Closed ghost closed 3 years ago
I AM VERY EXCITED LEMME EXPERIMENT
this may actually be something
however, it will be hard to forge the requests in-game
also remember /oauth2/userinfo
there's an employee thing
we should use tampermonkey or something to change it to "employee": "true"
also prodigy is still "temporarily offline" for me and i gtg so i cant do more rn
alright, we can work on it
im back kidssss
also we should totally bruteforce this https://sso.prodigygame.com/employee/login
we have a lot of prodigy employee emails
bruh so the penis
captcha thing doesnt work on employee login but it does on student/parent login
prodigy gives their employees more security on just a basic login screen than they do their actual customers lmfao
also this domain contains resources for prodigy's customer support: https://cs.prodigygame.com/
maybe bruteforce URLs for something interesting??
https://cs.prodigygame.com/index.php doesnt exist so the home is an html file
ok so when you send prodigy an email to support there's this thing where it says like "Press yes if these links solved your issue and we will close the ticket"
"Yes" links to this: https://www.prodigygame.com/actions/resolveZendeskTicket.php?ticketID=923925
the ticket ID is just my "test" ticket
but theoretically we could close every ticket on the zendesk by just going up a number each time
im getting off-topic rn tho ik
Major breakthrough!!!
i theoretically just marked like 20 tickets as resolved but no way to tell if it worked
yep
Use the dev tools and inspect the data sent when you go to that page, make sure no cookies are sent for verification or anything.
kk
I just checked, and nope!!
absolutely nothing!
why did you close lmao? misclick?
Yup.
brb
back, and will hasnt been active on github lately so i unassigned him. if he actually comments here i'll re-assign him
hmm so what if we just find a prodigy employee whose email is in a data breach exposing plain-text passwords (there are quite a few) and like use that to login to the employee dashboard?
Possibly?
ye hmmm
Ok so Co-CEO email
a dev
Found a list of all the help center API endpoints.
Get all tickets - https://prodigygame.zendesk.com/api/v2/tickets.json
This endpoint is for agents only
Here's the entire API documentation for zendesk support pages, https://developer.zendesk.com/rest_api/docs/support/tickets#list-tickets. The API base URL for Prodigy is https://prodigygame.zendesk.com/api/v2/
More devs
ok that's everything RocketReach lets me search, feel free to plug the emails into HaveIBeenPwned
I posted a comment, look at it.
oooh ok
fuck i just realized i lost my canva combolist and one of the prodigy employees is in that breach
Nathaniel Groce's Gmail is in a bunch of breaches, which looks pretty useful to me ngl. A lot of the breaches had weak hashing so we might get some passwords from this. Now for the hard part: Finding the breaches.
YESS HES ON NEOPETS BREACH WHICH EXPOSED PLAIN TEXT PASSWORDS
oooh he's on wattpad too
Cracked.to or RaidForums are both good places to look for breach combolists. I suggest using a VPN, though.
kk so im thinking that if prodigy finds this they'll fix the issues and we're screwed. should we take this to Telegram or something similar?
https://t.me/joinchat/AAAAAFSe3mFvwKnySnBd2w join then add me as a contact and I'll create a "secret" (aka end-to-end encrypted) group dm for the employee hack
I'm going to close this, this is just an API endpoint that doesn't give away employee panel access.
Working on accessing Prodigy employee panel.
Original post:
https://prnt.sc/v6jvlb