The challenge URL:

The Big IAM Challenge

The Big IAM Challenge is a set of 6 challenges created by wiz.io for AWS re:Inforce 2023.

Challenge 1 (Buckets of Fun)

First, we view the bucket policy to see what permissions we have:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::thebigiamchallenge-storage-9979f4b",
      "Condition": {
        "StringLike": {
          "s3:prefix": "files/*"
        }
      }
    }
  ]
}

Both statements apply to any principal ("Principal": "*"). The second statement lets us list objects in the bucket, but only under the prefix files/*, and the first lets us get any object in the bucket.

aws s3api list-objects --bucket thebigiamchallenge-storage-9979f4b --prefix files

From the output we can see there are two files: logo.png and flag1.txt.

aws s3api get-object --bucket thebigiamchallenge-storage-9979f4b --key files/flag1.txt flag1.txt

cat flag1.txt
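
As an added example (not part of the original writeup or of the challenge itself), this Python sketch audits the policy above from the bucket owner's side: it reports each Allow statement open to any principal and checks which ListBucket prefixes the StringLike condition admits. The function names are made up for this example, and it models only "Principal": "*", a single string-valued StringLike s3:prefix condition, and no Deny statements.

```python
import re

# Bucket policy from the challenge, as shown above (embedded to run offline).
BUCKET = "arn:aws:s3:::thebigiamchallenge-storage-9979f4b"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": BUCKET + "/*"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": "files/*"}}},
]}

def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' = any run of chars, '?' = one char."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def is_anonymous(principal):
    """True for "Principal": "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if isinstance(principal, str):
        principal = [principal]
    return "*" in principal

def audit(policy):
    """Return one finding per Allow statement that any caller can use."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal", [])):
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        cond = st.get("Condition", {})
        findings.append({
            "actions": actions,
            "resource": st["Resource"],
            # No Condition block means nothing narrows the public grant.
            "unconditional": not cond,
            "prefix_filter": cond.get("StringLike", {}).get("s3:prefix"),
        })
    return findings

def can_list(policy, prefix):
    """Would an anonymous ListBucket request with this prefix be allowed?"""
    for f in audit(policy):
        if "s3:ListBucket" not in f["actions"]:
            continue
        pat = f["prefix_filter"]
        if f["unconditional"] or (pat is not None and string_like(pat, prefix)):
            return True
    return False
```

Here the audit flags s3:GetObject on every key as public with no condition, so the prefix restriction on listing hides object names outside files/ but does not protect their contents from a caller who knows or guesses a key.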