SCCM - General

This walkthrough focuses on SCCM exploitation from Linux. Some attacks (Elevate 2 and Exec 1) can only be done from Windows because they require SharpSCCM.exe.

Setup

Ludus SCCM range (the SpecterOps one, not the GOAD version). The two are similar, but the SpecterOps range also includes AD CS, which is what enables Takeover 3.

10.2.10.10 - DC01
10.2.10.11 - Workstation
10.2.10.12 - Distro point
10.2.10.13 - SQL server
10.2.10.14 - management point
10.2.10.15 - Siteserver
10.2.10.99 - Kali

Hosts file entries (/etc/hosts on Kali):

10.2.10.13    SCCM-SQL.ludus.domain SCCM-SQL
10.2.10.11    WORKSTATION.ludus.domain WORKSTATION
10.2.10.14    SCCM-MGMT.ludus.domain SCCM-MGMT
10.2.10.10    DC01.ludus.domain ludus.domain DC01
10.2.10.15    SCCM-SITESRV.ludus.domain SCCM-SITESRV
10.2.10.12    SCCM-DISTRO.ludus.domain SCCM-DISTRO

Open the Configuration Manager console with Full Administrator privileges (RDP to 10.2.10.15 with domainadmin:password).

If Elevate 2 has been executed, the push account will authenticate to your attacker machine every hour.

SCCM lab Credentials:

  • Domain admin creds: domainadmin:password
  • Domain user creds: domainuser:password

Tools needed:

Sccmhunter, dploot and Netexec:

pipx install git+https://github.com/garrettfoster13/sccmhunter/
pipx install git+https://github.com/zblurx/dploot.git
pipx install git+https://github.com/Pennyw0rth/NetExec

Netexec - If you get aardwolf errors:

rustup default stable
pip3 install aardwolf --break-system-packages
pipx install git+https://github.com/Pennyw0rth/NetExec --force

Ldeep for easy LDAP queries:

sudo apt-get install -y libkrb5-dev krb5-config gcc python3-dev
pipx install git+https://github.com/franc-pentest/ldeep

gets4uticket.py (for Takeover-2): https://github.com/dirkjanm/PKINITtools.git

dnstool.py (for Elevate-3): https://github.com/dirkjanm/krbrelayx.git

PXEThief only works from Windows. Get this fork to run it from Linux: https://github.com/blurbdust/PXEThief/tree/main

If you get a get_if_raw_hwadd error:

pip uninstall scapy
pip install scapy==2.5.0

On Linux you also need to give it the following permissions:

realpath $(which python3)                        # resolve the real interpreter path (not the symlink)
sudo setcap cap_net_raw+ep /usr/bin/python3.13   # use the path printed by realpath above

Or use this Linux version of the tool (limited functionality compared to PXEthief): https://github.com/csandker/pxethiefy

SCCMSecrets.py: https://github.com/synacktiv/SCCMSecrets

sccm-http-looter: https://github.com/badsectorlabs/sccm-http-looter

Certipy (for Takeover 3): https://github.com/ly4k/Certipy

Coercer: https://github.com/p0dalirius/Coercer

Petitpotam: https://github.com/topotam/PetitPotam

The following techniques from Misconfiguration Manager are covered:

https://github.com/subat0mik/Misconfiguration-Manager/tree/main

Recommendations are provided throughout the walkthrough. It is also advisable to check the documentation for the corresponding PREVENT and DETECT sections.

Recon (5/7)

  • Recon 1 — Enumerate SCCM Site Information via LDAP
  • Recon 2 — Enumerate SCCM roles via SMB
  • Recon 3 — Enumerate SCCM roles via HTTP
  • Recon 4 — Query client devices via CMPivot
  • Recon 5 — Locate users via SMS Provider

Recon 6 and 7 are not that interesting.

Cred (6/6)

  • Cred 1 — Retrieve secrets from PXE boot media
  • Cred 2 — Request computer policy and deobfuscate secrets
  • Cred 3 — Dump currently deployed secrets via WMI
  • Cred 4 — Retrieve legacy secrets from the CIM repository
  • Cred 5 — Dump credentials from the site database
  • Cred 6 — Loot domain credentials, SSH keys, and more from SCCM Distribution Points (DP) (you can enable this in the lab, see the CRED-6 recommendation)

Elevate (3/3)

  • Elevate 1 — NTLM relay site server to SMB on site systems
  • Elevate 2 — NTLM relay via automatic client push installation
  • Elevate 3 — Coerce NTLM relay via automatic client push installation and AD System Discovery

Exec (2/2)

  • Exec 1 — Application Deployment
  • Exec 2 — PowerShell script execution

Takeover (4/9)

  • Takeover 1 — Hierarchy takeover via NTLM coercion and relay to MSSQL on remote site database
  • Takeover 2 — Hierarchy takeover via NTLM coercion and relay to SMB on remote site database
  • Takeover 3 — Hierarchy takeover via NTLM coercion and relay to HTTP on AD CS
  • Takeover 8 — Hierarchy takeover via NTLM coercion and relay HTTP to LDAP on domain controller

Other

  • Other - Request policies without authentication - Automatic device approval enabled (Unauth CRED-2 variant)
  • Other - Pivoting across collections by impersonating compromised SCCM clients
  • Other - Windows Session Hijacking via CcmExec
  • Other - Microsoft Configuration Manager - Unauthenticated SQL injections (CVE-2024-43468).

Quick permission overview

Unauthenticated:

Low priv (Domain user):

Local admin on any SCCM client:

SCCM admin privs (such as SCCM Full administrator):
