
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Exchange writeup


0x00 Intro

OSCP-style penetration test: doing it without tools such as C2 frameworks and MSF is not difficult.

0x01 Info

Tags: JDBC, Exchange, NTLM, Coerced Authentication, DCSync

0x02 Recon

Target external IP: 39.98.179.149. From the Nmap results, go straight to port 8000. I had already looked at port 80 earlier and found nothing that could be used directly. Port 8000 runs Huaxia ERP, which has many vulnerabilities, but the entry point had me stuck for a long time. Later I noticed JDBC, and after a Google search went straight to a fellow researcher's article.

Fastjson's high-version tricks - Bmth (bmth666.cn): http://www.bmth666.cn/bmth_blog/2022/10/19/Fastjson%E9%AB%98%E7%89%88%E6%9C%AC%E7%9A%84%E5%A5%87%E6%8A%80%E6%B7%AB%E5%B7%A7/#%E8%93%9D%E5%B8%BD%E6%9D%AF2022%E5%86%B3%E8%B5%9B-%E8%B5%8C%E6%80%AA

Construct the payload and configure MySQL_Fake_Server. Unauthorized access plus MySQL Connector JDBC deserialization, combined, gives direct RCE. After the RCE, flag01 is obtained directly.

0x03 Entry point: 172.22.3.12

An SMB scan of the intranet hosts shows the Exchange keyword (EXC01) at 172.22.3.9, so try that host. Hit Exchange directly with ProxyLogon to obtain SYSTEM privileges. flag02 (a short round of credential collection follows).

0x04 Entry point: 172.22.3.9

Fast forward: 1. the hash of the Exchange machine account has been collected; 2. at the same time, a domain account credential was collected: Zhangtong. The Exchange machine account hash came from the operation above. The Exchange machine account has WriteDACL permission on the domain object for the entire domain, so we use dacledit.py directly to add DCSync rights to Zhangtong (in fact you could also add DCSync to the machine account itself). DCSync then yields the hashes of the domain administrator and of the user Lumia; use them to enter 172.22.3.2 and get flag04.

0x05 Final: 172.22.3.26

There is a secret.zip in the Lumia user's folder on 172.22.3.26. PTH straight to Exchange and export all emails and attachments in Lumia's mailbox. item-0.eml hints that the password is a mobile phone number, and a CSV among the exported attachments is full of mobile phone numbers. Routine operation: convert the archive to a pkzip-format hash, run it against that list as the dictionary, and the password comes out. flag03.

0x06 Outro

After Exchange, the author's original intention was: 1. use NTLM relay to complete the DCSync escalation, i.e. obtain Exchange SYSTEM permissions and trigger WebDAV to relay to LDAP (if you are interested, see my previous article on spoofing); 2. log in to Exchange as the Lumia user (the author also wanted you to change the Lumia user's password, but I was lazy and used PTH directly). Original link: https://www.anquanke.com/post/id/286967
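From the defender's side, the DACL change plus DCSync in 0x04 is the step that leaves the clearest trace: the domain controller logs event 4662 with the replication extended rights in its Properties field. The check below is an added example, not part of the writeup or its tools; it assumes a constructed domain CORP and a DC account DC01$, and only the account names zhangtong and EXC01 come from the writeup.

```python
import re
# Well-known Active Directory extended-right GUIDs that a replication (DCSync) request asks for.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Constructed Security-log records (event 4662), reduced to the fields the check uses.
# Domain CORP and DC01$ are assumptions for this example; zhangtong and EXC01$ come from the writeup.
SAMPLE_EVENTS = [
    # Legitimate DC-to-DC replication by a domain controller account: no alert.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account that was granted the rights through a DACL change: alert.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "zhangtong",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # The Exchange machine account ends in "$" but is not a DC, so it must still alert.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "EXC01$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary 4662 on an unrelated attribute GUID: no replication right, no alert.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "zhangtong",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

def replication_rights_in(properties: str) -> set:
    """Return the replication-right GUIDs present in a 4662 Properties field."""
    return set(GUID_RE.findall(properties.lower())) & set(REPLICATION_RIGHTS)

def detect_dcsync(events, dc_accounts) -> list:
    """Flag 4662 events where a principal outside the explicit DC allowlist requested
    replication rights. An allowlist is used instead of a trailing "$" test so that a
    compromised non-DC machine account (such as Exchange's) is still caught."""
    dc_upper = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        hits = replication_rights_in(ev.get("Properties", ""))
        if not hits or ev["SubjectUserName"].upper() in dc_upper:
            continue
        who = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        alerts.append((who, sorted(REPLICATION_RIGHTS[g] for g in hits)))
    return alerts

if __name__ == "__main__":
    for who, rights in detect_dcsync(SAMPLE_EVENTS, {"DC01$"}):
        print(f"possible DCSync by {who}: {', '.join(rights)}")
```

Auditing of directory service access must be enabled on the DCs for 4662 to be written at all; the same allowlist idea applies when the rights are granted rather than used, which shows up as a 5136 DACL modification on the domain object.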
