PrivExchange: One Hop away from Domain Admin

Recently we were on an internal network pentest whose end goal was to compromise a Domain Admin account or become one ourselves. As usual, the customer placed us in the User VLAN, segregated from the Admin VLAN. We started with Responder to gather hashes or cleartext credentials off the wire. By the end of the day we had multiple hashes, which we cracked with Hashcat for use the following day. Most of the cracked credentials, however, belonged to users in Business, HR, Payroll, etc. (i.e. non-IT staff 😕), and the customer's infrastructure was mostly a patched Windows 10/2012/2016 mix.

So we decided to perform privilege escalation through the Microsoft Exchange setup, i.e. "PrivExchange" (kudos to Dirk-jan for the attack). PrivExchange abuses the Exchange Web Services PushSubscription feature to make the Exchange server authenticate with NTLM to an attacker-controlled host; because the Exchange Windows Permissions group holds WriteDACL on the domain object by default, relaying that authentication to LDAP on a Domain Controller lets the attacker grant any user the replication rights needed for DCSync. In our scenario we have already compromised a user's credentials, and we will escalate that user's privileges to perform a DCSync attack.

Required details to perform the attack:
Compromised username : victim-user (must have a mailbox)
Domain Controller :
Exchange Server :
Attacker Machine IP :
Domain Name :

Clone PrivExchange and Impacket from GitHub.

Step-1: Set up ntlmrelayx in relay mode with LDAP on the Domain Controller as the target and our compromised user as the user to escalate. It has to be listening before the next step, since the Exchange server will connect back to it.
Step-2: Run the privexchange.py script with our user's credentials against the Exchange server. Note: the PushSubscription API call response should report success; if it does not, check that the user has a mailbox and that EWS is reachable.

Step-3: After about one minute the Exchange server connects back to ntlmrelayx, which relays its NTLM authentication to the Domain Controller and adds the Replication-Get-Changes-All privilege to our supplied user.

Step-4: Now we perform the DCSync attack with our existing, now escalated, user and dump the domain's credential material.

Remediation :- Microsoft released a patch for this vulnerability (see the Reference section). Beyond patching Exchange, removing the Exchange Windows Permissions group's WriteDACL right on the domain object takes away the privilege the relay abuses, and requiring LDAP signing on Domain Controllers blocks the relayed NTLM authentication to LDAP as defence in depth.

Reference :-

Happy Hacking !!

