
Command Injection to EC2 User Data Privilege Escalation

Without proper validation or sanitization, OS command injections can cause significant issues in software applications.

30 Minute Playing time

Overview

We created this beginner-friendly lab to showcase how an OS command injection vulnerability can result in attackers compromising cloud infrastructure.

Scenario

After a successful smishing attack on your client, Huge Logistics, you've obtained AWS credentials for a user account. Your task is to use these initial credentials to explore and possibly expand your access within their cloud environment. Your objective is to demonstrate the impact of smishing the user. Let the hunt begin.

Lab prerequisites

  • Basic Linux command line knowledge
  • Basic web knowledge

Learning outcomes

  • Basic web application enumeration
  • Basic command injection testing and exploitation
  • IAM role, policy, and EC2 instance enumeration

Real-world context

With remote code execution (RCE), injected programming code is executed, whereas with a command injection, it’s an OS command that is being executed. This lab focuses on OS command injections, which are a common and significant real-world issue in software applications, occurring when untrusted user input is directly incorporated into system commands without proper validation or sanitization.
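
The root cause described above, shown next to its fix, as an added example that is not part of the lab or its application. The function names, the `echo` stand-in for a real diagnostic tool, and the hostname allow-list are assumptions made for illustration.

```python
import re
import subprocess

# Assumed allow-list for a hostname parameter (illustrative, not from the lab).
# Requiring an alphanumeric first character also stops a value such as "-x"
# from being read as an option by the program that receives it.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def lookup_unsafe(host: str) -> str:
    """Vulnerable pattern: input is pasted into a string that /bin/sh parses."""
    cmd = f"echo resolving {host}"  # ';', '|', '&&', '$()' become shell syntax
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv(host: str) -> str:
    """No shell: the input is one argv element and is never parsed as syntax."""
    result = subprocess.run(
        ["echo", "resolving", host],  # list form, shell=False by default
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def lookup_safe(host: str) -> str:
    """Hardened: validate against the allow-list first, then run without a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected host value")
    return lookup_argv(host)


# Constructed sample input: a hostname followed by a shell command separator.
SAMPLE = "example.com; echo INJECTED"

if __name__ == "__main__":
    print("unsafe:", lookup_unsafe(SAMPLE).splitlines())  # two commands ran
    print("argv:  ", lookup_argv(SAMPLE).splitlines())    # one literal argument
    try:
        lookup_safe(SAMPLE)
    except ValueError as exc:
        print("safe:  ", exc)                             # input refused outright
```

Passing an argument list removes the shell from the path entirely, and the allow-list is a second layer that rejects the value before any process is started.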