Hello all! In this tutorial, I'd like to show you one way of getting root on OS X. Check out this GitHub page for a recently discovered privilege escalation exploit. I've tested it and it works on both OS X 10.9 Mavericks and OS X 10.10 Yosemite, but it appears to have been patched in OS X 10.11 El Capitan.

If you check out the file main.m, you can see where most of the magic is happening. This source code can very easily be changed to make it do more than just the system("/bin/sh") that the current code executes. Given that this is a local privilege escalation exploit, we might want to use it after already penetrating an OS X system on which we have only the privileges of the current user.

In this tutorial, I will assume that you already have a shell or Meterpreter open on an OS X system connected to a Kali system, and that you also have direct access to OS X in order to compile the code. If you haven't already, check out this tutorial I wrote on implementing Meterpreter on OS X.

Using the Tpwn Privilege Escalation

Step 1: Edit the Exploit

Download the files on this GitHub page onto your Mac and open up the main.m file. Scroll down until you see the line int main(int argc, char** argv, char** envp). For those of you who are not familiar with C, the function called "main" is the function that will be run upon execution.

Essentially, this is just saying "If the function getuid() returns a uid of 0, execute /bin/sh and exit with a status of 0, meaning everything went as expected." That's just a way of stopping the rest of the program, because it would be pointless to run if the user is already root.

Now, if you scroll to the very bottom of the page, you will see a similar conditional statement: This is checking the uid again after messing with the kernel and attempting to set the UID to 0 (as seen on the line just before this block of code). This is the piece we really want to edit, because this is what will be run if we gain root privilege.

Let's say our Kali system's IP address is 10.211.55.3 and we want to send back a reverse shell with this on port 6660. All we have to do is change the system command to the following:

Tip: If you are using TextEdit, be careful with the quotation marks. Make sure the quotation marks are straight, otherwise the compiler will complain that there are non-ASCII characters in the file. It is best to just leave the ones that are there, because you may end up entering "curly" quotation marks, which will make the file uncompilable.

Now save and close main.m and open a new terminal. In the terminal, set your current directory to that of the folder containing the source. For example, if it is in my Downloads folder, I might type into the terminal:

Now that we are in the directory, we need to give ourselves the right to execute the Makefile, which will (as the name so clearly implies) make the file for us. It should produce a new executable file in the same directory called "tpwn".

EDIT: A module has been added to Metasploit that does all this for you, so if you want to use this exploit without having to compile it yourself on a Mac, search for the exploit called osx/local/tpwn in Metasploit.

Take this file and transfer it to your Kali system. Since it is a local exploit, it acts like a post-exploit module and requires an active session.