Lambda on security ?!

Cloudfoxable - Furls1

Thu, 12 Mar 2026 00:00:00 +0000

A Lambda function URL can be used to expose a Lambda function to the internet without an API gateway or another load balancer. This is really handy for builders, but can also be really handy for offensive security folk, as it’s ripe for misconfiguration.

Use cloudfox to find the furls1 FunctionURL and find the flag.

Information Gathering

I’ll start off by enumerating the lambda functions in this account.

Cloudfoxable - Furls2

Thu, 12 Mar 2026 00:00:00 +0000

This Lambda Function URL doesn’t just give you the key like furls1. You have to work a little harder for this one. CloudFox can definitely help you here.

Information Gathering

This time around, I don’t know which lambda function to target, since there’s no “furls2” function. Instead, I will list all the function URLs in the AWS account. (minus the one I’ve already exploited)

Cloudfoxable - The topic is execution

Thu, 12 Mar 2026 00:00:00 +0000

You’ve just gained access to the role viniciusjr. At first glance, this role appears to only have some SNS read-only access? But I don’t think that’s accurate. See if you can get to the flag /cloudfoxable/flag/executioner in the SSM parameter store.

Information Gathering

First things first, set up the profile, and test access.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13


adicpnn@laboratory cloud % cat ~/.aws/config | tail

[profile vini]
region = eu-central-1
role_arn = arn:aws:iam::129323993607:role/viniciusjr
source_profile = cloudfoxable

adicpnn@laboratory cloud % aws sts get-caller-identity --profile vini
{
 "UserId": "AROAR4HCPRIDXMLFGL22G:botocore-session-1773327029",
 "Account": "129323993607",
 "Arn": "arn:aws:sts::129323993607:assumed-role/viniciusjr/botocore-session-1773327029"
}

Then, enumerating attached policies.