# Vulnerable Cloud Labs

{% embed url="<https://github.com/RhinoSecurityLabs/cloudgoat>" %}

{% embed url="<https://github.com/ine-labs/AzureGoat>" %}

{% embed url="<https://github.com/ine-labs/GCPGoat>" %}

### ☁️ Vulnerable Cloud Labs & Environments

#### 1. **CloudGoat (by Rhino Security Labs)**

* **Purpose-built vulnerable AWS environment**.
* Scenarios include:
  * IAM privilege escalation
  * S3 bucket misconfig
  * Lambda exploitation
* Deploys via Terraform in your AWS account.
* GitHub: <https://github.com/RhinoSecurityLabs/cloudgoat>

***

#### 2. **Flaws.Cloud (by Scott Piper)**

* **Legendary AWS pentest challenge** — step-by-step privilege escalation path.
* Teaches real-world misconfig exploitation like EC2 metadata abuse and S3 leaks.
* [https://flaws.cloud](https://flaws.cloud/)

***

#### 3. **Metasploit for Cloud (via Attack Workbench)**

* Cloud-focused attack chains using familiar tools like Metasploit.
* Built into newer modules in Metasploit Pro and via community plugins.

***

#### 4. **CloudHound (Active Directory + AWS Hybrid Lab)**

* Designed for hybrid cloud environments:
  * AWS + on-prem AD + IAM abuse
  * EC2 lateral movement
* GitHub: <https://github.com/Orange-Cyberdefense/CloudHound>

***

#### 5. **BadBlood + Cloud Combo**

* Simulate a realistic on-prem Active Directory environment with cloud extensions.
* Deploy alongside CloudGoat or Azure vulnerable services for hybrid attack testing.
* GitHub: <https://github.com/davidprowe/BadBlood>

***

### 🛠️ Tools for Cloud Penetration Testing

| Tool                    | Cloud         | Purpose                                               |
| ----------------------- | ------------- | ----------------------------------------------------- |
| **Pacu**                | AWS           | Post-exploitation framework (like Metasploit for AWS) |
| **ScoutSuite**          | AWS/Azure/GCP | Cloud environment auditing and misconfig detection    |
| **CloudSploit**         | AWS           | Security scanning for known misconfigurations         |
| **s3scanner / slurp**   | AWS           | Public S3 bucket discovery                            |
| **CloudBrute**          | Multi         | Subdomain and storage brute-force                     |
| **GCPBucketBrute**      | GCP           | GCP storage brute-forcing tool                        |
| **Azucar / MicroBurst** | Azure         | Azure enumeration, secrets discovery                  |
| **Enumerate-IAM**       | AWS           | IAM privilege escalation paths                        |
| **Cloudfox**            | AWS           | Offensive cloud reconnaissance tool                   |
| **CredMaster**          | AWS           | Tests leaked AWS creds for privilege escalation       |

***

### 🧪 Online Platforms for Cloud Security Practice

#### 🔹 **TryHackMe – Cloud Rooms**

* **Rooms like:**
  * “IAM is not enough”
  * “Hacking the Cloud”
  * “Cloud Fundamentals”
* Interactive and beginner-friendly.
* [https://tryhackme.com](https://tryhackme.com/)

***

#### 🔹 **HackTheBox – Cloud Machines**

* Realistic cloud-based challenges with AWS and Azure setups.
* Some pro labs simulate hybrid environments.
* [https://hackthebox.com](https://hackthebox.com/)

***

#### 🔹 **Pentester Academy Cloud Labs (Now INE)**

* Hands-on labs in:
  * AWS privilege escalation
  * SSRF → credential theft
  * Misconfigured S3/EC2/CloudTrail
* [https://ine.com](https://ine.com/)

***

#### 🔹 **Hacking the Cloud Knowledge Base**

* Comprehensive, attacker-oriented cloud knowledge base with techniques mapped to MITRE ATT\&CK.
* Great for real-world attack chains.
* [https://hackingthe.cloud](https://hackingthe.cloud/)

***

### 🧱 Cloud Provider-Specific Pentesting Targets

| Cloud     | Resource                                           |
| --------- | -------------------------------------------------- |
| **AWS**   | CloudGoat, flaws.cloud, Pacu                       |
| **Azure** | Azucar, MicroBurst, Azure Goat                     |
| **GCP**   | GCPBucketBrute, gcp\_enum, InSecurity by BishopFox |

***

### 🧠 Cloud Pentesting Learning Path

| Phase | Focus                    | Tools & Labs                                  |
| ----- | ------------------------ | --------------------------------------------- |
| 1     | ☁️ Enumeration           | CloudFox, ScoutSuite                          |
| 2     | 🔐 Identity & Access     | Pacu, Enumerate-IAM, MicroBurst               |
| 3     | 💣 Exploitation          | S3 exploitation, metadata abuse, SSRF         |
| 4     | 🧬 Privilege Escalation  | IAM abuse, Lambda role takeover               |
| 5     | 🔄 Lateral Movement      | STS assume-role, hybrid pivoting              |
| 6     | 🧹 Persistence & Cleanup | Hidden roles, logging bypass, deleting trails |

***

#### 6. **IAM Vulnerable (AWS)**

* **What it is:** A focused lab on exploiting **IAM misconfigurations** in AWS.
* Practice:
  * Policy misconfig
  * Privilege escalation
  * Role chaining
* **GitHub:** <https://github.com/RhinoSecurityLabs/IAM-Vulnerable>

***

#### 7. **AWSGoat (by Madhu Akula)**

* A **multi-scenario vulnerable AWS deployment** to simulate real-world insecure cloud setups.
* Use for:
  * Pentesting EC2, Lambda, IAM, CloudFormation
* **GitHub:** <https://github.com/madhuakula/awsgoat>

***

#### 8. **AzureGoat**

* Azure’s version of AWSGoat.
* Deploy intentionally vulnerable Azure services:
  * Key Vault misconfig
  * Azure Functions
  * Role assignments
* **GitHub:** <https://github.com/ine-labs/AzureGoat>

***

#### 9. **GOATStack (Multi-Cloud Lab)**

* Full-featured lab with:
  * AWS + Azure + GCP
  * Insecure APIs
  * Serverless misconfigs
  * OAuth abuse
* Great for enterprise-level hybrid environment testing.
* **GitHub:** <https://github.com/ine-labs/GOATStack>

***

### ⚙️ More Specialized & Underused Tools for Cloud Hacking

| Tool                                      | Cloud | Purpose                                                      |
| ----------------------------------------- | ----- | ------------------------------------------------------------ |
| **IAMFinder**                             | AWS   | Enumerates trust policies to find privilege chains           |
| **Principal Mapper** (`principal-mapper`) | AWS   | Maps AWS IAM relationships visually                          |
| **S3ReverseShell**                        | AWS   | Use S3 bucket events to trigger reverse shell via Lambda     |
| **AWSBucketDump**                         | AWS   | Bruteforce tool for S3 bucket discovery                      |
| **Cloudlist**                             | Multi | Open-source tool to enumerate cloud assets (great for recon) |
| **Go365**                                 | M365  | Enumerate and exploit Microsoft 365 misconfigurations        |
| **PowerZure**                             | Azure | Privilege escalation and reconnaissance for Azure AD         |

***

### 📦 Real-World Cloud Exploit Repositories

| Resource                                   | What's Inside                                                  |
| ------------------------------------------ | -------------------------------------------------------------- |
| **Cloud Security Exploits (by BishopFox)** | Active Azure/GCP/AWS attack chains                             |
| **Red Canary Threat Detection for Cloud**  | Real telemetry + known bad behavior in cloud                   |
| **MAD.cloud (MITRE ATT\&CK for Cloud)**    | Mapping of cloud attack techniques to MITRE                    |
| **NCC Group GitHub**                       | Scripts and case studies for Azure and AWS red teaming         |
| **CloudSecList**                           | GitHub list of up-to-date cloud security and pentest resources |

***

### 🧬 Hybrid & Federated Cloud Attack Vectors

Cloud pentesting isn’t just about one provider. Many enterprises run **hybrid environments**. Here are **cross-cloud attack chains**:

| Attack Chain                                  | Description                                                              |
| --------------------------------------------- | ------------------------------------------------------------------------ |
| **Azure AD → AWS STS AssumeRole**             | Federated identity configured improperly — Azure user can pivot into AWS |
| **GCP IAM → GKE Compromise → Metadata Theft** | Abusing service accounts to elevate                                      |
| **Okta SSO Abuse**                            | Exploiting misconfigured identity federation                             |
| **On-prem AD → ADFS → Cloud Control**         | Attack Active Directory → Abuse federated login to Azure or AWS          |

Tools like **BloodHound for Azure (AzureHound)** and **CloudFox** are great for mapping these hybrid paths.

***

### 📚 Deep-Dive Research, Reports & Guidance

| Resource                                    | Why It’s Useful                                            |
| ------------------------------------------- | ---------------------------------------------------------- |
| **MITRE ATT\&CK: Cloud Matrix**             | Official attack tactics for cloud systems                  |
| **NSA Cloud Security Guidance**             | Defense + attack surface breakdowns                        |
| **Rhino Security Labs Blog**                | Deep dives into AWS-specific exploits                      |
| **Wiz Research**                            | Real-world cloud privilege escalation case studies         |
| **Google's Cloud Threat Intelligence Team** | New GCP attack simulations and telemetry                   |
| **Project Aurora (by NCC)**                 | End-to-end cloud security architecture + exploit scenarios |

***

### 🧭 Advanced Cloud Pentesting Roadmap (Expert-Level)

| Stage                   | Focus                              | Tools/Resources                      |
| ----------------------- | ---------------------------------- | ------------------------------------ |
| 🔹 Recon                | Passive discovery, subdomain enum  | `cloudlist`, `amass`, `CloudBrute`   |
| 🔹 Initial Access       | Misconfig abuse, leaked creds      | `Pacu`, `Go365`, GH Dorks            |
| 🔹 Enumeration          | IAM, buckets, services             | `ScoutSuite`, `CloudFox`, `Azucar`   |
| 🔹 Privilege Escalation | Misused policies, chaining roles   | `Enumerate-IAM`, `MicroBurst`        |
| 🔹 Lateral Movement     | Lambda, Function Apps, GKE abuse   | Custom scripts, `Pacu` modules       |
| 🔹 Persistence          | Role creation, logging disablement | `awscli`, `azcli`, Terraform abuse   |
| 🔹 Data Exfil           | Snapshot stealing, S3 dumps        | `aws s3 cp`, `GCP gsutil`, scripting |

***

### 💥 Want a Fully-Loaded Cloud Pentest Lab Setup?

I can generate a ready-to-go lab setup with:

* ✅ AWS: CloudGoat + Pacu + custom scripts
* ✅ Azure: AzureGoat + MicroBurst
* ✅ GCP: GCPBucketBrute + simulated misconfigs
* ✅ Hybrid: Federated SSO misconfig with Okta/ADFS
* ✅ Monitoring: GuardDuty, CloudTrail, or Sentinel for blue team feedback
