0x22bb/hacktricks
1
2
Fork 0
mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00
Code Releases Activity

GITBOOK-4075: change request with no subject merged in GitBook

Browse source
This commit is contained in:
CPol 2023-09-10 23:59:38 +00:00 committed by gitbook-bot
parent 51bcb61305
commit c7997fc427
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
5 changed files with 44 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
macos-hardening/macos-security-and-privilege-escalation/README.md
View file

@ -63,6 +63,8 @@ If you are not familiar with macOS, you should start learning the basics of macO
[macos-protocols.md](macos-protocols.md)
{% endcontent-ref %}
* **Opensource** macOS: [https://opensource.apple.com/](https://opensource.apple.com/)
### MacOS MDM
In companies **macOS** systems are highly probably going to be **managed with a MDM**. Therefore, from the perspective of an attacker is interesting to know **how that works**:

2
macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md
View file

@ -19,7 +19,7 @@ APFS, or Apple File System, is a modern file system developed by Apple Inc. that
Some notable features of APFS include:
1. **Space Sharing**: APFS allows multiple volumes to **share the same underlying free storage** on a single physical device. This enables more efficient space utilization as the volumes can dynamically grow and shrink without the need for manual resizing or repartitioning.
1. This means, compared with traditional partitions in file disks, t**hat in APFS different partitions (volumes) shares all the disk space**, while a regular partition usually had a fixed size.
1. This means, compared with traditional partitions in file disks, **that in APFS different partitions (volumes) shares all the disk space**, while a regular partition usually had a fixed size.
2. **Snapshots**: APFS supports **creating snapshots**, which are **read-only**, point-in-time instances of the file system. Snapshots enable efficient backups and easy system rollbacks, as they consume minimal additional storage and can be quickly created or reverted.
3. **Clones**: APFS can **create file or directory clones that share the same storage** as the original until either the clone or the original file is modified. This feature provides an efficient way to create copies of files or directories without duplicating the storage space.
4. **Encryption**: APFS **natively supports full-disk encryption** as well as per-file and per-directory encryption, enhancing data security across different use cases.

14
macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md
View file

@ -82,6 +82,20 @@ Basically, a bundle is a **directory structure** within the file system. Interes
[macos-bundles.md](macos-bundles.md)
{% endcontent-ref %}
## Dyld Shared Cache
On macOS (and iOS) all system shared libraries, like frameworks and dylibs, are **combined into a single file**, called the **dyld shared cache**. This improved performance, since code can be loaded faster.
Similar to the dyld shared cache, the kernel and the kernel extensions are also compiled into a kernel cache, which is loaded at boot time.
In order to extract the libraries from the single file dylib shared cache it was possible to use the binary [dyld\_shared\_cache\_util](https://www.mbsplugins.de/files/dyld\_shared\_cache\_util-dyld-733.8.zip) which migh not be working nowadays:
{% code overflow="wrap" %}
```bash
dyld_shared_cache_util -extract ~/shared_cache/ /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e
```
{% endcode %}
## Special File Permissions
### Folder permissions

16
macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md
View file

@ -24,17 +24,11 @@ The types of resources contained within a bundle may consist of applications, li
ls -lR /Applications/Safari.app/Contents
```
* `Contents/_CodeSignature`
Contains **code-signing information** about the application (i.e., hashes, etc.).
* `Contents/MacOS`
Contains the **applications binary** (which is executed when the user double-clicks the application icon in the UI).
* `Contents/Resources`
Contains **UI elements of the application**, such as images, documents, and nib/xib files (that describe various user interfaces).
* `Contents/Info.plist`\
The applications main “**configuration file.**” Apple notes that “the system relies on the presence of this file to identify relevant information about \[the] application and any related files”.
* `Contents/_CodeSignature` -> Contains **code-signing information** about the application (i.e., hashes, etc.).
* `openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64`
* `Contents/MacOS` -> Contains the **applications binary** (which is executed when the user double-clicks the application icon in the UI).
* `Contents/Resources` -> Contains **UI elements of the application**, such as images, documents, and nib/xib files (that describe various user interfaces).
* `Contents/Info.plist` -> The applications main “**configuration file.**” Apple notes that “the system relies on the presence of this file to identify relevant information about \[the] application and any related files”.
* **Plist** **files** contains configuration information. You can find find information about the meaning of they plist keys in [https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html)
* Pairs that may be of interest when analyzing an application include:\\

34
macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md
View file

@ -26,7 +26,7 @@ The protection rules for these directories and their subdirectories are specifie
For instance, the following configuration:
```javascript
javascriptCopy code/usr
/usr
* /usr/libexec/cups
* /usr/local
* /usr/share/man
@ -41,7 +41,7 @@ ls -lOd /usr/libexec/cups
drwxr-xr-x 11 root wheel sunlnk 352 May 13 00:29 /usr/libexec/cups
```
In this case, the **`sunlnk`** flag signifies that the `/usr/libexec/cups` directory itself cannot be deleted, though files within it can be created, modified, or deleted.
In this case, the **`sunlnk`** flag signifies that the `/usr/libexec/cups` directory itself **cannot be deleted**, though files within it can be created, modified, or deleted.
On the other hand:
@ -147,31 +147,41 @@ The command **`diskutil apfs list`** lists the **details of the APFS volumes** a
| |
| +-> Volume disk3s1 7A27E734-880F-4D91-A703-FB55861D49B7
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk3s1 (System)
| | Name: Macintosh HD (Case-insensitive)
| | Mount Point: /System/Volumes/Update/mnt1
| | Capacity Consumed: 12819210240 B (12.8 GB)
<strong>| | APFS Volume Disk (Role): disk3s1 (System)
</strong>| | Name: Macintosh HD (Case-insensitive)
<strong>| | Mount Point: /System/Volumes/Update/mnt1
</strong>| | Capacity Consumed: 12819210240 B (12.8 GB)
| | Sealed: Broken
| | FileVault: Yes (Unlocked)
| | Encrypted: No
| | |
| | Snapshot: FAA23E0C-791C-43FF-B0E7-0E1C0810AC61
| | Snapshot Disk: disk3s1s1
| | Snapshot Mount Point: /
<strong>| | Snapshot Sealed: Yes
<strong>| | Snapshot Mount Point: /
</strong><strong>| | Snapshot Sealed: Yes
</strong>[...]
+-> Volume disk3s5 281959B7-07A1-4940-BDDF-6419360F3327
| ---------------------------------------------------
| APFS Volume Disk (Role): disk3s5 (Data)
| Name: Macintosh HD - Data (Case-insensitive)
<strong> | Mount Point: /System/Volumes/Data
</strong><strong> | Capacity Consumed: 412071784448 B (412.1 GB)
</strong> | Sealed: No
| FileVault: Yes (Unlocked)
</code></pre>
In the previous output it's possible to see that **macOS System volume snapshot is sealed** (cryptographically signed by the OS). SO, if SIP is bypassed and modifies it, the **OS won't boot anymore**.
In the previous output it's possible to see that **user-accessible locations** are mounted under `/System/Volumes/Data`.
It's also possible to verify that seal is enabled by running:
Moreover, **macOS System volume snapshot** is mounted in `/` and it's **sealed** (cryptographically signed by the OS). So, if SIP is bypassed and modifies it, the **OS won't boot anymore**.
```
It's also possible to **verify that seal is enabled** by running:
```bash
csrutil authenticated-root status
Authenticated Root status: enabled
```
Moreover, it's mounted as **read-only**:
Moreover, the snapshot disk is also mounted as **read-only**:
```
mount