[chillywilly]

ready to go insane?

[RebeLHeX]

Good luck everyone, unfortunately I will not be around but I will tomorrow night, is going to be a hard to crack one for what I hear... so I wish for the best

[peRd1]

Found: support.corporate.htb Status: 200 [Size: 1725]
Found: git.corporate.htb Status: 403 [Size: 159]
Found: sso.corporate.htb Status: 302 [Size: 38] [--> /login?redirect=]
Found: people.corporate.htb Status: 502 [Size: 163]

[iagree1337]

hi !!

Let's do it guys.
Someone found something ?

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Scammer. Email Address: kevindurifda@gmail.com Registration IP: 46.18.99.42 Last Known IP: 2001:861:3dc6:de60:b92b:2e08:ec4a:94f5

[iagree1337]

http://support.corporate.htb/ That looks fishy already got in contact with another user. Who is hack!?

what did you find ?

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Scammer. Email Address: kevindurifda@gmail.com Registration IP: 46.18.99.42 Last Known IP: 2001:861:3dc6:de60:b92b:2e08:ec4a:94f5

[Azad23]

http://sso.corporate.htb/services
http://sso.corporate.htb/reset-password
http://support.corporate.htb/ticket/XXXXXXXXX
http://support.corporate.htb/socket.io/XXXXXXXX

http://people.corporate.htb/chat
http://people.corporate.htb/sharing
http://people.corporate.htb/news
http://people.corporate.htb/calendar
http://people.corporate.htb/dashboard
http://people.corporate.htb/holiday
http://people.corporate.htb/employee
http://people.corporate.htb/payroll

---

http://corporate.htb/assets/js/analytics...ctionpoint

I'm thinking XSS guys

Prob... but there issues whit arena instances ... aaaanddd i cant inject nothing i only got in return 502 .. and totally dont want mess whit pubic instances full of retards resetting every 2 min ... ill wait ...
[

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | https://breachforums.ai/Forum-Ban-Appeals if you feel this is incorrect.

[Azad23]

http://sso.corporate.htb/services
http://sso.corporate.htb/reset-password
http://support.corporate.htb/ticket/XXXXXXXXX
http://support.corporate.htb/socket.io/XXXXXXXX

http://people.corporate.htb/chat
http://people.corporate.htb/sharing
http://people.corporate.htb/news
http://people.corporate.htb/calendar
http://people.corporate.htb/dashboard
http://people.corporate.htb/holiday
http://people.corporate.htb/employee
http://people.corporate.htb/payroll

---

http://corporate.htb/assets/js/analytics...ctionpoint

I'm thinking XSS guys

Prob... but there issues whit arena instances ... aaaanddd i cant inject nothing i only got in return 502 .. and totally dont want mess whit pubic instances full of retards resetting every 2 min ... ill wait ...
[

There are some issues with the Corporate Release. At this time, we believe it is only on Release Arena boxes. We are working on understanding the issue and providing a fix. We are unaware of the issue manifesting in free, VIP, or VIP+ labs. 

Sorry for y'all

//Edit: Just a guess for next step. Trick the bot somehow to open a ticket so we can login to sso. But this bot is just going through the same routine and I haven't firgure out our to escapt it

---

ill start working on it tomorrow morning... tonight at this point i want finish some irl  projects  ... in those fucking "safe environments" machine you can learn a lot but at the same those "academical" style let grow and make you comfy whit really really  bad habits 

see ya all tomorrow  ... good luck , have fun and don't get jailed

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | https://breachforums.ai/Forum-Ban-Appeals if you feel this is incorrect.

[jahman]

Nothing very useful but the following javascript file maybe interresting for bypass CORS
http://people.corporate.htb/static/js/chat.js

and i can xss myself in the chat with
<LINK REL="stylesheet" HREF="http://x.x.x.x/xss-32.css">

[ajasjas]

const sendButton = document.getElementById("send-message");
const messageInput = document.getElementById("message");
const messageContainer = document.getElementById("message-container");
const activeContainer = document.getElementById("active-container");
const closedAlert = document.getElementById("closed-alert");
const typingAlert = document.getElementById("typing-alert");
const alertMessageContainer = document.getElementById("alert-message");
function getCookie(_0x28b736) {
  let _0xc00034 = {};
  document.cookie.split(';').forEach(function (_0x4e620c) {
    let [_0x8a7c26, _0x26dfeb] = _0x4e620c.split('=');
    _0xc00034[_0x8a7c26.trim()] = _0x26dfeb;
  });
  return _0xc00034[_0x28b736];
}
const socket = io("ws://support.corporate.htb", {
  'auth': {
    'token': getCookie("CorporateSSO")
  }
});
const ticketId = document.getElementById("ticket-id").value;
const addMessage = _0x5a6688 => {
  const _0xe6d2fc = !_0x5a6688.name;
  messageContainer.insertAdjacentHTML("beforeend", "<div class=\"row mb-2\">\n    <div class=\"col-9 text-light " + (_0xe6d2fc ? "bg-success offset-3" : "bg-primary") + "\">\n      <div class=\"py-3 px-2\">\n        <strong>" + (_0xe6d2fc ? "You" : _0x5a6688.name) + "</strong><br />" + _0x5a6688.message + "\n      </div>\n    </div>\n    <div class=\"text-muted " + (_0xe6d2fc ? "text-end" : '') + "\">\n          Sent at: " + _0x5a6688.sentAt + "\n        </div>\n  </div>");
};
const alertMessage = _0x5591c8 => {
  if (!_0x5591c8) {
    alertMessageContainer.style.display = "none";
  } else {
    alertMessageContainer.innerText = _0x5591c8;
    alertMessageContainer.style.display = '';
  }
};
socket.emit("join", {
  'id': ticketId
});
socket.on("status", ({
  status: _0x513b5b,
  inQueue: _0x4a8f9f
}) => {
  if (_0x513b5b === "queue") {
    alertMessage("There's currently " + _0x4a8f9f + " people in queue.");
  } else {
    if (_0x513b5b === "active") {
      activeContainer.style.display = '';
    } else if (_0x513b5b === "closed") {
      alertMessage('');
      closedAlert.style.display = '';
      sendButton.setAttribute("disabled", "disabled");
      messageInput.setAttribute("disabled", "disabled");
    }
  }
});
socket.on("typing", ({
  isTyping: _0x49cbcc
}) => {
  typingAlert.style.display = _0x49cbcc ? '' : "none";
});
socket.on("joined", ({
  name: _0x29606f
}) => {
  alertMessage(_0x29606f + " has joined the chat.");
});
messageInput.addEventListener("focus", () => {
  socket.emit("typing", {
    'id': ticketId,
    'isTyping': true
  });
});
messageInput.addEventListener("blur", () => {
  socket.emit("typing", {
    'id': ticketId,
    'isTyping': false
  });
});
sendButton.addEventListener("click", () => {
  socket.emit("message", {
    'id': ticketId,
    'message': messageInput.value
  });
  messageInput.value = '';
});
socket.on("message", _0x57cc44 => {
  addMessage(_0x57cc44);
});

[take1312]

Still no user firstblood

cookie hijacking does not seem to be the way in. Anyone else tried and failed?
Anyone get anything with the SSO in use? maybe someone got the peope.corporate.htb

looks like you can do smth this way
http://corporate.htb/assets/js/analytics...=<Payload>

at least got it to retrieve files but thats it