Posts

Showing posts from January, 2019

Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv

Image
TL;DR: A new take on the recently released Exchange privilege escalation attack allowing for   remote usage without needing to drop files to disk, local admin rights, or knowing any passwords at all.   Any shell on a user account with a mailbox = domain admin.  I wrote a PowerShell implementation of PrivExchange that uses the credentials of the current user to authenticate to exchange.  Find it here:  https://github.com/G0ldenGunSec/PowerPriv   The Exchange attack that @_dirkjan released last week ( https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin ) provides an extremely quick path to full domain control on most networks, especially those on which we already have a device that we can run our tools on, such as during an internal network penetration test.   However, I saw a bit of a gap from the point of a more red-team focused attack scenario, in which we often wouldn’t have a box on the internal client network that w...

Popular posts from this blog

No Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DA

Executing Macros From a DOCX With Remote Template Injection

One Click to Compromise -- Fun With ClickOnce Deployment Manifests