Local Privilege Escalation (LPE) for Windows 11 x64 23H2

HarrySpoofer · #1 05-23-2025, 05:54

Does anyone know of a working Local Privilege Escalation (LPE) for Windows 11 x64 23H2 from an Authenticated User to Admin or System ?

The goal is to gain write access to HKEY_CURRENT_USER\Software from an Authenticated User's account.

I don't need a working tool. I just need a pointer in the right direction.
I already tried the obvious methods like misconfigured services and HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated.

P.S.
It is not my choice to deal with Windows 11. My boss has railroaded me into it at work...

wx69wx2023 · #2 05-23-2025, 07:34

LPE in CLFS.sys (Win11 23H2)
https://github.com/MrAle98/CVE-2024-49138-POC

https://web.archive.org/web/20250130103933/https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/

HarrySpoofer · #3 05-23-2025, 08:34

Thanks, ...but patched on May 13

See:
https://windowsforum.com/threads/cve-2025-32706-critical-windows-kernel-vulnerability-in-clfs-driver-enables-privilege-escalation.366026/

The SHA256 hashes for my files are:
clfs.sys: 84e53db33939e67dcafa75c3aadb4c56303a5f7f537a601174734589a085ea22
ntoskrnl.exe: 1fa89be1e7f4cab6a4ee176eccf3c00ca3395ab158773aa6c71c867d19b30dd4

wx69wx2023 · #4 05-24-2025, 08:41

if a target computer remain in an win updated state,It's hard, because 0day are not likely to be released free to the public,It will be reported to Microsoft for a reward, or sold on the black market...

sendersu · #5 05-24-2025, 14:03

this is true
a good viable 0day costs huge amount of money...

sendersu · #6 05-25-2025, 01:43

just take a look how much it might cost -

https://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results

HarrySpoofer · #7 05-25-2025, 16:27

Obviously I don't have that kind of money, so I have to rely on my wits.
A while ago I stumbled on a BSOD (0xC0000005) in win32k.sys that can be reliably triggered on Win11. I wonder if that can be weaponized for LPE.

Can IDA be made to step through kernel mode code and react to breakpoints placed there ?

sendersu · #8 05-25-2025, 16:48

no, IDA is user mode debugger
try kernel mode one...
there are some

HarrySpoofer · #9 05-25-2025, 23:46

Yes, I was once using SofIce for KM debugging and IDA for UM debugging but I think that recently I have seen someone use IDA for KM debugging with some plugin to WinDbg or some other KM debugger.

Larry · #10 05-26-2025, 00:02

Try to look this one:
h*t*t*p*s://docs.hex-rays.com/user-guide/debugger/debugger-tutorials/windbg_tut

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
struct as local var in ida	upb	General Discussion	3	03-03-2005 17:29

The Following User Says Thank You to wx69wx2023 For This Useful Post:
HarrySpoofer (05-23-2025)

The Following User Says Thank You to HarrySpoofer For This Useful Post:
wx69wx2023 (05-24-2025)

The Following User Says Thank You to wx69wx2023 For This Useful Post:
niculaita (05-25-2025)

The Following User Gave Reputation+1 to sendersu For This Useful Post:
Fyyre (08-13-2025)