A Lambda function URL can be used to expose a Lambda function to the internet without an API gateway or another load balancer. This is really handy for builders, but can also be really handy for offensive security folk, as it’s ripe for misconfiguration.
Use cloudfox to find the furls1 FunctionURL and find the flag.
I’ll start off by enumerating the Lambda functions in this account.
```
adicpnn@laboratory cloud % aws lambda list-functions --profile cloudfoxable
...
{
    "FunctionName": "furls1",
    "FunctionArn": "arn:aws:lambda:eu-central-1:129323993607:function:furls1",
    "Runtime": "nodejs18.x",
    "Role": "arn:aws:iam::129323993607:role/aaronson",
    "Handler": "index.handler",
    "CodeSize": 341,
    "Description": "",
    "Timeout": 3,
    "MemorySize": 128,
    "LastModified": "2026-03-11T15:44:13.331+0000",
    "CodeSha256": "NJIC8ugwDL7yoVLREQtcAxMsjM/7Hl25TOIBUV9YAC0=",
    "Version": "$LATEST",
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "RevisionId": "d915e7d5-f4a3-46c4-a27e-5d8a8f089cfc",
    "PackageType": "Zip",
    "Architectures": [
        "x86_64"
    ],
    "EphemeralStorage": {
        "Size": 512
    },
    "SnapStart": {
        "ApplyOn": "None",
        "OptimizationStatus": "Off"
    },
    "LoggingConfig": {
        "LogFormat": "Text",
        "LogGroup": "/aws/lambda/furls1"
    }
},
...
```
Then I try to find its URL.
```
adicpnn@laboratory cloud % aws lambda get-function-url-config --function-name furls1 --profile cloudfoxable
{
    "FunctionUrl": "https://u3yz7t3bxqhg66hkj5po4e3mdi0agomz.lambda-url.eu-central-1.on.aws/",
    "FunctionArn": "arn:aws:lambda:eu-central-1:129323993607:function:furls1",
    "AuthType": "NONE",
    "CreationTime": "2026-03-11T15:44:25.226873470Z",
    "LastModifiedTime": "2026-03-11T15:44:25.226873470Z",
    "InvokeMode": "BUFFERED"
}
```
Execution
All that’s left to do now is visit the URL :)
```
adicpnn@laboratory cloud % curl https://u3yz7t3bxqhg66hkj5po4e3mdi0agomz.lambda-url.eu-central-1.on.aws/
{"flag":"FLAG{furls1::function_urls_can_be_accidentally_expose_internal_data}"}
```
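A defender-side check for the condition that made this work, as an added example that is not part of the original write-up: it classifies a function URL from the `get-function-url-config` output plus the function's resource policy (the JSON string in the `Policy` field returned by `aws lambda get-policy`). The policy document and the function and label names are constructed for illustration, and policy conditions are not evaluated, so a "public" result means "review this".

```python
import json

# Fields copied from the get-function-url-config output shown above.
FURLS1_URL_CONFIG = {
    "FunctionArn": "arn:aws:lambda:eu-central-1:129323993607:function:furls1",
    "AuthType": "NONE",
}

# Constructed sample of a resource policy that grants public URL invocation.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": FURLS1_URL_CONFIG["FunctionArn"],
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    }],
})

def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def allows_public_url_invoke(policy_json):
    """True if any Allow statement lets every principal call InvokeFunctionUrl."""
    if not policy_json:
        return False  # no resource policy attached to the function
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        invoke = actions & {"lambda:invokefunctionurl", "lambda:*", "*"}
        if stmt.get("Effect") == "Allow" and anyone and invoke:
            return True
    return False

def classify(url_config, policy_json):
    """Classify one function URL for an exposure review."""
    if url_config.get("AuthType") == "AWS_IAM":
        return "iam-auth"           # callers must sign requests with SigV4
    if allows_public_url_invoke(policy_json):
        return "public"             # unauthenticated internet callers can invoke
    return "none-without-grant"     # AuthType NONE, but no public grant in the policy
```

Run it over every function returned by `list-functions` and treat each `public` result as something that needs an owner and a justification.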