How does the attacker use the extracted SAML certificates to gain administrator access?
After pulling the IdP signing certificate (together with its private key) and the trusted certificates out of data.mdb, the attacker forges a SAML response that asserts an administrator identity and signs it with the stolen IdP key. Because vCenter already trusts that key, the forgery can be built and submitted from any host that can reach the vCenter server; no access to the legitimate IdP is needed. The SSO endpoint accepts the assertion and returns a valid JSESSIONID cookie; setting that cookie in a browser gives full administrator access to the VCSA management panel. The caveat for defenders: the forgery works only for as long as the stolen signing certificate remains in vCenter's trusted set, so the SAML/STS signing certificate has to be rotated after a compromise of data.mdb.
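The trust relationship the answer relies on, as an added, constructed model that is not VMware's code or the original article's. Textbook RSA with toy keys stands in for the RSA-SHA256 XML-DSig vCenter actually uses so that the script runs with the standard library only; the issuer URL, audience string and key labels are assumptions. It shows the forged assertion being accepted because the signing key is in the trusted set, and rejected once that certificate is rotated.

```python
"""Model of the vCenter SAML trust relationship: stolen IdP key -> forged assertion -> JSESSIONID.

Constructed example, not VMware code.  Toy RSA replaces XML-DSig/RSA-SHA256 so it runs
offline with the standard library; issuer, audience and key labels are assumptions.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"          # times are treated as naive UTC for simplicity

# Textbook RSA parameters (p=61,q=53 and p=101,q=113): insecure by design, illustration only.
_TOY_KEYS = {"sts-old": (3233, 17, 2753), "sts-rotated": (11413, 3, 7467)}


@dataclass(frozen=True)
class Certificate:       # what vCenter keeps in its trusted-certificate set
    subject: str
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:        # what the attacker pulls from data.mdb alongside the certificate
    n: int
    d: int


def toy_keypair(label: str) -> tuple:
    n, e, d = _TOY_KEYS[label]
    return Certificate(label, n, e), PrivateKey(n, d)


def _h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: PrivateKey, data: bytes) -> int:
    return pow(_h(data, key.n), key.d, key.n)


def verify(cert: Certificate, data: bytes, sig: int) -> bool:
    return pow(sig, cert.e, cert.n) == _h(data, cert.n)


def build_assertion(issuer: str, subject: str, audience: str, now: datetime) -> bytes:
    """Minimal SAML 2.0 assertion; a real one also carries attributes and a ds:Signature block."""
    nb = (now - timedelta(minutes=1)).strftime(TIME_FMT)
    na = (now + timedelta(minutes=5)).strftime(TIME_FMT)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" ID="_forged" IssueInstant="{now.strftime(TIME_FMT)}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion>"
    ).encode()


@dataclass
class SsoEndpoint:
    """Model of vCenter's SAML consumer: trusted certs keyed by issuer, sessions keyed by JSESSIONID."""
    audience: str
    trusted: dict
    sessions: dict = field(default_factory=dict)

    def consume(self, assertion: bytes, signature: int, now: datetime) -> Optional[str]:
        root = ET.fromstring(assertion)
        issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
        cert = self.trusted.get(issuer)
        if cert is None or not verify(cert, assertion, signature):
            return None                                      # unknown issuer or bad signature
        cond = root.find("saml:Conditions", SAML_NS)
        nb = datetime.strptime(cond.get("NotBefore"), TIME_FMT)
        na = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT)
        aud = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=SAML_NS)
        if not (nb <= now < na) or aud != self.audience:
            return None                                      # outside validity window or wrong SP
        user = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
        cookie = secrets.token_hex(16)                       # the JSESSIONID handed back to the caller
        self.sessions[cookie] = user
        return cookie


def forge_admin_session(sso: SsoEndpoint, issuer: str, stolen: PrivateKey, admin: str, now: datetime) -> Optional[str]:
    """The step from the answer: forge an admin assertion, sign it with the stolen key, submit it."""
    assertion = build_assertion(issuer, admin, sso.audience, now)
    return sso.consume(assertion, sign(stolen, assertion), now)


def scenario() -> dict:
    issuer = "https://vcsa.example.internal/websso/SAML2/Metadata/vsphere.local"   # assumed STS issuer
    audience = "https://vcsa.example.internal/ui/saml/websso/sso"                  # assumed SP audience
    admin = "Administrator@vsphere.local"                                           # default SSO admin
    now = datetime(2024, 1, 1, 12, 0, 0)
    cert, stolen_key = toy_keypair("sts-old")            # attacker holds both, extracted from data.mdb
    sso = SsoEndpoint(audience=audience, trusted={issuer: cert})
    cookie = forge_admin_session(sso, issuer, stolen_key, admin, now)
    # Remediation check: rotating the STS signing certificate replaces the trusted entry,
    # so the same stolen key no longer yields a session.
    new_cert, _ = toy_keypair("sts-rotated")
    sso.trusted[issuer] = new_cert
    after = forge_admin_session(sso, issuer, stolen_key, admin, now)
    return {"cookie": cookie, "user": sso.sessions.get(cookie), "after_rotation": after}


if __name__ == "__main__":
    print(scenario())
```

The `SsoEndpoint.consume` method is the part worth reading twice: every check it performs (issuer known, signature valid, window and audience correct) passes for the forgery, because the attacker controls the assertion contents and holds the very key the checks are anchored to. Only changing the anchor, the trusted certificate, breaks the chain.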
---
**Related reading:**
- vSphere Development Guide 6 - vCenter SAML Certificates — original article
- Penetration Techniques - Deleting Single Windows Log Entries
- Penetration Technique: Remote Access to Exchange PowerShell
- Zimbra SOAP API Development Guide 2
---
Tags: SAML request, administrator cookie, authentication, VCSA, JSESSIONID