Accessing Admin Privileges: A Quest Through One of Mac's Backdoors

by NerveGas Jr.

0x1 - Using Security Against Itself

Modern Apple computers boot up straight to the volume "Macintosh HD OS X, [version number]".

By accessing this volume through single-user mode, one can reset passwords on an admin account without the initial admin password and without needing to get knee-deep into coding.  This feature is usually used to troubleshoot problems in an easier way, but one could also access administrator privileges without a password.  Below is a way one can go about it.

0x2 - Resetting an Admin Password

First, reboot the computer.

After the screen lights up, hold down "CMD + R" as the screen shows the loading up of the system.  It is crucial to start pressing "CMD + R" before the Apple icon shows up with the loading bar.  If you don't do it in time, the computer will most likely boot into the default mode.

After this, the system recovery partition shows.

The dialogue box should be asking you to select a country and/or language.  Double-click on the desired option.  Then, another dialogue box will appear with different utilities one can use in the different cases of crap that need attention.  Let us ignore this.  Instead, click on "Utilities" in the menu bar.

Three things will appear: "Firmware Password Utility", "Network Utility", and "Terminal".  Double-click on "Terminal".

In this specific mode, the Bash commands are different from those when the computer is booted up into the multiple-user mode.  Keeping that in mind, type in the following:

$ resetpassword

That, my fellow people, is the only amount of coding you must do to reset a password.

You will not even be prompted for the initial password of the admin!  After this, a new dialogue box will show up.  Select the volume for which you are changing passwords.  Usually there will only be one, which is "Macintosh HD OS X, [version number]".  I am doing this on Macintosh HD OS X, 10.10.5.

This is where you get to change passwords.

Click on the admin account that you want a new password for.  It will prompt you for the new password, and then again to verify it.  The great thing is that if you forget this new password, then you can go through the process again, resetting the password once more.  After this is done, you can enter a password hint, but if you do this, then the true administrator will more easily discover that the password was reset.  If there was a hint before you reset the password, then it would be wise to set the new hint to that one.

A dialogue box will show up after you press reset.  Press okay on this after reading it.

Now go back to Terminal and type in this command:

$ reboot

After rebooting, you should be able to access the admin account!

0x3 - Accessing Admin Privileges Through Root

Rather than changing the password for the admin account, you can instead set a password with the System Administrator (root) account.

This will automatically enable it to show up in the login screen.  Eureka!

One can enable and deactivate the root account by going back to the dialogue box where the user's password was changed, and then activating or deactivating it there.  Sadly, this takes a long time, and some suspicion can be aroused if the true admin is shoulder surfing at the time.

Also, one could enable it through Terminal in the already hacked admin account.  This is easier and more efficient.  In order to do this, go into Terminal and type in the following command:

$ dsenableroot

After this, you will be prompted for the admin password.

Type in the password carefully.  Then you will be prompted for the root password.  If you have not set up the root account yet, then type in the password you want it to have.  Nothing will be echoed as you type, neither placeholder characters nor the actual letters/numbers.  This is great for security purposes, but if you make a mistake, then you have to type in the command again and enter the passwords again.  The only problem with this is that the root account can only be enabled from an admin user, not from any other user.

0x4 - Disguising the Root User as a "Non-Administrator"

If you want to take the most precautions possible in resetting the passwords, you can choose to disguise the root account as a "non-administrator" account.

You can start this by changing the name and profile picture of it.  After doing that, you can deactivate the password on the root account, unless the legitimate Administrator is fine with you putting a password on your account.  Doing these things enables you to have control over the restrictions of your account, furthermore concealing the fact that you did anything.

0x5 - Using a Firmware Password

Apple created the ability to have a firmware, or BIOS, password so as to "[prevent] your Mac from starting up from any device other than your startup disk."

You can set this up easily through Recovery Mode.  First, boot up the computer into Recovery Mode.  After this, click on the "Utilities" section.  Rather than going into Terminal, double-click on the "Firmware Password Utility".  From this you can set up a firmware password that will make it even harder to get into the BIOS settings.

The firmware password has not been successfully cracked into without taking apart the computer (as of October, at least).
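Added here as an audit script for the defensive side of this article (it is not code from the original piece): it checks the two conditions the text shows an intruder relying on, a missing firmware password and a root account left enabled, by parsing the output of `firmwarepasswd -check` and `dscl . -read /Users/root Passwd`.  The reading of the dscl output ("Passwd: *" meaning disabled, a masked value meaning enabled) is an assumption and is labelled as such in the code; the parsers take the tool output as an argument, so the constructed samples run on any POSIX shell without a Mac.

```shell
#!/bin/sh
# Added audit helper (not from the article): flags the two exposures the
# article describes -- no firmware password, and a root account that was
# left enabled -- by parsing the output of the stock OS X tools. The
# parsers take the tool output as an argument, so they can be exercised on
# constructed sample strings on any POSIX shell, without a Mac.

# Returns 0 when `firmwarepasswd -check` reports a password is set.
# Expected output on OS X 10.10+: "Password Enabled: Yes" or "... No".
firmware_password_set() {
    printf '%s\n' "$1" | grep -q '^Password Enabled: Yes'
}

# Returns 0 when the root account looks enabled. Heuristic (assumption):
# `dscl . -read /Users/root Passwd` prints "Passwd: *" while root is
# disabled, and a masked "Passwd: ********" once dsenableroot has set one.
root_account_enabled() {
    printf '%s\n' "$1" | grep -q '^Passwd: \*\*'
}

# Prints one verdict per check; the exit status is the number of findings.
audit_mac() {
    fw_out=$1
    root_out=$2
    findings=0
    if firmware_password_set "$fw_out"; then
        echo "OK:      firmware password set; Recovery Mode boot is gated"
    else
        echo "FINDING: no firmware password; the resetpassword route is open"
        findings=$((findings + 1))
    fi
    if root_account_enabled "$root_out"; then
        echo "FINDING: root account enabled; disable it with dsenableroot -d"
        findings=$((findings + 1))
    else
        echo "OK:      root account disabled"
    fi
    return "$findings"
}

# Live run: only on OS X, and firmwarepasswd needs root, so require both.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    audit_mac "$(firmwarepasswd -check 2>/dev/null)" \
              "$(dscl . -read /Users/root Passwd 2>/dev/null)"
fi
```

Run it as root on the Mac itself to get the live verdicts; on any other system the functions can still be exercised on captured output.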

There must be a backdoor through this, and with the new Mac update, OS X El Capitan, I am positive that many of you who read this will take up the challenge to crack into the firmware password without having to take the system apart.

0x6 - Conclusion

This hack is surprisingly not known as well as one would be led to think.

The best thing to do with this knowledge is to tell other people about the backdoor and attempt to get them to use the firmware passwords.

It would be nice to figure out how to reset the password without needing to either break it apart or take it to an Apple store in case someone forgets the firmware password.
