Harvesting the credentials of a domain user during a red team operation can lead to execution of arbitrary code, persistence and domain escalation. However, information stored in emails can be highly sensitive for an organisation, so threat actors may instead focus on exfiltrating data from mailboxes. This can be achieved either by adding a rule to the mailbox of a target user that forwards emails to an inbox the attacker controls, or by delegating access to the target mailbox to the attacker's own Exchange account.

Dustin Childs from the Zero Day Initiative discovered a vulnerability in Microsoft Exchange that could allow an attacker to impersonate a target account. It exists because, by design, Microsoft Exchange allows any user to specify a URL for a push subscription, and Exchange will send notifications to that URL. An NTLM hash is leaked in the process and can be used to authenticate with Exchange Web Services via NTLM relay. The technical details of the vulnerability are covered in the Zero Day Initiative blog.

Email Forwarding

Accessing the compromised account through the Outlook Web Access (OWA) portal and selecting the permissions of the Inbox folder will open a new window containing the permissions of the mailbox.

[Figure: Inbox Permissions]

The target account should be added with permissions over the mailbox. This is required in order to retrieve the SID (Security Identifier) of the account.

[Figure: Add Permissions for the Target Account]

Opening the Network console in the browser and browsing a mailbox folder will generate a request that will be sent to the Microsoft Exchange server.

[Figure: POST Request to Microsoft Exchange]

Examining the HTTP response to that request will reveal the SID of the Administrator account.

[Figure: Administrator SID]

The implementation of this attack requires two Python scripts from the Zero Day Initiative GitHub repository. The serverHTTP_relayNTLM.py script requires the SID of the Administrator retrieved above, the IP address of the Exchange server with the target port, and the email account that has been compromised and is under the control of the red team.

[Figure: Configuration of the serverHTTP_relayNTLM script]

Once the script has the correct values it can be executed in order to start a relay server.

 python serverHTTP_relayNTLM.py 
[Figure: Relay Server]

The Exch_EWS_pushSubscribe.py script requires the domain credentials and domain of the compromised account, and the IP address of the relay server.

[Figure: Push Subscribe Script Configuration]

Executing the Python script will attempt to send the pushSubscribe requests to the Exchange server via EWS (Exchange Web Services).

 python Exch_EWS_pushSubscribe.py 
[Figure: pushSubscribe Python script]
[Figure: Exchange Response]
[Figure: XML Response]

The NTLM hash of the Administrator will be relayed back to the Microsoft Exchange server.

[Figure: Relay Administrator NTLM]
[Figure: Relay Administrator NTLM to Exchange]

Emails that are sent to the mailbox of the target account (Administrator) will be forwarded automatically to the mailbox under the control of the red team.

[Figure: Email to target account]

The email will be forwarded to the inbox of the account that the red team controls.

[Figure: Email forwarded automatically]

A rule has been created in the target account, by using NTLM relay to authenticate to Exchange, that forwards all email messages to another inbox. This can be validated by checking the Inbox rules of the target account.

[Figure: Rule – Forward Admin Emails]
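From the defender's side, the artefact this section leaves behind is an inbox rule (or mailbox-level forwarding) that sends a copy of every message elsewhere, and it is visible to an Exchange administrator regardless of how it was created. The following Exchange Management Shell audit is an added example and is not part of the original post or of the Zero Day Initiative scripts. It uses the standard Get-Mailbox and Get-InboxRule cmdlets and their documented properties; the CSV output path is an assumption.

```powershell
# Added example (not from the original post): report every mailbox that forwards or
# redirects mail, whether through an inbox rule or through mailbox-level forwarding.
# Run from the Exchange Management Shell or a remote PowerShell session to Exchange.

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {

    # Mailbox-level forwarding (set via Set-Mailbox / EWS / the admin center)
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Source   = 'MailboxForwarding'
            RuleName = $null
            Target   = "$($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)".Trim()
            Enabled  = $true
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }

    # Inbox rules: the kind of rule the relayed EWS request in the post creates.
    # -ErrorAction SilentlyContinue skips mailboxes whose rules cannot be read.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                     Where-Object { $_ })
        if ($targets.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Source   = 'InboxRule'
                RuleName = $rule.Name
                Target   = ($targets -join '; ')
                Enabled  = $rule.Enabled
                KeepCopy = $null
            }
        }
    }
}

# Review on screen, then keep a copy to diff against on the next run
$report | Sort-Object Mailbox | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\Temp\forwarding-report.csv' -NoTypeInformation   # path is an assumption
```

Running this on a schedule and diffing the CSV against the previous run turns a one-off check into a detection: a new row for a privileged mailbox, particularly one whose target is an address outside the organisation, is the signal that the rule shown in the figure above would have produced.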

Delegate Access

Microsoft Exchange users can connect their account (Outlook or OWA) to other mailboxes (delegate access) if they have the necessary permissions assigned. Attempting to directly open the mailbox of another account without permissions will produce the following error.

[Figure: Open Another Mailbox – No Permissions]

There is a Python script that exploits the same vulnerability but, instead of adding a forwarding rule, assigns the compromised account permissions to access any mailbox in the domain, including the domain administrator's. The script requires valid credentials, the IP address of the Exchange server and the target email account.

[Figure: Script Configuration]

Executing the Python script will attempt to perform the elevation.

 python2 CVE-2018-881.py 
[Figure: Privilege Escalation Script]

Once the script has finished, a message will appear informing the user that the mailbox of the target account can now be displayed via Outlook or the Outlook Web Access portal.

[Figure: Privilege Escalation Script – Delegation Complete]

Authentication with Outlook Web Access is needed in order to be able to view the delegated mailbox.

[Figure: Outlook Web Access Authentication]

Outlook Web Access has a function that allows an Exchange user to open the mailbox of another account if they have the necessary permissions.

[Figure: Open Another Mailbox]

The following window will appear on the screen.

[Figure: Open Another Mailbox Window]

The mailbox of the Administrator will open in another tab to confirm the elevation of privileges.

[Figure: Administrator Mailbox]
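The delegation shown in this section is a mailbox permission entry on the Administrator mailbox, and it persists until an administrator removes it. The following audit is an added example, not part of the original post or of the script it describes: it lists explicit (non-inherited) mailbox permissions and Inbox folder permissions granted to users other than the mailbox owner, which is where a delegation obtained this way would appear. It uses the standard Get-MailboxPermission and Get-MailboxFolderPermission cmdlets; the "Inbox" folder name assumes English-language mailboxes, and the CSV path is an assumption.

```powershell
# Added example (not from the original post): find mailboxes that other accounts have
# been granted access to, at the mailbox level and at the Inbox folder level.
# Run from the Exchange Management Shell or a remote PowerShell session to Exchange.

$delegations = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {

    # Mailbox-level rights (FullAccess etc.). Inherited entries come from the
    # database/organization defaults; explicit ones were added deliberately or by an attacker.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            "$($_.User)" -ne 'NT AUTHORITY\SELF'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox      = $mbx.PrimarySmtpAddress
                Scope        = 'Mailbox'
                User         = "$($_.User)"
                AccessRights = ($_.AccessRights -join ',')
            }
        }

    # Inbox folder rights (Reviewer, Editor, Owner ...). Default and Anonymous are the
    # built-in entries present on every folder; anything else is a specific grant.
    # Folder name 'Inbox' assumes an English-language mailbox.
    Get-MailboxFolderPermission -Identity "$($mbx.Alias):\Inbox" -ErrorAction SilentlyContinue |
        Where-Object { "$($_.User)" -notin @('Default', 'Anonymous') } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox      = $mbx.PrimarySmtpAddress
                Scope        = 'InboxFolder'
                User         = "$($_.User)"
                AccessRights = ($_.AccessRights -join ',')
            }
        }
}

# Flag grants on privileged mailboxes first; 'Administrator' matches the account in the post,
# extend the list with your own high-value mailboxes.
$privileged = @('Administrator')
$delegations |
    Sort-Object @{ Expression = { $privileged -contains $_.Mailbox.ToString().Split('@')[0] }; Descending = $true }, Mailbox |
    Format-Table -AutoSize

$delegations | Export-Csv -Path 'C:\Temp\mailbox-delegations.csv' -NoTypeInformation   # path is an assumption
```

As with the forwarding audit, the value comes from comparing successive runs: a FullAccess entry that appears on the Administrator mailbox for an ordinary user account, with no corresponding change request, is exactly what the "Delegation Complete" step above produces.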
