GITBOOK-588: change request with no subject merged in GitBook

pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md

@@ -9,12 +9,45 @@ Other ways to support HackTricks:
 * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 
 </details>
 
-**You can check the original post in [https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/](https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/), but unfortunatelly this trick no longer works as lambda filesystem is now mounted as read-only.**
+## Lambda Flow
+
+<figure><img src="../../../../.gitbook/assets/image (152).png" alt=""><figcaption><p><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/10/lambda_poc_2_arch.png">https://unit42.paloaltonetworks.com/wp-content/uploads/2019/10/lambda_poc_2_arch.png</a></p></figcaption></figure>
+
+1. **Slicer** is a process outside the container that **send** **invocations** to the **init** process.
+2. The init process listens on port **9001** exposing some interesting endpoints:
+ * **`/2018-06-01/runtime/invocation/next`** – get the next invocation event
+ * **`/2018-06-01/runtime/invocation/{invoke-id}/response`** – return the handler response for the invoke
+ * **`/2018-06-01/runtime/invocation/{invoke-id}/error`** – return an execution error
+3. **bootstrap.py** has a loop getting invocations from the init process and calls the users code to handle them (**`/next`**).
+4. Finally, **bootstrap.py** sends to init the **response**
+
+Note that bootstrap loads the user code as a module, so any code execution performed by the users code is actually happening in this process.
+
+## Stealing Lambda Requests
+
+The goal of this attack is to make the users code execute a malicious **`bootstrap.py`** process inside the **`bootstrap.py`** process that handle the vulnerable request. This way, the **malicious bootstrap** process will start **talking with the init process** to handle the requests while the **legit** bootstrap is **trapped** running the malicious one, so it won't ask for requests to the init process.&#x20;
+
+This is a simple task to achieve as the code of the user is being executed by the legit **`bootstrap.py`** process. So the attacker could:
+
+* **Send a fake result of the current invocation to the init process**, so init thinks the bootstrap process is waiting for more invocations.
+ * A request must be sent to **`/${invoke-id}/response`**&#x20;
+ * The invoke-id can be obtained from the stack of the legit **`bootstrap.py`** process using the [**inspect**](https://docs.python.org/3/library/inspect.html) python module (as [proposed here](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch\_runtime.py)) or just requesting it again to **`/2018-06-01/runtime/invocation/next`** (as [proposed here](https://github.com/Djkusik/serverless\_persistency\_poc/blob/master/gcp/exploit\_files/switcher.py)).
+* Execute a malicious **`boostrap.py`** which will handle the next invocations
+ * For stealthiness purposes it's possible to send the lambda invocations parameters to an attackers controlled C2 and then handle the requests as usual.
+ * For this attack, it's enough to get the original code of **`bootstrap.py`** from the system, add the malicious code and run it from the current lambda invocation indicating the **`invoke-id`** as parameter.
+
+### Attack Steps
+
+
+
+## References
+
+* [https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/](https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/)
 
 <details>
 
@@ -25,7 +58,7 @@ Other ways to support HackTricks:
 * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 
 </details>