.com/files/159084/macOS-cfprefsd-Arbitrary-File-Write-Local-Privilege-Escalation.html https://book.hacktricks.xyz/linux-unix/privilege-escalation https://bradleyjkemp.dev/post/launchdaemon-hijacking/ https://research.nccgroup.com/2021/06/04/ios-user-enrollment-and-trusted-certificates/ https://github.com/djhohnstein/macos_shell_memory https://blogs.blackberry.com/en/2017/02/running-executables-on-macos-from-memory https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 https://www.offensive-security.com/offsec/macos-preferences-priv-escalation/ https://themittenmac.com/publication_docs/OBTS_v2_Bradley.pdf * Unauthd - Logic bugs FTW - A2nkF(2020) * [Privilege Escalation

macOS Malware & The Path to Root Part 2 - Phil Stokes(2019)](https://www.sentinelone.com/blog/privilege-escalation-macos-malware-the-path-to-root-part-2/) https://www.criticalstart.com/local-privilege-escalation-vulnerability-discovered-in-vmware-fusion/ Shellcode * 101 * Creating OSX shellcodes - theevilbit(2015) * Shellcode: Mac OSX amd64 - odzhan(2017) * Techniques * Talks/Presentations/Videos * Tools * Samples * OSX/x64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes) * OSX/x64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes) TCC https://blog.fleetsmith.com/tcc-a-quick-primer/ https://lapcatsoftware.com/articles/disclosure3.html https://eclecticlight.co/2018/10/10/watching-mojaves-privacy-protection-at-work/ https://eclecticlight.co/2020/11/25/macos-has-checked-app-signatures-online-for-over-2-years/ https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy https://www.macobserver.com/link/about-macos-transparency-consent-and-control-system/ https://www.theregister.com/2020/07/01/apple_macos_privacy_bypass/ https://lockboxx.blogspot.com/2019/04/macos-red-teaming-205-tcc-transparency.html https://blog.xpnsec.com/bypassing-macos-privacy-controls/ https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 https://eclecticlight.co/2019/07/22/mojaves-privacy-consent-works-behind-your-back/ https://lapcatsoftware.com/articles/disclosure2.html https://mjtsai.com/blog/tag/transparency-consent-and-control-tcc/ https://fpf.org/2020/07/06/ios-privacy-advances/ https://github.com/slyd0g/SwiftParseTCC https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-on-macos-10-14 https://eclecticlight.co/2018/10/10/watching-mojaves-privacy-protection-at-work/ https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 URL Schemes * Custom_URL_Scheme Workflows https://support.apple.com/guide/automator/use-quick-action-workflows-aut73234890a/mac XPC https://www.youtube.com/watch?v=KPzhTqwf0bA&list=PLYvhPWR_XYJmwgLkZbjoEOnf2I1zkylz8&index=7

End Unsorted Section







macOS Post-Exploitation General Notes

  • F



AppleScript, Objective-C & Swift

  • F



Post-Exploitation OS X



macOS Technologies



macOS Code Injection

  • 101
  • General Information
  • Articles/Blogposts/Writeups
  • Techniques