Hinson's blog

𝕰𝖝𝖈𝖊𝖑𝖑𝖊𝖓𝖈𝖊 𝖎𝖓 𝖈𝖑𝖔𝖚𝖉 𝖆𝖗𝖈𝖍𝖎𝖙𝖊𝖈𝖙𝖚𝖗𝖊 𝖆𝖓𝖉 𝖘𝖊𝖈𝖚𝖗𝖎𝖙𝖞 𝖉𝖔𝖒𝖆𝖎𝖓𝖘 𝖎𝖘 𝖙𝖍𝖊 𝖊𝖙𝖊𝖗𝖓𝖆𝖑 𝖕𝖚𝖗𝖘𝖚𝖎𝖙 𝖔𝖋 𝖒𝖞 𝖕𝖗𝖔𝖋𝖊𝖘𝖘𝖎𝖔𝖓𝖆𝖑 𝖌𝖗𝖔𝖜𝖙𝖍

Capture the Flag: The Big IAM Challenge 2


This series of posts captures the footprints of my journey to Capture The Flag on The Big IAM Challenge – Round 2.


According to the IAM policy above, the policy applied to the SQS queue is very permissive in terms of the principal ("Principal": "*") allowed to perform actions on the queue.
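A defensive check for the misconfiguration described above, as an added example that is not part of the original post: it scans an SQS resource policy for Allow statements granted to any principal without a condition that scopes the caller. The function names, the list of scoping condition keys and the sample policy are assumptions constructed for illustration.

```python
import json

# Condition keys that pin a wildcard principal to a known caller or source.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourcevpce",
                "aws:principalorgid", "aws:principalarn", "aws:principalaccount"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard(principal):
    """True for "Principal": "*" and for {"AWS": "*"} or {"AWS": ["*", ...]}."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in as_list(aws)

def is_scoped(condition):
    """True if a positive condition test restricts who the caller can be."""
    for operator, tests in (condition or {}).items():
        op = operator.lower()
        if "not" in op or op == "null" or op.endswith("ifexists"):
            continue  # negated, Null and IfExists tests do not pin the caller
        if any(key.lower() in SCOPING_KEYS for key in tests):
            return True
    return False

def open_statements(policy_json):
    """Return (sid, actions) for every Allow statement usable by any principal."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement", []))):
        if (stmt.get("Effect") == "Allow" and is_wildcard(stmt.get("Principal"))
                and not is_scoped(stmt.get("Condition"))):
            findings.append((stmt.get("Sid", f"statement[{i}]"),
                             as_list(stmt.get("Action", []))))
    return findings

# Constructed sample policy (account ID, names and ARNs are placeholders).
ARN = "arn:aws:sqs:us-east-1:111122223333:example-queue"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenToAnyone", "Effect": "Allow", "Principal": "*",
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"], "Resource": ARN},
    {"Sid": "OnlyFromTopic", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "sqs:SendMessage", "Resource": ARN, "Condition": {"ArnEquals": {
         "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:example-topic"}}},
    {"Sid": "NamedRole", "Effect": "Allow", "Action": "sqs:*", "Resource": ARN,
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-role"}},
]})

if __name__ == "__main__":
    for sid, actions in open_statements(SAMPLE_POLICY):
        print(f"{sid}: any principal may call {', '.join(actions)}")
```

To audit a real queue, pass in the Policy attribute returned by aws sqs get-queue-attributes with --attribute-names Policy.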

Upon checking the page source code, I find the script below.

This script uses AWS Cognito to initialize temporary authenticated access to AWS SQS, and the script exposes the identity pool ID used to authenticate.

Hence, I can use the AWS CLI command aws cognito-identity get-id --identity-pool-id "us-east-1:c6f3eb2e-3cb5-404e-93bc-f0bdf7ad042e" to retrieve the Cognito identity ID.



The next step is to use this identity ID to retrieve temporary AWS credentials with the command aws cognito-identity get-credentials-for-identity --identity-id "<cognito-identity-id>".


With the access credentials retrieved, I am trying to add them to an AWS profile, but it seems this website does not provide a way to add credentials to the AWS configuration.

Instead, I export those credentials as Linux environment variables.


I tried to write a message “Hinson captures the FLAG!” to the SQS queue and it seems to be working!


Next, I try to receive any messages from SQS, to see if I am presented with the flag, using the command "aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2 --region us-east-1".

I can see there is a URL presented, and I can see the flag presented on the page.

Happily cracked the second challenge!
