[HELP] Get administrator privileges on Mac w/o access to sudo

drewby

Well-Known Member
OP
Member
Joined
Dec 29, 2015
Messages
674
Trophies
1
Age
22
Location
Virginia, USA
Website
www.instagram.com
XP
1,332
Country
United States
Hey guys,

I am a student looking to get the most out of his school issued mac, and was wondering how to get admin permissions without access to the "sudo" command since I cannot access the sudoers file to add myself to the list.

I am on a MacBook Air running 10.11.5 (El Capitan)

EDIT: sorry if this is the worng place to put this thread, I couldn't find a better place to put it. If an admin wants to move this thread somewhere else, please feel free to.
 

Relys

^(Software | Hardware) Exploit? Development.$
Member
Joined
Jan 5, 2007
Messages
878
Trophies
1
XP
1,239
Country
United States
Hey guys,

I am a student looking to get the most out of his school issued mac, and was wondering how to get admin permissions without access to the "sudo" command since I cannot access the sudoers file to add myself to the list.

I am on a MacBook Air running 10.11.5 (El Capitan)

EDIT: sorry if this is the worng place to put this thread, I couldn't find a better place to put it. If an admin wants to move this thread somewhere else, please feel free to.

This one should work: https://www.rapid7.com/db/modules/exploit/osx/local/rsh_libmalloc

Don't do anything that would get you in trouble...
 

drewby

Well-Known Member
OP
Member
Joined
Dec 29, 2015
Messages
674
Trophies
1
Age
22
Location
Virginia, USA
Website
www.instagram.com
XP
1,332
Country
United States

Relys

^(Software | Hardware) Exploit? Development.$
Member
Joined
Jan 5, 2007
Messages
878
Trophies
1
XP
1,239
Country
United States
Do you mind telling me how I would run and download this?

I misread the system version as (10.10.5). It doesn't look like there's a a public PoC out for 10.11.5.

If you can't figure out how to use an exploit, you probably shouldn't have root access...
 

drewby

Well-Known Member
OP
Member
Joined
Dec 29, 2015
Messages
674
Trophies
1
Age
22
Location
Virginia, USA
Website
www.instagram.com
XP
1,332
Country
United States
I misread the system version as (10.10.5). It doesn't look like there's a a public PoC out for 10.11.5.

If you can't figure out how to use an exploit, you probably shouldn't have root access...
Well, it just was a description. No download/instructions.
 

Relys

^(Software | Hardware) Exploit? Development.$
Member
Joined
Jan 5, 2007
Messages
878
Trophies
1
XP
1,239
Country
United States
Well, it just was a description. No download/instructions.

It's part of the Metasploit framework. Also, it is for an older version so it won't work.

The Pegasus 0days used on iOS recently https://blog.lookout.com/blog/2016/08/25/trident-pegasus/ (that were patched on iOS 9.3.5) also applies to OSX as they are both based off of the XNU kernel. It does look like someone is current developing an exploit for the latest version 10.11.6 using these vulnerabilities: https://twitter.com/in7egral/status/776038618641104896
 
Last edited by Relys,

Joom

 ❤❤❤
Member
Joined
Jan 8, 2016
Messages
6,067
Trophies
1
Location
US
Website
mogbox.net
XP
6,075
Country
United States
You could create an El Capitan USB installer using an El Capitan VM and Unibeast on a separate PC then just reinstall the OS. You'd just need to backup whatever app bundles your school installed on the target then drag and drop them back to Applications.
 

_112

Well-Known Member
Newcomer
Joined
Mar 10, 2016
Messages
96
Trophies
0
XP
169
Country
Australia
Becoming a admin is very easy.

Step 1 -- First you need to see if you can boot into Single Usermode

This is very easy todo simply shutdown the mac and when you press the power button hold ⌘-S, after a few moments a command line will start to boot and then release the keys.

After the command line has booted there is two commands you need to run the first command is.

/sbin/mount -uw /


This will mount the Macintosh HD so you can run the next command

the second command you need to run is this.

rm /var/db/.AppleSetupDone
When you first buy a mac the apple setup assistant runs this lets you pickup your language and do all your other crap. But it is also where you make your account. Deleting this file lets you run it again and therefore creating a new admin account.



There is one problem with this though some schools or people put firmware passwords on the mac so when you try to boot into single user mode it asks for a password there is a way around this but not needed yet


You may also wan't to enable root which is a hidden user and then delete the admin account the root login is "root" and then what ever password you set with this command
"dsenableroot"

If your school has blocked certain system preferences panes here is two easy way's to get access to them.

Way 1 -- Open system preferences at the top bar click view, then customize un-check the boxes you want to access. Then click done, quit system preferences and then re-open. Search the name of the pref pane you want to use in the search bar and click the name it will open tada.

Way 2 -- Right click system preferences then click show package contents. Now --> Contents --> Resources, and delete NSPrefPaneGroups.xml. open system preferences all the panes will be disappeared just search one you want in the search bar and tada it works.
 
Last edited by _112,

drewby

Well-Known Member
OP
Member
Joined
Dec 29, 2015
Messages
674
Trophies
1
Age
22
Location
Virginia, USA
Website
www.instagram.com
XP
1,332
Country
United States
Becoming a admin is very easy.

Step 1 -- First you need to see if you can boot into Single Usermode

This is very easy todo simply shutdown the mac and when you press the power button hold ⌘-S, after a few moments a command line will start to boot and then release the keys.

After the command line has booted there is two commands you need to run the first command is.

/sbin/mount -uw /


This will mount the Macintosh HD so you can run the next command

the second command you need to run is this.

rm /var/db/.AppleSetupDone
When you first buy a mac the apple setup assistant runs this lets you pickup your language and do all your other crap. But it is also where you make your account. Deleting this file lets you run it again and therefore creating a new admin account.



There is one problem with this though some schools or people put firmware passwords on the mac so when you try to boot into single user mode it asks for a password there is a way around this but not needed yet


You may also wan't to enable root which is a hidden user and then delete the admin account the root login is "root" and then what ever password you set with this command
"dsenableroot"

If your school has blocked certain system preferences panes here is two easy way's to get access to them.

Way 1 -- Open system preferences at the top bar click view, then customize un-check the boxes you want to access. Then click done, quit system preferences and then re-open. Search the name of the pref pane you want to use in the search bar and click the name it will open tada.

Way 2 -- Right click system preferences then click show package contents. Now --> Contents --> Resources, and delete NSPrefPaneGroups.xml. open system preferences all the panes will be disappeared just search one you want in the search bar and tada it works.
Yeah, my school blocked it with a firmware password. Thanks for your help though!
 

Red9419

Well-Known Member
Member
Joined
Apr 17, 2014
Messages
526
Trophies
0
XP
795
Country
I'm no mac expert, but can't you boot the laptop with a different amount of ram to bypass the firmware password?
 

Red9419

Well-Known Member
Member
Joined
Apr 17, 2014
Messages
526
Trophies
0
XP
795
Country
Most current macs have RAM hard soldered into the logic board so that's not an option. Also, I don't think that would work with any device in the first place.
It does, but it was an older trick that worked on macs that don't have the ram soldered on.
 

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
  • No one is chatting at the moment.
    LeoTCK @ LeoTCK: yes for nearly a month i was officially a wanted fugitive, until yesterday when it ended