How I was able to chain bugs and gain access to an internal Okta instance

Hello all,

This writeup is about how I was able to chain some bugs to gain access into a private company's internal Okta.

The story begins with searching on Shodan, where I found a hostname of something called "sudo". However, when I clicked on it I was redirected to Okta, so nothing to do here, right?! The hostname was `sudo-test-classic-.....amazonaws.com`.

I did another round of recon with Censys and found the IP 18.208.x.x. This IP allowed me to get directly into the sudo web page (sudo allows an admin to control Slack: invite users, deactivate users, etc.).
</gre_replace>
<gr_replace lines="11-13" cat="clarify" orig="• what can">
  • What can I do without admin access here? Running dirsearch with my wordlist, I found the endpoint `/slack/invite`.
  • The response of this endpoint gives the Slack channel name.
  • I made a request.

  • what can i do without admin access here? making a dirsearch using my word list i found endpoint /slack/invite
  • the response of this endpoint give the slack Chanel name
  • i made request

I got a 500 Internal Server Error response. However, when I went back to my email, I had received an invitation to their Slack.
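The pattern above (an origin reachable by raw IP that serves an admin route without the Okta redirect ever happening) leaves a clear trace in web-server access logs. The following is an added example, not code from the original post or the affected company: it flags such requests in a constructed vhost-style log. The hostname, IPs, log format and admin route list are assumptions made for illustration.

```python
# Added example (not from the original post): detect requests that reached the
# origin by raw IP (bypassing the SSO-fronted hostname) and, in particular,
# ones that touched admin routes such as /slack/invite.
import ipaddress
import re

# Routes that should only ever be reachable behind an authenticated admin session.
ADMIN_ROUTES = ("/slack/invite", "/slack/deactivate", "/slack/convert")
# The SSO-fronted hostname (placeholder; the real one is elided in the writeup).
SSO_HOSTS = {"sudo-test-classic.example.amazonaws.com"}

# Constructed log lines: "<vhost> <client> - - [<ts>] \"<method> <path> <proto>\" <status>"
LOG = """\
sudo-test-classic.example.amazonaws.com 203.0.113.5 - - [15/Dec/2023:10:00:00 +0000] "GET / HTTP/1.1" 302
192.0.2.10 203.0.113.5 - - [15/Dec/2023:10:01:00 +0000] "GET / HTTP/1.1" 200
192.0.2.10 203.0.113.5 - - [15/Dec/2023:10:02:00 +0000] "GET /slack/invite HTTP/1.1" 500
sudo-test-classic.example.amazonaws.com 198.51.100.7 - - [15/Dec/2023:10:03:00 +0000] "POST /slack/invite HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_raw_ip(host: str) -> bool:
    """True when the Host/vhost value is a bare IP rather than a DNS name."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0].strip("[]"))
        return True
    except ValueError:
        return False


def find_sso_bypass(log_text: str) -> list:
    """Return every request that hit the origin on a raw-IP vhost.

    Each hit records whether the path is an admin route, which is the
    high-severity case: the SSO redirect on the hostname never applied.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["vhost"] in SSO_HOSTS or not is_raw_ip(m["vhost"]):
            continue  # malformed, or it went through the SSO-fronted name
        path = m["path"].split("?", 1)[0]
        hits.append({
            "client": m["client"],
            "path": path,
            "status": int(m["status"]),
            "admin_route": path.startswith(ADMIN_ROUTES),
        })
    return hits
```

Any hit here means the origin is answering without the SSO front door; the fix is to enforce the Okta session at the origin itself (and reject unknown Host values), not only at the redirecting hostname.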

Opening the Slack workspace, I found their Okta credentials in the chat.

Going back to Okta, I gained access to their Okta.

Done? No, let's go back to the sudo page: after logging in through Okta we are admin now and can convert/deactivate anyone in Slack.

Impact

  1. Allows an attacker to access a Slack dev channel
  2. Allows an attacker to access Okta
  3. Allows an attacker to convert/deactivate anyone in Slack

Timeline

Reported on 15 Dec

Rewarded as critical on 19 Dec

Closed as resolved on 20 Dec

Thanks