📄️ Introduction
Performing local privilege escalation on macOS requires an in-depth understanding of the OS’s security mechanisms, file system structure, and common misconfigurations. The following outline provides a comprehensive list of checks and steps for a Red Team engagement on macOS, including expected outputs where applicable.
📄️ Information Gathering
Before attempting privilege escalation, you should gather as much information as possible about the system environment. This includes user information, kernel version, installed applications, and security features and settings.
📄️ Sudo Access
Sudo permissions often lead to privilege escalation opportunities if misconfigured.
📄️ Files and Directories
Misconfigured world-writable files and directories can allow for privilege escalation.
📄️ Kernel Vulnerabilities
Privilege escalation via unpatched kernel bugs and misconfigurations in kernel extensions (kexts) is one of the most advanced and risky techniques in penetration testing and red teaming, but it is highly effective when successful. macOS, like other Unix-based operating systems, has several kernel-level security mechanisms to prevent unauthorized access and tampering, but flaws in these mechanisms can still lead to privilege escalation.
📄️ Abuse Launch Daemons
Cron jobs or launch daemons running with root privileges could be misconfigured or exploited.