The Big IAM Challenge Cloud Security CTF Challenge


Today we take a look at a cloud security CTF, The Big IAM Challenge. It is designed to let white hats identify and exploit IAM misconfigurations drawn from real-life scenarios, in order to better understand IAM-related risks. The competition includes 6 scenarios, each focusing on a common IAM configuration error in a different AWS service.

Challenge address: bigiamchallenge.com

Buckets of Fun

We all know that public buckets are risky. But can you find the flag?

After entering the challenge homepage, the first question is called Buckets of Fun. Click View IAM Policy to start the question.


The first question provides the policy attached to a bucket. Viewing the prompt gives the IAM policy for this level:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",  // Effect is set to Allow
            "Principal": "*",  // Principal is every user ("*")
            "Action": "s3:GetObject",  // read objects
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"  // every object in the S3 bucket
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",  // list the bucket
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
            "Condition": {
                // condition: only objects whose key starts with "files/" may be listed
                "StringLike": {
                    "s3:prefix": "files/*"
                }
            }
        }
    ]
}

This policy allows any user (Principal "*") to read every object in the "thebigiamchallenge-storage-9979f4b" bucket and to list the objects whose key begins with the prefix "files/". It carries the following security risks:

1. Any user may perform the GetObject operation on the specified S3 bucket and retrieve the contents of its objects.

2. Any user may perform the ListBucket operation on the specified S3 bucket and enumerate the objects that match the prefix condition.

In other words, the bucket is publicly listable and publicly readable. Since the bucket name is given in the question and access control on the bucket is weak, we simply list the bucket's objects and then read the object's contents to get the flag:

aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/


This shows that there is a flag1.txt file in the files directory. Since the bucket name is given in the question, we construct the complete object URL: https://thebigiamchallenge-storage-9979f4b.s3.amazonaws.com/files/flag1.txt

Opening this address directly shows the flag value.


Then copy the flag and click Submit.


Google Analytics

We created our own analytics system specifically for this challenge. We think it’s so good that we even used it on this page. What could go wrong?

Join our queue and get the secret flag.

The second question is called Google Analytics. Let’s continue to click View IAM Policy.


Viewing the prompt gives the IAM policy for this level:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "sqs:SendMessage",  // send messages
                "sqs:ReceiveMessage"  // receive messages
            ],
            "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
        }
    ]
}

This IAM policy allows any user to perform the SendMessage and ReceiveMessage operations on a specific SQS queue, i.e. to send and receive messages. It carries the following security risks:

1. The policy grants the permissions to all principals ("*"), which means that any user or role can send and receive messages on the queue.

2. The policy places no condition on who may access the queue (no restriction on users, roles or any other request attribute); every SendMessage and ReceiveMessage call is permitted.
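The two policies seen so far (the bucket policy from Buckets of Fun and the queue policy above) share one defect: an Allow statement whose Principal is "*" and whose Condition does not narrow the caller. The following is an added example, not code from the challenge or from Wiz, showing how a defender can lint policy documents for that pattern before they are deployed. The two policies are copied from this page with the inline comments removed; the hardened queue policy and its role name analytics-producer are constructed for the example.

```python
import json

# Policies copied from the challenge page (the "Buckets of Fun" bucket policy
# and the "Google Analytics" queue policy) with the inline comments removed
# so that they parse as JSON.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
     "Condition": {"StringLike": {"s3:prefix": "files/*"}}}
  ]
}
""")

QUEUE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
     "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"}
  ]
}
""")

# Hardened variant (constructed for this example, not from the challenge):
# the same queue, but only a named role in the owning account may use it.
HARDENED_QUEUE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::092297851374:role/analytics-producer"},
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
     "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"}
  ]
}
""")

# Condition keys that identify the caller. A single-valued operator on one of
# these narrows who can use the statement; a "ForAllValues:" set operator does
# not, because it evaluates to true when the key is absent (anonymous calls).
CALLER_KEYS = {
    "aws:principalarn", "aws:principalaccount", "aws:principalorgid",
    "aws:sourcearn", "aws:sourceaccount", "aws:sourcevpce",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}; both mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _restricts_caller(condition):
    for operator, pairs in condition.items():
        if operator.startswith("ForAllValues:"):
            continue
        if any(key.lower() in CALLER_KEYS for key in pairs):
            return True
    return False


def find_public_statements(policy):
    """Return the Allow statements that any principal, signed or not, can use."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if _restricts_caller(stmt.get("Condition", {})):
            continue
        findings.append({
            "statement": index,
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
        })
    return findings


if __name__ == "__main__":
    for name, policy in [("bucket", BUCKET_POLICY), ("queue", QUEUE_POLICY),
                         ("hardened queue", HARDENED_QUEUE_POLICY)]:
        for f in find_public_statements(policy):
            print(f"{name}: statement {f['statement']} grants {f['actions']} "
                  f"on {f['resources']} to everyone")
```

Run as a script it reports both bucket statements and the single queue statement as public, and nothing for the hardened queue policy. The check is deliberately coarse: it only answers "can an unrestricted caller use this statement", which is the question both challenges turn on.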

SQS (Simple Queue Service) provides reliable message delivery between applications. It acts as a message relay station: a message is sent from one place, stored, and delivered to another for processing, so that applications can communicate and cooperate without being directly connected.

The account ID and queue name are given in the Resource ARN of the policy, so we can construct the queue URL:

https://queue.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2

Finally, use the receive-message operation of the AWS CLI's SQS service, passing the queue URL with the --queue-url parameter:

aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2


Next, open the URL address in the browser to obtain the content of the flag:


Click Submit.


Admin only?

We learned from our mistakes from the past. Now our bucket only allows access to one specific admin user. Or does it?


Question 4 is called "Admin only?". Viewing the prompt gives the IAM policy for this level:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                },
                "ForAllValues:StringLike": {
                    "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
                }
            }
        }
    ]
}

As you can see, this question again concerns S3. The approach is the same as in the first question: find the key of the flag object, then construct the URL to access it.

So the current goal is to obtain the key of the flag. However, the policy shows that this bucket only grants ListBucket to the principal arn:aws:iam::133713371337:user/admin, so the problem to solve now is how to get around this restriction.

Consulting the official documentation, we find the following: for ForAllValues, if the key is not present in the request, or if the key value resolves to an empty data set (such as an empty string), the condition also returns true. Do not use ForAllValues with the Allow effect, because it may be too permissive.

In other words, if aws:PrincipalArn is empty in the request, the condition evaluates to true here, so we can bypass it.

First, we send a normal signed request, in which aws:PrincipalArn is present and carries the identity of the caller.

aws s3api list-objects --bucket thebigiamchallenge-admin-storage-abf1321 --prefix 'files/'


The result is the message An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied, which shows that access is denied. Next, try adding --no-sign-request.

aws s3api list-objects --bucket thebigiamchallenge-admin-storage-abf1321 --prefix 'files/' --no-sign-request


This parameter makes the request anonymous: the CLI skips signing and authenticating the request, so no principal is attached and aws:PrincipalArn is absent from the request context. In some cases this lets you perform operations that do not require verification.

aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files/ --no-sign-request
aws s3 cp s3://thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt /tmp/flag4.txt
cat /tmp/flag4.txt
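To make the ForAllValues behaviour concrete, here is an added example (not code from the challenge or from Wiz) that evaluates the ListBucket condition of the Admin only? policy against three request contexts: the admin signing the request, another identity signing it, and an unsigned request as produced by --no-sign-request. It models the two operators on this page with their documented semantics and also evaluates a hardened condition that uses a single-valued StringLike instead. The hardened condition and the non-admin ARN (account 111111111111) are constructed for the example; the admin ARN and prefix come from the policy above.

```python
from fnmatch import fnmatchcase

# Condition block of the "Admin only?" bucket policy, as shown on the page.
PAGE_CONDITION = {
    "StringLike": {"s3:prefix": "files/*"},
    "ForAllValues:StringLike": {
        "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
    },
}

# Hardened variant (constructed for this example; the challenge does not show
# it): a single-valued StringLike on aws:PrincipalArn, which fails closed when
# the key is absent from the request context.
HARDENED_CONDITION = {
    "StringLike": {
        "s3:prefix": "files/*",
        "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin",
    }
}

# Request contexts. The admin ARN is the one in the policy; the "other" ARN is
# a constructed placeholder for any non-admin identity. An anonymous request
# (what --no-sign-request produces) carries no aws:PrincipalArn at all.
ADMIN_SIGNED = {"s3:prefix": "files/",
                "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"}
OTHER_SIGNED = {"s3:prefix": "files/",
                "aws:PrincipalArn": "arn:aws:iam::111111111111:user/not-admin"}
ANONYMOUS = {"s3:prefix": "files/"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _all_match(values, patterns):
    """Every request value matches at least one policy pattern (* and ? wildcards)."""
    return all(any(fnmatchcase(v, p) for p in patterns) for v in values)


def evaluate_condition(condition, context):
    """Evaluate a Condition block against a request context.

    Models the two operators on this page with their documented semantics:
      StringLike               single-valued; key missing from the request -> False
      ForAllValues:StringLike  set operator;  key missing or empty          -> True
    Every operator/key pair must pass for the condition to hold.
    """
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            patterns = _as_list(patterns)
            values = _as_list(context.get(key, []))
            if operator == "StringLike":
                if len(values) != 1 or not _all_match(values, patterns):
                    return False
            elif operator == "ForAllValues:StringLike":
                # An empty set satisfies "for all values" vacuously; this is
                # exactly what lets the unsigned request through.
                if values and not _all_match(values, patterns):
                    return False
            else:
                raise ValueError(f"operator {operator!r} not modelled here")
    return True


if __name__ == "__main__":
    for label, ctx in [("admin, signed", ADMIN_SIGNED),
                       ("other user, signed", OTHER_SIGNED),
                       ("anonymous (--no-sign-request)", ANONYMOUS)]:
        print(f"{label:30} page policy: {str(evaluate_condition(PAGE_CONDITION, ctx)):5} "
              f"hardened: {evaluate_condition(HARDENED_CONDITION, ctx)}")
```

The page condition admits the admin and the anonymous request but rejects the other signed identity, which is the behaviour observed with and without --no-sign-request above. The hardened condition admits only the admin, because a missing key makes a single-valued operator evaluate to false.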


The flag for this question is:

{wiz:principal-arn-is-not-what-you-think}



Origin blog.csdn.net/qq_64973687/article/details/132078233