AWS - Lambda Enum
Amazon Web Services (AWS) Lambda is described as a compute service that enables the execution of code without the necessity for server provision or management. It is characterized by its ability to automatically handle resource allocation needed for code execution, ensuring features like high availability, scalability, and security. A significant aspect of Lambda is its pricing model, where charges are based solely on the compute time utilized, eliminating the need for initial investments or long-term obligations.
A Lambda can be invoked in several ways: on a schedule, as often as you want (via CloudWatch), through an exposed URL endpoint, through API Gateway, or in response to events such as changes to data in an S3 bucket or updates to a DynamoDB table.
The code of a Lambda is stored in /var/task.
A Lambda can have several versions, and more than one version can be exposed through an alias. The weight assigned to each version inside an alias decides which version receives a given invocation (for example 90%-10%). If the code of one of the versions behind an alias is vulnerable, you can keep sending requests until the vulnerable version receives the exploit.
Lambda resource policies allow other services or accounts to be granted access to invoke the Lambda. For example, this is the policy to allow anyone to access a Lambda exposed via URL:
Or this to allow an API Gateway to invoke it:
When there are hundreds of concurrent Lambda requests and each of them needs to open and close a connection to a database, it's just not going to work (Lambdas are stateless and cannot keep connections open). Instead, your Lambda functions can interact with RDS Proxy rather than with the database instance directly. RDS Proxy handles the connection pooling needed to scale the many simultaneous connections created by concurrent Lambda functions, so your Lambda applications reuse existing connections rather than creating a new one for every function invocation.
To preserve and even share data, Lambdas can mount EFS file systems and read from and write to them.
A Lambda layer is a .zip file archive that can contain additional code or other content. A layer can contain libraries, a custom runtime, data, or configuration files.
It's possible to include up to five layers per function. When you include a layer in a function, the contents are extracted to the /opt directory in the execution environment.
By default, the layers that you create are private to your AWS account. You can choose to share a layer with other accounts or to make the layer public. If your functions consume a layer that a different account published, your functions can continue to use the layer version after it has been deleted, or after your permission to access the layer is revoked. However, you cannot create a new function or update functions using a deleted layer version.
Functions deployed as a container image do not use layers. Instead, you package your preferred runtime, libraries, and other dependencies into the container image when you build the image.
Lambda extensions enhance functions by integrating with various monitoring, observability, security, and governance tools. These extensions, added via .zip archives using Lambda layers or included in container image deployments, operate in two modes: internal and external.
Internal extensions merge with the runtime process, manipulating its startup using language-specific environment variables and wrapper scripts. This customization applies to a range of runtimes, including Java Corretto 8 and 11, Node.js 10 and 12, and .NET Core 3.1.
External extensions run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1, and custom runtimes.
Now it's time to find out which Lambda functions can be executed:
A Lambda function called "Level6" is available. Let's find out how to call it:
Now that you know the name and the ID, you can get the stage name:
And finally call the function by accessing the URL (notice that the ID, the stage name and the function name all appear in it): https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
URL format:
https://<rest-api-id>.execute-api.<region>.amazonaws.com/<stageName>/<funcName>
There are a lot of other sources that can trigger a Lambda.
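The two exposure paths above (a resource policy that lets anyone invoke a function URL, and an API Gateway resource policy that maps to the URL format just shown) can be reviewed from the output of `aws lambda get-policy`. The following is an added example, not code from the original page: it parses a constructed `get-policy` response, flags statements that allow an anonymous or service principal to invoke the function, and rebuilds the invoke URL from the API Gateway `SourceArn`. The account id and statement ids are made up; the API id, region, stage and function name follow the page.

```python
import json

# Constructed sample of what `aws lambda get-policy --function-name Level6`
# returns: the resource policy is a JSON string nested in the "Policy" field.
SAMPLE_GET_POLICY = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow",
         "Principal": "*", "Action": "lambda:InvokeFunctionUrl",
         "Resource": "arn:aws:lambda:us-west-2:123456789012:function:Level6",
         "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
        {"Sid": "AllowAPIGatewayInvoke", "Effect": "Allow",
         "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-west-2:123456789012:function:Level6",
         "Condition": {"ArnLike": {"AWS:SourceArn":
             "arn:aws:execute-api:us-west-2:123456789012:s33ppypa75/*/GET/level6"}}},
    ]})})

def audit_resource_policy(get_policy_output):
    """One finding per Allow statement that lets an anonymous ("*") or service principal invoke the function."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a.startswith("lambda:Invoke") for a in actions):
            continue
        principal, cond = stmt.get("Principal"), stmt.get("Condition", {})
        if principal in ("*", {"AWS": "*"}):
            # A function URL with auth type NONE is reachable unauthenticated from the internet
            auth = cond.get("StringEquals", {}).get("lambda:FunctionUrlAuthType")
            findings.append({"sid": stmt.get("Sid"), "exposure": "public", "auth_type": auth})
        elif isinstance(principal, dict) and "Service" in principal:
            findings.append({"sid": stmt.get("Sid"), "exposure": principal["Service"],
                             "source_arn": cond.get("ArnLike", {}).get("AWS:SourceArn", "")})
    return findings

def api_gateway_url(source_arn, stage=None):
    """Rebuild the invoke URL from arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<method>/<path>.
    Policies usually wildcard the stage; pass the real one (from `aws apigateway get-stages`) when known."""
    parts = source_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "execute-api":
        return None
    segs = parts[5].split("/", 3)
    if len(segs) != 4:
        return None
    api_id, arn_stage, _method, path = segs
    stage = stage or (arn_stage if arn_stage != "*" else "<stageName>")
    return f"https://{api_id}.execute-api.{parts[3]}.amazonaws.com/{stage}/{path}"
```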
In the following page you can check how to abuse Lambda permissions to escalate privileges:
AWS - Lambda Privesc