From 38c1f7fd873f46c89604f26f3cc244e6f5d119ac Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 17 Mar 2026 02:07:33 +0000 Subject: [PATCH] Add content from: RegPwn BOF --- .../README.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/src/windows-hardening/windows-local-privilege-escalation/README.md b/src/windows-hardening/windows-local-privilege-escalation/README.md index 6d063ff500a..51018ba70d0 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/README.md 
@@ -652,6 +652,38 @@ To change the Path of the binary executed: reg add HKLM\SYSTEM\CurrentControlSet\services\ /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f ``` +### Registry symlink race to arbitrary HKLM value write (ATConfig) + +Some Windows Accessibility features create per-user **ATConfig** keys that are later copied by a **SYSTEM** process into an HKLM session key. A registry **symbolic link race** can redirect that privileged write into **any HKLM path**, giving an arbitrary HKLM **value write** primitive. + +Key locations (example: On-Screen Keyboard `osk`): + +- `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs` lists installed accessibility features. +- `HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\` stores user-controlled configuration. +- `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session\ATConfig\` is created during logon/secure-desktop transitions and is writable by the user. + +Abuse flow (CVE-2026-24291 / ATConfig): + +1. Populate the **HKCU ATConfig** value you want to be written by SYSTEM. +2. Trigger the secure-desktop copy (e.g., **LockWorkstation**), which starts the AT broker flow. +3. **Win the race** by placing an **oplock** on `C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml`; when the oplock fires, replace the **HKLM Session ATConfig** key with a **registry link** to a protected HKLM target. +4. SYSTEM writes the attacker-chosen value to the redirected HKLM path. + +Once you have arbitrary HKLM value write, pivot to LPE by overwriting service configuration values: + +- `HKLM\SYSTEM\CurrentControlSet\Services\\ImagePath` (EXE/command line) +- `HKLM\SYSTEM\CurrentControlSet\Services\\Parameters\ServiceDll` (DLL) + +Pick a service that a normal user can start (e.g., **`msiserver`**) and trigger it after the write. **Note:** the public exploit implementation **locks the workstation** as part of the race. 
+ +Example tooling (RegPwn BOF / standalone): + +```bash +beacon> regpwn C:\payload.exe SYSTEM\CurrentControlSet\Services\msiserver ImagePath +beacon> regpwn C:\evil.dll SYSTEM\CurrentControlSet\Services\SomeService\Parameters ServiceDll +net start msiserver +``` + ### Services registry AppendData/AddSubdirectory permissions If you have this permission over a registry this means to **you can create sub registries from this one**. In case of Windows services this is **enough to execute arbitrary code:** @@ -1981,5 +2013,7 @@ C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the - [Unit 42 – Privileged File System Vulnerability Present in a SCADA System](https://unit42.paloaltonetworks.com/iconics-suite-cve-2025-0921/) - [Symbolic Link Testing Tools – CreateSymlink usage](https://github.com/googleprojectzero/symboliclink-testing-tools/blob/main/CreateSymlink/CreateSymlink_readme.txt) - [A Link to the Past. Abusing Symbolic Links on Windows](https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20James%20Forshaw%20-%20A%20Link%20to%20the%20Past.pdf) +- [RIP RegPwn – MDSec](https://www.mdsec.co.uk/2026/03/rip-regpwn/) +- [RegPwn BOF (Cobalt Strike BOF port)](https://github.com/Flangvik/RegPwnBOF) {{#include ../../banners/hacktricks-training.md}}
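Review bot: In the `@@ -652` hunk, the registry paths in the new ATConfig section end in a bare backslash (`...\Accessibility\ATConfig\`, `...\Session\ATConfig\`, `...\Services\\ImagePath`, `...\Services\\Parameters\ServiceDll`), which reads as though an angle-bracket placeholder (the per-AT subkey such as `osk` from the example, and the service name) was swallowed by the markdown renderer; write those placeholders in a form the renderer keeps, e.g. `Services\{ServiceName}\ImagePath`, and use the same placeholder in the `regpwn` example instead of `SomeService` so the bullets and the example line up. Two practitioner caveats are also missing: the hunk names `CVE-2026-24291` and cites a post titled "RIP RegPwn" but never states whether the bug is patched or which update closes it, so add a one-line patch status; and the `msiserver` pivot should say whether the payload at `C:\payload.exe` needs to behave as a real service binary when started with `net start`, and that the original `ImagePath` should be saved before the write and restored afterwards (the `ServiceDll` variant likewise needs a note that it only applies to services that load a DLL via a `Parameters` subkey). Finally, the example is fenced as ```` ```bash ```` but mixes Beacon console commands (`beacon> regpwn ...`) with a `net start msiserver` line; either tag the fence as plain text or split the Beacon commands from the shell command so the reader knows where each runs, and the existing **Note** about locking the workstation deserves one more sentence on why that matters operationally (the lock is visible to the logged-on user).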
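Review bot: The `@@ -1981` hunk adds the MDSec write-up and the Flangvik BOF repo, but the section introduced in the same patch cites `CVE-2026-24291` by number and no vendor advisory for that CVE is added here; please include the MSRC entry for it next to these two entries so the CVE reference is traceable. Minor style point: the surrounding entries use the form `Title – Source`, and `RegPwn BOF (Cobalt Strike BOF port)` repeats "BOF"; `RegPwn BOF – Cobalt Strike port (Flangvik)` would match the list. The hunk counts (`-1981,5 +2013,7`) are consistent with the 32 lines added in the first hunk plus the two added here, so no offset issue.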