Find your cloud security lab
-
We have created this fun lab to highlight alternate forms of credential that can be abused to get access and move laterally in Azure. Get ready to leverage service principals, web app managed identities and administrative units as we look to go from external access to the top of the tree!
Tags: Azure, Web App, Service Principal, Certificate, Managed Identity, Blob Storage, Key Vault, Administrative Unit
-
We created this beginner-friendly lab to showcase how attackers can leverage common services to move laterally in an Azure environment. You'll get hands-on experience with Azure Key Vault and Storage tables, understand what made this attack path possible and how it could have been prevented.
Tags: AZURE, KEY VAULT, ENTRA ID, STORAGE TABLE
-
We created this beginner-friendly and hand-on lab to teach about Amazon Macie, and how this powerful service can be used to improve the security of deployed S3 buckets. The lab covers discovery of sensitive data as well as highlighting buckets that are world-readable and world-writable.
Tags: AWS, MACIE, S3
-
We created this beginner-friendly lab to teach about the potential dangers of S3 bucket versioning, if the admins have not sufficiently restricted who can access them, and about the dangers of inadequate data segregation and storing secrets in plain text fields. Advice on remediation is also included.
Tags: S3, Web, AWS, Versioning
-
We created this beginner-friendly lab to showcase how both attackers and defenders can use BloodHound and the AzureHound collector to better understand Azure environments and the potentially abusable relationships and attack paths that may exist. You'll get hands-on experience with BloodHound, as well as enumerating custom security attributes and virtual machine user data using the command line and the Azure portal.
Tags: azure, entra id, bloodhound, virtual machine
-
The lab introduces a fun scenario where our red team needs to access the secret algorithm of Mega Big Tech's social media app. Along the way you will learn how to abuse dynamic security group membership, and much more!
Tags: azure, sas token, dynamic group, administrative unit, key vault, github, CTF
-
We have created this beginner-friendly lab to showcase how accidental commits to public git repositories can result in threat actors getting a foothold in a GCP environment. It introduces GCP services and moving laterally between them. It also provides an awareness of how this scenario could have been prevented.
Tags: gcp, iam, gitlab, cloud sql, secret manager, CTF
-
We created this beginner-friendly lab to showcase the GraphRunner Microsoft 365 post-exploitation toolset, and how it can be used to loot data from Exchange Online, Teams, SharePoint and OneDrive. You'll also get hands-on experience with MFASweep, PowerShell and Azure SQL Database.
Tags: azure, entra id, graphrunner, azure sql database, exchange, teams, sharepoint, onedrive, CTF
-
We created this fun and beginner-friendly lab to highlight how serverless apps are not immune to vulnerabilities affecting traditional web apps. It also showcases how a managed identity assigned to a compromised web app can be leveraged for lateral movement. We'll also learn how this scenario could have been mitigated.
Tags: azure, managed identity, app service, function app, sql injection, web
-
This fun, intermediate-level lab explores a scenario where social engineering is used to gain access to a target environment. This lab simulates techniques that real attackers use to bypass hardened perimeters by targeting the human layer and chaining together often overlooked paths to compromise. This lab also helps defenders to harden their environments against such attacks.
Tags: azure, azure devops, social engineering, key vault, encryption, blob storage
-
In this red team lab, you’ll pivot from a compromised Windows jumpbox into Google Workspace and GCP. Using browser-stored credentials, you’ll enumerate services like Drive, Keep, and Gmail, uncover a service account key, and exploit misconfigured Pub/Sub and Cloud Storage to access a web application running on Cloud Run.
Tags: google workspace, gcp, firebase, cloud run, cloud storage, service account, windows
-
This hands-on lab guides students through the process of understanding this attack technique and implementing defenses against AWS SNS service abuse for data exfiltration by gaining practical experience that emphasizes real-world scenarios and provides students with both the technical knowledge and practical skills needed to identify and mitigate similar cloud service exploitation techniques.
Tags: aws, iam, sns, lambda, secrets manager, api gateway
-
This intermediate-level lab involves getting hands on with web exploitation to compromise the application, underlying host and cloud environment. You'll infiltrate the GCP environment, gain situational awareness and abuse dangerous permissions, learning new tricks along the way!
Tags: gcp, iam, create hmac, sql injection, service account, cloud storage, cloud function
-
In this lab, you’ll simulate the compromise of a low-privilege service account and explore how to abuse dangerous IAM permissions to move laterally and escalate privileges in a GCP environment. You'll also gain an understanding of how to detect service account abuse using Cloud Logging.
Tags: gcp, iam, signjwt, hmac, implicit delegation, secret manager, service account, cloud storage
-
Azure Service Firewalls enforce network access controls, giving them an appearance of strong security. However, subtle configuration discrepancies may introduce firewall gaps, potentially creating hidden paths that allow attackers to slide through defenses.
Tags: azure, firewall, postgres, key vault, cosmos db, blob storage
-
This lab showcases realistic tradecraft and techniques that we have seen on penetration tests for our clients. The lab showcases three different tools and techniques for identifying permissions, leveraging AWS resources and code repositories as we tunnel further into the environment!
Tags: aws, s3 hijack, ec2, iam, github
-
Ransomware attacks in cloud environments can be made more severe by misconfigured AWS IAM and KMS services. In this hands-on lab, you will analyze a ransomware incident - detecting and following the trail of malicious activity in AWS CloudTrail logs using Splunk.
Tags: aws, splunk, ransomware, kms, s3
-
We created this intermediate-level lab to demonstrate how threat actors can use Certificate-Based Authentication (CBA), Privileged Identity Management (PIM) and Azure Container Registry to escalate privileges and access sensitive data. This lab also showcases tactics such as user and service principal impersonation via JWT assertion, Key Vault and Microsoft Graph API abuse.
Tags: azure, ACR, CBA, PIM, JWT Assertion, graphrunner, SATO
-
Device code phishing is a dangerous technique, both in seeming legitimate to end users and in evading detection. In this lab you'll get hands on with real phishing, enumerate Azure resources, exploit an active Windows user and establish command and control (C2). This lab is good for both red and blue. Strap in!
Tags: azure, m365, phishing, web, virtual machine, c2, social engineering
-
Coding is fun, and creating our own tools allows us to better understand what is happening when we run them and of the environment in which we run them. In this lab we'll create a Python script for our AWS security toolbox, that allows us to enumerate and exfiltrate S3 bucket contents.
Tags: aws, python, scripting, s3
-
We all want to automate tasks, and focus on more enjoyable problems! However, we have to be careful to restrict access to the automation to only those who need it and be wary of user-provided data. This fun lab explores a realistic Azure Logic App that automates tasks across the Microsoft Cloud, and beyond!
Tags: azure, entra id, logic app, teams, credential stuffing
-
Join us as we explore how to enhance the security and compliance of our Kubernetes clusters using Open Policy Agent (OPA) and the OPA Gatekeeper project. OPA Gatekeeper provides a powerful way to enforce policies and to ensure that Kubernetes environments adhere to organizational and security standards.
Tags: kubernetes, opa gatekeeper
-
Join us as we explore the risks of overly permissive Role-Based Access Control (RBAC) in Kubernetes with this hands-on lab. Learn how misconfigurations can expose your cluster to security threats, and gain the skills to identify, exploit, and remediate RBAC vulnerabilities, ensuring your clusters remain locked down and secure.
Tags: kubernetes
-
An overlooked open redirect can seed a convincing phishing chain. Steal tokens, abuse a function app and service principal, recover secrets with DPAPI, and pivot across a hybrid Active Directory and Azure environment.
Tags: Azure, Hybrid, Active Directory, Open Redirect, Token Stealing, Function App, DPAPI, Service Principal, Storage Table
-
This beginner-friendly red team lab walks you through the Azure kill chain, showing how attackers work their way to privileged access by repeating cycles of enumeration, lateral movement, and privilege escalation. Starting from a single leaked password, you perform the classic credential shuffle across Entra ID, service principals, an Azure VM, and storage accounts until you reach sensitive data. It reinforces how password reuse and hardcoded credentials remain just as dangerous in Azure as they are on-premises.
Tags: Azure, Entra ID, Azure AD, Service Principal, RBAC, Storage Accounts, Lateral Movement, Privilege Escalation
-
This beginner-friendly lab shows how a simple path traversal flaw in an Azure App Service web app can lead to full authentication bypass. You enumerate the target with the Az PowerShell module, exploit a vulnerable file-inclusion parameter to read source code, and use Burp Suite to discover hidden directories and pages. It is a practical reminder that managed hosting does not make an application immune to classic web vulnerabilities.
Tags: Azure, App Service, Web App, Path Traversal, Burp Suite, Authentication Bypass, Information Disclosure
-
This intermediate lab teaches how permissive Amazon Cognito User Pool and Identity Pool configurations let attackers gain a foothold and then pivot deeper into a cloud environment. Starting from leaked mobile app source code, you obtain unauthenticated and authenticated AWS credentials, then abuse an over-permissive IAM role and a vulnerable Lambda function to move laterally and vertically. A key outcome is understanding how each link in the chain could have been prevented.
Tags: AWS, Cognito, IAM, Lambda, S3, SSRF, Privilege Escalation, Lateral Movement
-
This hard lab demonstrates that serverless applications are just as vulnerable to classic web flaws such as SQL injection as traditional stacks. Starting with leaked AWS keys, you enumerate IAM permissions, brute force a hidden Lambda event parameter, and craft messages to an SQS queue that a Lambda consumes and passes into a database query. The result is a second-order SQL injection that exfiltrates sensitive customer data.
Tags: AWS, Lambda, SQS, SQL Injection, IAM, RDS, MySQL
-
This beginner-friendly lab shows how overly permissive S3 bucket policies can leak and expose object contents even when listing the bucket is denied. Starting from hardcoded AWS credentials found in a shipping application, you enumerate the target website, read the bucket policy to discover accessible files, exfiltrate a password-protected spreadsheet, and crack it to recover credentials. Those credentials then unlock a hidden CRM containing sensitive customer data.
Tags: AWS, S3, Bucket Policy, Hashcat, Gobuster, Password Cracking, Red Team, Data Exfiltration
-
This intermediate lab walks through a full credential abuse attack chain in AWS and then pivots to the blue team to detect it. Starting from a public S3 bucket, you extract leaked IAM credentials, enumerate permissions, exfiltrate DynamoDB records, crack SHA-256 password hashes, and reuse the recovered passwords in a console credential stuffing attack. You then use CloudTrail and Amazon Athena to identify the compromised IAM user.
Tags: AWS, IAM, S3, DynamoDB, CloudTrail, Athena, Credential Stuffing, Pacu
-
This beginner-friendly lab demonstrates how an exposed configuration file and the use of a production account to test policies can be chained to assume a privileged role protected by an External ID. Starting from a single IP address, you fuzz for an exposed config.json containing AWS keys, enumerate permissions, extract credentials from Secrets Manager, and inspect IAM policies and role trust relationships. You then assume a cost-optimization partner role using its required External ID to retrieve protected payment card data.
Tags: AWS, IAM, STS, Secrets Manager, S3, AssumeRole, Privilege Escalation, Red Team
-
This beginner-friendly lab shows how backup files on accessible cloud storage can be leveraged to pivot across a cloud environment and into an on-premise Active Directory domain. Starting from AWS keys found on a compromised workstation, you enumerate IAM and S3 bucket policies, download an SSH key backup, recover a Windows EC2 administrator password, and connect over WinRM. From the host you harvest further AWS credentials, download an Active Directory backup, and extract and crack domain NT hashes.
Tags: AWS, IAM, S3, EC2, WinRM, Active Directory, NTDS.dit, Hashcat
-
This beginner-friendly lab demonstrates how the dangerous IAM permission iam:SetDefaultPolicyVersion can be abused to self-escalate privileges in AWS. Starting from leaked credentials, you enumerate an attached IAM policy, discover a more permissive older version, and roll the default back to it to unlock access to an S3 bucket holding sensitive data.
Tags: AWS, IAM, Privilege Escalation, S3, Password Cracking, John The Ripper, Cloud Security, Red Team
-
This beginner lab shows how a JetBrains TeamCity server deployed in AWS can be fully compromised through common bad practices and default settings. You pivot from AWS keys to EC2 user data, reuse a leaked database password over SSH, abuse the default super user login, gain root code execution via a build step, and finally decrypt stored TeamCity secrets to reach an S3 bucket.
Tags: AWS, TeamCity, EC2, Pacu, Reverse Shell, Privilege Escalation, S3, Red Team
-
This beginner-friendly lab highlights the common problem of leaked credentials in public Docker images. You discover and pull a company image from Docker Hub, extract hardcoded AWS keys from its environment variables, then pivot into AWS CodeCommit to reconstruct commit history and recover a second set of keys leading to sensitive S3 data.
Tags: AWS, Docker, CodeCommit, S3, Secrets, Trufflehog, Cloud Security, Red Team
-
This beginner-friendly lab teaches how predictable S3 bucket naming conventions can expose sensitive data and enable a full cloud attack chain. Starting from one known bucket, you brute force additional buckets, recover leaked AWS keys, retrieve a secret from SSM Parameter Store, and finally invoke a Lambda function that returns crew PII.
Tags: AWS, S3, ffuf, SSM Parameter Store, Lambda, IAM, Cloud Security, Red Team
-
This beginner lab shows how insecure S3 bucket permissions combined with weak web server security can lead to takeover of a privileged admin account. Starting from a single IP address, you enumerate a web application, discover a world-writable S3 bucket serving its static assets, and tamper with a hosted JavaScript file to steal an administrator's session cookie. You then hijack the admin session to reach an export feature that leaks sensitive IAM and service account credentials.
Tags: AWS, S3, Session Hijacking, Web Enumeration, Cross-Site Scripting, Cloud Security, Red Team, Amazon Macie
-
This beginner lab demonstrates how an XML External Entity (XXE) vulnerability in a file upload feature can lead to cloud infrastructure compromise. You test a document processing system that parses XML-based files, weaponize an SVG upload to read a Lambda function's environment file, and exfiltrate the temporary AWS credentials it exposes. Those credentials are then used to enumerate S3 and pull sensitive customer data from a SQLite database.
Tags: AWS, XXE, Lambda, S3, SVG, Burp Suite, SQLite, Red Team
-
This foundations lab shows how leaked secrets committed to a public repository can let an attacker pwn a cloud environment and access personally identifiable information. You discover a committed .env file containing database credentials and an AWS access key, recover the AWS account ID, and reuse the password to log in to the AWS console. From there you pivot through Secrets Manager to an RDS database holding sensitive employee and dependent data.
Tags: AWS, Secrets Manager, RDS, IAM, Git, TruffleHog, Gitleaks, Red Team
-
This beginner lab shows how a cloud-based Jenkins instance can be abused through common misconfigurations and bad practices. You find an unauthenticated Jenkins server, harvest AWS keys exposed by the S3 Explorer plugin, and decrypt a concealed secret key using the built-in Script Console. You then use a Groovy reverse shell to gain a foothold as the jenkins user and escalate to root by exploiting password reuse.
Tags: AWS, Jenkins, S3, Groovy, Reverse Shell, Privilege Escalation, CI/CD, Red Team
-
This beginner-friendly lab shows how a path traversal (dot-dot-slash) vulnerability in a web application can be leveraged to gain a foothold in a cloud environment. You enumerate a Flask-based invoicing portal, exploit a file download parameter to read arbitrary files off the underlying EC2 instance, and recover AWS credentials that lead to a target S3 bucket.
Tags: AWS, S3, Path Traversal, Web Application Security, Burp Suite, Flask, Credential Access, EC2
-
This beginner-friendly lab teaches several unauthenticated, cross-account techniques for enumerating IAM principals (users and roles) in other AWS accounts. It exploits the fact that AWS returns different responses depending on whether a referenced principal exists, allowing you to confirm valid names and then pivot into the target account.
Tags: AWS, IAM, S3, Lambda, Pacu, Enumeration, Privilege Escalation, CloudTrail
-
This beginner-friendly lab demonstrates the risk of publicly shared Amazon EBS snapshots and how an attacker can exploit them. Starting as a low-privileged intern user, you enumerate an unencrypted public snapshot, create a volume from it in your own account, mount it, and recover hardcoded credentials that unlock a sensitive S3 bucket.
Tags: AWS, EBS, S3, IAM, EC2, Data Exfiltration, Credential Access, Cloud Enumeration
-
This foundations-level lab shows the danger of publicly shared Amazon RDS snapshots and how an attacker can exploit them. Starting from only an AWS account ID, you discover a public PostgreSQL snapshot, restore it in your own account, reset the master password, and connect to extract sensitive customer data.
Tags: AWS, RDS, EC2, PostgreSQL, Data Exfiltration, Cloud Enumeration, Snapshot Exposure
-
This beginner-friendly lab walks through discovering a GCP service account key in an exposed .git directory and using it to break into a Google Cloud project. You then escalate through service account impersonation, read a Cloud Source repository, and reach a Cloud SQL database holding sensitive data.
Tags: GCP, IAM, Service Account Impersonation, Cloud SQL, Git Exposure, Privilege Escalation, PostgreSQL, Credential Access
Pwned Labs
Your cloud security training ground
Experience, real-world, byte sized cloud security labs for training cyber warriors. From beginners to pros, our engaging platform allows you to secure your defenses, ignite your career and stay ahead of threats.