JumpCloud is a Directory as a Service provider providing cloud native Directory service for cloud native companies. In a Red Team engagement or Pentest scenario, one may come across a API token which could have Administrative Privileges. Instead of going through the pain of reading Jumpcloud Documentation, why not use Jumpcloud console natively too! (If you want to see my repo directly, here it is: https://github.com/ahboon/JumpCloud-Proxy)
To view what permissions your current API key has, you can use this curl sample:
curl -i -s -k -X $'GET' \ -H $'Host: console.jumpcloud.com' -H $'X-Api-Key: <apiKey>' -H $'Content-Length: 2' \ --data-binary $'\x0d\x0a' \ $'https://console.jumpcloud.com/api/users/getSelf'
Full list of Admin User Types in Jumpcloud enabled with API key can be seen here: https://support.jumpcloud.com/s/article/JumpCloud-Roles
Next, download the Burp Project Configuration from here: https://raw.githubusercontent.com/ahboon/JumpCloud-Proxy/main/Jumpcloud-Proxy.json
Then follow the steps below:
- Register an account for jumpcloud at: https://console.jumpcloud.com/signup (skip this step if you already have)
- Open burp and load the Jumpcloud-Proxy.json Project Configuration file
- Under "Proxy" > "Proxy Settings" > "Match and replace rules", uncheck all boxes to stop match and replace
- Click on "Open Browser" using Burp's Proxy Browser, and login to your own Jumpcloud account at https://console.jumpcloud.com/login/admin
- Once logged in, go back to Burp. Under "Proxy" > "Proxy Settings" > "Match and replace rules", and check all boxes to enable the match and replace. At the same time, click on the line that says "x-api-key: <Jumpcloud api key>", and replace the "<Jumpcloud api key>" with your desired Jumpcloud API key
- Start using Jumpcloud as though you are the user of the API key!