MWR-CyberSec / PXEThief

PXEThief is a set of tooling that can extract passwords from the Operating System Deployment functionality in Microsoft Endpoint Configuration Manager
GNU General Public License v3.0

Got pfx from server with client auth #8

Open onSec-fr opened 4 days ago

onSec-fr commented 4 days ago

Hello,

During an engagement, I was surprised to find that the certificate retrieved by the tool from the SMSTSMediaPFX variable was the one of the PXE server, with its corresponding private key. In my case, the certificate is configured for both server and client authentication. So I used this pfx to request a TGT for the server machine account and I'm now SYSTEM on it.

Thanks for your feedback
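The triage a practitioner would want to run on the PFX that PXEThief recovers from SMSTSMediaPFX, as an added example (Python with the `cryptography` library, not PXEThief's own code): does the PFX carry the private key, does the certificate's Extended Key Usage include Client Authentication alongside Server Authentication, and which hostname does it name. Together those decide whether the certificate is a PKINIT candidate for the PXE server's machine account, which is the abuse path described above. The hostname `pxe01.corp.example`, the password and the self-signed sample PFX are constructed stand-ins built inside the script, not data from an SCCM or AD CS deployment.

```python
# Added example, not PXEThief code: triage a PFX extracted from the
# SMSTSMediaPFX task-sequence variable for PKINIT abuse potential.
import datetime
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def inspect_pfx(pfx_bytes: bytes, password: Optional[bytes]) -> dict:
    """Return what matters for a PKINIT attempt: private key present,
    Client Authentication EKU present, and the identity the cert names."""
    key, cert, _chain = pkcs12.load_key_and_certificates(pfx_bytes, password)
    if cert is None:
        raise ValueError("PFX contains no end-entity certificate")

    try:
        ekus = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        ekus = set()
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns_names = list(san.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        dns_names = []

    cn = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    client_auth = ExtendedKeyUsageOID.CLIENT_AUTH in ekus
    return {
        "subject_cn": cn[0] if cn else None,
        "dns_names": dns_names,
        "has_private_key": key is not None,
        "client_auth": client_auth,
        "server_auth": ExtendedKeyUsageOID.SERVER_AUTH in ekus,
        # A key plus Client Authentication is what a PKINIT TGT request needs.
        "pkinit_candidate": key is not None and client_auth,
    }


def build_sample_pfx(hostname: str, client_auth: bool, server_auth: bool,
                     password: bytes) -> bytes:
    """Constructed test data: a self-signed cert standing in for a PXE/DP
    server certificate. A real one would be issued by the site's AD CS CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    ekus = []
    if server_auth:
        ekus.append(ExtendedKeyUsageOID.SERVER_AUTH)
    if client_auth:
        ekus.append(ExtendedKeyUsageOID.CLIENT_AUTH)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        name=b"smsts-media", key=key, cert=cert, cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


if __name__ == "__main__":
    # Constructed stand-in for the PFX and password PXEThief recovers.
    PASSWORD = b"constructed-media-password"
    sample = build_sample_pfx("pxe01.corp.example", client_auth=True,
                              server_auth=True, password=PASSWORD)
    info = inspect_pfx(sample, PASSWORD)
    for k, v in info.items():
        print(f"{k}: {v}")
    if info["pkinit_candidate"]:
        print("-> cert + key usable for PKINIT as", info["dns_names"] or info["subject_cn"])
```

With a real PFX, read the file bytes and pass the media password PXEThief recovered. If `pkinit_candidate` is true, the TGT request the report describes is done with a PKINIT-capable tool outside this project, such as Certipy (`certipy auth -pfx <file>`) or PKINITtools; a PFX whose certificate has only Server Authentication gives you the DP/MP client signing described in the next comment but not a Kerberos identity.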

chrispanayi commented 19 hours ago

Hi @onSec-fr! Thanks for the issue; this has caused quite a stir over at the Bloodhound Gang Slack! 😂

We are busy looking into the full impact, but in the meantime to answer your questions:

  1. In a lab environment, no. But this is because most SCCM labs don't get set up with AD CS. In production, the majority of environments that I have seen were also running over HTTP (hence PXEThief's incomplete implementation of TLS comms), but nowadays, I think you would see a proper mutual TLS setup much more regularly
  2. Yes. In fact, it is necessary. You cannot auth to the DP, or MP without the private key for the cert, which is what lets you sign the authentication headers for the HTTP traffic.
  3. This is the golden question! I didn't think so in the past, but see point 1. In mTLS setups, it very well might be, based on some of the MS documentation we are going through. Watch this space :D

Great find, by the way. And thank you for raising an issue for this!

onSec-fr commented 18 hours ago

Hi, thank you for your reply!

Indeed, it seems that this configuration is usual for MECM configured in PKI mode. I find it very dangerous, even if the PXE is password-protected. Anyway, my MECM assessment quickly turned into a full AD compromise :)