"Password provided for encoded certificate is not correct"

[7MinSec]

Hello!

On a recent pentest I ran pxethiefy and got:

[+] Blank password on PXE media file found!
[*] Attempting to decrypt it...
[+] Media variables file to decrypt: blah.{blah}.boot.var
[+] Password bytes provided: BIGSTRING
[+] Successfully decrypted media variables file with the provided password!

It went on to give me the string SharpSCCM should need to get secrets, but when I ran that in the environment I got:

 _______ _     _ _______  ______  _____  _______ _______ _______ _______
  |______ |_____| |_____| |_____/ |_____] |______ |       |       |  |  |
  ______| |     | |     | |    \_ |       ______| |______ |______ |  |  |    @_Mayyhem

[-] Provided password for encoded certificate (Encoded String:xxxxxxx...) is not correct.
[+] Completed execution in 00:00:00.2791522

(xxxxxxx is the value of the long '-c` string).

Could you help troubleshoot this?

[Mayyhem]

Hey @7MinSec , I'm sorry for missing your open issue before! I'd be happy to help troubleshoot. This could be difficult without access to the environment you're assessing, so a conversation in the BloodHound Slack might be easiest so we can check a few things. Could you please hit me up there? My handle is Mayyhem. https://ghst.ly/BHSlack

[Mayyhem]

This PR may address this issue in some versions of SCCM: https://github.com/Mayyhem/SharpSCCM/pull/59

An alternative solution is to use this PXEThief PR that can also fetch policies from management points (full Linux support): https://github.com/MWR-CyberSec/PXEThief/pull/11

If operating through a SOCKS proxy, try Cred1Py: https://github.com/SpecterOps/cred1py

[l33tluigi]

I also encountered this but submitted the issue on the pxethiefy repo back in Nov https://github.com/csandker/pxethiefy/issues/6