Welcome to ambankinn
If you are wondering what this is all about check out my previous post on this CTF challenge.

For obvious reasons there are not a lot of accounts in Ambankinn that boast a substantial balance. Admimann’s, however, is said to be overflowing.
Recon
The recon steps are basically the same for all of these challenges so check out ambakari for the recon.
Spoiler Alert!
I’ve made the following collapsible so you don’t see anything accidentally. If you plan to do the challenge, look away now and come back when you’re done. Or, if you get stuck, you can always take a peek… I won’t tell! 🙊
🔓 My Solutions 🔓
Now it’s ambankinn, a bank! We can try the previous solutions, but they will all fail. If you look at the code for this challenge, though, you will notice that the application never checks that the certificate in the SAML response is a legitimate one: it verifies the signature with whatever certificate is embedded in the message itself instead of against the identity provider’s certificate it should have pinned from metadata. So we can generate our own certificate, embed it in the response and use that one to sign a modified assertion; this is called the self-signing vulnerability (the service provider trusts the KeyInfo/X509Certificate the attacker supplies). I had not made a cert myself for this kind of exploit until this challenge, so that was new. But I used a tool that made it easy.
The tool is called SAML Raider and is an extension for Burp Suite. Could I have used it for the whole thing? Probably. But I didn’t need it until this point. This time around we need to self-sign, and SAML Raider makes that easy, but let’s walk through it.
- First, in Burp Suite go to Extensions and install SAML Raider from there.
- You should now see a SAML Raider Certificates tab; click it.
- Change the SAML Request Param Name and SAML Response Param Name (two fields) to token, since this application carries the SAML message in a parameter named token rather than the default SAMLRequest/SAMLResponse.
- Then log in, find the call carrying the token and send it to Repeater.
- You should now see a SAML Raider tab in Repeater; select it.
- On the SAML Attacks tab, choose Send Certificate to SAML Raider Certificates.
- Go back to the SAML Raider Certificates tab.
- Select the cert and scroll down.
- Select “Save and Self-Sign”. This clones the identity provider’s certificate but issues it with a fresh private key that we control.
- Go back to Repeater and, on the SAML Attacks tab, select Remove Signature.
- Then, at the bottom, change the Kennitala and Name to those of the admin account.
- Make sure the cloned cert is selected under Signature Attacks and select Re-Sign Message.
- Send it.
- Now go back to the Pretty tab, right-click and choose Show response in browser.
- Copy the link and open it in a browser.
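To make the flaw above concrete, here is an added example that is not part of the original writeup or the challenge code. It models a SAML-style token as JSON signed with toy RSA (tiny Mersenne-prime keys and a truncated digest, purely so it runs instantly; nothing here is a safe key size), with the signer’s public key shipped inside the token the way ds:KeyInfo/ds:X509Certificate is. `verify_vulnerable` does what the challenge does (trusts the embedded key), `verify_pinned` does what a real service provider must do (verify against the IdP certificate configured at deploy time), and `forge_as` replays the SAML Raider workflow: strip the signature, edit the assertion, re-sign with a self-signed key. All names, primes and Kennitala values are constructed for the example.

```python
"""Self-signing (embedded-certificate trust) vulnerability, as a runnable toy.

Added example, not the writeup's or the challenge's code. Toy RSA over
canonical JSON stands in for XML-DSig; keys are deliberately tiny and unsafe.
"""
import hashlib
import json

E = 65537  # public exponent shared by every toy key


def keypair(p, q):
    """Toy RSA keypair from two primes. The public half plays the X509Certificate role."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # raises ValueError if E is not invertible
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest(assertion):
    """Canonical bytes of the assertion (sorted-key JSON, like C14N for XML),
    hashed and truncated to 120 bits so it always fits under the toy moduli."""
    raw = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:15], "big")


def sign(assertion, priv, pub):
    """Build a token: assertion + signature + the signer's OWN public key,
    mirroring a SAML response that carries ds:KeyInfo/ds:X509Certificate."""
    sig = pow(digest(assertion), priv["d"], priv["n"])
    return {"assertion": assertion, "signature": sig, "cert": pub}


def verify_vulnerable(token):
    """The bug: the verification key is taken from the message itself,
    so a token signed with any self-made key passes."""
    pub = token["cert"]
    return pow(token["signature"], pub["e"], pub["n"]) == digest(token["assertion"])


def verify_pinned(token, trusted_pub):
    """The fix: ignore the embedded cert entirely and verify against the
    identity provider's certificate pinned from its metadata."""
    return pow(token["signature"], trusted_pub["e"], trusted_pub["n"]) == digest(token["assertion"])


# Constructed keys: Mersenne primes, NOT secure, only so the example runs instantly.
IDP_PUB, IDP_PRIV = keypair(2**127 - 1, 2**89 - 1)           # the legitimate IdP
ATTACKER_PUB, ATTACKER_PRIV = keypair(2**107 - 1, 2**61 - 1)  # our self-signed key


def idp_login(kennitala, name):
    """What the IdP hands back for a legitimate login (values are constructed)."""
    return sign({"kennitala": kennitala, "name": name}, IDP_PRIV, IDP_PUB)


def forge_as(token, kennitala, name):
    """The SAML Raider workflow: remove the real signature, edit the
    assertion's Kennitala and Name, re-sign with the self-signed key."""
    assertion = dict(token["assertion"], kennitala=kennitala, name=name)
    return sign(assertion, ATTACKER_PRIV, ATTACKER_PUB)


if __name__ == "__main__":
    real = idp_login("0000000000", "lowuser")          # constructed low-privilege login
    forged = forge_as(real, "1111111111", "Admimann")  # constructed target identity
    print("vulnerable SP accepts forged token:", verify_vulnerable(forged))   # True
    print("pinned SP accepts forged token:    ", verify_pinned(forged, IDP_PUB))  # False
```

The point to take away is in the two verifiers: they run the identical RSA check, and the only difference is where the public key comes from. Editing the assertion without re-signing fails both checks, which is why the writeup has to remove the signature and re-sign rather than just tamper with the token.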
We did it, we are in! 💸⛳️ ✅
Just look at all them moneys and of course our flag that we can use to mark the challenge as completed. If you want to see it yourself you will just have to do the challenge 😉