
Information Gathering

Before attempting privilege escalation, you should gather as much information as possible about the system environment. This includes user information, kernel version, installed applications, and security features and settings.

User & Group Information

Obtain a list of all users on the system, which can help identify misconfigured or unnecessary accounts. User accounts that start with an underscore ("_") are daemon accounts.

whoami                         # Current user
id                             # Display user ID and groups
dscl . list /Users             # Display all users
dscl . -read /Users/user1/     # Details of a specific user account

Expected output of dscl . -list /Users:

# output is truncated...	
_windowserver
_www
_wwwproxy
_xserverdocs
daemon
nobody
root
admin
user1
user2

System Information

Gather basic information about the system architecture and kernel version.

sw_vers
uname -a

Expected output:

ProductName:    macOS
ProductVersion: 15.2
BuildVersion: 19C57
Darwin Kernel Version 19.2.0: Thu Nov 7 19:51:56 PST 2019; root:xnu-6153.81.4~1/RELEASE_X86_64

Additionally, the system_profiler command will provide verbose information about the host.

system_profiler SPHardwareDataType

# Example output:

Model Name: MacBook Air
Model Identifier: MacBookAir10,1
Model Number: Z124000FKLL/A
Chip: Apple M1
Total Number of Cores: 8 (4 performance and 4 efficiency)
Memory: 16 GB
System Firmware Version: 11881.1.1
OS Loader Version: 10151.140.19.700.2
Serial Number (system): C02DQ257Q6LR
Hardware UUID: EF84D2BC-8861-50D3-AC54-DF3C18E652B0
Provisioning UDID: 00008103-001544DA01A2001E
Activation Lock Status: Enabled

To get all data types similar to the SPHardwareDataType in the example above, run system_profiler -listDataTypes.

Kernel Version

uname -r

Example output:

23.6.0

System Configuration

Note: System Integrity Protection (SIP) is enabled by default!

Check SIP (System Integrity Protection) status:

csrutil status

Example output:

System Integrity Protection status: enabled.

SIP being disabled allows for easier privilege escalation. However, if you are able to disable SIP, you probably already have the access that you seek!
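
The account listing and the SIP check above can be turned into a repeatable review step. The script below is an added example, not part of the original page: it sorts `dscl . list /Users` output into daemon accounts (underscore prefix), expected built-ins, and accounts left for manual review, and tests `csrutil status` output for the enabled state. The function names, the BUILTIN list and the sample input are assumptions constructed from the listing shown on this page.

```shell
#!/bin/sh
# Added example: classify `dscl . list /Users` output for an account review.
# On a Mac, feed the real command in:  dscl . list /Users | accounts_to_review

# Assumption: these non-underscore system accounts (taken from the sample
# listing on this page) are expected; adjust the list to your own baseline.
BUILTIN="daemon nobody root"

# Reads one account name per line on stdin, prints "<class> <name>".
classify_users() {
    while IFS= read -r name; do
        case "$name" in
            ''|'#'*) continue ;;            # skip blanks and "# output is truncated..."
            _*) echo "daemon $name" ;;      # underscore prefix marks a daemon account
            *)
                class=review
                for b in $BUILTIN; do
                    if [ "$name" = "$b" ]; then class=builtin; fi
                done
                echo "$class $name"
                ;;
        esac
    done
}

# Prints only the accounts that need a manual look (possible stale or
# unnecessary accounts).
accounts_to_review() {
    classify_users | awk '$1 == "review" { print $2 }'
}

# Exit status 0 when `csrutil status` output on stdin reports SIP enabled.
sip_enabled() {
    grep -q 'System Integrity Protection status: enabled'
}

# Constructed sample input, based on the truncated listing shown above.
SAMPLE_USERS='# output is truncated...
_windowserver
_www
daemon
nobody
root
admin
user1
user2'

printf '%s\n' "$SAMPLE_USERS" | accounts_to_review
```

On a live host, `csrutil status | sip_enabled || echo "SIP not enabled"` gives the matching check for the SIP state.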