
Physical Access

As mentioned at the beginning of this section, elevated privileges are required for the majority of credential access methods. There is one method to access credential files if you have physical access to the host, plus the ability to boot it from an external drive that is also running macOS, even if all you have is a standard user account.

It is assumed that you have administrative access to the macOS installation on the external drive. With FileVault enabled, you will also need valid user credentials on the physical host; these are needed to unlock the disk so that you can copy the files off of the host.

For simplicity, this is how the setup will look:

  • External Disk is the disk that will boot the physical macOS host.

  • System Disk is the internal disk of the physical macOS host, which is running FileVault.

  • Once the System Disk is unlocked by any user, it will be mounted under /Volumes. Look for something like /Volumes/Macintosh\ HD/, which should be the System Disk.

Modifying /etc/sudoers

One straightforward way to escalate privileges for the standard user is to modify the /etc/sudoers file, which controls user permissions for executing commands as root via sudo.

Steps to Escalate Privileges via /etc/sudoers:

  1. Mount the System Disk:

    • Once you boot from the external disk, it should prompt you to unlock the System Disk. If it does not, mount the internal System Disk manually.

    • For example, to mount it at /Volumes/SystemDisk (replace diskXsY with the device identifier of the System Disk):

    sudo mount -t hfs /dev/diskXsY /Volumes/SystemDisk
  2. Edit the /etc/sudoers File:

    • You can modify the /etc/sudoers file on the System Disk to grant the standard user (e.g., user1) passwordless sudo access.

    • Normally you would open the sudoers file with the visudo command for safety, but here you will have to edit the file directly, since visudo may not be available on the external system:

    sudo vi /Volumes/SystemDisk/etc/sudoers

    (Make sure to use sudo on the external system, as you need root access to edit the sudoers file on the internal system.)

  3. Add the User to the Sudoers File:

    • Add a line to give the standard user (user1) unrestricted sudo access without requiring the user to enter their password:

    user1 ALL=(ALL) NOPASSWD: ALL

    • This grants user1 the ability to run any command with sudo without needing to provide a password.

    • Alternatively, add a line like this to give the standard user (user1) unrestricted sudo access that still requires the user to enter their password:

    user1 ALL=(ALL) ALL
  4. Save the changes and exit the editor.

  5. Reboot from the system disk and verify access:

    • When the system reboots, the standard user will have sudo access, allowing them to escalate privileges whenever they need to.

  6. Once you have booted from the System Disk, verify the sudo access, then use that access to add the user to the admin group:

    sudo -l -U <username>
    sudo dscl . -append /Groups/admin GroupMembership <username>

    Note: Remember there is a difference between root access and admin access. Obtaining both is ideal!
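As an added example that is not part of the original page: a small POSIX shell audit that flags the sudoers grants this procedure produces, so a defender can spot them on a disk image or a live host. It runs against a constructed sample file rather than the real /etc/sudoers and assumes only sed and tr.

```shell
#!/bin/sh
# Added example, not code from the original page: audit a sudoers file for
# the kind of grants the procedure above inserts. Every grant line that is
# not one of the stock macOS entries (root, %admin) is reported with a
# severity: HIGH for NOPASSWD, MEDIUM for "any command", LOW otherwise.
# Assumptions: POSIX sh with sed and tr; a constructed sample file stands in
# for /etc/sudoers so the script runs offline.

# is_expected LINE: 0 for blank lines, comments, Defaults and the stock
# root / %admin grants; 1 for anything that deserves a look.
is_expected() {
  case "$1" in
    ''|\#*|Defaults*|root\ *|%admin\ *) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_sudoers FILE: prints "SEVERITY<TAB>line" for each unexpected grant.
audit_sudoers() {
  while IFS= read -r raw || [ -n "$raw" ]; do
    # trim and collapse whitespace so tabs and padding do not hide a match
    line=$(printf '%s' "$raw" | tr -s '\t ' ' ' | sed 's/^ //;s/ $//')
    is_expected "$line" && continue
    case "$line" in
      *NOPASSWD:*) sev=HIGH ;;    # sudo without a password, as in step 3
      *' ALL')     sev=MEDIUM ;;  # any command, password still required
      *)           sev=LOW ;;     # restricted command list, still review it
    esac
    printf '%s\t%s\n' "$sev" "$line"
  done < "$1"
}

# write_sample FILE: constructed sudoers modelled on the stock macOS file
# plus the two grants shown in step 3 and one restricted grant.
write_sample() {
  cat > "$1" <<'EOF'
# sudoers file (constructed sample).
Defaults env_reset
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
user1 ALL=(ALL) NOPASSWD: ALL
user2 ALL=(ALL) ALL
backup ALL=(root) /usr/bin/rsync
EOF
}

SAMPLE=$(mktemp)
write_sample "$SAMPLE"
audit_sudoers "$SAMPLE"   # prints three findings: HIGH, MEDIUM, LOW
rm -f "$SAMPLE"
```

To check a System Disk mounted as in step 1, point audit_sudoers at /Volumes/SystemDisk/etc/sudoers instead of the sample.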