# Vulnerable Cloud Labs

{% embed url="https://github.com/RhinoSecurityLabs/cloudgoat" %}

{% embed url="https://github.com/ine-labs/AzureGoat" %}

{% embed url="https://github.com/ine-labs/GCPGoat" %}

### ☁️ Vulnerable Cloud Labs & Environments

#### 1. **CloudGoat (by Rhino Security Labs)**

* **Purpose-built vulnerable AWS environment**.
* Scenarios include:
  * IAM privilege escalation
  * S3 bucket misconfig
  * Lambda exploitation
* Deploys via Terraform in your AWS account.
* GitHub: <https://github.com/RhinoSecurityLabs/cloudgoat>

***

#### 2. **Flaws.Cloud (by Scott Piper)**

* **Legendary AWS pentest challenge** — step-by-step privilege escalation path.
* Teaches real-world misconfig exploitation like EC2 metadata abuse and S3 leaks.
* [https://flaws.cloud](https://flaws.cloud/)

***

#### 3. **Metasploit for Cloud (via Attack Workbench)**

* Cloud-focused attack chains using familiar tools like Metasploit.
* Available in newer Metasploit Pro modules and through community plugins.

***

#### 4. **CloudHound (Active Directory + AWS Hybrid Lab)**

* Designed for hybrid cloud environments:
  * AWS + on-prem AD + IAM abuse
  * EC2 lateral movement
* GitHub: <https://github.com/Orange-Cyberdefense/CloudHound>

***

#### 5. **BadBlood + Cloud Combo**

* Simulate a realistic on-prem Active Directory environment with cloud extensions.
* Deploy alongside CloudGoat or Azure vulnerable services for hybrid attack testing.
* GitHub: <https://github.com/davidprowe/BadBlood>

***

### 🛠️ Tools for Cloud Penetration Testing

| Tool                    | Cloud         | Purpose                                               |
| ----------------------- | ------------- | ----------------------------------------------------- |
| **Pacu**                | AWS           | Post-exploitation framework (like Metasploit for AWS) |
| **ScoutSuite**          | AWS/Azure/GCP | Cloud environment auditing and misconfig detection    |
| **CloudSploit**         | AWS           | Security scanning for known misconfigurations         |
| **s3scanner / slurp**   | AWS           | Public S3 bucket discovery                            |
| **CloudBrute**          | Multi         | Subdomain and storage brute-force                     |
| **GCPBucketBrute**      | GCP           | GCP storage brute-forcing tool                        |
| **Azucar / MicroBurst** | Azure         | Azure enumeration, secrets discovery                  |
| **Enumerate-IAM**       | AWS           | IAM privilege escalation paths                        |
| **Cloudfox**            | AWS           | Offensive cloud reconnaissance tool                   |
| **CredMaster**          | AWS           | Tests leaked AWS creds for privilege escalation       |

***

### 🧪 Online Platforms for Cloud Security Practice

#### 🔹 **TryHackMe – Cloud Rooms**

* **Rooms like:**
  * “IAM is not enough”
  * “Hacking the Cloud”
  * “Cloud Fundamentals”
* Interactive and beginner-friendly.
* [https://tryhackme.com](https://tryhackme.com/)

***

#### 🔹 **HackTheBox – Cloud Machines**

* Realistic cloud-based challenges with AWS and Azure setups.
* Some pro labs simulate hybrid environments.
* [https://hackthebox.com](https://hackthebox.com/)

***

#### 🔹 **Pentester Academy Cloud Labs (Now INE)**

* Hands-on labs in:
  * AWS privilege escalation
  * SSRF → credential theft
  * Misconfigured S3/EC2/CloudTrail
* [https://ine.com](https://ine.com/)

***

#### 🔹 **Hacking the Cloud Knowledge Base**

* Comprehensive, attacker-oriented cloud knowledge base with techniques mapped to MITRE ATT\&CK.
* Great for real-world attack chains.
* [https://hackingthe.cloud](https://hackingthe.cloud/)

***

### 🧱 Cloud Provider-Specific Pentesting Targets

| Cloud     | Resource                                           |
| --------- | -------------------------------------------------- |
| **AWS**   | CloudGoat, flaws.cloud, Pacu                       |
| **Azure** | Azucar, MicroBurst, Azure Goat                     |
| **GCP**   | GCPBucketBrute, gcp\_enum, InSecurity by BishopFox |

***

### 🧠 Cloud Pentesting Learning Path

| Phase | Focus                    | Tools & Labs                                  |
| ----- | ------------------------ | --------------------------------------------- |
| 1     | ☁️ Enumeration           | CloudFox, ScoutSuite                          |
| 2     | 🔐 Identity & Access     | Pacu, Enumerate-IAM, MicroBurst               |
| 3     | 💣 Exploitation          | S3 exploitation, metadata abuse, SSRF         |
| 4     | 🧬 Privilege Escalation  | IAM abuse, Lambda role takeover               |
| 5     | 🔄 Lateral Movement      | STS assume-role, hybrid pivoting              |
| 6     | 🧹 Persistence & Cleanup | Hidden roles, logging bypass, deleting trails |

***

#### 6. **IAM Vulnerable (AWS)**

* **What it is:** A focused lab on exploiting **IAM misconfigurations** in AWS.
* Practice:
  * Policy misconfig
  * Privilege escalation
  * Role chaining
* **GitHub:** <https://github.com/RhinoSecurityLabs/IAM-Vulnerable>

***

#### 7. **AWSGoat (by Madhu Akula)**

* A **multi-scenario vulnerable AWS deployment** to simulate real-world insecure cloud setups.
* Use for:
  * Pentesting EC2, Lambda, IAM, CloudFormation
* **GitHub:** <https://github.com/madhuakula/awsgoat>

***

#### 8. **AzureGoat**

* Azure’s version of AWSGoat.
* Deploy intentionally vulnerable Azure services:
  * Key Vault misconfig
  * Azure Functions
  * Role assignments
* **GitHub:** <https://github.com/Cloud-Architekt/AzureGoat>

***

#### 9. **GOATStack (Multi-Cloud Lab)**

* Full-featured lab with:
  * AWS + Azure + GCP
  * Insecure APIs
  * Serverless misconfigs
  * OAuth abuse
* Great for enterprise-level hybrid environment testing.
* **GitHub:** <https://github.com/ine-labs/GOATStack>

***

### ⚙️ More Specialized & Underused Tools for Cloud Hacking

| Tool                                      | Cloud | Purpose                                                      |
| ----------------------------------------- | ----- | ------------------------------------------------------------ |
| **IAMFinder**                             | AWS   | Enumerates trust policies to find privilege chains           |
| **Principal Mapper** (`principal-mapper`) | AWS   | Maps AWS IAM relationships visually                          |
| **S3ReverseShell**                        | AWS   | Use S3 bucket events to trigger reverse shell via Lambda     |
| **AWSBucketDump**                         | AWS   | Bruteforce tool for S3 bucket discovery                      |
| **Cloudlist**                             | Multi | Open-source tool to enumerate cloud assets (great for recon) |
| **Go365**                                 | M365  | Enumerate and exploit Microsoft 365 misconfigurations        |
| **PowerZure**                             | Azure | Privilege escalation and reconnaissance for Azure AD         |

***

### 📦 Real-World Cloud Exploit Repositories

| Resource                                   | What's Inside                                                  |
| ------------------------------------------ | -------------------------------------------------------------- |
| **Cloud Security Exploits (by BishopFox)** | Active Azure/GCP/AWS attack chains                             |
| **Red Canary Threat Detection for Cloud**  | Real telemetry + known bad behavior in cloud                   |
| **MAD.cloud (MITRE ATT\&CK for Cloud)**    | Mapping of cloud attack techniques to MITRE                    |
| **NCC Group GitHub**                       | Scripts and case studies for Azure and AWS red teaming         |
| **CloudSecList**                           | GitHub list of up-to-date cloud security and pentest resources |

***

### 🧬 Hybrid & Federated Cloud Attack Vectors

Cloud pentesting isn’t just about one provider. Many enterprises run **hybrid environments**. Here are **cross-cloud attack chains**:

| Attack Chain                                  | Description                                                              |
| --------------------------------------------- | ------------------------------------------------------------------------ |
| **Azure AD → AWS STS AssumeRole**             | Federated identity configured improperly — Azure user can pivot into AWS |
| **GCP IAM → GKE Compromise → Metadata Theft** | Abusing service accounts to elevate                                      |
| **Okta SSO Abuse**                            | Exploiting misconfigured identity federation                             |
| **On-prem AD → ADFS → Cloud Control**         | Attack Active Directory → Abuse federated login to Azure or AWS          |

Tools like **BloodHound for Azure (AzureHound)** and **CloudFox** are great for mapping these hybrid paths.

***

### 📚 Deep-Dive Research, Reports & Guidance

| Resource                                    | Why It’s Useful                                            |
| ------------------------------------------- | ---------------------------------------------------------- |
| **MITRE ATT\&CK: Cloud Matrix**             | Official attack tactics for cloud systems                  |
| **NSA Cloud Security Guidance**             | Defense + attack surface breakdowns                        |
| **Rhino Security Labs Blog**                | Deep dives into AWS-specific exploits                      |
| **Wiz Research**                            | Real-world cloud privilege escalation case studies         |
| **Google's Cloud Threat Intelligence Team** | New GCP attack simulations and telemetry                   |
| **Project Aurora (by NCC)**                 | End-to-end cloud security architecture + exploit scenarios |

***

### 🧭 Advanced Cloud Pentesting Roadmap (Expert-Level)

| Stage                   | Focus                              | Tools/Resources                      |
| ----------------------- | ---------------------------------- | ------------------------------------ |
| 🔹 Recon                | Passive discovery, subdomain enum  | `cloudlist`, `amass`, `CloudBrute`   |
| 🔹 Initial Access       | Misconfig abuse, leaked creds      | `Pacu`, `Go365`, GH Dorks            |
| 🔹 Enumeration          | IAM, buckets, services             | `ScoutSuite`, `CloudFox`, `Azucar`   |
| 🔹 Privilege Escalation | Misused policies, chaining roles   | `Enumerate-IAM`, `MicroBurst`        |
| 🔹 Lateral Movement     | Lambda, Function Apps, GKE abuse   | Custom scripts, `Pacu` modules       |
| 🔹 Persistence          | Role creation, logging disablement | `awscli`, `azcli`, Terraform abuse   |
| 🔹 Data Exfil           | Snapshot stealing, S3 dumps        | `aws s3 cp`, `GCP gsutil`, scripting |

***

### 💥 Fully-Loaded Cloud Pentest Lab Setup

A complete, ready-to-go lab combines:

* ✅ AWS: CloudGoat + Pacu + custom scripts
* ✅ Azure: AzureGoat + MicroBurst
* ✅ GCP: GCPBucketBrute + simulated misconfigs
* ✅ Hybrid: Federated SSO misconfig with Okta/ADFS
* ✅ Monitoring: GuardDuty, CloudTrail, or Sentinel for blue team feedback
