Open onSec-fr opened 4 days ago
Hi @onSec-fr! Thanks for the issue; this has caused quite a stir over at the Bloodhound Gang Slack! 😂
We are busy looking into the full impact, but in the meantime to answer your questions:
Great find, by the way. And thank you for raising an issue for this!
Hi, thank you for your reply!
Indeed, it seems that this configuration is usual for MECM configured in PKI mode. I find it very dangerous, even if the PXE is password-protected. Anyway, my MECM assessment quickly turned into a full AD compromise :)
Hello,
During an engagement, I was surprised to find that the certificate retrieved by the tool from the SMSTSMediaPFX variable was the one of the PXE server, with its corresponding private key. In my case, the certificate is configured for both server and client authentication. So I used this pfx to request a TGT for the server machine account and I'm now SYSTEM on it.
Thanks for your feedback