Exetools forum, General Discussion: Local Privilege Escalation (LPE) for Windows 11 x64 23H2 (https://forum.exetools.com/showthread.php?t=21268)

HarrySpoofer 05-23-2025 05:54

Local Privilege Escalation (LPE) for Windows 11 x64 23H2
 
Does anyone know of a working Local Privilege Escalation (LPE) for Windows 11 x64 23H2 from an Authenticated User to Admin or System?

The goal is to gain write access to HKEY_CURRENT_USER\Software from an Authenticated User's account.

I don't need a working tool. I just need a pointer in the right direction.
I already tried the obvious methods like misconfigured services and HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated.

P.S.
It is not my choice to deal with Windows 11. My boss has railroaded me into it at work...

wx69wx2023 05-23-2025 07:34

LPE in CLFS.sys (Win11 23H2)
https://github.com/MrAle98/CVE-2024-49138-POC

https://web.archive.org/web/20250130103933/https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/

HarrySpoofer 05-23-2025 08:34

Thanks, ...but patched on May 13 :( See:
https://windowsforum.com/threads/cve-2025-32706-critical-windows-kernel-vulnerability-in-clfs-driver-enables-privilege-escalation.366026/

The SHA256 hashes for my files are:
clfs.sys: 84e53db33939e67dcafa75c3aadb4c56303a5f7f537a601174734589a085ea22
ntoskrnl.exe: 1fa89be1e7f4cab6a4ee176eccf3c00ca3395ab158773aa6c71c867d19b30dd4

wx69wx2023 05-24-2025 08:41

If a target computer remains in a Windows-updated state, it's hard, because 0days are not likely to be released free to the public; they will be reported to Microsoft for a reward, or sold on the black market...

sendersu 05-24-2025 14:03

This is true.
A good viable 0day costs a huge amount of money...

sendersu 05-25-2025 01:43

Just take a look at how much it might cost:

https://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results

HarrySpoofer 05-25-2025 16:27

Obviously I don't have that kind of money, so I have to rely on my wits.
A while ago I stumbled on a BSOD (0xC0000005) in win32k.sys that can be reliably triggered on Win11. I wonder if that can be weaponized for LPE.

Can IDA be made to step through kernel mode code and react to breakpoints placed there?

sendersu 05-25-2025 16:48

No, IDA is a user mode debugger.
Try a kernel mode one...
There are some.

HarrySpoofer 05-25-2025 23:46

Yes, I was once using SoftICE for KM debugging and IDA for UM debugging, but I think that recently I have seen someone use IDA for KM debugging with some plugin for WinDbg or some other KM debugger.

Larry 05-26-2025 00:02

Try looking at this one:
https://docs.hex-rays.com/user-guide/debugger/debugger-tutorials/windbg_tut


All times are GMT +8. The time now is 17:12.