
Update MgmtPointMessaging.cs

Open HexRav3n opened this issue 1 year ago • 7 comments

Description

Fixes an issue with "get secrets" in which the provided mediaGUID displays an incorrect password because the formatting strips off the last character and keeps the "{" at the front of the parameter. Found by copying pxethiefy output over to SharpSCCM to extract secrets from policies.

Type of Change

  • [x] Bug fix (non-breaking change which fixes an issue)

Testing

This changes the substring start value from 0 to 1 to prevent cutting off the password used to decrypt the hex-encoded certificate.

Download https://github.com/csandker/pxethiefy and run:

python3 pxethiefy.py explore -i eth0 -a 10.0.0.5

Copy and paste the output into SharpSCCM.exe:

SharpSCCM.exe get secrets -i "" -m "" -c "" -sc "" -mp ""

The -m parameter will be truncated properly to allow for certificate decryption.

Bonus Points:

  • [x] This changes a single value from 0 to 1

HexRav3n avatar Dec 30 '24 18:12 HexRav3n

Hey @HexRav3n , sorry for the massive delay! I've tried a few times to get pxethiefy working in my lab and finally got it. However, when I change that value from 0 to 1 in my lab, I get the following error:

[-] Provided password for encoded certificate (Encoded String:3082073E02...) is not correct.
[+] Completed execution in 00:00:00.2901970

Maybe this differs between versions of SCCM? I'm running 2309 in this particular lab.

Mayyhem avatar Apr 30 '25 18:04 Mayyhem

Hi @Mayyhem, I set up the code in a debugger and traced the variables as they get processed. For this instance of SCCM I'm not sure of the version, since it was in a client environment, but the mediaGUID is 36 characters long. There might be some different lengths between versions?

In Visual Studio these are the variables with the fix implemented, and this successfully decrypts the cert: szMediaGUIDCurlyBrackets.Substring(1, 31) [screenshot]. The cert password ready to decrypt the cert: [screenshot]

In this debugging session this is with the original code, and it does not decrypt the cert; you can see the extra curly brace and the missing b at the end: szMediaGUIDCurlyBrackets.Substring(0, 31) [screenshot]

HexRav3n avatar Apr 30 '25 21:04 HexRav3n

This is very strange -- here's what the debugger looks like when I implement your change:

[screenshot]

The exception occurs when the highlighted line with the breakpoint is executed. What's strange is that the encodedCertPassword should be correct here -- it's the value between the curly braces.

However, when the start index is 0, removing the trailing curly brace AND the final character -- there is no exception and the password is used to decrypt the cert successfully.

[screenshot]

Bizarre... I'll see if I can get PXE working in a lab that's been upgraded to the latest version and test again.

Mayyhem avatar May 01 '25 11:05 Mayyhem

I tried this with blurbdust's PXEThief PR/fork that has full Linux support for this technique (https://github.com/MWR-CyberSec/PXEThief/pull/11) and it also uses characters 0-31 (media GUID string minus the trailing curly brace AND last character) as the certificate password:

[+] Successfully decrypted media variables file with the provided password!
[!] Writing media variables to variables.xml
[!] Writing _SMSTSMediaPFX to PS1_{09821541-3BE2-421C-AA13-D1E0AD_SMSTSMediaPFX.pfx. Certificate password is {09821541-3BE2-421C-AA13-D1E0AD
[+] Identifying Management Point URL from media variables (Subsequent requests may fail if DNS does not resolve!)
[+] Management Point URL set to: http://SITE-SERVER.APERTURE.LOCAL
[+] Generating Client Authentication headers using PFX File...
[+] CCMClientID Signature Generated

Mayyhem avatar May 01 '25 12:05 Mayyhem
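To make the two conventions discussed in this thread concrete, here is an added Python sketch (not SharpSCCM or PXEThief code) that mirrors `szMediaGUIDCurlyBrackets.Substring(0, 31)` and `Substring(1, 31)` over a braced media GUID and reports which convention a tool's printed password matches. The sample GUID is constructed: the page only shows its first 30 characters, so the tail is made up.

```python
import re

# Constructed sample: the thread shows only "{09821541-3BE2-421C-AA13-D1E0AD",
# so the remaining six hex digits below are invented for illustration.
SAMPLE_MEDIA_GUID = "{09821541-3BE2-421C-AA13-D1E0AD123456}"

# Accept the GUID with or without surrounding curly brackets.
GUID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$"
)

# Both tools take 31 characters of the braced string; only the start differs.
PASSWORD_LEN = 31


def with_curly_brackets(media_guid: str) -> str:
    """Normalize to the 38-character braced form the C# variable name implies."""
    match = GUID_RE.match(media_guid.strip())
    if not match:
        raise ValueError("not a GUID: %r" % media_guid)
    return "{" + match.group(1) + "}"


def cert_password(media_guid: str, start: int) -> str:
    """Equivalent of szMediaGUIDCurlyBrackets.Substring(start, 31)."""
    braced = with_curly_brackets(media_guid)
    return braced[start:start + PASSWORD_LEN]


def candidate_passwords(media_guid: str) -> dict:
    """Both derivations side by side: original code (start 0) and the PR (start 1)."""
    return {
        "substring_0_31": cert_password(media_guid, 0),  # keeps "{", drops last char
        "substring_1_31": cert_password(media_guid, 1),  # drops "{", keeps last char
    }


def matching_convention(media_guid: str, observed_password: str):
    """Return which convention produced a password a tool printed, or None."""
    for name, candidate in candidate_passwords(media_guid).items():
        if candidate == observed_password:
            return name
    return None


if __name__ == "__main__":
    for name, pw in candidate_passwords(SAMPLE_MEDIA_GUID).items():
        print("%s: %s (%d chars)" % (name, pw, len(pw)))
```

Feeding it the password PXEThief printed above ("{09821541-3BE2-421C-AA13-D1E0AD") reports `substring_0_31`, i.e. the original start index.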

Hi @Mayyhem, I can't 100% confirm this, but it may be due to the type of media configured on the SCCM server, so the mediaGUID would be handled differently for one vs. the other. However, I would need to test this theory in my lab.

TsPxe.dll (PXE Boot Media) vs. TsMedia.dll (Removable Media/StandAlone)

Defcon Slides: https://web.archive.org/web/20230321065235/https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Christopher%20Panayi%20-%20Pulling%20Passwords%20out%20of%20Configuration%20Manager%20Practical%20Attacks%20against%20Microsofts%20Endpoint%20Management%20Software.pdf

StandAlone Media Creation: https://www.anoopcnair.com/sccm-configmgr-create-standalone-media/

HexRav3n avatar May 01 '25 16:05 HexRav3n

I'm standing up a new lab right now to mess with this in a vacuum. I'll let you know what I find! Thanks!

Mayyhem avatar May 01 '25 18:05 Mayyhem

Thank you!

HexRav3n avatar May 02 '25 15:05 HexRav3n