
MFA Bypassing Concept

user1@debian:~$ su
Password:
root@debian:/home/user1# curl -u example@gmail.com:example --silent "https://mail.google.com/mail/feed/atom" | tr -d '\n' | awk -F '<entry>' '{for (i=2; i<=NF; i++) {print $i}}' | sed -n "s/<title>(.*)<\/title><name>(.*)<\/name>/\2 - \1/p"
sed: -e expression #1, char 50: invalid reference \2 on `s’ command’s RHS
root@debian:/home/user1# curl -u example@gmail.com:example --silent "https://mail.google.com/mail/feed/atom"
<HTML>
<HEAD>
<TITLE>Unauthorized</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Unauthorized</H1>
<H2>Error 401</H2>
</BODY>
</HTML>
root@debian:/home/user1# curl -u example@gmail.com:example --silent https://mail.google.com/mail/feed/atom
<HTML>
<HEAD>
<TITLE>Unauthorized</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Unauthorized</H1>
<H2>Error 401</H2>
</BODY>
</HTML>
root@debian:/home/user1# curl -u example@example:undapants --silent https://mail.google.com/mail/feed/
<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="https://accounts.google.com/ServiceLogin?service=mail&amp;passive=true&amp;rm=false&amp;continue=https://mail.google.com/mail/feed/&amp;ss=1&amp;scc=1&amp;ltmpl=default&amp;ltmplcache=2&amp;emr=1&amp;osid=1#">here</A>.
</BODY>
</HTML>
root@debian:/home/user1# curl -u freshman@gmail.com:undapants --silent https://accounts.google.com/ServiceLogin?service=mail&amp;passive=true&amp;rm=false&amp;continue=https://mail.google.com/mail/feed/&amp;ss=1&amp;scc=1&amp;ltmpl=default&amp;ltmplcache=2&amp;emr=1&amp;osid=1#
[1] 825564
bash: amp: command not found
[2] 825566
bash: amp: command not found
[2]+ Done passive=true
[2] 825568
bash: amp: command not found
[2]+ Done rm=false
[2] 825570
bash: amp: command not found
[2]+ Done continue=https://mail.google.com/mail/feed/
[2] 825572
bash: amp: command not found
[2]+ Done ss=1
[2] 825574
bash: amp: command not found
[2]+ Done scc=1
[2] 825576
bash: amp: command not found
[2]+ Done ltmpl=default
[2] 825578
bash: amp: command not found
[2]+ Done ltmplcache=2
[2] 825580
bash: amp: command not found
[2]+ Done emr=1
root@debian:/home/user1# curl -i -v -ssl -u example@gmail.com:example --silent https://accounts.google.com/ServiceLogin?service=mail&amp;passive=true&amp;rm=false&amp;continue=https://mail.google.com/mail/feed/&amp;ss=1&amp;scc=1&amp;ltmpl=default&amp;ltmplcache=2&amp;emr=1&amp;osid=1#
[2] 825587
bash: amp: command not found
[1] Done curl -u example@gmail.com:example --silent https://accounts.google.com/ServiceLogin?service=mail
[3] 825589
bash: amp: command not found
[3]+ Done passive=true
[3] 825591
bash: amp: command not found
[3]+ Done rm=false
[3] 825593
bash: amp: command not found
[3]+ Done continue=https://mail.google.com/mail/feed/
[3] 825595
bash: amp: command not found
[3]+ Done ss=1
[3] 825597
bash: amp: command not found
[3]+ Done scc=1
[3] 825599
bash: amp: command not found
[3]+ Done ltmpl=default
[3] 825601
bash: amp: command not found
[3]+ Done ltmplcache=2
[3] 825603
bash: amp: command not found
[3]+ Done emr=1
root@debian:/home/user1# * Trying 142.250.72.77:443…
* Connected to accounts.google.com (142.250.72.77) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: CN=accounts.google.com
* start date: Sep 4 08:23:30 2023 GMT
* expire date: Nov 27 08:23:29 2023 GMT
* subjectAltName: host "accounts.google.com" matched cert's "accounts.google.com"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* using HTTP/2
* Server auth using Basic with user 'example@gmail.com'
* h2h3 [:method: GET]
* h2h3 [:path: /ServiceLogin?service=mail]
* h2h3 [:scheme: https]
* h2h3 [:authority: accounts.google.com]
* h2h3 [authorization: Basic ZnJlc2htYW5AZ21haWwuY29tOnVuZGFwYW50cw==]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55f73de37c70)
> GET /ServiceLogin?service=mail HTTP/2
> Host: accounts.google.com
> authorization: Basic ZnJlc2htYW5AZ21haWwuY29tOnVuZGFwYW50cw==
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 302
HTTP/2 302
< content-type: application/binary
content-type: application/binary
< set-cookie: __Host-GAPS=1:Z3fLCxfkEmjuPXI8F-CK20y8ycdjcg:LoXy2KybckPHeIni; Expires=Fri, 26-Sep-2025 18:01:41 GMT; Path=/; Secure; HttpOnly; Priority=HIGH
set-cookie: __Host-GAPS=1:Z3fLCxfkEmjuPXI8F-CK20y8ycdjcg:LoXy2KybckPHeIni; Expires=Fri, 26-Sep-2025 18:01:41 GMT; Path=/; Secure; HttpOnly; Priority=HIGH
< cache-control: no-cache, no-store, max-age=0, must-revalidate
cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
pragma: no-cache
< expires: Mon, 01 Jan 1990 00:00:00 GMT
expires: Mon, 01 Jan 1990 00:00:00 GMT
< date: Wed, 27 Sep 2023 18:01:41 GMT
date: Wed, 27 Sep 2023 18:01:41 GMT
< location: https://accounts.google.com/InteractiveLogin?service=mail&ifkv=AYZoVhfrI-5oinE37-DbgrLiPWAjxu9irLqSXzqK0oXsLhOeNi0xIzmZ4BBAfinE0onPpw10pcHi
location: https://accounts.google.com/InteractiveLogin?service=mail&ifkv=AYZoVhfrI-5oinE37-DbgrLiPWAjxu9irLqSXzqK0oXsLhOeNi0xIzmZ4BBAfinE0onPpw10pcHi
< strict-transport-security: max-age=31536000; includeSubDomains
strict-transport-security: max-age=31536000; includeSubDomains
< cross-origin-opener-policy: unsafe-none
cross-origin-opener-policy: unsafe-none
< content-security-policy: require-trusted-types-for 'script';report-uri /_/AccountsSigninPassiveLoginHttp/cspreport
content-security-policy: require-trusted-types-for 'script';report-uri /_/AccountsSigninPassiveLoginHttp/cspreport
< content-security-policy: script-src 'nonce-drIOHeYa5xCTVdGvXPH-aw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsSigninPassiveLoginHttp/cspreport;worker-src 'self'
content-security-policy: script-src 'nonce-drIOHeYa5xCTVdGvXPH-aw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsSigninPassiveLoginHttp/cspreport;worker-src 'self'
< accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
< cross-origin-resource-policy: cross-origin
cross-origin-resource-policy: cross-origin
< permissions-policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
permissions-policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
< server: ESF
server: ESF
< content-length: 0
content-length: 0
< x-xss-protection: 0
x-xss-protection: 0
< x-content-type-options: nosniff
x-content-type-options: nosniff
< alt-svc: h3=”:443"; ma=2592000,h3–29=”:443"; ma=2592000
alt-svc: h3=”:443"; ma=2592000,h3–29=”:443"; ma=2592000

<
* Connection #0 to host accounts.google.com left intact
