or would this work?
----------------
Exploit
Step 1) Restart the computer (or turn it on if it's already off) while holding down the command and s keys at the same time. (If the computer is running Mac OS Public Beta, just press the s key.) They have root privileges at this moment, but now it's time to take advantage of these privileges.
Step 1.5) Type "/sbin/fsck -y". (Type this without the quotes, of course.) (This step really isn't necessary at all, but it just takes a second, and they might as well just do a quick check of the hard disk before mounting it.)
Step 2) Type "/sbin/mount -wu /" (This mounts the volume "/" with read/write access.)
Step 3) Type "/sbin/SystemStarter" (This starts the network services, which is necessary to gain access to NetInfo.)
Step 4) Here, one could now just type "passwd root" and override the existing root password with one of their own, or worse yet, someone could just get the current root password (and/or the administrative user account password) so the administrators of that computer don't know that their security has been compromised. One of the easiest ways to do this is to just type "nidump passwd ." and write down the root account's password hash. (The hash will be the text that looks like just a garbled mess of alphanumeric characters between two colons.)
Step 5) Now one can type up what they wrote down into a plain text file like the following example: "root:rQkFQ37SYveHw:0:0::0:0:System Administrator:/var/root:/bin/tcsh".
Step 6) Finally, they'll use a cracking program like John the Ripper for the PC, or the Meltino, a Classic Macintosh application, to crack the password hash.
And when it's finally cracked, they've got the password.
3) Capitalization Matters! "/sbin/SystemStarter"
Posted: February 27, 2004, 5:21 pm