Local Privilege Escalation (LPE) for Windows 11 x64 23H2

HarrySpoofer · #1 05-23-2025, 05:54

Does anyone know of a working Local Privilege Escalation (LPE) for Windows 11 x64 23H2 from an Authenticated User to Admin or System ?

The goal is to gain write access to HKEY_CURRENT_USER\Software from an Authenticated User's account.

I don't need a working tool. I just need a pointer in the right direction.
I already tried the obvious methods like misconfigured services and HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated.

P.S.
It is not my choice to deal with Windows 11. My boss has railroaded me into it at work...

wx69wx2023 · #2 05-23-2025, 07:34

LPE in CLFS.sys (Win11 23H2)
https://github.com/MrAle98/CVE-2024-49138-POC

https://web.archive.org/web/20250130103933/https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/

HarrySpoofer · #3 05-23-2025, 08:34

Thanks, ...but patched on May 13

See:
https://windowsforum.com/threads/cve-2025-32706-critical-windows-kernel-vulnerability-in-clfs-driver-enables-privilege-escalation.366026/

The SHA256 hashes for my files are:
clfs.sys: 84e53db33939e67dcafa75c3aadb4c56303a5f7f537a601174734589a085ea22
ntoskrnl.exe: 1fa89be1e7f4cab6a4ee176eccf3c00ca3395ab158773aa6c71c867d19b30dd4

wx69wx2023 · #4 05-24-2025, 08:41

if a target computer remain in an win updated state,It's hard, because 0day are not likely to be released free to the public,It will be reported to Microsoft for a reward, or sold on the black market...

sendersu · #5 05-24-2025, 14:03

this is true
a good viable 0day costs huge amount of money...

sendersu · #6 05-25-2025, 01:43

just take a look how much it might cost -

https://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results

HarrySpoofer · #7 05-25-2025, 16:27

Obviously I don't have that kind of money, so I have to rely on my wits.
A while ago I stumbled on a BSOD (0xC0000005) in win32k.sys that can be reliably triggered on Win11. I wonder if that can be weaponized for LPE.

Can IDA be made to step through kernel mode code and react to breakpoints placed there ?

sendersu · #8 05-25-2025, 16:48

no, IDA is user mode debugger
try kernel mode one...
there are some

HarrySpoofer · #9 05-25-2025, 23:46

Yes, I was once using SofIce for KM debugging and IDA for UM debugging but I think that recently I have seen someone use IDA for KM debugging with some plugin to WinDbg or some other KM debugger.

Larry · #10 05-26-2025, 00:02

Try to look this one:
h*t*t*p*s://docs.hex-rays.com/user-guide/debugger/debugger-tutorials/windbg_tut

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
struct as local var in ida	upb	General Discussion	3	03-03-2005 17:29

The Following User Says Thank You to wx69wx2023 For This Useful Post:
HarrySpoofer (05-23-2025)

The Following User Says Thank You to HarrySpoofer For This Useful Post:
wx69wx2023 (05-24-2025)

The Following User Says Thank You to wx69wx2023 For This Useful Post:
niculaita (05-25-2025)

The Following User Gave Reputation+1 to sendersu For This Useful Post:
Fyyre (08-13-2025)