Find your cloud security lab

  • Welcome! We hope that this introductory lab will be enjoyed by red and blue alike. Purple-teaming FTW! It showcases using AWS CloudTrail logs to detect malicious activity, as well as S3 enumeration.

    Tags: AWS, CLOUDTRAIL, S3, IAM


  • We have created this fun lab to highlight alternate forms of credential that can be abused to get access and move laterally in Azure. Get ready to leverage service principals, web app managed identities and administrative units as we look to go from external access to the top of the tree!

    Tags: Azure, Web App, Service Principal, Certificate, Managed Identity, Blob Storage, Key Vault, Administrative Unit


  • We created this beginner-friendly lab to showcase how attackers can leverage common services to move laterally in an Azure environment. You'll get hands-on experience with Azure Key Vault and Storage tables, understand what made this attack path possible and how it could have been prevented.

    Tags: AZURE, KEY VAULT, ENTRA ID, STORAGE TABLE


  • We created this beginner-friendly and hands-on lab to teach about Amazon Macie, and how this powerful service can be used to improve the security of deployed S3 buckets. The lab covers discovery of sensitive data as well as highlighting buckets that are world-readable and world-writable.

    Tags: AWS, MACIE, S3


  • We created this beginner-friendly lab to teach about the potential dangers of S3 bucket versioning, if the admins have not sufficiently restricted who can access them, and about the dangers of inadequate data segregation and storing secrets in plain text fields. Advice on remediation is also included.

    Tags: S3, Web, AWS, Versioning


  • We created this beginner-friendly lab to showcase how an OS command injection vulnerability can result in attackers compromising cloud infrastructure.

    Tags: aws, web, ec2, iam, command injection, userdata, privilege escalation, linux


  • We created this beginner-friendly lab to showcase how both attackers and defenders can use BloodHound and the AzureHound collector to better understand Azure environments and the potentially abusable relationships and attack paths that may exist. You'll get hands-on experience with BloodHound, as well as enumerating custom security attributes and virtual machine user data using the command line and the Azure portal.

    Tags: azure, entra id, bloodhound, virtual machine


  • The lab introduces a fun scenario where our red team needs to access the secret algorithm of Mega Big Tech's social media app. Along the way you will learn how to abuse dynamic security group membership, and much more!

    Tags: azure, sas token, dynamic group, administrative unit, key vault, github, CTF


  • We have created this beginner-friendly lab to showcase how accidental commits to public git repositories can result in threat actors getting a foothold in a GCP environment. It introduces GCP services and moving laterally between them. It also provides an awareness of how this scenario could have been prevented.

    Tags: gcp, iam, gitlab, cloud sql, secret manager, CTF


  • We created this beginner-friendly lab to showcase the GraphRunner Microsoft 365 post-exploitation toolset, and how it can be used to loot data from Exchange Online, Teams, SharePoint and OneDrive. You'll also get hands-on experience with MFASweep, PowerShell and Azure SQL Database.

    Tags: azure, entra id, graphrunner, azure sql database, exchange, teams, sharepoint, onedrive, CTF


  • We created this fun and beginner-friendly lab to highlight how serverless apps are not immune to vulnerabilities affecting traditional web apps. It also showcases how a managed identity assigned to a compromised web app can be leveraged for lateral movement. We'll also learn how this scenario could have been mitigated.

    Tags: azure, managed identity, app service, function app, sql injection, web


  • Azure Service Firewalls enforce network access controls, giving them an appearance of strong security. However, subtle configuration discrepancies may introduce firewall gaps, potentially creating hidden paths that allow attackers to slide through defenses.

    Tags: azure, firewall, postgres, key vault, cosmos db, blob storage


  • This fun, intermediate-level lab explores a scenario where social engineering is used to gain access to a target environment. This lab simulates techniques that real attackers use to bypass hardened perimeters by targeting the human layer and chaining together often overlooked paths to compromise. This lab also helps defenders to harden their environments against such attacks.

    Tags: azure, azure devops, social engineering, key vault, encryption, blob storage


  • In this red team lab, you’ll pivot from a compromised Windows jumpbox into Google Workspace and GCP. Using browser-stored credentials, you’ll enumerate services like Drive, Keep, and Gmail, uncover a service account key, and exploit misconfigured Pub/Sub and Cloud Storage to access a web application running on Cloud Run.

    Tags: google workspace, gcp, firebase, cloud run, cloud storage, service account, windows


  • This hands-on lab guides students through understanding AWS SNS service abuse for data exfiltration and implementing defenses against it. It emphasizes real-world scenarios and gives students both the technical knowledge and practical skills needed to identify and mitigate similar cloud service exploitation techniques.

    Tags: aws, iam, sns, lambda, secrets manager, api gateway


  • This intermediate-level lab involves getting hands on with web exploitation to compromise the application, underlying host and cloud environment. You'll infiltrate the GCP environment, gain situational awareness and abuse dangerous permissions, learning new tricks along the way!

    Tags: gcp, iam, create hmac, sql injection, service account, cloud storage, cloud function


  • In this lab, you’ll simulate the compromise of a low-privilege service account and explore how to abuse dangerous IAM permissions to move laterally and escalate privileges in a GCP environment. You'll also gain an understanding of how to detect service account abuse using Cloud Logging.

    Tags: gcp, iam, signjwt, hmac, implicit delegation, secret manager, service account, cloud storage


  • We created this lab to continue understanding how to interact with AWS services using Python3 and the boto3 module. We will leverage the AWS command line, Burp Suite, and Python3 to further enumerate STS, S3, and SecretsManager.

    Tags: boto3, python, s3, secretsmanager, aws, scripting



  • We can often come up against MFA on engagements. This intermediate lab showcases a technique for bypassing MFA, and also highlights how we can use native API calls to our advantage.

    Tags: azure, token abuse, web app, blob storage, bypass mfa


  • This lab showcases realistic tradecraft and techniques that we have seen on penetration tests for our clients. The lab showcases three different tools and techniques for identifying permissions, leveraging AWS resources and code repositories as we tunnel further into the environment!

    Tags: aws, s3 hijack, ec2, iam, github


  • Ransomware attacks in cloud environments can be made more severe by misconfigured AWS IAM and KMS services. In this hands-on lab, you will analyze a ransomware incident - detecting and following the trail of malicious activity in AWS CloudTrail logs using Splunk.

    Tags: aws, splunk, ransomware, kms, s3


  • Learn how to leverage defensive infrastructure to achieve our objectives in this intermediate lab. Get hands on with creating a malicious Splunk add-in, take control of the underlying OS and increase AWS access!

    Tags: aws, splunk, iam, web, ec2


  • We created this intermediate-level lab to demonstrate how threat actors can use Certificate-Based Authentication (CBA), Privileged Identity Management (PIM) and Azure Container Registry to escalate privileges and access sensitive data. This lab also showcases tactics such as user and service principal impersonation via JWT assertion, Key Vault and Microsoft Graph API abuse.

    Tags: azure, ACR, CBA, PIM, JWT Assertion, graphrunner, SATO


  • Device code phishing is a dangerous technique, both in seeming legitimate to end users and in evading detection. In this lab you'll get hands on with real phishing, enumerate Azure resources, exploit an active Windows user and establish command and control (C2). This lab is good for both red and blue. Strap in!

    Tags: azure, m365, phishing, web, virtual machine, c2, social engineering


  • Coding is fun, and creating our own tools allows us to better understand what is happening when we run them, as well as the environment in which we run them. In this lab we'll create a Python script for our AWS security toolbox that allows us to enumerate and exfiltrate S3 bucket contents.

    Tags: aws, python, scripting, s3


  • We all want to automate tasks, and focus on more enjoyable problems! However, we have to be careful to restrict access to the automation to only those who need it and be wary of user-provided data. This fun lab explores a realistic Azure Logic App that automates tasks across the Microsoft Cloud, and beyond!

    Tags: azure, entra id, logic app, teams, credential stuffing


  • Join us as we explore how to enhance the security and compliance of our Kubernetes clusters using Open Policy Agent (OPA) and the OPA Gatekeeper project. OPA Gatekeeper provides a powerful way to enforce policies and to ensure that Kubernetes environments adhere to organisational and security standards.

    Tags: kubernetes, opa gatekeeper


  • Join us as we explore the risks of overly permissive Role-Based Access Control (RBAC) in Kubernetes with this hands-on lab. Learn how misconfigurations can expose your cluster to security threats, and gain the skills to identify, exploit, and remediate RBAC vulnerabilities, ensuring your clusters remain locked down and secure.

    Tags: kubernetes


Pwned Labs
Your cloud security training ground

Experience real-world, byte-sized cloud security labs for training cyber warriors. From beginners to pros, our engaging platform allows you to secure your defenses, ignite your career and stay ahead of threats.

Join us at any stage of your journey.