(Mac pentest series) Install apps of dmg and pkg types without admin password

Chenny Ren
4 min readJun 6, 2023

--

Continuing from the previous post (Mac pentest series): Installing Homebrew without sudo privilege

Today, I’d like to share a method for installing applications on macOS without requiring an admin password. This approach is particularly useful in cases where the Apple App Store is disabled to prevent users from directly downloading apps.

If the application supports drag and drop installation, you can simply drag it to the Applications folder within your user directory or anywhere else within your user folder. However, if the app utilizes Apple’s Installer, you will need to provide an admin username and password.

Installing DMG files without an admin password is another option to explore.

Now, let’s proceed with the installation of Steam on the MacBook OS, despite the presence of extensive restrictions.

Download the dmg , if we drag the steam.app to Application folders , we will need admin user name and password.

Instead, I drag the Steam.app to Desktop (the folder that we have rwx rights)

It is successfully installed , games could be downloaded and let’s launch the Games!

Install the Applications like these are relative easy, now let’s work on some thing more difficult

Install .PKG without Admin password (macOS)

What if the package is not a DMG but a PKG, which cannot be simply dragged and dropped?

A PKG file is a package that contains compressed installer files designed for installing software programs. It is frequently utilized for software installations in Mac OS X. PKG files can be installed individually or referenced by an installer script included with the software.

Let’s consider attempting to install a keylogger as an example (please note that this is a malicious package chosen solely for testing endpoint solutions and should not be used for any malicious purposes). First, we need to unzip the package.

Create an empty folder on desktop and let’s just name it ‘game’

In the terminal

pkgutil --expand /Users/qianni.ren/Desktop/SpyderXElite\\ 5.9.pkg /Users/qianni.ren/Desktop/game​

Now there will be an error pops up telling us the folder already exists. Just delete the folder and run the command again, the error will be solved

from game folder we see the package resources

click show package contents on the pkg file

The payload is a compressed file, so we have to extract it out. Create a folder on desktop named extract_payload

In the terminal type

tar -xvf /Users/qianni.ren/Desktop/game/SpyderXElite.pkg/Payload -C /Users/qianni.ren/Desktop/extract_payload​

The app will be extracted

and we can successfully run the keylogger on a restricted mac

run the app and we will pop up to the activation page

--

--

Chenny Ren
Chenny Ren

Written by Chenny Ren

OSCP | OSWP | OSEP | CRTP |CRTE | CRTO | Red Team Professional | SOC engineer

Responses (1)