Privilege Escalation in Rapid7 Velociraptor Admin.Client.UpdateClientConfig Artifact

This repository is a small operational helper for exploiting CVE-2025-6264 in Velociraptor. It is not a full exploit against the vulnerable artifact itself; instead, it automates attacker infrastructure setup needed to abuse the missing permission checks in Admin.Client.UpdateClientConfig. The repository contains two files: a README describing the vulnerability and attack flow, and a single Bash script, 2025-6264_setup.sh, which is the main entry point. The script installs Velociraptor v0.75.6 on a Linux host, generates a fresh server configuration, modifies the frontend bind address from 127.0.0.1 to 0.0.0.0, builds and installs the server .deb package, creates an administrator account with hardcoded credentials admin/admin, and extracts the Client section from the generated server config into a standalone client.config.yaml. It then replaces the default https://localhost:8000/ URL with the host's detected local IP so redirected clients will connect back to the attacker-controlled server. Operationally, the exploit capability is client redirection and takeover preparation: the generated YAML contains the CA certificate, nonce, and server URL needed to reconfigure vulnerable Velociraptor clients. Per the README, an attacker with Investigator-level access can insert this YAML into the vulnerable Admin.Client.UpdateClientConfig artifact, causing endpoints to rekey and reconnect to the malicious server. The script also supports a --client-only mode for environments where Velociraptor is already installed, in which case it only emits the client configuration. There is no standalone vulnerability trigger code in the repository; the actual abuse of the vulnerable artifact is assumed to be performed manually by the operator. Still, the repository clearly supports real exploitation by provisioning the malicious server and producing the exact configuration payload required for endpoint hijacking.