During an examination of how JAMF Self Service authenticated to the domain, I discovered that Self Service not only keeps domain credentials in memory in plaintext, but also does not appear to free them after they are initially used. To prove this, I developed a Proof of Concept exploit that will search for a running Self Service process, make a local copy of the process's memory, and search for the username and password strings. So long as the user has at one point authenticated within Self Service, the credentials can be harvested, even if they have logged off. This has been tested on Self Service Version 9.93, but may work on other versions.
Step 1: First Self Service needs to be started and the user needs to authenticate.
Step 2: Run PoC (Requires root access)
Step 3: Profit
Code and Build Instructions: All up on GitHub.
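The defensive counterpart to the finding above, as an added example that is not part of the original post or of JAMF's code: a credential buffer that is wiped as soon as the authentication call returns, shown next to the retaining pattern. `struct cred`, `fake_bind` and the sample values are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical credential holder (assumption, not Self Service's layout). */
struct cred {
    char user[64];
    char pass[64];
};

/* Wipe through a volatile pointer so the compiler cannot drop the
 * stores as "dead" writes, which it may do with a plain memset(). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Constructed stand-in for the real directory bind: succeeds when
 * both fields are non-empty. */
static int fake_bind(const char *user, const char *pass) {
    return user[0] != '\0' && pass[0] != '\0';
}

/* Retaining pattern: the plaintext stays in memory after the bind,
 * for as long as the struct lives. */
int login_retaining(struct cred *c) {
    return fake_bind(c->user, c->pass);
}

/* Hardened pattern: wipe immediately after the bind returns,
 * whether it succeeded or failed. */
int login_scrubbing(struct cred *c) {
    int ok = fake_bind(c->user, c->pass);
    secure_wipe(c, sizeof *c);
    return ok;
}

/* Self-check helper: 1 if needle's bytes still occur in this buffer. */
int buffer_contains(const void *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    const unsigned char *b = buf;
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(b + i, needle, m) == 0) return 1;
    return 0;
}
```

Wiping one buffer only helps if the secret was never copied elsewhere; any intermediate copies made while handling the login need the same treatment.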