I’m about to show you how you can recover admin on any Mac by deleting one file. Are you frightened yet? You probably should be. I was, when I first learned of this trick. It works on almost any version of OS X and macOS, including the High Sierra beta.
Reasons to Know This Trick
If you’ve ever found yourself forgetting the administrator’s password on a Mac, this trick is a good thing. It resets OS X or macOS to the state it was in right after installation. You’ll go through all of the normal steps you would take when setting up a new Mac. It will ask for your time zone, to enable Find My Mac, etc.
Then it will guide you through creating a new user, with administrative privileges. Once that’s complete, you’ll be able to log into macOS or OS X as that user. Even better, you’ll be able to recover admin on that Mac.
How to Recover Admin On a Mac by Deleting One File
The first thing you need to do for this is boot into single-user mode. This means rebooting the Mac, and pressing Command-S at the startup chime. Keep the keys pressed until you see a black screen with white text. This is single-user mode.
Next, you need to remount the root file system read-write so that you can change it. Type in this command:
/sbin/mount -uw /
Once that’s done, you can delete the file that tells your operating system the initial setup process is complete. Type this command:
rm /var/db/.AppleSetupDone
Now, when you reboot your Mac, it will run the Setup Assistant all over again. Rebooting is easy. Type this:
reboot
Your Mac will restart and boot normally, running the Setup Assistant before it reaches the login screen. You’ll be able to set up a new user account with admin privileges.
Now That I’ve Got You Freaked Out …
It’s time to tell you how to prevent someone from doing this to you. The key here is to turn on FileVault. Go to System Preferences -> Security & Privacy -> FileVault. Once that’s done, estimates are it would take 34 years of brute force attacks to crack the encryption.
Once you’re in the correct System Preferences pane, click the lock icon to make changes. Then click Turn On FileVault, and you’ll be asked to provide a way to unlock your disk and reset your password. You can use your iCloud account, or create a recovery key.
Physical Security Matters, Too
If there ever was a reason to turn on FileVault, this is it. If you ever lose your Mac or it’s stolen, it’s all too easy for the thief to delete that file and get your Mac back into the Setup Assistant.
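To check a Mac against the reset described above, this shell script (an added example, not from the original article) parses the output of `fdesetup status` and `dscl . -read /Groups/admin GroupMembership` and reports whether FileVault is off and whether the admin group holds accounts you did not expect. The function names and the allowlist of expected admins are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Function names are hypothetical.
# Parsers take command output as text so they also run off a Mac.

# filevault_on "<fdesetup status output>": succeeds only if FileVault is on.
filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# unexpected_admins "<dscl GroupMembership output>" "<allowlist>":
# prints every admin-group member that is not in the space-separated allowlist.
unexpected_admins() {
    for member in ${1#GroupMembership:}; do
        case " $2 " in
            *" $member "*) ;;                 # expected admin
            *) printf '%s\n' "$member" ;;     # account you did not create
        esac
    done
}

# audit_mac: prints findings; exit status is the number of findings.
audit_mac() {
    findings=0
    if ! filevault_on "$1"; then
        echo "FINDING: FileVault is off"
        findings=$((findings + 1))
    fi
    extra=$(unexpected_admins "$2" "$3")
    if [ -n "$extra" ]; then
        echo "FINDING: unexpected admin accounts:" $extra
        findings=$((findings + 1))
    fi
    return "$findings"
}

if command -v fdesetup >/dev/null 2>&1; then
    # Assumption: root and the current user are the only expected admins.
    audit_mac "$(fdesetup status)" \
        "$(dscl . -read /Groups/admin GroupMembership)" "root $(id -un)" || :
else
    # Constructed sample output, for trying the logic on another system.
    audit_mac "FileVault is Off." "GroupMembership: root alice newadmin" \
        "root alice" || :
fi
```

Replace the allowlist with the admin accounts you actually created; any other name in the output is an account worth investigating.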
Does this retain the current user accounts?
I agree that this sounds scary, but if you have physical possession of the machine, unless it’s fully encrypted, all bets are off. You can mount a drive via target disk mode and copy the entire drive if it’s not encrypted and (as Anna pointed out) there is no firmware password set.
I guess the real issue is that someone (a roommate etc) could do this, and you would continue using the machine without knowing.
Or far simpler – set a firmware password:
https://support.apple.com/en-gb/HT204455
Only when in physical possession. When you boot into single-user mode, there are no network drivers loaded.
Can this exploit be done over the Internet?
Or only when in physical possession of the Mac?