Merge pull request #99 from SternXD/master
[DOCS] Add SYSTEM shell access documentation to Artiface page
tuxuser authored Jul 23, 2024
2 parents 23983b0 + 238115b commit 2dea918
Showing 1 changed file with 19 additions and 1 deletion.
20 changes: 19 additions & 1 deletion docs/exploits/artifice-devmode-elevation.md
Expand Up @@ -6,7 +6,7 @@
|Release date | 10.09.2023 |
|Author | Kudayasu |
|Classification | Devmode SystemOS privilege escalation |
|Patched | No (as of October 1st 2023) |
|Patched | No (as of July 23rd 2024) |
|Patch date | - |
|First patched system version | - |
|Source | https://kudayasu.github.io/an-autopsy-of-artifice/ |
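Review bot: the updated `|Patched | No (as of July 23rd 2024) |` row spells the date out while the `Release date` row two lines above uses the dotted `10.09.2023`; use one format for both rows (ISO `2024-07-23` / `2023-09-10` also removes the day/month ambiguity of the dotted form). Since `Patch date` and `First patched system version` remain `-`, consider stating in the `Patched` row what was checked (which system version the exploit was last confirmed on), otherwise the "as of" date carries no verifiable information.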
Expand All @@ -22,3 +22,21 @@ A completely privilege escalation exploit for Devmode, granting an admin account
## Instructions
Download the artifice release, make sure your console is reachable from the host computer, run the program and type the console IP. Then launch the exploit.
If it succeeds, an account called `admin` with password `admin` will be created in SystemOS. You can ssh to this account.

### System Shell Access
In order to gain SYSTEM shell access, we need to leverage `bootsh` to telnet into the Xbox, as described [here](https://xboxoneresearch.github.io/wiki/exploits/devmode-priv-escalation-vsprofiling/).

1. SSH into your console using Command Prompt or PowerShell with the Admin account created by Artiface.
2. Execute the following commands on the SSH connection as Admin:
```
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d "telnetd.exe cmd.exe 23" /f
sc start bootsh
```
3. Wait around 10 seconds to ensure that the telnet service has started.
4. Reset the registry key back to its original state:
```
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d "xrun.exe SystemBootTasks" /f
```
5. Now you can start a telnet session using [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) or a similar telnet client using Port 23
6. Profit.
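Review bot: step 1 spells the tool `Artiface` while the file name (`artifice-devmode-elevation.md`) and the rest of the page use `Artifice`; fix the spelling. The two fenced blocks in steps 2 and 4 have no language tag, so add one (for example `cmd`) so the `REG ADD` / `sc start` lines are rendered consistently with the rest of the docs. Step 4 restores `Xrun` to `"xrun.exe SystemBootTasks"` but the text never says that this is the value the key held before step 2; have readers record the existing value first (`REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun`) and restore that, so the cleanup does not depend on an assumed default. The section also stops at starting the listener (`telnetd.exe cmd.exe 23`) and never says how to shut it down when finished or whether `sc stop bootsh` is enough to end the spawned `telnetd.exe`; add a closing step. Finally, `6. Profit.` should state the actual outcome of the procedure (a `cmd.exe` shell over the telnet session on port 23), and the bare `[here]` link text in the intro should name the page it points to (the vsprofiling privilege-escalation write-up).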
