# Protections Test 2 Scenario

## Step 0 - Setup

### Procedures

- Initiate an RDP session to the Kali attack host driftmark (174.3.0.70).
- Initiate an RDP session to the Jumpbox host dreadfort (10.26.3.125).
- ☣️ From the Windows Jumpbox dreadfort (10.26.3.125), open Firefox and browse to https://sso.vale.net/. Use the following credentials to log into the Single Sign-On (SSO) portal.
- ☣️ When prompted for an MFA token, switch to the existing Kali RDP session, open a new terminal window, run the following command, and provide the following password when prompted. Copy the MFA code, then switch back to the Windows jumpbox and enter it into the SSO login page.

```
totp-cli generate --follow vale vale-gworm
```

Expected Output

######

- In the browser window, click the three dots on the right-hand side, select "More Tools", then select "Developer Tools". In the newly opened panel, select "Storage", then select "Cookies". Select the SSO domain sso.vale.net. Copy the `authentik_csrf` and `authentik_session` values into a text document for use later.
## Step 1 - Initial Access

### Voice Track

Scattered Spider uses a previously compromised SSO cookie to log into the victim's SSO dashboard.

### Procedures

- ☣️ From the Kali attack host driftmark (174.3.0.70), open Firefox and browse to the real SSO portal at https://sso.vale.net/. Open the developer console, go to the Storage tab, and then to the Cookies drop-down menu. For the SSO portal site, replace the `authentik_csrf` and `authentik_session` cookie values with the values noted in the setup phase. After saving the cookies, replace the URL with https://sso.vale.net/ and reload the page.
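From the defender's side, the step above leaves a simple artefact: one `authentik_session` value presented from two client addresses. The following is an added example (not part of the scenario) that flags such shared sessions; it assumes the reverse proxy in front of the SSO portal logs the client IP and a truncated hash of the session cookie per request, and the log lines are constructed to mirror the jumpbox and Kali hosts used here.

```python
"""Flag an SSO session fingerprint that is presented from more than one
client address. Assumed log format (constructed): timestamp, client IP,
method, path, status, and a truncated hash of the authentik_session cookie."""
import re
from collections import defaultdict

# Constructed sample: the jumpbox (10.26.3.125) establishes the session, then
# the same fingerprint appears from the attack host (174.3.0.70).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.26.3.125 GET /if/user/ 200 sess=3f9a1c
2024-01-01T10:00:05Z 10.26.3.125 GET /api/v3/core/applications/ 200 sess=3f9a1c
2024-01-01T10:04:12Z 174.3.0.70 GET /if/user/ 200 sess=3f9a1c
2024-01-01T10:04:20Z 174.3.0.70 GET /if/admin/ 200 sess=3f9a1c
2024-01-01T10:05:00Z 10.26.3.130 GET /if/user/ 200 sess=b77e02
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) sess=(?P<sess>[0-9a-f]+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_shared_sessions(text):
    """Return {fingerprint: sorted client IPs} for every fingerprint that was
    used from more than one address."""
    seen = defaultdict(set)
    for rec in parse_log(text):
        seen[rec["sess"]].add(rec["ip"])
    return {s: sorted(ips) for s, ips in seen.items() if len(ips) > 1}


def first_use_by_ip(text, sess):
    """Return (ip, timestamp, path) of each address's first request with the
    session, ordered by time, so the original holder can be told apart."""
    firsts = {}
    for rec in parse_log(text):
        if rec["sess"] == sess and rec["ip"] not in firsts:
            firsts[rec["ip"]] = (rec["ip"], rec["ts"], rec["path"])
    return sorted(firsts.values(), key=lambda t: t[1])


if __name__ == "__main__":
    for sess, ips in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {sess} used from {ips}")
        for ip, ts, path in first_use_by_ip(SAMPLE_LOG, sess):
            print(f"  {ts} {ip} {path}")
```

Binding the session to the client address in the proxy, or invalidating sessions whose cookie is seen from a second address, turns the same check into a preventive control.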
### Reference Tables

## Step 2 - Privilege Escalation and Persistence

### Voice Track

After Scattered Spider logs into the SSO dashboard, they configure a secondary IdP in the SSO admin interface. Scattered Spider then logs back into the SSO dashboard using a valid domain administrator account and the secondary IdP.

### Procedures

- ☣️ Inside the SSO dashboard, click the "Admin interface" button at the top right. Under "Directory" on the left panel, select "Federation and Social login". Create a new source and select the "SAML Source" type. Click "Next" to reach the source configuration menu.
- ☣️ Set "Name" and "Slug" to `upstream`, ensure the source is enabled, set "User matching mode" to "Link to a user with identical username", set "Group matching mode" to "Link to a group with identical name", and keep the default icon.
- ☣️ Expand the Protocol settings, set the SSO URL to `https://idp.braavos.com/application/saml/victim/sso/binding/post/`, and set the binding type to "Post-auto binding".
- ☣️ Expand the Advanced protocol settings, toggle on "Allow IDP-initiated logins", then set "NameID Policy" to "Windows". Expand the Flow settings and ensure "Pre-authentication flow" is set to `default-source-pre-authentication (Pre-Authentication)`. Click the Finish button to finish creating the source.
- ☣️ Under "Flows and Stages" on the left panel, select "Flows". Select `default-authentication-flow` and click the "Stage Bindings" tab. Click the "Edit Stage" button for the "default-authentication-identification" table entry.
- ☣️ Scroll down and expand "Source settings". Confirm that the `upstream` source you just created is listed as an available source. Select it and then click the single right arrow to add it to the "Select sources" list. Ensure that it is the only selected source on the right side, then click "Update".
- ☣️ Log out of the SSO dashboard and confirm that the secondary IdP icon appears in the login prompt window under the login button.
- ☣️ Open an incognito window to avoid using any previously established cookies and browse to https://sso.vale.net/. Click the secondary IdP icon below the login button to be redirected to the attacker-controlled secondary IdP. If prompted with a security warning, click "Advanced" > "Accept Security Risk" > "Resend". Log in using the attacker-created domain administrator credentials and confirm that you were successfully redirected to the victim SSO dashboard as the domain user and that the Guacamole application is available.
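The persistence created in this step is a configuration change, so it can be caught by diffing the SSO's federation sources against an approved baseline. The following is an added example (not part of the scenario or of authentik itself) that audits a SAML source listing; it assumes the JSON shape of authentik's SAML source API response (a `results` list with `name`, `slug`, `enabled`, `sso_url` and `allow_idp_initiated` fields), and the sample document and baseline below are constructed to mirror the `upstream` source created above.

```python
"""Audit configured SAML sources against an approved baseline. The field
names are assumed from authentik's SAML source listing; the baseline and the
sample response are constructed for this example."""
import json
from urllib.parse import urlsplit

# Baseline: the sources and IdP hosts the organisation actually approved.
APPROVED_SLUGS = {"corp-idp"}
APPROVED_IDP_HOSTS = {"login.vale.net"}

# Constructed listing: one approved source plus the `upstream` source from Step 2.
SAMPLE_RESPONSE = json.dumps({"results": [
    {"name": "Corp IdP", "slug": "corp-idp", "enabled": True,
     "sso_url": "https://login.vale.net/sso/saml", "allow_idp_initiated": False},
    {"name": "upstream", "slug": "upstream", "enabled": True,
     "sso_url": "https://idp.braavos.com/application/saml/victim/sso/binding/post/",
     "allow_idp_initiated": True},
]})


def audit_sources(raw_json):
    """Return (slug, finding) tuples for every deviation from the baseline;
    an empty list means no drift."""
    findings = []
    for src in json.loads(raw_json).get("results", []):
        slug = src.get("slug", "<no slug>")
        host = urlsplit(src.get("sso_url", "")).hostname or ""
        if slug not in APPROVED_SLUGS:
            findings.append((slug, "source not in approved baseline"))
        if host not in APPROVED_IDP_HOSTS:
            findings.append((slug, f"SSO URL points at unapproved IdP host {host!r}"))
        if src.get("enabled") and src.get("allow_idp_initiated"):
            # IdP-initiated login lets the remote IdP start a session without the
            # user first visiting the SP, so an unexpected enable is worth review.
            findings.append((slug, "IdP-initiated logins enabled"))
    return findings


def drifted_slugs(raw_json):
    """Distinct slugs with at least one finding, in first-seen order."""
    out = []
    for slug, _ in audit_sources(raw_json):
        if slug not in out:
            out.append(slug)
    return out


if __name__ == "__main__":
    for slug, finding in audit_sources(SAMPLE_RESPONSE):
        print(f"{slug}: {finding}")
```

Run on a schedule against the live listing, the same function also surfaces the stage binding change only indirectly; pairing it with an alert on the admin interface's source-creation and flow-update events closes that gap.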
### Reference Tables

## Step 3 - Lateral Movement

### Voice Track

After Scattered Spider logs into the SSO portal as the domain admin, they wait until the legitimate domain admin initiates a Guacamole session, then hijack the session to gain access to an endpoint in the victim environment.

### Procedures

- Return to the Windows Jumpbox dreadfort (10.26.3.125), open Firefox and browse to https://sso.vale.net/. Use the following credentials to log into the Single Sign-On (SSO) portal.
- When prompted for an MFA token, switch to the existing Kali RDP session, open a new terminal window, run the following command, and provide the following password when prompted. Copy the MFA code, then switch back to the Windows jumpbox and enter it into the SSO login page.

```
totp-cli generate --follow vale vale-kdrogo
```

Expected Output

######

- From the SSO dashboard, right-click on the Guacamole application, choose Open in New Tab, and access the Guacamole dashboard with the available remote machines. Select `blacktyde` from the list and authenticate to the remote desktop session using the following credentials. For Domain, enter `vale`.
- ☣️ Switch back to Kali. Inside the SSO dashboard, click the Guacamole application. In the top right, confirm a user is logged in by clicking Settings, then under "Active Connections" observe the text "1 user is logged in" next to `blacktyde`. Click the `blacktyde` link to hijack the session.
### Reference Tables

## End of Test

### Voice Track

This step includes the shutdown procedures for the end of this Protections Test.

### Procedures

- From Kali, close the browser to Guacamole.
- Return to the RDP to dreadfort (10.26.3.125). Close the Firefox tabs with the SSO and Guacamole