[HELP] Get administrator privileges on Mac w/o access to sudo

Discussion in 'Computer Software and Operating Systems' started by Drew That Gamer, Sep 14, 2016.

  1. Drew That Gamer
    OP

    Drew That Gamer weeb

    Member
    589
    141
    Dec 29, 2015
    United States
    Arlington, VA
    Hey guys,

    I am a student looking to get the most out of his school issued mac, and was wondering how to get admin permissions without access to the "sudo" command since I cannot access the sudoers file to add myself to the list.

    I am on a MacBook Air running 10.11.5 (El Capitan)

    EDIT: sorry if this is the wrong place to put this thread, I couldn't find a better place to put it. If an admin wants to move this thread somewhere else, please feel free to.
     
  2. Relys

    Relys Master of Computer Science

    Member
    863
    788
    Jan 5, 2007
    United States
    This one should work: https://www.rapid7.com/db/modules/exploit/osx/local/rsh_libmalloc

    Don't do anything that would get you in trouble...
     
  3. Drew That Gamer
    OP

    Drew That Gamer weeb

    Member
    589
    141
    Dec 29, 2015
    United States
    Arlington, VA
  4. Relys

    Relys Master of Computer Science

    Member
    863
    788
    Jan 5, 2007
    United States
    I misread the system version as (10.10.5). It doesn't look like there's a public PoC out for 10.11.5.

    If you can't figure out how to use an exploit, you probably shouldn't have root access...
     
  5. Drew That Gamer
    OP

    Drew That Gamer weeb

    Member
    589
    141
    Dec 29, 2015
    United States
    Arlington, VA
    Well, it just was a description. No download/instructions.
     
  6. Relys

    Relys Master of Computer Science

    Member
    863
    788
    Jan 5, 2007
    United States
    It's part of the Metasploit framework. Also, it is for an older version so it won't work.

    The Pegasus 0days used on iOS recently https://blog.lookout.com/blog/2016/08/25/trident-pegasus/ (that were patched on iOS 9.3.5) also apply to OSX as they are both based off of the XNU kernel. It does look like someone is currently developing an exploit for the latest version 10.11.6 using these vulnerabilities: https://twitter.com/in7egral/status/776038618641104896
     
    Last edited by Relys, Sep 14, 2016
  7. Joom

    Joom  ❤❤❤

    Member
    4,215
    2,887
    Jan 8, 2016
    United States
    You could create an El Capitan USB installer using an El Capitan VM and Unibeast on a separate PC then just reinstall the OS. You'd just need to back up whatever app bundles your school installed on the target then drag and drop them back to Applications.
     
  8. Dr_Doom

    Dr_Doom Advanced Member

    Newcomer
    95
    28
    Mar 10, 2016
    Becoming an admin is very easy.

    Step 1 -- First you need to see if you can boot into Single User mode

    This is very easy to do: simply shut down the Mac, and when you press the power button hold ⌘-S. After a few moments a command line will start to boot; then release the keys.

    After the command line has booted, there are two commands you need to run. The first command is:

    /sbin/mount -uw /


    This will mount the Macintosh HD so you can run the next command.

    The second command you need to run is this:

    rm /var/db/.AppleSetupDone
    When you first buy a Mac, the Apple Setup Assistant runs; this lets you pick your language and do all your other crap. But it is also where you make your account. Deleting this file lets you run it again and therefore create a new admin account.



    There is one problem with this, though: some schools or people put firmware passwords on the Mac, so when you try to boot into single user mode it asks for a password. There is a way around this, but it's not needed yet.


    You may also want to enable root, which is a hidden user, and then delete the admin account. The root login is "root" and then whatever password you set with this command:
    "dsenableroot"

    System prefs hack
     
    Last edited by Dr_Doom, Sep 15, 2016
    QuarkTheAwesome and Joom like this.
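
For administrators of managed Macs, the state the post above relies on (a missing `/var/db/.AppleSetupDone` marker, an extra account in the `admin` group, no firmware password) can be audited. The script below is an added example, not part of the original thread; the allowlist names (`root`, `itadmin`) are constructed assumptions, and the root-directory argument exists so the checks can run against a mounted image or a test directory.

```shell
#!/bin/sh
# Added example: defender-side audit of a managed Mac.

# Returns 0 if the Setup Assistant marker exists under the given root directory.
setup_marker_present() {
    [ -f "${1%/}/var/db/.AppleSetupDone" ]
}

# Prints admin-group members that are not on the allowlist, one per line.
# $1: a line as printed by `dscl . -read /Groups/admin GroupMembership`
# $2: space-separated allowlist of expected admin short names (assumption)
unexpected_admins() {
    members=${1#GroupMembership:}
    for user in $members; do
        case " $2 " in
            *" $user "*) ;;                   # expected admin, ignore
            *) printf '%s\n' "$user" ;;       # not on the allowlist
        esac
    done
}

# Runs both checks and prints one FINDING line per problem (nothing if clean).
# $1: root directory, $2: GroupMembership line, $3: allowlist
audit() {
    if ! setup_marker_present "$1"; then
        echo "FINDING: .AppleSetupDone missing; Setup Assistant will run at next boot"
    fi
    extra=$(unexpected_admins "$2" "$3")
    if [ -n "$extra" ]; then
        echo "FINDING: unexpected admin accounts: $(echo $extra)"
    fi
    return 0
}

# Live run on the Mac being audited (as root): sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit / "$(dscl . -read /Groups/admin GroupMembership)" "root itadmin"
    # Reports whether a firmware password is set (blocks single-user boot).
    firmwarepasswd -check
fi
```

Run it from a management agent or login hook and alert on any `FINDING` line; an empty result means both checks passed.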
  9. Drew That Gamer
    OP

    Drew That Gamer weeb

    Member
    589
    141
    Dec 29, 2015
    United States
    Arlington, VA
    Yeah, my school blocked it with a firmware password. Thanks for your help though!
     
  10. Relys

    Relys Master of Computer Science

    Member
    863
    788
    Jan 5, 2007
    United States
    Last edited by Relys, Oct 2, 2016
    Joom likes this.
  11. Red9419

    Red9419 GBAtemp Advanced Fan

    Member
    529
    710
    Apr 17, 2014
    I'm no mac expert, but can't you boot the laptop with a different amount of ram to bypass the firmware password?
     
  12. Originality

    Originality Chibi-neko

    Member
    5,350
    782
    Apr 21, 2008
    London, UK
    Most current macs have RAM hard soldered into the logic board so that's not an option. Also, I don't think that would work with any device in the first place.
     
  13. Red9419

    Red9419 GBAtemp Advanced Fan

    Member
    529
    710
    Apr 17, 2014
    It does, but it was an older trick that worked on macs that don't have the ram soldered on.
     
  14. Originality

    Originality Chibi-neko

    Member
    5,350
    782
    Apr 21, 2008
    London, UK
    I'll have to take your word on it then - I've only been learning about macs recently (over the last few months). :P
     
    Red9419 likes this.
  15. Joom

    Joom  ❤❤❤

    Member
    4,215
    2,887
    Jan 8, 2016
    United States
  16. Relys

    Relys Master of Computer Science

    Member
    863
    788
    Jan 5, 2007
    United States
    Cleaner PoC and detailed writeup explaining the vulnerability on the project's GitHub page: https://github.com/jndok/PegasusX
     
    Joom likes this.
  17. B_E_P_I_S_M_A_N

    B_E_P_I_S_M_A_N I have graced this thread with my presence.

    Member
    816
    3,040
    Jun 7, 2016
    United States
    Hell
    I got this: http://www.howtogeek.com/209672/any...-can-bypass-your-password-unless-you-do-this/ You may not want to do this, though, especially considering the Mac is school-issued.

    Also, just a thought, maybe you could create a bootable Linux drive and access your Mac hard drive through that? You could probably use the terminal on the USB Drive to reset the password, or simply punch superuser commands through Linux.