Privilege escalation through Lambda functions is relatively easy, depending on the setup that you encounter. We'll look at two separate scenarios: one where you have "lambda:*" permissions and "iam:PassRole" permissions, and one with just "lambda:*" permissions.
First, we are going to assume that we have the "iam:PassRole" permission in addition to our full Lambda access. We'll also assume that we can list IAM roles, but nothing more than that (iam:ListRoles). In this scenario, our target doesn't necessarily even need to be actively using Lambda for us to escalate our privileges. Because we have the IAM ListRoles permission, we can run the following AWS CLI command to see what IAM roles exist in the account (make sure ...