GITBOOK-4408: No subject

HackTricks-wiki · Sep 21, 2024 · dede0e4 · dede0e4
1 parent 430c630
commit dede0e4
Show file tree

Hide file tree

Showing 5 changed files with 364 additions and 19 deletions.
diff --git a/SUMMARY.md b/SUMMARY.md
@@ -196,9 +196,10 @@
         * [macOS Apple Scripts](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.md)
       * [macOS TCC Payloads](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.md)
     * [macOS Dangerous Entitlements & TCC perms](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md)
+    * [macOS MACF](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf.md)
     * [macOS FS Tricks](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md)
       * [macOS xattr-acls extra stuff](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.md)
-  * [macOS Users](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
+  * [macOS Users & External Accounts](macos-hardening/macos-security-and-privilege-escalation/macos-users.md)
 * [macOS Red Teaming](macos-hardening/macos-red-teaming/README.md)
   * [macOS MDM](macos-hardening/macos-red-teaming/macos-mdm/README.md)
     * [Enrolling Devices in Other Organisations](macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md)

diff --git a/macos-hardening/macos-auto-start-locations.md b/macos-hardening/macos-auto-start-locations.md
@@ -1,8 +1,8 @@
 # macOS Auto Start
 
 {% hint style="success" %}
-Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
-Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 
 <details>
 
@@ -119,7 +119,7 @@ One of the first things `launchd` would do is to **start** all the **daemons** l
   * crond (`com.apple.systemstats.daily.plist`): Has `StartCalendarInterval` to start at 00:15
 * **Network daemons** like:
   * `org.cups.cups-lpd`: Listens in TCP (`SockType: stream`) with `SockServiceName: printer`
-    * &#x20;SockServiceName must be either a port or a service from `/etc/services`
+    * SockServiceName must be either a port or a service from `/etc/services`
   * `com.apple.xscertd.plist`: Listens on TCP in port 1640
 * **Path daemons** that are executed when a specified path changes:
   * `com.apple.postfix.master`: Checking the path `/etc/postfix/aliases`
@@ -1406,6 +1406,19 @@ And therefore any attempt to use **`sudo` will work**.
 Note that this directory is protected by TCC so it's highly probably that the user will get a prompt asking for access.
 {% endhint %}
 
+Another nice example is su, were you can see that it's also possible to give parameters to the PAM modules (and you coukd also backdoor this file):
+
+```bash
+cat /etc/pam.d/su
+# su: auth account session
+auth       sufficient     pam_rootok.so
+auth       required       pam_opendirectory.so
+account    required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
+account    required       pam_opendirectory.so no_check_shell
+password   required       pam_opendirectory.so
+session    required       pam_launchd.so
+```
+
 ### Authorization Plugins
 
 Writeup: [https://theevilbit.github.io/beyond/beyond\_0028/](https://theevilbit.github.io/beyond/beyond\_0028/)\
@@ -1830,8 +1843,8 @@ RunService ()
 * [https://github.com/D00MFist/PersistentJXA](https://github.com/D00MFist/PersistentJXA)
 
 {% hint style="success" %}
-Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
-Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 
 <details>
 

diff --git a/...vilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md b/...vilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md
@@ -1,8 +1,8 @@
 # macOS Sensitive Locations & Interesting Daemons
 
 {% hint style="success" %}
-Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
-Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 
 <details>
 
@@ -38,6 +38,12 @@ sudo bash -c 'for i in $(find /var/db/dslocal/nodes/Default/users -type f -regex
 ```
 {% endcode %}
 
+Another way to obtain the `ShadowHashData` of a user is by using `dscl`: ``sudo dscl . -read /Users/`whoami` ShadowHashData``
+
+### /etc/master.passwd
+
+This file is **only used** when the system id running in **single-user mode** (so not very frequently).
+
 ### Keychain Dump
 
 Note that when using the security binary to **dump the passwords decrypted**, several prompts will ask the user to allow this operation.
@@ -187,12 +193,50 @@ for i in $(sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.s
 
 ## Preferences
 
-In macOS apps preferences are located in **`$HOME/Library/Preferences`** and in iOS they are in `/var/mobile/Containers/Data/Application/<UUID>/Library/Preferences`.&#x20;
+In macOS apps preferences are located in **`$HOME/Library/Preferences`** and in iOS they are in `/var/mobile/Containers/Data/Application/<UUID>/Library/Preferences`.
 
 In macOS the cli tool **`defaults`** can be used to **modify the Preferences file**.
 
 **`/usr/sbin/cfprefsd`** claims the XPC services `com.apple.cfprefsd.daemon` and `com.apple.cfprefsd.agent` and can be called to perform actions such as modify preferences.
 
+## OpenDirectory permissions.plist
+
+The file `/System/Library/OpenDirectory/permissions.plist` contains permissions applied on node attributes and is protected by SIP.\
+This file grants permissions to specific users by UUID (and not uid) so they are able to access specific sensitive information like `ShadowHashData`, `HeimdalSRPKey` and `KerberosKeys` among others:
+
+```xml
+[...]
+<key>dsRecTypeStandard:Computers</key>
+<dict>
+	<key>dsAttrTypeNative:ShadowHashData</key>
+	<array>
+		<dict>
+			<!-- allow wheel even though it's implicit -->
+			<key>uuid</key>
+			<string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000</string>
+			<key>permissions</key>
+			<array>
+				<string>readattr</string>
+				<string>writeattr</string>
+			</array>
+		</dict>
+	</array>
+	<key>dsAttrTypeNative:KerberosKeys</key>
+	<array>
+		<dict>
+			<!-- allow wheel even though it's implicit -->
+			<key>uuid</key>
+			<string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000</string>
+			<key>permissions</key>
+			<array>
+				<string>readattr</string>
+				<string>writeattr</string>
+			</array>
+		</dict>
+	</array>
+[...]
+```
+
 ## System Notifications
 
 ### Darwin Notifications
@@ -251,8 +295,8 @@ These are notifications that the user should see in the screen:
 * **`NSUserNotificationCenter`**: This is the iOS bulletin board in MacOS. The database with the notifications in located in `/var/folders/<user temp>/0/com.apple.notificationcenter/db2/db`
 
 {% hint style="success" %}
-Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
-Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/arte.png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 
 <details>