Reflections on Certified CISO (CCISO)
tl;dr The training was fantastic, but the exam was shocking.
Security Consultant
I was recently in a position where I had code execution on an ADFS server, under the context of the ADFS service account, and wanted to use ADFSDump as part of a golden SAML attack. This post details the two hurdles I encountered and how they were overcome, namely:
The dump function of SharpSphere allows operators to dump LSASS from any powered-on VM managed by vCenter or ESXi, without needing to authenticate to the guest OS and without needing VMware Tools to be installed.
Deployed by all Fortune 500 & Fortune Global 100 companies*, you’re pretty much guaranteed to come up against vSphere on your offensive engagements.
C2 over RDP with mapped drives is nothing new; however, this post will show how SharpRDP and C3 can be used in tandem through a Cobalt Strike beacon to provide C2 when only 3389 is accessible.