Automating Exchange Setup for a Range

Rich
4 min readFeb 12, 2025


TL;DR how to automate Exchange deployment and mailbox configuration for a range.

Background

I had been meaning to try out automating Exchange deployment and figure out a way to work it into the escalation path in Mishky’s AD Range. The range already covers Name Poisoning, Kerberoasting, scraping share drives for interesting information, DACL abuse in both NTFS and AD, credential dumping from multiple different places in Windows, PTH, forging tickets, moving across forests, enumeration & abuse of MSSQL and AD CS, etc.

However it kinda bothered me that the only services in the range are AD DS itself, a share drive, MSSQL, and AD CS. Therefore I wanted to eventually work Exchange and maybe an IIS server into it. Since the range’s setup is automated this means Exchange’s deployment and configuration must also be automated. We can’t simply use the GUI.

Automating Exchange Deployment

I Googled around and found Ali Tajran’s extremely helpful blog here. It goes very in depth on deploying and configuring Exchange. Ali showed an incomplete command to deploy Exchange, but Google and trial and error filled in the rest. The most useful part of his blog post is that he listed all the pre-reqs required for Exchange. I simply used Google and figured out how to install the pre-reqs with PowerShell.
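As an added example (not the author's Install-Exchange.ps1 and not Ali Tajran's code), the following PowerShell installs the Windows roles and features Microsoft lists as Exchange 2019 Mailbox-role prerequisites and then runs an unattended Setup.exe in the three stages a brand-new forest needs (schema, AD, install). The extracted-ISO path and the organization name are assumptions, and the downloadable prerequisites (Visual C++ runtimes, IIS URL Rewrite, UCMA) are not covered here.

```powershell
# Added example: unattended Exchange 2019 prerequisite + setup run on a domain-joined
# Windows Server. Not the range's own script; paths and org name are assumptions.
param(
    [string]$ExchangeRoot = 'C:\ExchangeSetup',   # assumption: folder holding the extracted ISO
    [string]$OrganizationName = 'ResearchLab'     # assumption: hypothetical Exchange org name
)

# Windows features Microsoft documents for an Exchange 2019 Mailbox server (Server 2019)
$Features = @(
    'Server-Media-Foundation','NET-Framework-45-Features','RPC-over-HTTP-proxy',
    'RSAT-Clustering','RSAT-Clustering-CmdInterface','RSAT-Clustering-Mgmt',
    'RSAT-Clustering-PowerShell','WAS-Process-Model','Web-Asp-Net45','Web-Basic-Auth',
    'Web-Client-Auth','Web-Digest-Auth','Web-Dir-Browsing','Web-Dyn-Compression',
    'Web-Http-Errors','Web-Http-Logging','Web-Http-Redirect','Web-Http-Tracing',
    'Web-ISAPI-Ext','Web-ISAPI-Filter','Web-Lgcy-Mgmt-Console','Web-Metabase',
    'Web-Mgmt-Console','Web-Mgmt-Service','Web-Net-Ext45','Web-Request-Monitor',
    'Web-Server','Web-Stat-Compression','Web-Static-Content','Web-Windows-Auth',
    'Web-WMI','Windows-Identity-Foundation','RSAT-ADDS'
)

# Only install what is missing so the script can be rerun after a reboot
$Missing = Get-WindowsFeature -Name $Features | Where-Object { -not $_.Installed }
if ($Missing) {
    $Result = Install-WindowsFeature -Name $Missing.Name
    if ($Result.RestartNeeded -eq 'Yes') {
        throw 'Reboot required before Exchange setup; rerun this script afterwards.'
    }
}

$Setup = Join-Path $ExchangeRoot 'Setup.exe'
if (-not (Test-Path $Setup)) { throw "Setup.exe not found under $ExchangeRoot" }

# The license-terms switch below is the Exchange 2019 CU11+ form; older CUs use
# /IAcceptExchangeServerLicenseTerms. Each stage is a separate Setup.exe run so a
# non-zero exit code stops the chain instead of leaving a half-prepared forest.
$License = '/IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF'
$Stages = @(
    @($License, '/PrepareSchema'),
    @($License, '/PrepareAD', "/OrganizationName:$OrganizationName"),
    @($License, '/Mode:Install', '/Roles:Mailbox')
)
foreach ($StageArgs in $Stages) {
    $Proc = Start-Process -FilePath $Setup -ArgumentList $StageArgs -Wait -PassThru -NoNewWindow
    if ($Proc.ExitCode -ne 0) {
        throw "Exchange setup stage '$($StageArgs[1])' failed with exit code $($Proc.ExitCode)"
    }
}
Write-Host 'Exchange setup stages completed; check C:\ExchangeSetupLogs\ExchangeSetup.log for details.'
```

Run it as a Schema Admin / Enterprise Admin in the forest where Exchange is being installed; the PrepareSchema and PrepareAD stages fail otherwise, which is the most common reason an automated deployment stalls.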

Working Exchange into the range

Rather than give Dave a method to compromise SQL.Admin’s account via AD DACL abuse I figured it would be interesting to work Exchange in here. After all we used DACL enumeration and abuse in both AD and NTFS heavily in the us.lab.local forest. The second forest, research.local, should be more original.

In the end after some trial and error and lots of Google I gave Dave rights over SQL.Admin’s inbox.

# Remote PowerShell session to the Exchange server in research.local, authenticated as the cousin-domain admin
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://Research-SQL.research.local/PowerShell/ -Authentication Kerberos -Credential $CousinDomainAdminCredObject
Import-PSSession $Session -DisableNameChecking

# Mailbox-enable both users, then give Dave full access to SQL.Admin's inbox
Invoke-Command -Session $Session -ScriptBlock {Enable-Mailbox -Identity Dave}
Invoke-Command -Session $Session -ScriptBlock {Enable-Mailbox -Identity SQL.Admin}
Invoke-Command -Session $Session -ScriptBlock {Add-MailboxPermission -Identity "SQL.Admin" -User "Dave" -AccessRights FullAccess -InheritanceType All}

This code snippet is run from a PS1 on the Hypervisor via PowerShell Direct. The PS1 at large also creates inboxes for a couple users and removes the previous lateral movement from Dave to SQL.Admin.
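The hypervisor-side wrapper described above, as an added example rather than the author's PS1: it pushes the mailbox setup into the research.local VM over PowerShell Direct and makes each step idempotent, so rerunning the range build does not fail on an already-enabled mailbox or a duplicate ACE. The VM name, the credential prompt and the single SQL.Admin-to-Dave grant are assumptions chosen to match the post.

```powershell
# Added example: run the Exchange mailbox setup inside the VM from the Hyper-V host.
# VM name and credential are placeholders; the grant table is constructed for the range.
$VmName = 'Research-SQL'                                          # assumption: Hyper-V VM name
$VmCred = Get-Credential -Message 'research.local domain admin'   # assumption: cousin-domain admin

Invoke-Command -VMName $VmName -Credential $VmCred -ScriptBlock {
    param($ExchangeUri, $Cred)

    # Same Exchange remoting session as the post; explicit -Credential avoids the double-hop problem
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeUri -Authentication Kerberos -Credential $Cred
    Import-PSSession $Session -DisableNameChecking -AllowClobber | Out-Null

    # Mailbox owner -> delegate who gets FullAccess (constructed for the escalation path)
    $Grants = @{ 'SQL.Admin' = 'Dave' }

    foreach ($Owner in $Grants.Keys) {
        $Delegate = $Grants[$Owner]

        # Enable-Mailbox errors if the user already has a mailbox, so test first
        foreach ($Name in @($Owner, $Delegate)) {
            if (-not (Get-Mailbox -Identity $Name -ErrorAction SilentlyContinue)) {
                Enable-Mailbox -Identity $Name | Out-Null
            }
        }

        # Add the ACE only if an equivalent allow entry is not already present
        $Existing = Get-MailboxPermission -Identity $Owner |
            Where-Object { $_.User -like "*\$Delegate" -and -not $_.Deny -and ($_.AccessRights -join ',') -like '*FullAccess*' }
        if (-not $Existing) {
            Add-MailboxPermission -Identity $Owner -User $Delegate -AccessRights FullAccess -InheritanceType All | Out-Null
        }
    }

    # Return the explicit ACEs so the host-side script can log what the range ended up with
    Get-MailboxPermission -Identity 'SQL.Admin' |
        Where-Object { -not $_.IsInherited } |
        Select-Object Identity, User, AccessRights

    Remove-PSSession $Session
} -ArgumentList 'http://Research-SQL.research.local/PowerShell/', $VmCred
```

Passing the credential object through -ArgumentList rather than relying on the PowerShell Direct logon identity is what lets the inner New-PSSession authenticate to the Exchange endpoint with Kerberos from inside the VM.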

Essentially the new escalation path forces the range user to enumerate Exchange rights as well and realize they can access another user’s inbox. Once they do they can see something like the below screenshot.

(Screenshot: password redacted in order to avoid plot spoilers.)

I am posting the Exchange setup as a separate ‘expansion pack’ to the ‘cousin domain’. This is because, while each of the two forests in Mishky’s AD Range takes 30–45 minutes to spin up, Exchange took well over an hour.

Simply adding Exchange to the range more than doubles the time required to spin it up.

If you do want to use the Exchange add-on to the range then simply run Extract-Exchange_ISO.ps1. This downloads the ISO, extracts the files from it, and creates a ZIP to use in the range. It also takes an hour or so to run, mostly because the Exchange ISO is a little over 6 GB.

Once that runs just run Install-Exchange.ps1. This pulls down the pre-reqs for Exchange and installs them, installs Exchange itself, creates some inboxes, works Exchange into the escalation path, and removes the prior link in the escalation path.

Please note that you must run Create-Cousin.ps1 first. The Exchange add-on doesn’t work without the second forest, research.local, being spun up first.

Checking for this

This right doesn’t show up in AD DACLs on the user’s account. The easiest way to check is to simply use Exchange Online PowerShell:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://Research-SQL.research.local/PowerShell/ -Authentication Kerberos -Credential $CousinDomainAdminCredObject
Import-PSSession $Session -DisableNameChecking

Get-MailboxPermission SQL.Admin | Where-Object {$_.User -like "*Dave*"}
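The one-liner above answers the question for a single mailbox and a single user. As an added example (not from the post), the script below generalizes the check into a small audit of every mailbox in research.local: FullAccess is stored in the mailbox security descriptor, which is why it never appears in the AD DACL on the user object, while Send-As is an AD extended right that only Get-ADPermission (the post's own reference) surfaces. The $Cred variable and the CSV output path are assumptions.

```powershell
# Added example: enumerate non-default mailbox delegations (FullAccess + Send-As) in research.local.
# Not the author's code; assumes the same Exchange remoting endpoint as the post and a $Cred object.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://Research-SQL.research.local/PowerShell/' -Authentication Kerberos -Credential $Cred
Import-PSSession $Session -DisableNameChecking -AllowClobber | Out-Null

# Principals that hold rights on every mailbox by default; anything else is worth a look
$DefaultPrincipals = 'NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM'

$Findings = foreach ($Mbx in Get-Mailbox -ResultSize Unlimited) {
    # FullAccess and friends: explicit (non-inherited) allow entries on the mailbox itself
    Get-MailboxPermission -Identity $Mbx.Identity |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and ("$($_.User)" -notin $DefaultPrincipals) } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox   = $Mbx.Alias
                Principal = "$($_.User)"
                Right     = ($_.AccessRights -join ',')
                Source    = 'Get-MailboxPermission'
            }
        }

    # Send-As: lives on the AD object's DACL, so it needs the AD-permission cmdlet instead
    Get-ADPermission -Identity $Mbx.DistinguishedName |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and ($_.ExtendedRights -like '*Send-As*') -and ("$($_.User)" -notin $DefaultPrincipals) } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox   = $Mbx.Alias
                Principal = "$($_.User)"
                Right     = 'Send-As'
                Source    = 'Get-ADPermission'
            }
        }
}

$Findings | Sort-Object Mailbox, Principal | Format-Table -AutoSize
$Findings | Export-Csv -Path "$env:TEMP\mailbox-delegations.csv" -NoTypeInformation   # assumption: output path
Remove-PSSession $Session
```

In the range this lists the SQL.Admin/Dave FullAccess entry the escalation path depends on; in a real environment the same output is the list of delegations that a DACL-only review (Get-Acl, dsacls, BloodHound's AD collection) would miss, which is why it belongs in a periodic access review alongside the AD DACL checks.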

Summary

I can see why GOAD only includes MSSQL. They stated that Exchange had too much overhead to include in their range (it is currently in the extensions). The ISO is 6.1 GB, the ZIP file is 2 GB, pulling down the ISO and creating the ZIP file takes about an hour, and spinning up Exchange in the range takes around another hour. MSSQL took a fraction of that time by comparison.

Regardless I wanted to automate spinning it up and figure out a way to work it into the range.

References

Exchange setup: https://www.alitajran.com/install-exchange-server/

Potential issue:

https://fphkb.com/index.php/2020/10/16/0x80070015-error-when-using-copy-vmfile/

Enable-Mailbox:

https://learn.microsoft.com/en-us/powershell/module/exchange/enable-mailbox?view=exchange-ps

SelfADSI: http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm

Connecting to Exchange PS: https://medium.com/@happycamper84/chatgpt-gets-who-can-modify-domain-admins-wrong-10bf9481989b

Send an email from PS: https://medium.com/@happycamper84/the-poor-mans-honeypot-howto-flag-password-spraying-in-a-homelab-ba11efb679ff

Using Get-ADPermission: https://happycamper84.medium.com/get-adpermission-vs-get-acl-dsacls-cheatsheet-a13f69afd3f1

Add-MailboxPermission: https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission?view=exchange-ps

New-MailMessage: https://learn.microsoft.com/en-us/powershell/module/exchange/new-mailmessage?view=exchange-ps

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.