WSUS


The presence of Windows Server Update Services (WSUS) was suspected from the beginning of the engagement because of the relevant shares found on the SMB server and the groups that had been created for it. A WSUS process was also identified on the host.

According to the official Microsoft documentation,

Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates that are released through Microsoft Update to computers on your network. This article provides an overview of this server role and more information about how to deploy and maintain WSUS.

According to another online resource:

Typically, the architecture of WSUS deployments is quite simple, although they can be configured in more complex ways. The most common deployment consists of one WSUS server within the corporate network. This server will reach out to Microsoft over HTTP and HTTPS to download Microsoft patches. After downloading these, the WSUS server will deploy the patch to clients as they check in to the WSUS server. Communication between the WSUS server and the clients will occur on port 8530 for HTTP and 8531 for HTTPS. An example of this deployment is below:

The current user, molly.smith, is indeed a member of the WSUS Administrators group.

PS C:\Users\molly.smith> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
PS C:\Users\molly.smith> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    AUOptions    REG_DWORD    0x3

It would appear that WSUS is NOT configured on the target system: the policy key contains only the AU subkey, and there is no WUServer value pointing the update client at an internal WSUS server. The AUOptions value of 0x3 only controls automatic-update behaviour (download updates and notify before installing).
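The two reg query commands above can be folded into a single check that a defender can run across hosts. The script below is an added example and is not part of the original writeup; it reads the documented Windows Update policy values (WUServer, WUStatusServer, UseWUServer, AUOptions) under the same HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate key, reports whether a WSUS server is actually configured, and flags an http:// server URL, since client traffic to such a server is unencrypted on port 8530 as the quoted passage notes. The Get-WsusClientPolicy function name is my own.

```powershell
# Added example (not from the original writeup): audit the Windows Update
# client policy that the reg query commands above inspect by hand.
function Get-WsusClientPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au   = Join-Path $base 'AU'

    # Both keys may be absent on an unmanaged host; treat absence as "no policy"
    # rather than as an error.
    $wu      = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $auProps = Get-ItemProperty -Path $au   -ErrorAction SilentlyContinue

    $wuServer    = $wu.WUServer          # URL of the WSUS server, if any
    $statusSrv   = $wu.WUStatusServer    # URL the client reports status to
    $useWuServer = $auProps.UseWUServer  # 1 = use WUServer instead of Microsoft Update
    $auOptions   = $auProps.AUOptions    # automatic-update behaviour

    # Documented meanings of the AUOptions policy value.
    $auMeaning = @{
        2 = 'Notify before download'
        3 = 'Auto download, notify before install'
        4 = 'Auto download, scheduled install'
        5 = 'Local administrator chooses'
    }

    [pscustomobject]@{
        PolicyKeyPresent = ($null -ne $wu)
        # WSUS is only in use when the client is told to use it AND a server is set.
        WSUSConfigured   = ($useWuServer -eq 1 -and -not [string]::IsNullOrEmpty($wuServer))
        WUServer         = $wuServer
        WUStatusServer   = $statusSrv
        AUOptions        = $auOptions
        AUMeaning        = if ($null -ne $auOptions) { $auMeaning[[int]$auOptions] } else { $null }
        # Plain HTTP means update metadata travels unencrypted (default port 8530).
        PlainHttp        = ($wuServer -like 'http://*')
    }
}

$policy = Get-WsusClientPolicy
$policy | Format-List

if (-not $policy.WSUSConfigured) {
    Write-Host 'No WSUS server is set in policy; the client fetches updates from Microsoft Update directly.'
}
elseif ($policy.PlainHttp) {
    Write-Warning "WSUS server $($policy.WUServer) is reached over plain HTTP; prefer HTTPS on 8531."
}
```

Run against the registry state shown above, the function reports PolicyKeyPresent as true, WSUSConfigured as false (no WUServer or UseWUServer value) and AUOptions as 3, which matches the conclusion drawn from the manual queries.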

App


Checking the WSUS installation through the dedicated management application.

UAC prompts for administrator credentials; the user is a member of the tier1-admins group.

There is nothing registered.

It is configured to fetch updates from the official Microsoft repository rather than from a local WSUS server.