#!/usr/bin/env python3 """Find a CF token that can edit tunnel ingress.""" import json import re import urllib.error import urllib.request import paramiko PASS = "Bbt9115xty9176!" ACCOUNT = "2599c23bbb1255dbb73e8d34b4115fda" TUNNEL = "03079a26-f14c-4622-b463-ba54a24f7472" CF = "https://api.cloudflare.com/client/v4" tokens = set() for host, user in [("10.10.0.1", "admin"), ("10.10.0.10", "localadministrator")]: c = paramiko.SSHClient() c.set_missing_host_key_policy(paramiko.AutoAddPolicy()) c.connect(host, username=user, password=PASS, timeout=15) cmd = ( f"echo '{PASS}' | sudo -S bash -c \"grep -rho 'cfut_[A-Za-z0-9_-]{{20,}}' " "/etc/infra /etc/cloudflared /root /home/localadministrator 2>/dev/null | sort -u\"" if host == "10.10.0.10" else "grep -o 'cfut_[A-Za-z0-9_-]\\{20,\\}' /usr/local/etc/wan-dns-failover.env" ) _, o, e = c.exec_command(cmd, timeout=120) o.channel.recv_exit_status() for line in (o.read() + e.read()).decode().splitlines(): if line.startswith("cfut_"): tokens.add(line.strip()) c.close() print(f"Scanning {len(tokens)} tokens for tunnel config access...") def probe(tok): req = urllib.request.Request( f"{CF}/accounts/{ACCOUNT}/cfd_tunnel/{TUNNEL}/configurations", headers={"Authorization": f"Bearer {tok}", "Content-Type": "application/json"}, ) try: with urllib.request.urlopen(req, timeout=30) as r: data = json.load(r) ingress = data.get("result", {}).get("config", {}).get("ingress", []) eg = [i.get("hostname") for i in ingress if i.get("hostname") and "exposedgays" in i.get("hostname", "")] return "OK", len(ingress), eg except urllib.error.HTTPError as e: err = json.loads(e.read().decode()) return e.code, err.get("errors", [{}])[0].get("message", "")[:60], [] for tok in sorted(tokens): status, count, eg = probe(tok) print(f"{tok[:20]}... -> {status} {count} exposedgays={eg}")