
RegPwn BOF #2015

Open
carlospolop wants to merge 1 commit into master from update_RegPwn_BOF_20260317_020432

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://github.com/Flangvik/RegPwnBOF
  • Blog Title: RegPwn BOF
  • Suggested Section: Windows Hardening -> Windows Local Privilege Escalation (new page for CVE-2026-24291 / ATConfig registry symlink race -> arbitrary HKLM value write -> service ImagePath/ServiceDll hijack; optionally cross-link from 'Cobalt Strike' tooling section for BOF operationalization)

🎯 Content Summary

Title/Repo: RegPwn BOF is a Cobalt Strike Beacon Object File (BOF) reimplementation/port (in C) of the original RegPwn exploit (original vulnerability research and C# exploit by Filip Dragovic / MDSec ActiveBreach).

CVE: CVE-2026-24291

Core issue (what is vulnerable): A registry symlink race condition in the Windows Accessibility ATConfig ...

🔧 Technical Details

Trick 1 — Convert a privileged registry write into an arbitrary HKLM value write via a registry symlink race (CVE-2026-24291): If a Windows component performs a privileged registry operation under a path that a low-privileged user can influence through a race condition involving registry symlinks, an attacker can redirect the privileged operation to a protected target (e.g., HKLM\SYSTEM\CurrentControlSet\...). Winning the race yields an “arbitrary HKLM registry value write” primitive from a standard-user context, which is enough to reconfigure privileged system behavior.

Trick 2 — Turn an HKLM write primitive into SYSTEM code execution by hijacking service configuration: If an attacker can write to protected service registry keys, they can set HKLM\SYSTEM\CurrentControlSet\Services\<svc>\ImagePath to an attacker-controlled command/EXE (or set ...\Parameters\ServiceDll to an attacker D...

🤖 Agent Actions

Summary:

  • Added a new Windows LPE subsection documenting the ATConfig registry symlink race (CVE-2026-24291), its exploitation flow, and how to pivot the HKLM write into service ImagePath/ServiceDll hijack.
  • Added example RegPwn BOF usage and appended references to the MDSec writeup and RegPwnBOF repo.

Files changed:

  • src/windows-hardening/windows-local-privilege-escalation/README.md

Tests:

  • Not run (documentation-only change).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
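A defender-side check for the Trick 2 outcome described in the summary, added here as an example and not code from the PR or from the RegPwnBOF project: it audits a constructed snapshot of service ImagePath/ServiceDll values and flags any that resolve outside the directories a service binary is expected to load from, which is where a value planted through the HKLM write primitive would point. TRUSTED_DIRS, the sample entries and the prefix handling in expand() are assumptions.

```python
import re

# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Services\<svc> values
# (name, ImagePath, Parameters\ServiceDll); the last two model a hijacked service.
SAMPLE_SERVICES = [
    ("Schedule", r"%SystemRoot%\system32\svchost.exe -k netsvcs -p",
     r"%SystemRoot%\system32\schedsvc.dll"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", None),
    ("Backup", r'"C:\Program Files\BackupCo\agent.exe" -service', None),
    ("Telemetry", r"C:\Users\Public\upd.exe", None),
    ("Eventlog", r"%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted",
     r"C:\Users\Public\evil.dll"),
]

# Locations a service binary or ServiceDll is expected to load from (assumption).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

def expand(path):
    """Resolve the prefixes commonly seen in service values to a plain drive path."""
    path = re.sub(r"^%systemroot%", r"C:\\Windows", path, flags=re.I)
    path = re.sub(r"^\\systemroot", r"C:\\Windows", path, flags=re.I)
    path = re.sub(r"^\\\?\?\\", "", path)  # \??\C:\... -> C:\...
    return path

def executable_from_image_path(image_path):
    """Strip service arguments: a quoted path ends at the closing quote."""
    s = expand(image_path.strip())
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.*?\.exe)", s, re.I)
    return m.group(1) if m else s.split(" ", 1)[0]

def audit(services):
    """Return (service, value name, resolved path) for values outside TRUSTED_DIRS."""
    findings = []
    for name, image_path, service_dll in services:
        exe = executable_from_image_path(image_path)
        if not exe.lower().startswith(TRUSTED_DIRS):
            findings.append((name, "ImagePath", exe))
        if service_dll:  # svchost-hosted services load their code from ServiceDll
            dll = expand(service_dll.strip())
            if not dll.lower().startswith(TRUSTED_DIRS):
                findings.append((name, "ServiceDll", dll))
    return findings

if __name__ == "__main__":
    for svc, value, path in audit(SAMPLE_SERVICES):
        print(f"{svc}: {value} -> {path}")
```

On a real host, feed it the values exported from the Services key and diff the result against a known-good baseline; a change with no matching installer activity is the signal to chase.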

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://github.com/Flangvik/RegPwnBOF

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (new page for CVE-2026-24291 / ATConfig registry symlink race -> arbitrary HKLM value write -> service ImagePath/ServiceDll hijack; optionally cross-link from 'Cobalt Strike' tooling section for BOF operationalization)".

Repository Maintenance:

  • MD Files Formatting: 954 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
