whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

more details on Lambda

This commit is contained in:
gurkenhabicht 2024-02-25 14:21:35 +01:00
parent 1293a6009b
commit 6982101821
1 changed files with 57 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
Enumeration/AWS.md
View File

@ -530,9 +530,10 @@ table of CIDRs or Managed Prefix Lists.
An attacker may add VPC endpoints to exfiltrate data to S3 buckets under his control. An attacker may add VPC endpoints to exfiltrate data to S3 buckets under his control.
List available endpoints via aws cli. List available vpcs, and endpoints via aws cli.
```sh ```sh
aws ec2 describe-vpcs
aws ec2 describe-vpc-endpoints aws ec2 describe-vpc-endpoints
``` ```
@ -813,7 +814,14 @@ aws s3 sync --no-sign-request s3://<bucket-name> .
#### Check Permissions of a bucket #### Check Permissions of a bucket
Use a `PUT` method to see if the bucket may be writeable to upload a file via Check the Policy of the bucket via aws cli.
```sh
aws s3api get-bucket-policy --bucket <bucketname> --query Policy --output text | jq .
```
Or ghetto style, use a `PUT` method to see if the bucket may be writeable to
upload a file via
```sh ```sh
curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions" curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions"
@ -849,6 +857,12 @@ The ARN of a the function invoked is structured in the following way.
arn:aws:lambda:<region>:<AccountId>:function:<functionName> arn:aws:lambda:<region>:<AccountId>:function:<functionName>
``` ```
List Lambda functions via aws cli.
```sh
aws lambda list-functions | jq .
```
Execute a lambda function via aws cli. Execute a lambda function via aws cli.
```sh ```sh
@ -875,9 +889,9 @@ aws lambda get-function --function-name arn:aws:lambda:<region>:<AccountId>:func
#### Lambda Buildup #### Lambda Buildup
The executed code is frequently stored in a zip file inside an S3 bucket. A The executed code is frequently stored in a zip file inside an S3 bucket. A
file name is set so the handler can execute it. The zip file is queried through file name is set so the handler can execute it, e.g. `function.py`.
the API before a functions execution is triggered. The zip file contains a file The zip file is queried through the API before a functions execution is
name which is called by the handler. triggered. The zip file contains a file name which is called by the handler.
Events can be tested through the web console. Events can be tested through the web console.
@ -903,7 +917,41 @@ usual.
Lambda functions have 500MB of disk space inside the container's /tmp directory Lambda functions have 500MB of disk space inside the container's /tmp directory
or can have an Elastic File System attached (EFS). or can have an Elastic File System attached (EFS).
Lambda has layers for code sharing. These layers can be found under `/opt`.
Lambda functions can be queried through HTTP. The scheme of such a uniquely
identified URL is like the following. The request has to be signed if
authentication is required.
```sh
https://<urlId>.lambda-url.<region>.on.aws
```
#### Lambda Vulnerabilities
Vulnerabilities include
* Missing input validation on the event sent as user input to the Lambda function
* Sensitive data written to stdout and stderr, which is then sent to CloudWatch
* Permissive roles for function execution
* Privilege escalation through access to environment variables `$AWS_ACCESS_KEY_ID`, `$AWS_SECRET_ACCESS_KEY` and `$AWS_SESSION_TOKEN` inside the Lambda container from function execution or from the webc console
* Access to the unencrypted secrets inside environment variables through function execution inside the container
* Use of `lambda:*` instead of `lambda:invokeFunction` as part of a resource policy
* Use of `Principal: *` inside an IAM policy
Check invocation policies of lambda functions via aws cli.
```sh
aws lambda get-policy --query Policy --output text --function-name arn:aws:lambda:<region>:<AccountId>:function:<functionName> | jq .
```
* Modifying Lambda layers through malicious code
* Use the concurrency of Lambda functions as a DoS measurement
* Get the function ZIP file through the URL or the following aws cli line to iinspect the code for sensitive data
```sh
aws lambda get-function --function-name arn:aws:lambda:<region>:<AccountId>:function:<functionName>
```
### CloudFront ### CloudFront
@ -1304,7 +1352,8 @@ aws route53 list-hosted-zones
A subdomain can be useful for regular users and an attacker alike. A subdomain can be useful for regular users and an attacker alike.
Create a file named `create_record.json` containing certificate details from the aws acm desription. Create a file named `create_record.json` containing certificate details from
the aws acm desription.
```json ```json
{ {
@ -1312,10 +1361,10 @@ Create a file named `create_record.json` containing certificate details from the
"Changes": [ "Changes": [
{ {
"Action": "CREATE", "Action": "CREATE",
"ResourceRecordSet": "ResourceRecordSet":
{ {
"Name": "<ResourceRecord/Name>", "Name": "<ResourceRecord/Name>",
"Type": "CNAME", "Type": "CNAME",
"TTL": 300, "TTL": 300,
"ResourceRecords": [ "ResourceRecords": [
{ {