[BUG] An exception occurred while trying to decrypt policy response #39
Comments
Unfortunately, I have the same problem :(
Hey, sorry for the massive delay, but I finally have time to work on this next week and have the same issue in one of my labs, so I think I should be able to figure it out.
Thank you, @Mayyhem. Much appreciated. In my case, the local commands worked perfectly, which allowed me to extract the NAA account, which has local admin privileges on the SCCM main box :) Not sure how much different info I would get from 'get secrets', but it would be great to check. Thanks again for the great tool!
Eyyyy that's awesome to hear it worked well for you and you were able to get on the site server @0xElessar, thanks for sharing! It's very likely the info would be the same from
Also it's absolute madness how many reports I get on that account having SCCM admin privs... it's like mailing your house keys to everyone in your city.
Fantastic. Thank you. Great to know!
Just wanted to post an update. I see this issue in my lab running ConfigMgr 2303 on one system but not others and don't see it at all in another lab running 2309. I have not been able to identify the root cause and resolve it yet, but I will keep you posted.
I think the issue may be fixed in https://github.com/Mayyhem/SharpSCCM/tree/2.0.4, so check that out if you need a quick fix, but I need to do further testing before merging into main. I think maybe in some cases the same certificate can be used for signing and encryption and in some cases it can't.
Thank you, @Mayyhem. I will check that as soon as possible. UPDATE: unfortunately, the new version kills my beacon for some reason (Event Viewer reports an unhandled exception in decompressXMLNodes). Running through a beacon is the only way for me to check.
@0xElessar Thanks for checking it out! I'll run it through beacon next chance I have and see if I can reproduce and fix the issue you're seeing. Really appreciate you putting an extra pair of eyes on this!
My pleasure @Mayyhem. To be honest, I don't think this is a beacon fault. I used Brute Ratel C2 in this case. But I am suspecting the SCCM config on the customer site is unusual/old, which triggers the exception in the decompressXMLNodes function/method. This exception was clearly logged in the Application Event Log. If you don't mind checking the exception handler in this function, that would be great :) Thank you for the tool, again! Extremely helpful.
@0xElessar does running SharpSCCM with the Another idea I have is to compile the version of SharpSCCM just before Carsten implemented the built-in NAA decryption (where DecompressXMLNodes was introduced) to see if there are issues (https://github.com/Mayyhem/SharpSCCM/blob/54aaccdfeeca92b5264f2c1fc244c9368fdfd040/lib/MgmtPointMessaging.cs). Recovered credentials can be deobfuscated using https://github.com/Mayyhem/SharpSCCM/tree/main/DeobfuscateSecretString.
I will take a look at implementing better exception handling as well, although I'm not sure how to get the output needed to fix the issue before the agent crashes. I could probably create a branch that just dumps the XML and skips the rest of the function so we can see if it's compressed in some unexpected way? If we can get the XML that decompression fails on, I should be able to debug more thoroughly on my end.
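The fail-safe decode-and-dump approach discussed in the comments above, written out as an added example for this page. It is not SharpSCCM code and does not mirror the project's MgmtPointMessaging.cs; the class and method names (PolicyResponseDecryptor, TryDecrypt, DumpRaw) and the dump path are assumptions. It assumes the caller already holds the policy response as raw bytes and the client certificate with its private key. The point it illustrates is the one that matters when a .NET tool runs in-process in a C2 agent (execute-assembly or similar): an unhandled exception in the tool terminates the host process, so the risky calls (EnvelopedCms.Decode, EnvelopedCms.Decrypt) are caught, the raw bytes are written to disk for offline inspection, and the recipient identifiers in the envelope are printed next to the certificate being used so a signing/encryption certificate mismatch is visible in the output.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// Added example for this page, not SharpSCCM code. Names below are assumptions.
public static class PolicyResponseDecryptor
{
    // Returns the decrypted content, or null if decoding or decryption fails.
    // On failure the raw response is written to dumpPath so its ASN.1 layout can
    // be examined offline (e.g. openssl asn1parse -inform DER -in policy.bin).
    public static byte[] TryDecrypt(byte[] envelopedBytes, X509Certificate2 decryptionCert, string dumpPath)
    {
        // Cheap sanity check: a DER-encoded PKCS#7 ContentInfo starts with a
        // SEQUENCE tag (0x30). Anything else (an HTTP error body, plaintext XML)
        // will fail in Decode with an ASN.1 error, so report it up front.
        if (envelopedBytes == null || envelopedBytes.Length == 0 || envelopedBytes[0] != 0x30)
        {
            Console.WriteLine("[!] Response does not look like DER PKCS#7 (first byte != 0x30)");
            DumpRaw(envelopedBytes ?? new byte[0], dumpPath);
            return null;
        }

        var cms = new EnvelopedCms();
        try
        {
            cms.Decode(envelopedBytes);
        }
        catch (CryptographicException ex)
        {
            // This is the failure mode reported in the issue (ASN.1 error in Decode).
            Console.WriteLine("[!] EnvelopedCms.Decode failed: " + ex.Message);
            DumpRaw(envelopedBytes, dumpPath);
            return null;
        }

        // Show who the envelope was encrypted for next to the certificate we hold.
        // A mismatch here explains the "same cert for signing and encryption" cases.
        foreach (RecipientInfo ri in cms.RecipientInfos)
        {
            Console.WriteLine("[*] Envelope recipient: " + ri.RecipientIdentifier.Type + " = " + ri.RecipientIdentifier.Value);
        }
        Console.WriteLine("[*] Decryption cert: Subject=" + decryptionCert.Subject +
                          " Serial=" + decryptionCert.SerialNumber +
                          " HasPrivateKey=" + decryptionCert.HasPrivateKey);

        try
        {
            cms.Decrypt(new X509Certificate2Collection(decryptionCert));
            return cms.ContentInfo.Content;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("[!] EnvelopedCms.Decrypt failed: " + ex.Message);
            DumpRaw(envelopedBytes, dumpPath);
            return null;
        }
    }

    private static void DumpRaw(byte[] data, string path)
    {
        File.WriteAllBytes(path, data);
        Console.WriteLine("[*] Wrote " + data.Length + " raw bytes to " + path);
    }
}
```

Only CryptographicException is caught here because that is what Decode and Decrypt throw for malformed input and key problems; a tool that must never kill its host agent should additionally wrap its entry point in a catch-all so that no other exception type (including one raised later in decompression) propagates out of the assembly. The dump file is written to disk, so on an engagement where dropping artifacts is a concern, base64-encoding the bytes to stdout is the quieter alternative.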
@Mayyhem, I really appreciate your effort here. Big thank you! I will come back to that environment in a few weeks and will definitely run more tests. For now, I don't have access unfortunately. I think SharpSCCM crashes first, because I could find the application crash in the Event Log (with references to decompressXMLNodes). I will definitely use the --debug option next time I run it. EDR is running there, so dropping the binary will be challenging and require additional time to implement some obfuscation. :/
As long as stealth isn't a huge issue, I could write a stub that only includes the code necessary to request and dump the XML pretty quickly, which would be unlikely to trigger default EDR detections. When you're back in the environment, please let me know and I'd be happy to troubleshoot further if you have the time. I'm also available as Mayyhem on the BloodHoundGang Slack if you want to chat in real time. Thanks for all your help!
Thank you, @Mayyhem. Much appreciated. I will do that :)
Merge version 2.0.4 to address Issue #39
I tested this in two labs today and a colleague's testing was successful as well, so I merged this fix into main in PR #48. Thanks again for the report! |
**Describe the bug**
Hi,
I get an error when running get secrets. It seems the server response is invalid (pkcs7EnvelopedCms.Decode raises an ASN.1-related issue).
**SharpSCCM version**
Last version compiled with VS Version 17.4.4.
**Management point server specs (please complete the following information):**
**Client specs (please complete the following information):**
**Additional context**