PrivExchange : One Hop away from Domain Admin

Recently we were on an internal network pentest whose end goal was to demonstrate compromise of a Domain Admin account, or to become one. As usual, the customer placed us in the user VLAN, segregated from the admin VLAN. We started with Responder to gather hashes or cleartext credentials over the wire. By the end of the day we had multiple hashes, which we cracked with Hashcat for use the following day. But most of the cracked credentials belonged to users in Business, HR, Payroll, etc. (i.e. non-IT staff 😕), and the customer infrastructure was mostly a mix of Windows 10/2012/2016, and patched too.

So we decided to perform privilege escalation against the Microsoft Exchange setup, i.e. "PrivExchange" (kudos to Dirk-jan for the attack). In our scenario we have compromised user credentials, and we escalate the privileges of a sample compromised user to perform a DCSync attack.
Required details to perform the attack
Compromised username: victim-user (should have a mailbox created)
