Can anyone give a hint on what am I doing wrong? I’m pretty sure the last part is through the CVE for ADSS but I’m having a hard time to make it work…
So I’ve set chisel to bind my VM to the remote port and I’ve tried with both the POC found in github and also with the metasploit but both are failing with “[SSL: WRONG_VERSION_NUMBER] wrong version number” and “[-] Exploit failed [unreachable]: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 peeraddr=127.0.0.1:9251 state=error: wrong version number”
I’ve tried changing parameters… changing the SSL cert, changing the ISSUER_URL and nothing works! =/
Enumerate the app. You can login there as the controlled user so record all requests&responses there. Check out each & every of them. Not just the url link but the whole message. The answer is there.
As an alternative way you can try to google for the web app’s config files accessible from the browser. There is an article about troubleshooting that service which may help with it.
for others exploiting the last step, apart from port-forwarding, two key parameters are needed: guid and issuer-url
one can be found on the target, another needs to be found via auth flow (better research a bit on how saml sso works)
can someone nudge me in the right direction, im root on the linux container for 2 days now and dont know how to get out of the container.
found ntlm in keytab, tried logging in trough evil-winrm.
im scumming around the system for the last 6 hours but cant seem to find what i need.
meterpreter > sysinfo
Computer : DC
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : CERBERUS
Logged On Users : 10
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Special thanks to @lim8en1 for pointing me to a really basic error when using chisel… after that it’s not that difficult just need to go through the app and check what it requests and the answers it receives…
For the ones still struggling on this part I think there are 2 tips:
If your not forwarding all ports with tunneling, then you’ll need to manually forward 3 ports to make it work. 2 of them are pretty obvious and are required by the page/application to work. The 3rd port is from the issuer. It’s a pretty standard port!
Once you go through the application, do the login and check the flow. You can either use burp suite and check the requests/answers manually (“pro” tip: select the data and burp will automatically parse and DECODE it for you ) OR, even better, install a firefox extension: SAML Tracer and go through the app flow again… check the data the tool will highlight as SAML to find the needed info (“pro” tip: summary tab is your friend).
So after you got the GUID (from the application url normal usage) and ISSUER_URL, I recommend to use metasploit… it’s so much easier than manually doing a new reverse shell…
I managed to get a reverse shell to the Linux VM. However, whenever I try to download a file from my PC to the target (tried with wget and python), the process hung up in the middle. Anyone has/had this problem?
The saml tracker will work well if using proxychains otherwise you should be able to capture relevant info with burp. Disclaimer, if using chisel make sure you are using the same versions (apparently mine weren’t after snapshot) and created much hassle. Also, on final privesc I had issues when using brave versus firefox.
It’s over my skills 
) OR, even better, install a firefox extension: SAML Tracer and go through the app flow again… check the data the tool will highlight as SAML to find the needed info (“pro” tip: summary tab is your friend).