diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 1076b0b..ad0992d 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md @@ -530,9 +530,10 @@ table of CIDRs or Managed Prefix Lists. An attacker may add VPC endpoints to exfiltrate data to S3 buckets under his control. -List available endpoints via aws cli. +List available vpcs, and endpoints via aws cli. ```sh +aws ec2 describe-vpcs aws ec2 describe-vpc-endpoints ``` @@ -813,7 +814,14 @@ aws s3 sync --no-sign-request s3:// . #### Check Permissions of a bucket -Use a `PUT` method to see if the bucket may be writeable to upload a file via +Check the Policy of the bucket via aws cli. + +```sh +aws s3api get-bucket-policy --bucket --query Policy --output text | jq . +``` + +Or ghetto style, use a `PUT` method to see if the bucket may be writeable to +upload a file via ```sh curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions" @@ -849,6 +857,12 @@ The ARN of a the function invoked is structured in the following way. arn:aws:lambda:::function: ``` +List Lambda functions via aws cli. + +```sh +aws lambda list-functions | jq . +``` + Execute a lambda function via aws cli. ```sh @@ -875,9 +889,9 @@ aws lambda get-function --function-name arn:aws:lambda:::func #### Lambda Buildup The executed code is frequently stored in a zip file inside an S3 bucket. A -file name is set so the handler can execute it. The zip file is queried through -the API before a functions execution is triggered. The zip file contains a file -name which is called by the handler. +file name is set so the handler can execute it, e.g. `function.py`. +The zip file is queried through the API before a functions execution is +triggered. The zip file contains a file name which is called by the handler. Events can be tested through the web console. 
@@ -903,7 +917,41 @@ usual. Lambda functions have 500MB of disk space inside the container's /tmp directory or can have an Elastic File System attached (EFS). +Lambda has layers for code sharing. These layers can be found under `/opt`. +Lambda functions can be queried through HTTP. The scheme of such a uniquely +identified URL is like the following. The request has to be signed if +authentication is required. + +```sh +https://.lambda-url..on.aws +``` + +#### Lambda Vulnerabilities + +Vulnerabilities include + +* Missing input validation on the event sent as user input to the Lambda function +* Sensitive data written to stdout and stderr, which is then sent to CloudWatch +* Permissive roles for function execution +* Privilege escalation through access to environment variables `$AWS_ACCESS_KEY_ID`, `$AWS_SECRET_ACCESS_KEY` and `$AWS_SESSION_TOKEN` inside the Lambda container from function execution or from the webc console +* Access to the unencrypted secrets inside environment variables through function execution inside the container +* Use of `lambda:*` instead of `lambda:invokeFunction` as part of a resource policy +* Use of `Principal: *` inside an IAM policy + +Check invocation policies of lambda functions via aws cli. + +```sh +aws lambda get-policy --query Policy --output text --function-name arn:aws:lambda:::function: | jq . +``` + +* Modifying Lambda layers through malicious code +* Use the concurrency of Lambda functions as a DoS measurement +* Get the function ZIP file through the URL or the following aws cli line to iinspect the code for sensitive data + +```sh +aws lambda get-function --function-name arn:aws:lambda:::function: +``` ### CloudFront 
@@ -1304,7 +1352,8 @@ aws route53 list-hosted-zones A subdomain can be useful for regular users and an attacker alike. -Create a file named `create_record.json` containing certificate details from the aws acm desription. +Create a file named `create_record.json` containing certificate details from +the aws acm desription. ```json { @@ -1312,10 +1361,10 @@ Create a file named `create_record.json` containing certificate details from the "Changes": [ { "Action": "CREATE", - "ResourceRecordSet": + "ResourceRecordSet": { "Name": "", - "Type": "CNAME", + "Type": "CNAME", "TTL": 300, "ResourceRecords": [ {
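Review bot: in the first hunk (`-530`), the rewritten lead-in "List available vpcs, and endpoints via aws cli." has a stray comma and a lowercase acronym; suggest "List available VPCs and endpoints via aws cli." Both `describe-vpcs` and `describe-vpc-endpoints` are region-scoped, so a short remark that the listing must be repeated per region (or run with `--region`) would keep the reader from concluding a VPC has no endpoints when it simply lives elsewhere.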
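Review bot: in the `-813` hunk the added `aws s3api get-bucket-policy --bucket --query Policy ...` line has no value after `--bucket`, so it fails as written; a placeholder bucket name belongs after the flag. The prose should also say that reading the policy requires `s3:GetBucketPolicy` on that bucket, so an AccessDenied (or a NoSuchBucketPolicy error when no policy is attached) does not mean the bucket is unwritable: bucket ACLs and identity-based policies can still grant writes, which is exactly why the `PUT` probe that follows remains the complementary check rather than a fallback. Style: "Or ghetto style, use a `PUT` method" reads better as "Or, more crudely, use a `PUT` method".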
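Review bot: in the `-849` hunk, `aws lambda list-functions` returns only the functions of the configured region; the new sentence should say the listing has to be repeated across regions (`--region`), otherwise the inventory this section builds on is incomplete.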
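Review bot: in the `-875` hunk, "a functions execution" should be "a function's execution" (pre-existing, but the line is being rewritten anyway). The `function.py` example is also misleading on its own: Lambda's handler setting names both the module and the entry function, in the form `module.function_name`, so for a constructed `function.py` that defines `handler()` the configured handler is `function.handler`, not the file name. Suggest stating that so the reader knows what to look for in the function configuration.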
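Review bot: in the `-903` hunk the Function URL scheme is a URL, not a command, yet sits in a `sh` fence, and its placeholders have dropped out (the line reads `https://.lambda-url..on.aws` with nothing between the dots); the url-id and region placeholders need restoring and the fence should be plain text. The prose should also say that such a URL exists only when a Function URL has been created for the function, with auth type `NONE` or `AWS_IAM` (the latter being the case where the request must be SigV4-signed), since not every function is reachable over HTTP. Typos in the vulnerability list: "webc console" should be "web console", "iinspect" should be "inspect", and "DoS measurement" should be "DoS vector". Structurally, the `get-policy` block splits the bullet list in two, so the three bullets after it no longer read as items of "Vulnerabilities include"; either move both command blocks after the list or fold each into the bullet it illustrates. Two accuracy points worth a clause each: the credentials in `$AWS_ACCESS_KEY_ID`, `$AWS_SECRET_ACCESS_KEY` and `$AWS_SESSION_TOKEN` are the execution role's temporary credentials, which ties that bullet to the "permissive roles" one above it and makes least-privilege roles the mitigation for both; and `aws lambda get-function` exposes the deployment package as a presigned S3 link in `Code.Location`, which is where the reader should look in its output.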
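Review bot: in the `-1304` hunk the re-wrapped sentence carries the typo "desription" into the new line; since the line is being touched, change it to "description" here.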