nightmare-eclipse/greenplasma — explained in plain English
Analysis updated 2026-05-18
Study a real world Windows privilege escalation technique for security research.
Practice completing the missing exploit steps as a CTF style challenge.
Learn how SYSTEM trusted file paths can be abused on Windows.
Reference the CTFMON vulnerability mechanism in defensive security training.
| nightmare-eclipse/greenplasma | phjont/wallpaper-engine-live-wallpaper-engine | mark9-droid/tomodachipc | |
|---|---|---|---|
| Stars | 553 | 555 | 549 |
| Language | C++ | C++ | C++ |
| Setup difficulty | hard | easy | easy |
| Complexity | 5/5 | 1/5 | 1/5 |
| Audience | researcher | general | general |
Figures from each repo's GitHub metadata at analysis time.
The proof of concept is intentionally incomplete, missing the final step to reach a full SYSTEM shell.
GreenPlasma is a security research proof of concept that documents a Windows privilege escalation vulnerability involving a system component called CTFMON. CTFMON is a background Windows process related to text input and language services, and this repository shows how a flaw in it can be abused to gain higher privileges than a normal user should have. The core issue is that the vulnerability lets an attacker create an arbitrary memory section object inside a directory location that only the SYSTEM account, the most privileged account on Windows, should be able to write to. The author explains that many Windows services, and even kernel mode drivers, place blind trust in certain file paths because a standard user is not normally expected to have write access there. By influencing what gets placed in that newly created section, an attacker who is smart enough could potentially turn this into a full privilege escalation, reaching SYSTEM level access from a regular user account. The author has deliberately not published a complete working exploit. The code shared is stripped of the final piece needed to obtain a full SYSTEM shell, and the README frames this gap as an intentional challenge aimed at people who enjoy Capture the Flag competitions and security research. This is a common practice in the security research community, where enough detail is shared to demonstrate that a vulnerability is real and explain its mechanism, without handing over a ready to use attack tool. According to the README, the vulnerability has been confirmed to work on Windows 11, Windows Server 2022, and Windows Server 2026, though the author is unsure whether it also affects Windows 10. The repository includes a screenshot showing the arbitrary section object being created. This project is aimed at security researchers, penetration testers, and CTF participants studying Windows internals rather than at general software users.
A security research writeup showing a Windows privilege escalation bug in CTFMON, shared as a CTF style challenge.
Mainly C++. The stack also includes C++, Windows.
The README does not state license terms.
Setup difficulty is rated hard, with roughly 1day+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.