[HUGE BREAKTHROUGH!] Employee Panel Bypass? #348
Comments
I AM VERY EXCITED LEMME EXPERIMENT |
this may actually be something |
however, it will be hard to forge the requests in-game |
also remember there's a we should use tampermonkey or something to change it to also prodigy is still "temporarily offline" for me and i gtg so i cant do more rn |
alright, we can work on it |
im back kidssss |
also we should totally bruteforce this https://sso.prodigygame.com/employee/login we have a lot of prodigy employee emails |
bruh so the prodigy gives their employees more security on just a basic login screen than they do their actual customers lmfao |
also this domain contains resources for prodigy's customer support: https://cs.prodigygame.com/ maybe bruteforce URLs for something interesting?? |
https://cs.prodigygame.com/index.php doesnt exist so the home is an html file |
ok so when you send prodigy an email to support there's this thing where it says like "Press yes if these links solved your issue and we will close the ticket" "Yes" links to this: https://www.prodigygame.com/actions/resolveZendeskTicket.php?ticketID=923925 the ticket ID is just my "test" ticket but theoretically we could close every ticket on the zendesk by just going up a number each time |
im getting off-topic rn tho ik |
Major breakthrough!!! |
i theoretically just marked like 20 tickets as resolved but no way to tell if it worked |
yep |
Use the dev tools and inspect the data sent when you go to that page, make sure no cookies are sent for verification or anything. |
kk |
I just checked, and nope!! |
absolutely nothing! |
why did you close lmao? misclick? |
Yup. |
brb |
back, and will hasnt been active on github lately so i unassigned him. if he actually comments here i'll re-assign him |
hmm so what if we just find a prodigy employee whose email is in a data breach exposing plain-text passwords (there are quite a few) and like use that to log in to the employee dashboard? |
Possibly? |
ye hmmm |
Found a list of all the help center API endpoints. |
Get all tickets - https://prodigygame.zendesk.com/api/v2/tickets.json |
This endpoint is for agents only |
Here's the entire API documentation for zendesk support pages, https://developer.zendesk.com/rest_api/docs/support/tickets#list-tickets. The API base URL for Prodigy is https://prodigygame.zendesk.com/api/v2/ |
ok that's everything RocketReach lets me search, feel free to plug the emails into HaveIBeenPwned |
I posted a comment, look at it. |
oooh ok |
fuck i just realized i lost my canva combolist and one of the prodigy employees is in that breach |
Nathaniel Groce's Gmail is in a bunch of breaches, which looks pretty useful to me ngl. A lot of the breaches had weak hashing so we might get some passwords from this. Now for the hard part: Finding the breaches. |
YESS HES ON NEOPETS BREACH WHICH EXPOSED PLAIN TEXT PASSWORDS |
oooh he's on wattpad too |
Cracked.to or RaidForums are both good places to look for breach combolists. I suggest using a VPN, though. |
kk so im thinking that if prodigy finds this they'll fix the issues and we're screwed. should we take this to Telegram or something similar? |
https://t.me/joinchat/AAAAAFSe3mFvwKnySnBd2w join then add me as a contact and I'll create a "secret" (aka end-to-end encrypted) group dm for the employee hack |
I'm going to close this, this is just an API endpoint that doesn't give away employee panel access. |
Working on accessing Prodigy employee panel.
Original post:
https://prnt.sc/v6jvlb
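The "Yes" link described in the thread carries only a sequential `ticketID` and, per the comments, no cookie is sent with it. One way a defender could close that gap, as an added example that is not part of the original thread or Prodigy's code: sign the link with an HMAC bound to the ticket and its requester. The key, the `exp` and `sig` parameters and the function names are assumptions.

```python
import hashlib
import hmac
import time

# Assumption: server-side secret, constructed for this example only.
SECRET_KEY = b"constructed-example-key"
LINK_TTL_SECONDS = 7 * 24 * 3600  # assumed link lifetime


def _sign(ticket_id: int, requester_email: str, expires: int) -> str:
    # Bind the signature to the ticket, its requester and the expiry time.
    msg = f"{ticket_id}|{expires}|{requester_email.lower()}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_resolve_params(ticket_id: int, requester_email: str, now=None) -> dict:
    """Query parameters for the "Yes" link placed in the support e-mail."""
    now = int(time.time()) if now is None else now
    expires = now + LINK_TTL_SECONDS
    return {"ticketID": str(ticket_id), "exp": str(expires),
            "sig": _sign(ticket_id, requester_email, expires)}


def verify_resolve_request(params: dict, requester_on_ticket: str, now=None):
    """Return (allowed, reason). requester_on_ticket comes from the ticket
    store, looked up by ticketID, never from the request itself."""
    now = int(time.time()) if now is None else now
    try:
        ticket_id = int(params["ticketID"])
        expires = int(params["exp"])
        sig = str(params["sig"])
    except (KeyError, ValueError, TypeError):
        return False, "malformed"
    expected = _sign(ticket_id, requester_on_ticket, expires)
    # Constant-time comparison; compare bytes so odd input cannot raise.
    if not hmac.compare_digest(expected.encode(), sig.encode("utf-8", "replace")):
        return False, "bad_signature"
    if now > expires:
        return False, "expired"
    return True, "ok"
```

With this check in place, a request whose `ticketID` was changed after the link was issued no longer matches its signature, so the ticket state is left untouched.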