From 98ba9a38ccfa95e1bfaaa9a4bcd10746e71e4074 Mon Sep 17 00:00:00 2001 From: Idar Lund Date: Tue, 14 Jan 2025 13:08:50 +0100 Subject: [PATCH] added powershell command to show wsus config admins tend to disable "registry editing" on computers. this makes reg query spit out an error message. PowerShell get item property however still works. --- .../README.md | 20 ++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/src/windows-hardening/windows-local-privilege-escalation/README.md b/src/windows-hardening/windows-local-privilege-escalation/README.md index f32121647..cabf2c78f 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/README.md 
@@ -174,20 +174,34 @@ Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| You can compromise the system if the updates are not requested using http**S** but http. -You start by checking if the network uses a non-SSL WSUS update by running the following: +You start by checking if the network uses a non-SSL WSUS update by running the following in cmd: ``` reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer ``` -If you get a reply such as: +Or the following in PowerShell: + +``` +Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer" +``` + +If you get a reply such as one of these: ```bash HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate WUServer REG_SZ http://xxxx-updxx.corp.internal.com:8535 ``` +```bash +WUServer : http://xxxx-updxx.corp.internal.com:8530 +PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate +PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows +PSChildName : windowsupdate +PSDrive : HKLM +PSProvider : Microsoft.PowerShell.Core\Registry +``` -And if `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer` is equals to `1`. +And if `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer` or `Get-ItemProperty -Path hklm:\software\policies\microsoft\windows\windowsupdate\au -name "usewuserver"` is equals to `1`. Then, **it is exploitable.** If the last registry is equals to 0, then, the WSUS entry will be ignored.
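Review bot: the new `Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Name "WUServer"` command writes a "Cannot find path" error when the WindowsUpdate policy key or the WUServer value is absent, which is precisely the "no WSUS configured" outcome the reader is trying to distinguish; consider appending `-ErrorAction SilentlyContinue`, or adding a sentence that an empty result means no policy-configured WSUS server, so that case is not mistaken for the cmd-side "registry editing disabled" error the commit message describes. Two consistency points in the same hunk: the new command block has no language tag while the sample-output blocks are tagged `bash` (tagging the command `powershell` and the outputs as plain text would be more accurate, since neither output is a bash script), and the PowerShell sample shows `WUServer : http://xxxx-updxx.corp.internal.com:8530` while the reg query sample directly above shows port 8535 for the same value, so the two replies do not illustrate the same configuration. Finally, the rewritten UseWUServer sentence now fuses a bare registry path and a full PowerShell command inline; it would read better as a second pair of fenced commands (the `reg query ...\AU /v UseWUServer` form and the `Get-ItemProperty ... -Name "UseWUServer"` form) followed by "is equal to `1`", which would also fix the pre-existing "is equals to".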