Find your cloud security lab

Search for a lab, or just browse
  • Welcome! We hope that this introductory lab will be enjoyed by red and blue alike. Purple-teaming FTW! It showcases using AWS CloudTrail logs to detect malicious activity, as well as S3 enumeration.

    Tags: AWS, CLOUDTRAIL, S3, IAM

    Button - Learn more

  • We have created this fun lab to highlight alternate forms of credential that can be abused to get access and move laterally in Azure. Get ready to leverage service principals, web app managed identities and administrative units as we look to go from external access to the top of the tree!

    Tags: Azure, Web App, Service Principal, Certificate, Managed Identity, Blob Storage, Key Vault, Administrative Unit

    Button - Learn more

     

  • We created this beginner-friendly lab to showcase how attackers can leverage common services to move laterally in an Azure environment. You'll get hands-on experience with Azure Key Vault and Storage tables, understand what made this attack path possible and how it could have been prevented.

    Tags: AZURE, KEY VAULT, ENTRA ID, STORAGE TABLE

    Button - Learn more

     

  • We created this beginner-friendly and hand-on lab to teach about Amazon Macie, and how this powerful service can be used to improve the security of deployed S3 buckets. The lab covers discovery of sensitive data as well as highlighting buckets that are world-readable and world-writable.

    Tags: AWS, MACIE, S3

    Button - Learn more

     

  • We created this beginner-friendly lab to teach about the potential dangers of S3 bucket versioning, if the admins have not sufficiently restricted who can access them, and about the dangers of inadequate data segregation and storing secrets in plain text fields. Advice on remediation is also included.

    Tags: S3, Web, AWS, Versioning

    Button - Learn more

     

  • We created this beginner-friendly lab to showcase how an OS command injection vulnerability can result in attackers compromising cloud infrastructure.

    Tags: aws, web, ec2, iam, command injection, userdata, privilege escalation, linux

    Button - Learn more

     

  • We created this beginner-friendly lab to showcase how both attackers and defenders can use BloodHound and the AzureHound collector to better understand Azure environments and the potentially abusable relationships and attack paths that may exist. You'll get hands-on experience with BloodHound, as well as enumerating custom security attributes and virtual machine user data using the command line and the Azure portal.

    Tags: azure, entra id, bloodhound, virtual machine

    Button - Learn more

     

  • The lab introduces a fun scenario where our red team needs to access the secret algorithm of Mega Big Tech's social media app. Along the way you will learn how to abuse dynamic security group membership, and much more!

    Tags: azure, sas token, dynamic group, administrative unit, key vault, github, CTF

    Button - Learn more

     

  • We have created this beginner-friendly lab to showcase how accidental commits to public git repositories can result in threat actors getting a foothold in a GCP environment. It introduces GCP services and moving laterally between them. It also provides an awareness of how this scenario could have been prevented.

    Tags: gcp, iam, gitlab, cloud sql, secret manager, CTF

    Button - Learn more

     

  • We created this beginner-friendly lab to showcase the GraphRunner Microsoft 365 post-exploitation toolset, and how it can be used to loot data from Exchange Online, Teams, SharePoint and OneDrive. You'll also get hands-on experience with MFASweep, PowerShell and Azure SQL Database.

    Tags: azure, entra id, graphrunner, azure sql database, exchange, teams, sharepoint, onedrive, CTF

    Button - Learn more

     

  • We created this fun and beginner-friendly lab to highlight how serverless apps are not immune to vulnerabilities affecting traditional web apps. It also showcases how a managed identity assigned to a compromised web app can be leveraged for lateral movement. We'll also learn how this scenario could have been mitigated.

    Tags: azure, managed identity, app service, function app, sql injection, web

    Button - Learn more

     

  • This fun, intermediate-level lab explores a scenario where social engineering is used to gain access to a target environment. This lab simulates techniques that real attackers use to bypass hardened perimeters by targeting the human layer and chaining together often overlooked paths to compromise. This lab also helps defenders to harden their environments against such attacks.

    Tags: azure, azure devops, social engineering, key vault, encryption, blob storage

    Button - Learn more

     

  • In this red team lab, you’ll pivot from a compromised Windows jumpbox into Google Workspace and GCP. Using browser-stored credentials, you’ll enumerate services like Drive, Keep, and Gmail, uncover a service account key, and exploit misconfigured Pub/Sub and Cloud Storage to access a web application running on Cloud Run.

    Tags: google workspace, gcp, firebase, cloud run, cloud storage, service account, windows

    Button - Learn more

     

  • This hands-on lab guides students through the process of understanding this attack technique and implementing defenses against AWS SNS service abuse for data exfiltration by gaining practical experience that emphasizes real-world scenarios and provides students with both the technical knowledge and practical skills needed to identify and mitigate similar cloud service exploitation techniques.

    Tags: aws, iam, sns, lambda, secrets manager, api gateway

    Button - Learn more

     

  • This intermediate-level lab involves getting hands on with web exploitation to compromise the application, underlying host and cloud environment. You'll infiltrate the GCP environment, gain situational awareness and abuse dangerous permissions, learning new tricks along the way!

    Tags: gcp, iam, create hmac, sql injection, service account, cloud storage, cloud function

    Button - Learn more

     

  • In this lab, you’ll simulate the compromise of a low-privilege service account and explore how to abuse dangerous IAM permissions to move laterally and escalate privileges in a GCP environment. You'll also gain an understanding of how to detect service account abuse using Cloud Logging.

    Tags: gcp, iam, signjwt, hmac, implicit delegation, secret manager, service account, cloud storage

    Button - Learn more

     

  • We created this lab to continue understanding how to interact with AWS services using Python3 and the boto3 module. We will leverage the AWS command line, Burp Suite, and Python3 to further enumerate STS, S3, and SecretsManager.

    Tags: boto3, python, s3, secretsmanager, aws, scripting

    Button - Learn more

     

  • Azure Service Firewalls enforce network access controls, giving them an appearance of strong security. However, subtle configuration discrepancies may introduce firewall gaps, potentially creating hidden paths that allow attackers to slide through defenses.

    Tags: azure, firewall, postgres, key vault, cosmos db, blob storage

    Button - Learn more

     

  • We can often come up against MFA on engagements. This intermediate lab showcases a technique for bypassing MFA, and also highlights how we can use native API calls to our advantage.

    Tags: azure, token abuse, web app, blob storage, bypass mfa

    Button - Learn more

     

  • This lab showcases realistic tradecraft and techniques that we have seen on penetration tests for our clients. The lab showcases three different tools and techniques for identifying permissions, leveraging AWS resources and code repositories as we tunnel further into the environment!

    Tags: aws, s3 hijack, ec2, iam, github

    Button - Learn more

     

  • Ransomware attacks in cloud environments can be made more severe by misconfigured AWS IAM and KMS services. In this hands-on lab, you will analyze a ransomware incident - detecting and following the trail of malicious activity in AWS CloudTrail logs using Splunk.

    Tags: aws, splunk, ransomware, kms, s3

    Button - Learn more

     

  • Learn how to leverage defensive infrastructure to achieve our objectives in this intermediate lab. Get hands on with creating a malicious Splunk add-in, take control of the underlying OS and increase AWS access!

    Tags: aws, splunk, iam, web, ec2

    Button - Learn more

     

  • We created this intermediate-level lab to demonstrate how threat actors can use Certificate-Based Authentication (CBA), Privileged Identity Management (PIM) and Azure Container Registry to escalate privileges and access sensitive data. This lab also showcases tactics such as user and service principal impersonation via JWT assertion, Key Vault and Microsoft Graph API abuse.

    Tags: azure, ACR, CBA, PIM, JWT Assertion, graphrunner, SATO

    Button - Learn more

     

  • Device code phishing is a dangerous technique, both in seeming legitimate to end users and in evading detection. In this lab you'll get hands on with real phishing, enumerate Azure resources, exploit an active Windows user and establish command and control (C2). This lab is good for both red and blue. Strap in!

    Tags: azure, m365, phishing, web, virtual machine, c2, social engineering

    Button - Learn more

     

  • Coding is fun, and creating our own tools allows us to better understand what is happening when we run them and of the environment in which we run them. In this lab we'll create a Python script for our AWS security toolbox, that allows us to enumerate and exfiltrate S3 bucket contents.

    Tags: aws, python, scripting, s3

    Button - Learn more

     

  • We all want to automate tasks, and focus on more enjoyable problems! However, we have to be careful to restrict access to the automation to only those who need it and be wary of user-provided data. This fun lab explores a realistic Azure Logic App that automates tasks across the Microsoft Cloud, and beyond!

    Tags: azure, entra id, logic app, teams, credential stuffing

    Button - Learn more

     

  • Join us as we explore how to enhance the security and compliance of our Kubernetes clusters using Open Policy Agent (OPA) and the OPA Gatekeeper project. OPA Gatekeeper provides a powerful way to enforce policies and to ensure that Kubernetes environments adhere to organizational and security standards.

    Tags: kubernetes, opa gatekeeper

    Button - Learn more

     

  • Join us as we explore the risks of overly permissive Role-Based Access Control (RBAC) in Kubernetes with this hands-on lab. Learn how misconfigurations can expose your cluster to security threats, and gain the skills to identify, exploit, and remediate RBAC vulnerabilities, ensuring your clusters remain locked down and secure.

    Tags: kubernetes

    Button - Learn more

     

  • IAM is at the heart of nearly every AWS compromise. This beginner-friendly CTF lab teaches the fundamentals of enumerating AWS IAM.

    Tags: AWS, IAM, CTF

    Button - Learn more

  • New to cloud? This beginner-friendly lab teaches the fundamentals of enumerating AWS S3, the service behind a large share of real-world cloud data exposure.

    Tags: AWS, S3, CTF

    Button - Learn more

  • A public S3 bucket can reveal more than its contents. This quick lab shows how to identify the owning AWS account ID from a public bucket.

    Tags: AWS, S3, Scripting

    Button - Learn more

  • Server-side request forgery is one of the most reliable routes into a cloud environment. Exploit SSRF to reach the EC2 metadata service, steal credentials, and get pwned.

    Tags: AWS, SSRF, EC2, IMDS, S3, Metadata, Web, CTF

    Button - Learn more

  • Secrets in git history are a gift to attackers. Use TruffleHog and git-secrets to hunt exposed AWS credentials in this beginner-friendly lab.

    Tags: AWS, Git, TruffleHog, git-secrets, CTF

    Button - Learn more

  • Misconfigured OIDC trust between GitLab CI/CD and AWS is a fast route to the cloud. Abuse a pipeline to assume an AWS role, then plunder Secrets Manager, S3 and EC2.

    Tags: AWS, GitLab, CI/CD, OIDC, Secrets Manager, S3, IAM, EC2, CTF

    Button - Learn more

  • An unauthenticated API endpoint can leak more than you would expect. Discover exposed data, recover a GitHub PAT, and pivot into AWS through a misconfigured API Gateway.

    Tags: AWS, API Gateway, IAM, GitHub PAT, git-secrets

    Button - Learn more

  • Access controls on an API are only as strong as their weakest path. This CTF-style lab shows how to bypass restrictions in AWS API Gateway and reach protected functionality.

    Tags: AWS, API Gateway, IAM, CTF

    Button - Learn more

  • Data exfiltration does not always look like data exfiltration. Abuse S3 replication and batch operations to quietly move data out of an AWS account while blending into normal activity.

    Tags: AWS, S3, Replication, Batch Ops, IAM, Secrets Manager, CTF

    Button - Learn more

  • Once you have a foothold, situational awareness is everything. Use CloudFox to rapidly map IAM, Lambda, SSM, DynamoDB and S3 attack paths across an AWS account.

    Tags: AWS, CloudFox, Lambda, IAM, SSM, Secrets Manager, DynamoDB, S3

    Button - Learn more

  • Exposed database instances are an attacker's shortcut to sensitive data. Discover and pillage a misconfigured Amazon RDS instance in this hands-on lab.

    Tags: AWS, RDS, IAM, Secrets Manager

    Button - Learn more

  • Server-side JavaScript injection gives an attacker code execution where defenders least expect it. Escalate from SSJI through IAM and IDOR weaknesses to reach an Amazon EKS cluster.

    Tags: AWS, EKS, SSJI, IAM, DynamoDB, IDOR, Web

    Button - Learn more

  • A single prototype pollution flaw in a Node.js app can cascade into remote code execution and a full Amazon EKS cluster takeover. Chain the web bug through container breakout and RBAC abuse.

    Tags: AWS, EKS, Prototype Pollution, Command Injection, RBAC, IMDS, S3, SSM

    Button - Learn more

  • Hidden privilege is everywhere in Azure. Use ROADrecon to unmask privileged access across Entra ID, then abuse an automation account and Key Vault.

    Tags: Azure, Entra ID, ROADrecon, Key Vault, Virtual Machine, Automation Account

    Button - Learn more

  • Public Azure Blob containers are a recurring source of leaks. In this beginner-friendly lab you will turn an exposed container into initial access to an Entra ID tenant.

    Tags: Azure, Blob Storage, Entra ID, CTF

    Button - Learn more

  • Practice the full early kill chain in Azure: recon an exposed app, use credential stuffing to gain a foothold, and work through Azure SQL Database and App Service toward your objective.

    Tags: Azure, Entra ID, Azure SQL Database, App Service, Credential Stuffing, PowerShell, CTF

    Button - Learn more

  • Phishing remains the most reliable route in. Use social engineering to gain initial access to Azure, then steal tokens and crack your way to Key Vault secrets.

    Tags: Azure, Phishing, Social Engineering, Tokens, Key Vault, Exfiltration, CTF

    Button - Learn more

  • Adversary-in-the-middle frameworks like Evilginx can exploit even the smallest gaps to gain a foothold. Phish for credentials, bypass MFA, and abuse tokens and a managed identity in Azure.

    Tags: Azure, Evilginx, Entra ID, GraphRunner, Token Abuse, Container App, Cosmos DB, Social Engineering

    Button - Learn more

  • This intermediate red team lab shows how threat actors abuse certificate-based JWT assertions to authenticate as a service principal, then leverage ACR, PIM and GraphRunner to escalate inside an Azure tenant.

    Tags: Azure, ACR, CBA, PIM, JWT Assertion, GraphRunner, SATO

    Button - Learn more

  • Indirect prompt injection lets attacker-controlled content hijack an AI workflow. Use it to reach Azure, then abuse SAS tokens, a web app and a VM scale set to expand access.

    Tags: Azure, Prompt Injection, SAS Token, Web App, Service Principal, VM Scale Set, Blob Storage

    Button - Learn more

  • AI features are a new part of the attack surface. Use prompt injection to breach the perimeter, then abuse SAS tokens, a service principal and Key Vault to move cross-tenant in Azure.

    Tags: Azure, Prompt Injection, Cross-Tenant, SAS Token, Service Principal, Key Vault, Blob Storage

    Button - Learn more

  • Azure DevOps pipelines are a treasure trove of secrets. Hunt through repositories, service connections and CI/CD configuration to harvest credentials and pivot into the wider Azure estate.

    Tags: Azure, Azure DevOps, CI/CD, Azure SQL Database, Service Principal, Blob Storage

    Button - Learn more

  • An overlooked open redirect can seed a convincing phishing chain. Steal tokens, abuse a function app and service principal, recover secrets with DPAPI, and pivot across a hybrid Active Directory and Azure environment.

    Tags: Azure, Hybrid, Active Directory, Open Redirect, Token Stealing, Function App, DPAPI, Service Principal, Storage Table

    Button - Learn more

  • Storm-0501 is known for hybrid cloud intrusions that end in extortion. Emulate their tradecraft, from password spraying and managed identity abuse to Microsoft 365 data exfiltration.

    Tags: Azure, M365, Entra ID, Password Spraying, Managed Identity, Function App, Blob Storage, Prompt Injection

    Button - Learn more

  • Server-side request forgery plus the Gopher protocol is a powerful combination. Use it to reach the GCP metadata service, steal a service account token, and gain initial access.

    Tags: GCP, SSRF, Gopher, Service Account, Google Storage, CTF

    Button - Learn more

  • Not everything in a Google Cloud Storage bucket is meant to be found. Use ffuf and Hashcat to reveal hidden files in this beginner-friendly CTF lab.

    Tags: GCP, Cloud Storage, ffuf, Hashcat, CTF

    Button - Learn more

  • You cannot exploit what you cannot see. Fuzz GCP IAM permissions to reveal what a compromised identity can actually do, then abuse Artifact Registry and Docker.

    Tags: GCP, IAM, Artifact Registry, Docker, Fuzzing

    Button - Learn more

  • Implicit delegation is a subtle GCP privilege escalation path. Abuse service account token creation and a Cloud Function to climb the IAM ladder in this CTF-style lab.

    Tags: GCP, IAM, Implicit Delegation, Create Token, Cloud Function, Service Account, CTF

    Button - Learn more

  • Forge your way deeper into Google Cloud. Abuse a service account to forge JWTs, set instance metadata, and tunnel through to a Cloud SQL database.

    Tags: GCP, JWT Forgery, Service Account, Cloud SQL, Virtual Machine, Set Metadata, Web

    Button - Learn more

  • Server-side template injection opens the door and Identity-Aware Proxy tunneling widens it. Chain SSTI to code execution and tunnel through GCP IAP to reach Cloud SQL and beyond.

    Tags: GCP, SSTI, IAP Tunnel, Cloud SQL, Cloud Run, Cloud Build, Google Storage

    Button - Learn more

  • Oracle Cloud Infrastructure is unfamiliar ground for many teams. In this free lab, practice initial compromise, IAM and object storage recon, and data exfiltration in a live OCI tenant.

    Tags: OCI, IAM, Object Storage

    Button - Learn more

  • A local file inclusion bug is rarely the end of the story. Turn LFI into remote code execution, then abuse OCI IAM and Vault to expand your access.

    Tags: OCI, LFI, Command Injection, OCI Vault, Object Storage, IAM

    Button - Learn more

  • Go on defense and catch attackers in the act. In this blue team lab you will deploy AWS honey tokens and wire up CloudTrail, CloudWatch and Lambda to alert on malicious activity.

    Tags: AWS, Honey Tokens, CloudTrail, CloudWatch, Lambda, IAM

    Button - Learn more

  • Build practical detection skills on the blue team by shipping AWS CloudTrail logs into an ELK stack and hunting for threats in the cloud.

    Tags: AWS, ELK Stack, CloudTrail

    Button - Learn more

  • Switch to the blue team and build something useful: an automated malware scanning pipeline in AWS using S3, Lambda, SNS and VirusTotal.

    Tags: AWS, VirusTotal, SNS, Lambda, S3, Secrets Manager

    Button - Learn more

  • Take the defender's seat and get ahead of attackers. Use AWS IAM Access Analyzer to find and close down risky external access to S3, IAM and EBS snapshots.

    Tags: AWS, IAM Access Analyzer, S3, IAM, EBS Snapshot

    Button - Learn more

  • Find and fix cloud risk at scale. In this blue team lab you will use Prowler and AWS Security Hub with Lambda and EventBridge to detect misconfigurations and drive automated remediation.

    Tags: AWS, Prowler, Security Hub CSPM, Lambda, S3, EventBridge

    Button - Learn more

  • Vulnerability management is a core cloud defense skill. In this blue team lab you will use Amazon Inspector to find and remediate vulnerabilities across EC2 and container images.

    Tags: AWS, Amazon Inspector, EC2, ECR

    Button - Learn more

  • This beginner-friendly red team lab walks you through the Azure kill chain, showing how attackers work their way to privileged access by repeating cycles of enumeration, lateral movement, and privilege escalation. Starting from a single leaked password, you perform the classic credential shuffle across Entra ID, service principals, an Azure VM, and storage accounts until you reach sensitive data. It reinforces how password reuse and hardcoded credentials remain just as dangerous in Azure as they are on-premises.

    Tags: Azure, Entra ID, Azure AD, Service Principal, RBAC, Storage Accounts, Lateral Movement, Privilege Escalation

    Button - Learn more

  • This beginner-friendly lab shows how a simple path traversal flaw in an Azure App Service web app can lead to full authentication bypass. You enumerate the target with the Az PowerShell module, exploit a vulnerable file-inclusion parameter to read source code, and use Burp Suite to discover hidden directories and pages. It is a practical reminder that managed hosting does not make an application immune to classic web vulnerabilities.

    Tags: Azure, App Service, Web App, Path Traversal, Burp Suite, Authentication Bypass, Information Disclosure

    Button - Learn more

  • This intermediate lab teaches how permissive Amazon Cognito User Pool and Identity Pool configurations let attackers gain a foothold and then pivot deeper into a cloud environment. Starting from leaked mobile app source code, you obtain unauthenticated and authenticated AWS credentials, then abuse an over-permissive IAM role and a vulnerable Lambda function to move laterally and vertically. A key outcome is understanding how each link in the chain could have been prevented.

    Tags: AWS, Cognito, IAM, Lambda, S3, SSRF, Privilege Escalation, Lateral Movement

    Button - Learn more

  • This hard lab demonstrates that serverless applications are just as vulnerable to classic web flaws such as SQL injection as traditional stacks. Starting with leaked AWS keys, you enumerate IAM permissions, brute force a hidden Lambda event parameter, and craft messages to an SQS queue that a Lambda consumes and passes into a database query. The result is a second-order SQL injection that exfiltrates sensitive customer data.

    Tags: AWS, Lambda, SQS, SQL Injection, IAM, RDS, MySQL

    Button - Learn more

  • This beginner-friendly lab shows how overly permissive S3 bucket policies can leak and expose object contents even when listing the bucket is denied. Starting from hardcoded AWS credentials found in a shipping application, you enumerate the target website, read the bucket policy to discover accessible files, exfiltrate a password-protected spreadsheet, and crack it to recover credentials. Those credentials then unlock a hidden CRM containing sensitive customer data.

    Tags: AWS, S3, Bucket Policy, Hashcat, Gobuster, Password Cracking, Red Team, Data Exfiltration

    Button - Learn more

  • This intermediate lab walks through a full credential abuse attack chain in AWS and then pivots to the blue team to detect it. Starting from a public S3 bucket, you extract leaked IAM credentials, enumerate permissions, exfiltrate DynamoDB records, crack SHA-256 password hashes, and reuse the recovered passwords in a console credential stuffing attack. You then use CloudTrail and Amazon Athena to identify the compromised IAM user.

    Tags: AWS, IAM, S3, DynamoDB, CloudTrail, Athena, Credential Stuffing, Pacu

    Button - Learn more

  • This beginner-friendly lab demonstrates how an exposed configuration file and the use of a production account to test policies can be chained to assume a privileged role protected by an External ID. Starting from a single IP address, you fuzz for an exposed config.json containing AWS keys, enumerate permissions, extract credentials from Secrets Manager, and inspect IAM policies and role trust relationships. You then assume a cost-optimization partner role using its required External ID to retrieve protected payment card data.

    Tags: AWS, IAM, STS, Secrets Manager, S3, AssumeRole, Privilege Escalation, Red Team

    Button - Learn more

  • This beginner-friendly lab shows how backup files on accessible cloud storage can be leveraged to pivot across a cloud environment and into an on-premise Active Directory domain. Starting from AWS keys found on a compromised workstation, you enumerate IAM and S3 bucket policies, download an SSH key backup, recover a Windows EC2 administrator password, and connect over WinRM. From the host you harvest further AWS credentials, download an Active Directory backup, and extract and crack domain NT hashes.

    Tags: AWS, IAM, S3, EC2, WinRM, Active Directory, NTDS.dit, Hashcat

    Button - Learn more

  • This beginner-friendly lab demonstrates how the dangerous IAM permission iam:SetDefaultPolicyVersion can be abused to self-escalate privileges in AWS. Starting from leaked credentials, you enumerate an attached IAM policy, discover a more permissive older version, and roll the default back to it to unlock access to an S3 bucket holding sensitive data.

    Tags: AWS, IAM, Privilege Escalation, S3, Password Cracking, John The Ripper, Cloud Security, Red Team

    Button - Learn more

  • This beginner lab shows how a JetBrains TeamCity server deployed in AWS can be fully compromised through common bad practices and default settings. You pivot from AWS keys to EC2 user data, reuse a leaked database password over SSH, abuse the default super user login, gain root code execution via a build step, and finally decrypt stored TeamCity secrets to reach an S3 bucket.

    Tags: AWS, TeamCity, EC2, Pacu, Reverse Shell, Privilege Escalation, S3, Red Team

    Button - Learn more

  • This beginner-friendly lab highlights the common problem of leaked credentials in public Docker images. You discover and pull a company image from Docker Hub, extract hardcoded AWS keys from its environment variables, then pivot into AWS CodeCommit to reconstruct commit history and recover a second set of keys leading to sensitive S3 data.

    Tags: AWS, Docker, CodeCommit, S3, Secrets, Trufflehog, Cloud Security, Red Team

    Button - Learn more

  • This beginner-friendly lab teaches how predictable S3 bucket naming conventions can expose sensitive data and enable a full cloud attack chain. Starting from one known bucket, you brute force additional buckets, recover leaked AWS keys, retrieve a secret from SSM Parameter Store, and finally invoke a Lambda function that returns crew PII.

    Tags: AWS, S3, ffuf, SSM Parameter Store, Lambda, IAM, Cloud Security, Red Team

    Button - Learn more

  • This beginner lab shows how insecure S3 bucket permissions combined with weak web server security can lead to takeover of a privileged admin account. Starting from a single IP address, you enumerate a web application, discover a world-writable S3 bucket serving its static assets, and tamper with a hosted JavaScript file to steal an administrator's session cookie. You then hijack the admin session to reach an export feature that leaks sensitive IAM and service account credentials.

    Tags: AWS, S3, Session Hijacking, Web Enumeration, Cross-Site Scripting, Cloud Security, Red Team, Amazon Macie

    Button - Learn more

  • This beginner lab demonstrates how an XML External Entity (XXE) vulnerability in a file upload feature can lead to cloud infrastructure compromise. You test a document processing system that parses XML-based files, weaponize an SVG upload to read a Lambda function's environment file, and exfiltrate the temporary AWS credentials it exposes. Those credentials are then used to enumerate S3 and pull sensitive customer data from a SQLite database.

    Tags: AWS, XXE, Lambda, S3, SVG, Burp Suite, SQLite, Red Team

    Button - Learn more

  • This foundations lab shows how leaked secrets committed to a public repository can let an attacker pwn a cloud environment and access personally identifiable information. You discover a committed .env file containing database credentials and an AWS access key, recover the AWS account ID, and reuse the password to log in to the AWS console. From there you pivot through Secrets Manager to an RDS database holding sensitive employee and dependent data.

    Tags: AWS, Secrets Manager, RDS, IAM, Git, TruffleHog, Gitleaks, Red Team

    Button - Learn more

  • This beginner lab shows how a cloud-based Jenkins instance can be abused through common misconfigurations and bad practices. You find an unauthenticated Jenkins server, harvest AWS keys exposed by the S3 Explorer plugin, and decrypt a concealed secret key using the built-in Script Console. You then use a Groovy reverse shell to gain a foothold as the jenkins user and escalate to root by exploiting password reuse.

    Tags: AWS, Jenkins, S3, Groovy, Reverse Shell, Privilege Escalation, CI/CD, Red Team

    Button - Learn more

  • This beginner-friendly lab shows how a path traversal (dot-dot-slash) vulnerability in a web application can be leveraged to gain a foothold in a cloud environment. You enumerate a Flask-based invoicing portal, exploit a file download parameter to read arbitrary files off the underlying EC2 instance, and recover AWS credentials that lead to a target S3 bucket.

    Tags: AWS, S3, Path Traversal, Web Application Security, Burp Suite, Flask, Credential Access, EC2

    Button - Learn more

  • This beginner-friendly lab teaches several unauthenticated, cross-account techniques for enumerating IAM principals (users and roles) in other AWS accounts. It exploits the fact that AWS returns different responses depending on whether a referenced principal exists, allowing you to confirm valid names and then pivot into the target account.

    Tags: AWS, IAM, S3, Lambda, Pacu, Enumeration, Privilege Escalation, CloudTrail

    Button - Learn more

  • This beginner-friendly lab demonstrates the risk of publicly shared Amazon EBS snapshots and how an attacker can exploit them. Starting as a low-privileged intern user, you enumerate an unencrypted public snapshot, create a volume from it in your own account, mount it, and recover hardcoded credentials that unlock a sensitive S3 bucket.

    Tags: AWS, EBS, S3, IAM, EC2, Data Exfiltration, Credential Access, Cloud Enumeration

    Button - Learn more

  • This foundations-level lab shows the danger of publicly shared Amazon RDS snapshots and how an attacker can exploit them. Starting from only an AWS account ID, you discover a public PostgreSQL snapshot, restore it in your own account, reset the master password, and connect to extract sensitive customer data.

    Tags: AWS, RDS, EC2, PostgreSQL, Data Exfiltration, Cloud Enumeration, Snapshot Exposure

    Button - Learn more

  • This beginner-friendly lab walks through discovering a GCP service account key in an exposed .git directory and using it to break into a Google Cloud project. You then escalate through service account impersonation, read a Cloud Source repository, and reach a Cloud SQL database holding sensitive data.

    Tags: GCP, IAM, Service Account Impersonation, Cloud SQL, Git Exposure, Privilege Escalation, PostgreSQL, Credential Access

    Button - Learn more

Pwned Labs
Your cloud security training ground

Experience, real-world, byte sized cloud security labs for training cyber warriors. From beginners to pros, our engaging platform allows you to secure your defenses, ignite your career and stay ahead of threats.

Join us at any stage of your journey.