When landing a shell in MacOS environments, you’ll frequently want access to the files under your victim’s home folder. Some of these locations are TCC protected. Specifically
~/Desktop/ all require their own approvals which correspond to the
kTCCServiceSystemPolicyDesktopFolder service categories respectively. Depending on how you landed your initial access, you may not have the necessary TCC approvals. If your target has iTerm2 installed and they use it for day-to-day work, you may have a simple way around these TCC restrictions.
iTerm2 AutoLaunch Scripts
iTerm2 has support for autolaunching an AppleScript file at startup, if it’s placed at a predetermined path, as documented here. This technique was also discussed for persistence purposes by noncetonic in this post. Internally, this is done programmatically using NSUserAppleScriptTask.
This allows us to have iTerm2 send AppleEvents to itself (or other applications) to do things on our behalf. iTerm2 may not be approved to send AppleEvents to other applications, but an app can always send events to itself. So, anything iTerm2 is approved via TCC to do, we are also approved to do.
We can craft an
AutoLaunch.scpt that asks iTerm2 to exfiltrate the contents of protected directories like
~/Desktop when the user launches iTerm2 to a directory that we have full read access to.
Simple Proof of Concept
Write the following contents to
-- ~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt
tell application "iTerm"
do shell script "cp -R ~/Documents/ /tmp/"
An important note is that
AutoLaunch.scpt is only executed when iTerm2 first starts up. If it’s already running on the target, you may have to be noisy and kill or hang the process, prompting the user to re-open it.