Escalate Privileges on Mac OS X

This is a rewrite of the article from Hackszine on 2/13/2009.

Introduction

Mac OS X has very few core differences in operation from a standard Unix operating system. In many cases, a trick that works on Linux or FreeBSD will work, with little modification, on Mac OS X. We'll apply this to escalation of privileges. We do this the same way a root password is recovered on Linux or BSD systems.

How To

1. First, reboot the machine into single-user mode. Do this by holding the Command-S key combination until the machine has booted.
2. Once booted, mount the file systems read-write. Most default-installed Mac OS X systems only have one partition:

   :/ root# mount /

3. Now. we need to launch directory services.

   :/ root# launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist

4. Add the user to the admin group. To add the group membership to a user, use the following command:

   :/ root# dscl . append groups/admin users <username>

5. Using one of the two following commands, verify the user has been added to the admin group:
   1. groups <username> -or-
   2. dscl . read groups/admin users (there is a space on either side of the period)

Lock it Down

In Mac OS X 10.4 and later, simply setting an Open Firmware, or EFI firmware password will prevent booting into single-user mode without the firmware password. You can view Apple's Knowledge Base articles here:

• Setting up firmware password protection in Mac OS X