[DOCS] Add SYSTEM shell access documentation to Artifice page #99

Merged
merged 2 commits into from
Jul 23, 2024
20 changes: 19 additions & 1 deletion docs/exploits/artifice-devmode-elevation.md
Expand Up @@ -6,7 +6,7 @@
|Release date | 10.09.2023 |
|Author | Kudayasu |
|Classification | Devmode SystemOS privilege escalation |
|Patched | No (as of October 1st 2023) |
|Patched | No (as of July 23rd 2024) |
|Patch date | - |
|First patched system version | - |
|Source | https://kudayasu.github.io/an-autopsy-of-artifice/ |
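Review bot: the Patched row in this hunk only moves the "as of" date forward to July 23rd 2024, and nothing in the diff records what was checked to support that; since the table keeps "Patch date" and "First patched system version" at "-", consider stating the system version the exploit was re-tested against so the claim can be verified later rather than read as a date bump.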
Expand All @@ -22,3 +22,21 @@ A completely privilege escalation exploit for Devmode, granting an admin account
## Instructions
Download the artifice release, make sure your console is reachable from the host computer, run the program and type the console IP. Then launch the exploit.
If it succeeds, an account called `admin` with password `admin` will be created in SystemOS. You can ssh to this account.

### System Shell Access
In order to gain SYSTEM shell access, we need to leverage `bootsh` to telnet into the Xbox, as described [here](https://xboxoneresearch.github.io/wiki/exploits/devmode-priv-escalation-vsprofiling/).

1. SSH into your console using Command Prompt or PowerShell with the Admin account created by Artiface.
2. Execute the following commands on the SSH connection as Admin:
```
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d "telnetd.exe cmd.exe 23" /f
sc start bootsh
```
3. Wait around 10 seconds to ensure that the telnet service has started.
4. Reset the registry key back to its original state:
```
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d "xrun.exe SystemBootTasks" /f
```
5. Now you can start a telnet session using [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) or a similar telnet client using Port 23
6. Profit.
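Review bot: step 4 in this hunk restores the `Xrun` value by writing a hard-coded `"xrun.exe SystemBootTasks"` instead of whatever was actually present before step 2; suggest adding `REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun` ahead of the first `REG ADD` and telling the reader to restore the value that query returned, otherwise a console whose original value differs is left with an altered boot task. Related: the `telnetd.exe cmd.exe 23` service started by `sc start bootsh` is an unauthenticated, plaintext listener on port 23 and the text never says it keeps running after the key is reset, so a sentence on stopping it when done (and on keeping the console reachable only from the host, as the Instructions section above already assumes) would help. Minor: `Artiface` in step 1 should be `Artifice` to match the file name, the two fenced blocks could carry a `cmd` language tag, step 5 is missing its full stop, and step 6 "Profit." would be more useful as a description of what the reader should now see (a `cmd.exe` prompt running as SYSTEM).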
