From d9bba880f84aea8abc8c347457a94096794b11d3 Mon Sep 17 00:00:00 2001
From: Nick Frichette <nick@frichetten.com>
Date: Mon, 19 Aug 2024 20:29:51 -0500
Subject: [PATCH] Updated Lambda exploitation article

---
 content/aws/exploitation/lambda-steal-iam-credentials.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/aws/exploitation/lambda-steal-iam-credentials.md b/content/aws/exploitation/lambda-steal-iam-credentials.md
index 6471ad29..499fe16c 100644
--- a/content/aws/exploitation/lambda-steal-iam-credentials.md
+++ b/content/aws/exploitation/lambda-steal-iam-credentials.md
@@ -29,7 +29,7 @@ IAM credentials can be accessed via reading `/proc/self/environ`.
 !!! Note
     In the event that /proc/self/environ is blocked by a WAF, check if you can read the environment variables of other processes. This can be done by reading /proc/#/environ where '#' is some number often between 1 and 20.
 
-In addition to IAM credentials, Lambda functions also have event data that is passed to the function when it is started. This data is made available to the function via the [runtime interface](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html). Unlike IAM credentials, this data is accessible over standard SSRF at `http://localhost:9001/2018-06-01/runtime/invocation/next`.
+In addition to IAM credentials, Lambda functions also have event data that is passed to the function when it is started. This data is made available to the function via the [runtime interface](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html). Unlike IAM credentials, this data is accessible over standard SSRF at `http://169.254.100.1:9001/2018-06-01/runtime/invocation/next`. Additionally the environment variable `AWS_LAMBDA_RUNTIME_API` stores the IP address and port of the runtime interface as well.
 
 This will include information about what invoked the Lambda function and may be valuable depending on the context.