AdminService API

Theory

With SCCM administrative rights, it is possible to interact directly with the AdminService API, without going through CMPivot, for post-exploitation purposes against the SCCM hierarchy.

Prior to Configuration Manager version 2509, the AdminService API was vulnerable to NTLM relay attacks, allowing attackers to take over the SCCM hierarchy by relaying coerced NTLM authentication from site servers to remote SMS Providers. This vulnerability has been patched in version 2509, which now rejects NTLM authentication attempts. For more details, see TAKEOVER-5 and Microsoft's update notes.

For additional attack techniques and defense strategies related to AdminService API abuse in SCCM, refer to the techniques from the Misconfiguration-Manager repository linked in the Resources section below.

Practice

From UNIX-like systems, sccmhunter (Python) can be used for this purpose.

```bash
sccmhunter.py admin -u "$USER" -p "$PASSWORD" -ip "site_server_IP"
```

Then, the help command can be typed in the opened shell to view all the CMPivot commands handled by sccmhunter.

```
() C:\ >> help

Documented commands (use 'help -v' for verbose/'help <topic>' for details):

Database Commands
=================
get_collection get_device get_lastlogon get_puser get_user

Interface Commands
==================
exit interact

PostEx Commands
===============
add_admin backdoor backup delete_admin restore script

Situational Awareness Commands
==============================
administrators console_users ipconfig osinfo sessions
cat disk list_disk ps shares
cd environment ls services software
```
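As an added example (not code from the original page or from sccmhunter), the same AdminService endpoint can be queried directly to audit who holds Full Administrator rights in the hierarchy, which is exactly the trace a post-exploitation `add_admin` leaves behind. The endpoint path `/AdminService/wmi/SMS_Admin`, the SMS_Admin field names, the `example.local` provider name and the sample response are assumptions constructed for this example.

```python
"""Audit SCCM administrators through the AdminService REST API (added example).

Assumptions (not from the page): the SMS Provider exposes
https://<provider>/AdminService/wmi/SMS_Admin, answers in OData JSON with a
"value" array, and the caller is already an SCCM administrator whose Kerberos
ticket is accepted (NTLM is rejected from Configuration Manager 2509 onward).
"""
import json
from typing import Iterable

FULL_ADMIN = "Full Administrator"

# Constructed sample of what the endpoint returns (field names follow the
# SMS_Admin WMI class; principals and values are made up for this example).
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": "https://sccm-provider.example.local/AdminService/wmi/$metadata#SMS_Admin",
    "value": [
        {"LogonName": "CORP\\SCCM Admins", "IsGroup": True, "RoleNames": ["Full Administrator"],
         "CollectionNames": ["All Systems", "All Users and User Groups"],
         "CreatedBy": "CORP\\setup", "LastModifiedBy": "CORP\\setup"},
        {"LogonName": "CORP\\jdoe", "IsGroup": False, "RoleNames": ["Read-only Analyst"],
         "CollectionNames": ["All Systems"], "CreatedBy": "CORP\\setup", "LastModifiedBy": "CORP\\setup"},
        {"LogonName": "CORP\\svc-backup", "IsGroup": False, "RoleNames": ["Full Administrator"],
         "CollectionNames": ["All Systems"], "CreatedBy": "CORP\\svc-sql", "LastModifiedBy": "CORP\\svc-sql"},
    ],
})

def parse_admins(body: str) -> list[dict]:
    """Extract the admin records from an AdminService OData response body."""
    return json.loads(body).get("value", [])

def unexpected_full_admins(admins: Iterable[dict], expected: set[str]) -> list[str]:
    """Return Full Administrator principals that are not on the allow-list.
    A non-group Full Administrator nobody expects is what a post-exploitation
    add_admin leaves behind, so each hit deserves a review of CreatedBy."""
    return sorted(
        a["LogonName"] for a in admins
        if FULL_ADMIN in a.get("RoleNames", []) and a["LogonName"] not in expected
    )

def fetch_admins(provider: str, auth) -> list[dict]:
    """Query the live endpoint; 'auth' is e.g. requests_kerberos.HTTPKerberosAuth()."""
    import requests  # imported lazily so the parsing code runs without it
    resp = requests.get(f"https://{provider}/AdminService/wmi/SMS_Admin", auth=auth, timeout=30)
    resp.raise_for_status()
    return parse_admins(resp.text)

if __name__ == "__main__":
    for name in unexpected_full_admins(parse_admins(SAMPLE_RESPONSE), {"CORP\\SCCM Admins"}):
        print(f"review: {name} holds Full Administrator")  # prints the svc-backup account
```

Against a live SMS Provider, call `fetch_admins("sccm-provider.example.local", HTTPKerberosAuth())` in place of the constructed sample and compare the result with the allow-list kept for the site.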

Resources

https://learn.microsoft.com/fr-fr/mem/configmgr/core/servers/manage/cmpivot

https://github.com/subat0mik/Misconfiguration-Manager/tree/main/attack-techniques/RECON

https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-7/cred-7_description.md