GITBOOK-4075: change request with no subject merged in GitBook
carlospolop authored and gitbook-bot committed Sep 10, 2023
1 parent 51bcb61 commit c7997fc
Showing 5 changed files with 44 additions and 24 deletions.
Expand Up @@ -63,6 +63,8 @@ If you are not familiar with macOS, you should start learning the basics of macO
[macos-protocols.md](macos-protocols.md)
{% endcontent-ref %}

* **Opensource** macOS: [https://opensource.apple.com/](https://opensource.apple.com/)

### MacOS MDM

In companies **macOS** systems are highly probably going to be **managed with a MDM**. Therefore, from the perspective of an attacker is interesting to know **how that works**:
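Review bot: the new `* **Opensource** macOS: https://opensource.apple.com/` bullet is dropped directly after the `{% endcontent-ref %}` block with nothing introducing it, so it renders as a stray one-item list between the protocols reference and the `### MacOS MDM` heading; either give it a short lead sentence or fold it into the reference material above. Also "Opensource" is better written "Open source".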
Expand Up @@ -19,7 +19,7 @@ APFS, or Apple File System, is a modern file system developed by Apple Inc. that
Some notable features of APFS include:

1. **Space Sharing**: APFS allows multiple volumes to **share the same underlying free storage** on a single physical device. This enables more efficient space utilization as the volumes can dynamically grow and shrink without the need for manual resizing or repartitioning.
1. This means, compared with traditional partitions in file disks, t**hat in APFS different partitions (volumes) shares all the disk space**, while a regular partition usually had a fixed size.
1. This means, compared with traditional partitions in file disks, **that in APFS different partitions (volumes) shares all the disk space**, while a regular partition usually had a fixed size.
2. **Snapshots**: APFS supports **creating snapshots**, which are **read-only**, point-in-time instances of the file system. Snapshots enable efficient backups and easy system rollbacks, as they consume minimal additional storage and can be quickly created or reverted.
3. **Clones**: APFS can **create file or directory clones that share the same storage** as the original until either the clone or the original file is modified. This feature provides an efficient way to create copies of files or directories without duplicating the storage space.
4. **Encryption**: APFS **natively supports full-disk encryption** as well as per-file and per-directory encryption, enhancing data security across different use cases.
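Review bot: the bold-marker fix (`t**hat` -> `**that`) is correct, but since the line is being touched the grammar should go with it: "different partitions (volumes) shares all the disk space" should read "share", and "a regular partition usually had a fixed size" should be "has". The sub-point is also numbered `1.` directly under item 1, which renders as a restarted list rather than a nested note; indenting it as a sub-bullet of the Space Sharing item is clearer.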
Expand Up @@ -82,6 +82,20 @@ Basically, a bundle is a **directory structure** within the file system. Interes
[macos-bundles.md](macos-bundles.md)
{% endcontent-ref %}

## Dyld Shared Cache

On macOS (and iOS) all system shared libraries, like frameworks and dylibs, are **combined into a single file**, called the **dyld shared cache**. This improved performance, since code can be loaded faster.

Similar to the dyld shared cache, the kernel and the kernel extensions are also compiled into a kernel cache, which is loaded at boot time.

In order to extract the libraries from the single file dylib shared cache it was possible to use the binary [dyld\_shared\_cache\_util](https://www.mbsplugins.de/files/dyld\_shared\_cache\_util-dyld-733.8.zip) which migh not be working nowadays:

{% code overflow="wrap" %}
```bash
dyld_shared_cache_util -extract ~/shared_cache/ /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e
```
{% endcode %}

## Special File Permissions

### Folder permissions
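Review bot: the introducing sentence has a typo ("migh" -> "might") and calls it the "dylib shared cache" where the heading says "dyld shared cache"; "This improved performance" also reads better as "improves". More importantly, the `dyld_shared_cache_util` link is a prebuilt binary hosted on a third-party site (mbsplugins.de) that the text itself says may no longer work; since this same commit adds the opensource.apple.com link, pointing readers at the tool's source in Apple's open-source dyld project is a safer reference than a third-party download. The `{% code overflow="wrap" %}` wrapper around the long command is fine.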
Expand Up @@ -24,17 +24,11 @@ The types of resources contained within a bundle may consist of applications, li
ls -lR /Applications/Safari.app/Contents
```

* `Contents/_CodeSignature`

Contains **code-signing information** about the application (i.e., hashes, etc.).
* `Contents/MacOS`

Contains the **application’s binary** (which is executed when the user double-clicks the application icon in the UI).
* `Contents/Resources`

Contains **UI elements of the application**, such as images, documents, and nib/xib files (that describe various user interfaces).
* `Contents/Info.plist`\
The application’s main “**configuration file.**” Apple notes that “the system relies on the presence of this file to identify relevant information about \[the] application and any related files”.
* `Contents/_CodeSignature` -> Contains **code-signing information** about the application (i.e., hashes, etc.).
* `openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64`
* `Contents/MacOS` -> Contains the **application’s binary** (which is executed when the user double-clicks the application icon in the UI).
* `Contents/Resources` -> Contains **UI elements of the application**, such as images, documents, and nib/xib files (that describe various user interfaces).
* `Contents/Info.plist` -> The application’s main “**configuration file.**” Apple notes that “the system relies on the presence of this file to identify relevant information about \[the] application and any related files”.
* **Plist** **files** contains configuration information. You can find find information about the meaning of they plist keys in [https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html)
* Pairs that may be of interest when analyzing an application include:\\

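Review bot: the new sub-bullet `openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64` is added under `Contents/_CodeSignature` with no sentence saying what it is for; a reader cannot tell that it reproduces the kind of per-resource hash recorded in the signature, so add a short lead-in naming the file inside `_CodeSignature` (CodeResources) whose entries it is meant to be compared against. In the unchanged lines just below the restructured list: "find find" is duplicated, "they plist keys" should be "the plist keys", "**Plist** **files** contains" should be "contain", and the trailing `\\` on "Pairs that may be of interest..." is a stray escape.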
Expand Up @@ -26,7 +26,7 @@ The protection rules for these directories and their subdirectories are specifie
For instance, the following configuration:

```javascript
javascriptCopy code/usr
/usr
* /usr/libexec/cups
* /usr/local
* /usr/share/man
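Review bot: removing the `javascriptCopy code` copy-button debris from the first line is the right fix, but the fence is still tagged `javascript` for what is a plain path listing (the SIP protection configuration), so the block gets bogus highlighting; an untagged or plain-text fence fits the content.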
Expand All @@ -41,7 +41,7 @@ ls -lOd /usr/libexec/cups
drwxr-xr-x 11 root wheel sunlnk 352 May 13 00:29 /usr/libexec/cups
```

In this case, the **`sunlnk`** flag signifies that the `/usr/libexec/cups` directory itself cannot be deleted, though files within it can be created, modified, or deleted.
In this case, the **`sunlnk`** flag signifies that the `/usr/libexec/cups` directory itself **cannot be deleted**, though files within it can be created, modified, or deleted.

On the other hand:

Expand Down Expand Up @@ -147,31 +147,41 @@ The command **`diskutil apfs list`** lists the **details of the APFS volumes** a
| |
| +-> Volume disk3s1 7A27E734-880F-4D91-A703-FB55861D49B7
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk3s1 (System)
| | Name: Macintosh HD (Case-insensitive)
| | Mount Point: /System/Volumes/Update/mnt1
| | Capacity Consumed: 12819210240 B (12.8 GB)
<strong>| | APFS Volume Disk (Role): disk3s1 (System)
</strong>| | Name: Macintosh HD (Case-insensitive)
<strong>| | Mount Point: /System/Volumes/Update/mnt1
</strong>| | Capacity Consumed: 12819210240 B (12.8 GB)
| | Sealed: Broken
| | FileVault: Yes (Unlocked)
| | Encrypted: No
| | |
| | Snapshot: FAA23E0C-791C-43FF-B0E7-0E1C0810AC61
| | Snapshot Disk: disk3s1s1
| | Snapshot Mount Point: /
<strong>| | Snapshot Sealed: Yes
<strong>| | Snapshot Mount Point: /
</strong><strong>| | Snapshot Sealed: Yes
</strong>[...]
+-> Volume disk3s5 281959B7-07A1-4940-BDDF-6419360F3327
| ---------------------------------------------------
| APFS Volume Disk (Role): disk3s5 (Data)
| Name: Macintosh HD - Data (Case-insensitive)
<strong> | Mount Point: /System/Volumes/Data
</strong><strong> | Capacity Consumed: 412071784448 B (412.1 GB)
</strong> | Sealed: No
| FileVault: Yes (Unlocked)
</code></pre>

In the previous output it's possible to see that **macOS System volume snapshot is sealed** (cryptographically signed by the OS). SO, if SIP is bypassed and modifies it, the **OS won't boot anymore**.
In the previous output it's possible to see that **user-accessible locations** are mounted under `/System/Volumes/Data`.

It's also possible to verify that seal is enabled by running:
Moreover, **macOS System volume snapshot** is mounted in `/` and it's **sealed** (cryptographically signed by the OS). So, if SIP is bypassed and modifies it, the **OS won't boot anymore**.

```
It's also possible to **verify that seal is enabled** by running:

```bash
csrutil authenticated-root status
Authenticated Root status: enabled
```

Moreover, it's mounted as **read-only**:
Moreover, the snapshot disk is also mounted as **read-only**:

```
mount
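Review bot: the new prose says the "macOS System volume snapshot is mounted in `/` and it's sealed", but the listing right above shows `Sealed: Broken` for the `disk3s1` System volume itself and `Snapshot Sealed: Yes` only for its snapshot `disk3s1s1`; add a sentence making explicit that it is the snapshot mounted at `/` that is sealed and booted from, otherwise `Sealed: Broken` reads as a contradiction. "if SIP is bypassed and modifies it" should read "if SIP is bypassed and the volume is modified". The `csrutil` block gained a `bash` fence tag but the `mount` block below still uses a bare fence; make the two consistent. Minor: the `<strong>` tags open on one line and close at the start of the next (`</strong>[...]`, `</strong><strong>`), so each bold span swallows a line break; closing each tag at the end of its own line is more robust in GitBook.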