Web


Nmap discovered a supposed web server on target port 443:

┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ curl -i https://$IP:443/
curl: (35) Recv failure: Connection reset by peer

It would appear that nothing is hosted on port 443.

AD Federation


It was discovered that port 443 hosts an AD Federation authentication endpoint. I don’t have any valid domain credentials for now.

<?xml version="1.0"?>
<samlp:AuthnRequest
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_b70a3566df9d606cf7ad3151df1a7a7b81d4050e" Version="2.0" IssueInstant="2024-07-18T12:25:53.061Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Destination="https://federation.ghost.htb/adfs/ls/" AssertionConsumerServiceURL="https://core.ghost.htb:8443/adfs/saml/postResponse">
	<saml:Issuer
		xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://core.ghost.htb:8443
	</saml:Issuer>
	<samlp:NameIDPolicy
		xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true"/>
	<samlp:RequestedAuthnContext
		xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
		<saml:AuthnContextClassRef
			xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
		</saml:AuthnContextClassRef>
	</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Using the SAML Raider extension, I can decode and read the SAML request
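
The decoding step a tool like SAML Raider performs can be reproduced in a few lines. This is an added example, not part of the original notes: the function names are hypothetical, and the sample message is a shortened request constructed from the values shown above.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_message(param: str) -> str:
    """Recover the XML from a SAMLRequest/SAMLResponse parameter value."""
    raw = base64.b64decode(unquote(param))
    if raw.startswith(b"<"):  # HTTP-POST binding: base64 of the XML itself
        return raw.decode("utf-8")
    # HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), then base64
    return zlib.decompress(raw, -15).decode("utf-8")

def summarize_authn_request(xml_text: str) -> dict:
    """Pull out the fields that say who is asking and where the answer goes."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD in SAML message, refusing to parse")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    text = lambda path: (root.findtext(path, "", NS) or "").strip()
    return {
        "id": root.get("ID"),                        # echoed back as InResponseTo
        "destination": root.get("Destination"),      # IdP endpoint
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "response_binding": root.get("ProtocolBinding"),  # binding for the response
        "issuer": text("saml:Issuer"),               # the service provider
        "authn_context": text(".//saml:AuthnContextClassRef"),
    }

# Constructed sample: a shortened request built from the values shown above.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
    'ID="_b70a3566df9d606cf7ad3151df1a7a7b81d4050e" Version="2.0" '
    'Destination="https://federation.ghost.htb/adfs/ls/" '
    'AssertionConsumerServiceURL="https://core.ghost.htb:8443/adfs/saml/postResponse">'
    '<saml:Issuer>https://core.ghost.htb:8443\n</saml:Issuer>'
    '</samlp:AuthnRequest>' % NS
)

def encode_redirect(xml_text: str) -> str:  # builds Redirect-binding input for the demo
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()

if __name__ == "__main__":
    print(summarize_authn_request(decode_saml_message(encode_redirect(SAMPLE_XML))))
```

The summary shows the trust relationship at a glance: `core.ghost.htb:8443` is the service provider, and `federation.ghost.htb` is the identity provider that will post the assertion back to the ACS URL.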