How can we bypass the need for valid user credentials when exploiting CVE-2020-0688 via modified web.config?

By modifying `%ExchangeInstallPath%\FrontEnd\HttpProxy\owa\web.config` (or the ecp version) to set a custom `validationKey` and `decryptionKey` under `<system.web>`, you can eliminate the need for user credentials. The exploit then uses these keys to forge viewstate payloads. This approach leverages standard ASP.NET deserialization exploitation tools like zcgonvh's CVE-2020-0688 exploit, which also supports real-time command output. For a deeper understanding of credential extraction, see Penetration Technique - Extracting User Plaintext Passwords via CredSSP.