
Got pfx from server with client auth #8

Open
onSec-fr opened this issue Sep 23, 2024 · 5 comments

Comments

@onSec-fr

Hello,

During an engagement, I was surprised to find that the certificate retrieved by the tool from the SMSTSMediaPFX variable was the one of the PXE server, with its corresponding private key. In my case, the certificate is configured for both server and client authentication.
So I used this pfx to request a TGT for the server machine account and I'm now SYSTEM on it.

  • Have you encountered this before?
  • Is it normal for the recovered certificate to contain the private key?
  • Is it the default configuration for the certificate to allow client authentication?

Thanks for your feedback

@chrispanayi
Collaborator

Hi @onSec-fr! Thanks for the issue; this has caused quite a stir over at the Bloodhound Gang Slack! 😂

We are busy looking into the full impact, but in the meantime to answer your questions:
1. In a lab environment, no. But this is because most SCCM labs don't get set up with AD CS. In production, the majority of environments that I have seen were also running over HTTP (hence PXEThief's incomplete implementation of TLS comms), but nowadays, I think you would see a proper mutual TLS setup much more regularly.
2. Yes. In fact, it is necessary. You cannot auth to the DP or MP without the private key for the cert, which is what lets you sign the authentication headers for the HTTP traffic.
3. This is the golden question! I didn't think so in the past, but see point 1. In mTLS setups, it very well might be, based on some of the MS documentation we are going through. Watch this space :D

Great find, by the way. And thank you for raising an issue for this!
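The two properties discussed above (is the private key present, and does the EKU set permit client authentication) are easy to check directly on a PFX. The following is an added example for triage and hardening reviews, not code from PXEThief or from anyone in this thread; the file path and password are placeholders, and the function name `Get-PfxAuthCapabilities` is my own. It reads the PFX with an ephemeral key set so the private key is not imported into a persistent key container (this flag needs .NET Framework 4.7.2 or later, or PowerShell 7).

```powershell
# Added example (not part of PXEThief): summarise what a recovered PFX actually grants.
function Get-PfxAuthCapabilities {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [string] $Password = ''
    )

    # EphemeralKeySet keeps the private key in memory only while we inspect the file.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password, $flags)

    # Well-known Extended Key Usage OIDs (RFC 5280, section 4.2.1.12).
    $knownEkus = @{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    }

    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Subject Alternative Name (OID 2.5.29.17) tells you which host identity the cert asserts.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        SubjectAltName = $san
        HasPrivateKey  = $cert.HasPrivateKey
        ServerAuth     = ($ekus -contains '1.3.6.1.5.5.7.3.1')
        ClientAuth     = ($ekus -contains '1.3.6.1.5.5.7.3.2')
        # A certificate with no EKU extension at all is valid for any purpose, client auth included.
        AnyPurpose     = (-not $ekuExt)
        OtherEkus      = @($ekus | Where-Object { -not $knownEkus.ContainsKey($_) })
    }
}

# Placeholder path and password; substitute the media PFX under review.
$result = Get-PfxAuthCapabilities -PfxPath '.\SMSTSMediaPFX.pfx' -Password 'PLACEHOLDER'
$result | Format-List

if ($result.HasPrivateKey -and ($result.ClientAuth -or $result.AnyPurpose)) {
    Write-Warning ("This PFX is a usable client-authentication credential for '{0}'. " +
                   "Treat the boot media as a secret for that identity and review the issuing template.") -f $result.Subject
}
```

The warning condition is the one this thread is about: a private key plus a Client Authentication EKU (or no EKU constraint) on a certificate whose Subject/SAN names the PXE server means the media itself authenticates as that server. The remediation angle is on the template side: the certificate the distribution point embeds in boot media should be issued from a template scoped to the purposes the DP/MP traffic actually needs, and media passwords should not be relied on as the only control.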

@onSec-fr
Author

onSec-fr commented Sep 27, 2024

Hi, thank you for your reply!

Indeed, it seems that this configuration is usual for MECM configured in PKI mode.
I find it very dangerous, even if the PXE is password-protected.
Anyway, my MECM assessment quickly turned into a full AD compromise :)

Edit: @chrispanayi how can I join this Slack channel? I'd love to exchange ideas on these subjects :)

@Mayyhem

Mayyhem commented Sep 30, 2024

@onSec-fr you can use this link -- https://ghst.ly/BHSlack

Search for the #sccm channel once you're in there and this thread -- https://bloodhoundhq.slack.com/archives/C03N78QCRKJ/p1727407568588989

@onSec-fr
Author

@onSec-fr you can use this link -- https://ghst.ly/BHSlack

Search for the #sccm channel once you're in there and this thread -- https://bloodhoundhq.slack.com/archives/C03N78QCRKJ/p1727407568588989

The link doesn't work for me!

@Mayyhem

Mayyhem commented Oct 8, 2024
