Cloudfoxable - Furls1

A Lambda function URL can be used to expose a Lambda function to the internet without an API gateway or another load balancer. This is really handy for builders, but can also be really handy for offensive security folk, as it’s ripe for misconfiguration. Use cloudfox to find the furls1 FunctionURL and find the flag.

Information Gathering

I’ll start off by enumerating the lambda functions in this account. ...

March 12, 2026 · 2 min · 231 words

Cloudfoxable - Furls2

This Lambda Function URL doesn’t just give you the key like furls1. You have to work a little harder for this one. CloudFox can definitely help you here.

Information Gathering

This time around, I don’t know which Lambda function to target, since there’s no “furls2” function. Instead, I will list all the function URLs in the AWS account (minus the one I’ve already exploited). ...

March 12, 2026 · 5 min · 1000 words

Cloudfoxable - The topic is execution

You’ve just gained access to the role viniciusjr. At first glance, this role appears to only have some SNS read-only access? But I don’t think that’s accurate. See if you can get to the flag /cloudfoxable/flag/executioner in the SSM parameter store.

Information Gathering

First things first, set up the profile, and test access.

    adicpnn@laboratory cloud % cat ~/.aws/config | tail
    [profile vini]
    region = eu-central-1
    role_arn = arn:aws:iam::129323993607:role/viniciusjr
    source_profile = cloudfoxable
    adicpnn@laboratory cloud % aws sts get-caller-identity --profile vini
    {
        "UserId": "AROAR4HCPRIDXMLFGL22G:botocore-session-1773327029",
        "Account": "129323993607",
        "Arn": "arn:aws:sts::129323993607:assumed-role/viniciusjr/botocore-session-1773327029"
    }

Then, enumerating attached policies. ...

March 12, 2026 · 5 min · 910 words