AWS Penetration Testing – Lambda

Although AWS offers the ability for users to spin up full server instances, this can come with additional administrative requirements. This is where Lambda come in. The Lambda service enables users to run code functions without the need for a server.

Lambda is an event driven service which supports a wide range of programming languages and ensures seamless interaction with over 200 AWS services.

Lambda Enumeration

As with many other AWS services, a set valid AWS keys would be required to access and enumerate the Lambda service. Any enumeration can be done using the AWS command line tool.

With the Lambda get-account-settings command it’s possible to discover the amount of functions which are in use. As this command only produces a small amount of JSON data, this is often a great place to start out.

terminal$ aws --profile arctil lambda get-account-settings
{
    "AccountLimit": {
        "TotalCodeSize": 80530636800,
        "CodeSizeUnzipped": 262144000,
        "CodeSizeZipped": 52428800,
        "ConcurrentExecutions": 10,
        "UnreservedConcurrentExecutions": 10
    },
    "AccountUsage": {
        "TotalCodeSize": 958610,
        "FunctionCount": 1
    }
}

With the above JSON output, it appears that there is a single function currently set up. This function can enumerated with the use of the Lambda list-functions command.

terminal$ aws --profile arctil lambda list-functions
{    
"Functions": [
        {
            "FunctionName": "stock-checker",
            "FunctionArn": "arn:aws:lambda:us-east-1:4000015117:function:stock-checker",
            "Runtime": "ruby3.2",
            "Role": "arn:aws:iam::4000015117:role/service-role/stock-checker-role-pv66rywu",
            "Handler": "lambda_function.lambda_handler",
            "CodeSize": 279,
            "MemorySize": 128,
            "LastModified": "2023-11-26T20:56:17.862+0000",
            "CodeSha256": "uSUb/267shd9934y9l4+T6nOcdBAm8YOIOLBBUCH8=",
            "Version": "$LATEST",
            "PackageType": "Zip",
            "Architectures": [
                "x86_64"
            ]
        }
    ]
}

Using the Lambda list-function, it seems that the function has the name “stock-checker”. This is written in the Ruby programming language and runs on x86_64 architecture. It’s also apparent that this is only a small function as it has a total size of 279 bytes.

Although the discovered information is somewhat interesting, aside from the name or possibly description it doesn’t offer much insight into what the Lambda function does. However, using the command line tool it’s possible to retrieve a link to the raw source files.

terminal$ aws --profile arctil lambda get-function --function-name stock-checker
{
    "Configuration": {
        "FunctionName": "stock-checker",
        "FunctionArn": "arn:aws:lambda:us-east-1:4000015117:function:stock-checker",
        "Runtime": "ruby3.2",
        "Architectures": [
                "x86_64"
        ]
    },
    "Code": {
        "RepositoryType": "S3",
        "Location": "https://prod-iad-c1-djusa-tasks.s3.us-east-1.amazonaws.com/snapshots/4000015117/stock-checker-2c9d0ae177ec9ad49a2b80a2a251"
    }
}

With the Lambda get-function command, we’re able to enumerate even more information about a specified function. Similar to the previous list-function this displays JSON data relating to the function itself. However, this time we can also see the JSON key “Location”, this will be a URL to a zip file containing the Lambda code or binary.

As function source code can occasionally contain secrets or credentials, inspecting the contents can provide a way to authenticate to a database and move to another service.




Up Next “Secrets Manager”

Spread the love

Tags: