2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how a Lambda function can be used to attack and test an AWS account. The content is of high quality, so the editor is sharing it for your reference. I hope you will come away with a better understanding of the relevant knowledge after reading it.
Preface
On August 3, 2018, I received a mysterious LinkedIn message from Caleb Sima, which read as follows:
I have to admit, I didn't realize what Caleb was trying to say to me at first, but after looking at the URL (which included "Lambda" and "Shell"), I felt he was telling me that he had developed a technique for executing shell commands through a Lambda function. I had seen something like this before, such as Lambdash. A few seconds later I clicked through to take a look at the web page, and found:
After reading this, I first had to figure out Caleb's motive, so I sent him a message:
Well, Caleb was going to let someone else attack his AWS account through the Lambda function and end up running shell commands. It sounded worth a try; after all, it is rare for anyone to hand their account over to others to "ravage" for free, which made me very excited!
Step 1: gather intelligence
First, I ran the "ls -lF" command in the current directory (/var/task) to find the file name of the function handler:
After getting the file name (index.js), I obtained the function's source code by running the "cat index.js" command:
In fact, the original source code didn't surprise me, because it is a typical piece of code that uses a Lambda function to execute shell commands, and I had seen a lot of similar code before.
I said to myself, "Well, I can run shell commands now, but then what? How can I pose a real threat to this account?"
So I set out to collect more information. I listed all the environment variables to see whether Caleb had left anything useful there; the 'env' command does this:
Step 2: impersonate the Lambda function
Going through the environment variables, I found that when an AWS Lambda function executes, it runs with temporary security credentials for the IAM role the developer assigned to it (the execution role). The runtime receives the following three values from AWS STS (Security Token Service):
AWS_SECRET_ACCESS_KEY
AWS_ACCESS_KEY_ID
AWS_SESSION_TOKEN
These are three very sensitive values, and they were printed directly on my screen as environment variables.
If you are not familiar with the AWS IAM security model: it is a very powerful and fine-grained permission model. For a detailed description of the model, please refer to the IAM roles documentation provided by AWS: [portal].
With the credentials that AWS STS generated for the function in hand, the rest is easy: I can use them directly with the AWS command line interface on my local machine. To do this, I set the same environment variables locally with the following commands:
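The three STS variables above leak the moment anything echoes the process environment: a debug endpoint, a stack trace, a log line. The following added example (not code from the article or from Caleb's challenge) shows a defensive pattern: mask the runtime credentials before an environment dump is logged or returned, and check an outgoing body for raw credential values. The variable names match what the article shows; the sample values, the extra name heuristic and the `keep` prefix length are assumptions.

```python
"""Redact Lambda runtime credentials from anything about to be logged or
returned, and detect raw credential values in outgoing text.
Added example; not part of the original article."""
import re
from typing import Dict, List

# Variables the article shows the Lambda runtime populating from AWS STS.
SENSITIVE_ENV = {
    "AWS_SECRET_ACCESS_KEY",
    "AWS_ACCESS_KEY_ID",
    "AWS_SESSION_TOKEN",
}

# Extra heuristic (assumption: a naming convention, not an AWS rule): any
# variable whose name suggests a secret is masked as well.
SENSITIVE_NAME_RE = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY)", re.IGNORECASE
)


def mask(value: str, keep: int = 4) -> str:
    """Keep a short prefix so an analyst can still correlate, hide the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def redact_environment(env: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of env that is safe to log or hand back to a caller."""
    out: Dict[str, str] = {}
    for name, value in env.items():
        if name in SENSITIVE_ENV or SENSITIVE_NAME_RE.search(name):
            out[name] = mask(value)
        else:
            out[name] = value
    return out


def leaked_credentials(text: str, env: Dict[str, str]) -> List[str]:
    """Names of runtime credentials whose raw value appears in text, e.g. a
    response body or log line that is about to be emitted."""
    hits = []
    for name in SENSITIVE_ENV:
        value = env.get(name)
        if value and value in text:
            hits.append(name)
    return sorted(hits)


# Constructed sample environment shaped like a Lambda runtime's; the
# credential values are fake placeholders.
SAMPLE_ENV = {
    "AWS_REGION": "us-east-1",
    "AWS_LAMBDA_FUNCTION_NAME": "shell-demo",
    "AWS_ACCESS_KEY_ID": "ASIAEXAMPLEKEYID0001",
    "AWS_SECRET_ACCESS_KEY": "exampleSecretKeyValue000000000000000000",
    "AWS_SESSION_TOKEN": "exampleSessionTokenValueXXXXXXXXXXXXXXXXXXXX",
    "DB_PASSWORD": "hunter2hunter2",
}

if __name__ == "__main__":
    # What a safe "env" dump looks like.
    for k, v in redact_environment(SAMPLE_ENV).items():
        print(f"{k}={v}")
    # What an unsafe dump would have leaked.
    unsafe_body = " ".join(f"{k}={v}" for k, v in SAMPLE_ENV.items())
    print("leaked:", leaked_credentials(unsafe_body, SAMPLE_ENV))
```

`redact_environment` is what a debug handler should call instead of dumping `os.environ`; `leaked_credentials` is the last-line check a logging filter or response middleware can run before anything leaves the function.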
/ > export AWS_SECRET_ACCESS_KEY=…
/ > export AWS_ACCESS_KEY_ID=…
/ > export AWS_SESSION_TOKEN=…
To test these credentials, I called the AWS STS command line utility to obtain the current caller identity:
/ > aws sts get-caller-identity
After a few seconds, the command line tool returned the following information:
{
  "UserId": "AROA*GL4SXW:exec",
  "Account": "123200446",
  "Arn": "arn:aws:sts::1232*446:assumed-role/lambda_basic_execution/exec"
}
Very good: now I can run the AWS command line tool locally, acting as the function's IAM role.
Looking at the AWS Lambda web console, you see:
As you can see, Caleb hadn't actually stored any application secrets in the environment variables, which "annoyed" me. But I have to point out that many developers do make exactly this mistake, and that is the cautionary point here.
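The step just shown, an execution role's session credentials being used from a laptop, is visible in CloudTrail: the caller is an assumed-role session of a Lambda execution role, but the source address and user agent are not those of a function. The following added example (not code from the article) runs that detection over constructed CloudTrail-style records. Assumptions: execution roles are recognised by name (here `lambda_basic_execution`, the role name from the article's output), the function's expected egress range is a made-up CIDR standing in for the account's own VPC egress, and a non-IP `sourceIPAddress` is treated as an AWS service principal rather than flagged. The account id and all field values are placeholders.

```python
"""Flag CloudTrail events in which a Lambda execution role's temporary
credentials are used from outside the function's expected network origin.
Added example; not part of the original article."""
import ipaddress
from typing import Dict, List, Optional

# Assumption: roles that only the Lambda service should ever assume.
LAMBDA_EXECUTION_ROLES = {"lambda_basic_execution"}

# Assumption (constructed): address ranges the account's functions egress from.
EXPECTED_EGRESS = [ipaddress.ip_network("10.42.0.0/16")]

# Constructed sample records shaped like CloudTrail events; the account id
# 111122223333 and all addresses are placeholders.
SAMPLE_EVENTS: List[Dict] = [
    {   # Execution-role credentials driven from an operator's CLI, as in the article.
        "eventName": "GetCallerIdentity",
        "eventSource": "sts.amazonaws.com",
        "sourceIPAddress": "203.0.113.7",
        "userAgent": "aws-cli/2.13.0 Python/3.11.4 Darwin/22.5.0",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/lambda_basic_execution/exec",
        },
    },
    {   # Same role used by the function itself from its usual egress range.
        "eventName": "PutObject",
        "eventSource": "s3.amazonaws.com",
        "sourceIPAddress": "10.42.7.19",
        "userAgent": "aws-sdk-nodejs/2.1400.0 linux/v18.16.0",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/lambda_basic_execution/shell-demo",
        },
    },
    {   # An IAM user from an unknown address: not an execution role, so ignored here.
        "eventName": "ListBuckets",
        "eventSource": "s3.amazonaws.com",
        "sourceIPAddress": "198.51.100.20",
        "userAgent": "aws-cli/2.13.0",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
]


def role_name(event: Dict) -> Optional[str]:
    """Role behind an assumed-role session, parsed from
    arn:aws:sts::<account>:assumed-role/<role>/<session>; None otherwise."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    parts = ident.get("arn", "").split("/")
    return parts[1] if len(parts) == 3 else None


def from_expected_egress(source: str) -> bool:
    """True if the source is inside the expected ranges. A non-IP value
    (e.g. an AWS service principal name) is treated as service-originated."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in EXPECTED_EGRESS)


def suspicious_sessions(events: List[Dict]) -> List[Dict]:
    """Execution-role sessions seen from an unexpected origin or with an
    interactive CLI user agent, each with the reasons it was flagged."""
    findings = []
    for ev in events:
        role = role_name(ev)
        if role not in LAMBDA_EXECUTION_ROLES:
            continue
        reasons = []
        source = ev.get("sourceIPAddress", "")
        if not from_expected_egress(source):
            reasons.append(f"source {source} outside expected egress")
        if ev.get("userAgent", "").startswith("aws-cli/"):
            reasons.append("interactive CLI user agent on an execution role")
        if reasons:
            findings.append({"eventName": ev["eventName"], "role": role, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_sessions(SAMPLE_EVENTS):
        print(f["eventName"], f["role"], "; ".join(f["reasons"]))
```

Both signals are heuristics; a real rule would take the role inventory and egress ranges from the account's own configuration, and the mitigation that removes the need for the rule is the one the article hints at: keep nothing in the function that an attacker with shell access could turn into lasting access, and scope the execution role to the least privilege the function needs.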
That concludes the walkthrough of using a Lambda function to attack and test an AWS account. I hope the above content is of some help to you and that you learned something from it. If you think the article is good, please share it so more people can see it.