Exfilling Lambda RCE Results

[wdahlenburg]

A few of the challenges use Lambdas that are vulnerable to remote code execution vulnerabilities. Lambda environments don't typically come with many libraries and the system binaries are usually limited. This means that common tools like the aws-cli, curl, wget, etc. aren't available.

I'd be interested to hear what techniques people have used to obtain the output of their RCE payloads.

For example:

I ended up referring to the logs of the Lambda functions to view my command output. Per https://hackingthe.cloud/aws/exploitation/lambda-steal-iam-credentials/, you can usually manage to read /proc/self/environ, which will output temporary role credentials.

I'll note that either this requires a higher privileged role or a read-only role with logs:DescribeLogGroups, logs:DescribeLogStreams, and logs:GetLogEvents (which ctf-starting-user doesn't currently have logs:Get*).

[T0w3ntum]

I went with the /dev/tcp method with a listener setup to catch the output. While the lambda environment might be lacking in certain tools like curl or wget, /dev/tcp can be used to pull down scripts, or open a reverse shell.

[wdahlenburg]

I went with the /dev/tcp method with a listener setup to catch the output. While the lambda environment might be lacking in certain tools like curl or wget, /dev/tcp can be used to pull down scripts, or open a reverse shell.

++

@sethsec-bf let me know he used the same technique. I decided to research some other payloads and came up with this: https://github.com/wdahlenburg/aws-native-rce/blob/main/Lambda.md. Hopefully it can be helpful to others here