Vulnerable Cloud Labs

GitHub - RhinoSecurityLabs/cloudgoat: CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment toolGitHub

GitHub - ine-labs/AzureGoat: AzureGoat : A Damn Vulnerable Azure InfrastructureGitHub

GitHub - ine-labs/GCPGoat: GCPGoat : A Damn Vulnerable GCP InfrastructureGitHub

☁️ Vulnerable Cloud Labs & Environments

1. CloudGoat (by Rhino Security Labs)

• Purpose-built vulnerable AWS environment.

• Scenarios include:

  • IAM privilege escalation

  • S3 bucket misconfig

  • Lambda exploitation

• Deploys via Terraform in your AWS account.

• GitHub: https://github.com/RhinoSecurityLabs/cloudgoat

---

2. Flaws.Cloud (by Scott Piper)

• Legendary AWS pentest challenge — step-by-step privilege escalation path.

• Teaches real-world misconfig exploitation like EC2 metadata abuse and S3 leaks.

• https://flaws.cloud

---

3. Metasploit for Cloud (via Attack Workbench)

• Cloud-focused attack chains using familiar tools like Metasploit.

• Built into newer modules in Metasploit Pro and via community plugins.

---

4. CloudHound (Active Directory + AWS Hybrid Lab)

• Designed for hybrid cloud environments:

  • AWS + on-prem AD + IAM abuse

  • EC2 lateral movement

• GitHub: https://github.com/Orange-Cyberdefense/CloudHound

---

5. BadBlood + Cloud Combo

• Simulate a realistic on-prem Active Directory environment with cloud extensions.

• Deploy alongside CloudGoat or Azure vulnerable services for hybrid attack testing.

• GitHub: https://github.com/davidprowe/BadBlood

---

🛠️ Tools for Cloud Penetration Testing

Tool	Cloud	Purpose
Pacu	AWS	Post-exploitation framework (like Metasploit for AWS)
ScoutSuite	AWS/Azure/GCP	Cloud environment auditing and misconfig detection
CloudSploit	AWS	Security scanning for known misconfigurations
s3scanner / slurp	AWS	Public S3 bucket discovery
CloudBrute	Multi	Subdomain and storage brute-force
GCPBucketBrute	GCP	GCP storage brute-forcing tool
Azucar / MicroBurst	Azure	Azure enumeration, secrets discovery
Enumerate-IAM	AWS	IAM privilege escalation paths
Cloudfox	AWS	Offensive cloud reconnaissance tool
CredMaster	AWS	Tests leaked AWS creds for privilege escalation

---

🧪 Online Platforms for Cloud Security Practice

🔹 TryHackMe – Cloud Rooms

• Rooms like:

  • “IAM is not enough”

  • “Hacking the Cloud”

  • “Cloud Fundamentals”

• Interactive and beginner-friendly.

• https://tryhackme.com

---

🔹 HackTheBox – Cloud Machines

• Realistic cloud-based challenges with AWS and Azure setups.

• Some pro labs simulate hybrid environments.

• https://hackthebox.com

---

🔹 Pentester Academy Cloud Labs (Now INE)

• Hands-on labs in:

  • AWS privilege escalation

  • SSRF → credential theft

  • Misconfigured S3/EC2/CloudTrail

• https://ine.com

---

🔹 Hacking the Cloud Knowledge Base

• Comprehensive, attacker-oriented cloud knowledge base with techniques mapped to MITRE ATT&CK.

• Great for real-world attack chains.

• https://hackingthe.cloud

---

🧱 Cloud Provider-Specific Pentesting Targets

Cloud	Resource
AWS	CloudGoat, flaws.cloud, Pacu
Azure	Azucar, MicroBurst, Azure Goat
GCP	GCPBucketBrute, gcp_enum, InSecurity by BishopFox

---

🧠 Cloud Pentesting Learning Path

Phase	Focus	Tools & Labs
1	☁️ Enumeration	CloudFox, ScoutSuite
2	🔐 Identity & Access	Pacu, Enumerate-IAM, MicroBurst
3	💣 Exploitation	S3 exploitation, metadata abuse, SSRF
4	🧬 Privilege Escalation	IAM abuse, Lambda role takeover
5	🔄 Lateral Movement	STS assume-role, hybrid pivoting
6	🧹 Persistence & Cleanup	Hidden roles, logging bypass, deleting trails

6. IAM Vulnerable (AWS)

• What it is: A focused lab on exploiting IAM misconfigurations in AWS.

• Practice:

  • Policy misconfig

  • Privilege escalation

  • Role chaining

• GitHub: https://github.com/RhinoSecurityLabs/IAM-Vulnerable

---

7. AWSGoat (by Madhu Akula)

• A multi-scenario vulnerable AWS deployment to simulate real-world insecure cloud setups.

• Use for:

  • Pentesting EC2, Lambda, IAM, CloudFormation

• GitHub: https://github.com/madhuakula/awsgoat

---

8. AzureGoat

• Azure’s version of AWSGoat.

• Deploy intentionally vulnerable Azure services:

  • Key Vault misconfig

  • Azure Functions

  • Role assignments

• GitHub: https://github.com/Cloud-Architekt/AzureGoat

---

9. GOATStack (Multi-Cloud Lab)

• Full-featured lab with:

  • AWS + Azure + GCP

  • Insecure APIs

  • Serverless misconfigs

  • OAuth abuse

• Great for enterprise-level hybrid environment testing.

• GitHub: https://github.com/ine-labs/GOATStack

---

⚙️ More Specialized & Underused Tools for Cloud Hacking

Tool	Cloud	Purpose
IAMFinder	AWS	Enumerates trust policies to find privilege chains
Principal Mapper (principal-mapper)	AWS	Maps AWS IAM relationships visually
S3ReverseShell	AWS	Use S3 bucket events to trigger reverse shell via Lambda
AWSBucketDump	AWS	Bruteforce tool for S3 bucket discovery
Cloudlist	Multi	Open-source tool to enumerate cloud assets (great for recon)
Go365	M365	Enumerate and exploit Microsoft 365 misconfigurations
PowerZure	Azure	Privilege escalation and reconnaissance for Azure AD

---

📦 Real-World Cloud Exploit Repositories

Resource	What's Inside
Cloud Security Exploits (by BishopFox)	Active Azure/GCP/AWS attack chains
Red Canary Threat Detection for Cloud	Real telemetry + known bad behavior in cloud
MAD.cloud (MITRE ATT&CK for Cloud)	Mapping of cloud attack techniques to MITRE
NCC Group GitHub	Scripts and case studies for Azure and AWS red teaming
CloudSecList	GitHub list of up-to-date cloud security and pentest resources

---

🧬 Hybrid & Federated Cloud Attack Vectors

Cloud pentesting isn’t just about one provider. Many enterprises run hybrid environments. Here are cross-cloud attack chains:

Attack Chain	Description
Azure AD → AWS STS AssumeRole	Federated identity configured improperly — Azure user can pivot into AWS
GCP IAM → GKE Compromise → Metadata Theft	Abusing service accounts to elevate
Okta SSO Abuse	Exploiting misconfigured identity federation
On-prem AD → ADFS → Cloud Control	Attack Active Directory → Abuse federated login to Azure or AWS

Tools like BloodHound for Azure (AzureHound) and CloudFox are great for mapping these hybrid paths.

---

📚 Deep-Dive Research, Reports & Guidance

Resource	Why It’s Useful
MITRE ATT&CK: Cloud Matrix	Official attack tactics for cloud systems
NSA Cloud Security Guidance	Defense + attack surface breakdowns
Rhino Security Labs Blog	Deep dives into AWS-specific exploits
Wiz Research	Real-world cloud privilege escalation case studies
Google's Cloud Threat Intelligence Team	New GCP attack simulations and telemetry
Project Aurora (by NCC)	End-to-end cloud security architecture + exploit scenarios

---

🧭 Advanced Cloud Pentesting Roadmap (Expert-Level)

Stage	Focus	Tools/Resources
🔹 Recon	Passive discovery, subdomain enum	cloudlist, amass, CloudBrute
🔹 Initial Access	Misconfig abuse, leaked creds	Pacu, Go365, GH Dorks
🔹 Enumeration	IAM, buckets, services	ScoutSuite, CloudFox, Azucar
🔹 Privilege Escalation	Misused policies, chaining roles	Enumerate-IAM, MicroBurst
🔹 Lateral Movement	Lambda, Function Apps, GKE abuse	Custom scripts, Pacu modules
🔹 Persistence	Role creation, logging disablement	awscli, azcli, Terraform abuse
🔹 Data Exfil	Snapshot stealing, S3 dumps	aws s3 cp, GCP gsutil, scripting

---

💥 Want a Fully-Loaded Cloud Pentest Lab Setup?

I can generate a ready-to-go lab setup with:

• ✅ AWS: CloudGoat + Pacu + custom scripts

• ✅ Azure: AzureGoat + MicroBurst

• ✅ GCP: GCPBucketBrute + simulated misconfigs

• ✅ Hybrid: Federated SSO misconfig with Okta/ADFS

• ✅ Monitoring: GuardDuty, CloudTrail, or Sentinel for blue team feedback