One Day Sec

How can an attacker with local administrator privileges on vCenter gain access to the VCSA management panel?

An attacker extracts the IdP certificate from the /storage/db/vmware-vmdir/data.mdb file, then creates a SAML request for an administrator user. Using the vCenter server to authenticate, they obtain a valid JSESSIONID cookie, which allows them to log into the VCSA management panel as an administrator.

---
**Related reading:**
- vSphere Development Guide 6 - vCenter SAML Certificates — original article
- Covenant Utilization Analysis
- ADAudit Plus Exploitation Analysis — Data Encryption Analysis
- Domain Penetration - Executing Programs on Remote Systems Using DCOM
