Vulnerable Cloud Labs

GitHub - RhinoSecurityLabs/cloudgoat: CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment toolGitHub

GitHub - ine-labs/AzureGoat: AzureGoat : A Damn Vulnerable Azure InfrastructureGitHub

GitHub - ine-labs/GCPGoat: GCPGoat : A Damn Vulnerable GCP InfrastructureGitHub

☁️ Vulnerable Cloud Labs & Environments

1. CloudGoat (by Rhino Security Labs)

Purpose-built vulnerable AWS environment.
Scenarios include:
- IAM privilege escalation
- S3 bucket misconfig
- Lambda exploitation
Deploys via Terraform in your AWS account.
GitHub: https://github.com/RhinoSecurityLabs/cloudgoat

2. Flaws.Cloud (by Scott Piper)

Legendary AWS pentest challenge — step-by-step privilege escalation path.
Teaches real-world misconfig exploitation like EC2 metadata abuse and S3 leaks.
https://flaws.cloud

3. Metasploit for Cloud (via Attack Workbench)

Cloud-focused attack chains using familiar tools like Metasploit.
Built into newer modules in Metasploit Pro and via community plugins.

4. CloudHound (Active Directory + AWS Hybrid Lab)

Designed for hybrid cloud environments:
- AWS + on-prem AD + IAM abuse
- EC2 lateral movement
GitHub: https://github.com/Orange-Cyberdefense/CloudHound

5. BadBlood + Cloud Combo

Simulate a realistic on-prem Active Directory environment with cloud extensions.
Deploy alongside CloudGoat or Azure vulnerable services for hybrid attack testing.
GitHub: https://github.com/davidprowe/BadBlood

🛠️ Tools for Cloud Penetration Testing

Tool

Cloud

Purpose

Pacu

AWS

Post-exploitation framework (like Metasploit for AWS)

ScoutSuite

AWS/Azure/GCP

Cloud environment auditing and misconfig detection

CloudSploit

AWS

Security scanning for known misconfigurations

s3scanner / slurp

AWS

Public S3 bucket discovery

CloudBrute

Multi

Subdomain and storage brute-force

GCPBucketBrute

GCP

GCP storage brute-forcing tool

Azucar / MicroBurst

Azure

Azure enumeration, secrets discovery

Enumerate-IAM

AWS

IAM privilege escalation paths

Cloudfox

AWS

Offensive cloud reconnaissance tool

CredMaster

AWS

Tests leaked AWS creds for privilege escalation

🧪 Online Platforms for Cloud Security Practice

🔹 TryHackMe – Cloud Rooms

Rooms like:
- “IAM is not enough”
- “Hacking the Cloud”
- “Cloud Fundamentals”
Interactive and beginner-friendly.
https://tryhackme.com

🔹 HackTheBox – Cloud Machines

Realistic cloud-based challenges with AWS and Azure setups.
Some pro labs simulate hybrid environments.
https://hackthebox.com

🔹 Pentester Academy Cloud Labs (Now INE)

Hands-on labs in:
- AWS privilege escalation
- SSRF → credential theft
- Misconfigured S3/EC2/CloudTrail
https://ine.com

🔹 Hacking the Cloud Knowledge Base

Comprehensive, attacker-oriented cloud knowledge base with techniques mapped to MITRE ATT&CK.
Great for real-world attack chains.
https://hackingthe.cloud

🧱 Cloud Provider-Specific Pentesting Targets

Cloud

Resource

AWS

CloudGoat, flaws.cloud, Pacu

Azure

Azucar, MicroBurst, Azure Goat

GCP

GCPBucketBrute, gcp_enum, InSecurity by BishopFox

🧠 Cloud Pentesting Learning Path

Phase

Focus

Tools & Labs

☁️ Enumeration

CloudFox, ScoutSuite

🔐 Identity & Access

Pacu, Enumerate-IAM, MicroBurst

💣 Exploitation

S3 exploitation, metadata abuse, SSRF

🧬 Privilege Escalation

IAM abuse, Lambda role takeover

🔄 Lateral Movement

STS assume-role, hybrid pivoting

🧹 Persistence & Cleanup

Hidden roles, logging bypass, deleting trails

6. IAM Vulnerable (AWS)

What it is: A focused lab on exploiting IAM misconfigurations in AWS.
Practice:
- Policy misconfig
- Privilege escalation
- Role chaining
GitHub: https://github.com/RhinoSecurityLabs/IAM-Vulnerable

7. AWSGoat (by Madhu Akula)

A multi-scenario vulnerable AWS deployment to simulate real-world insecure cloud setups.
Use for:
- Pentesting EC2, Lambda, IAM, CloudFormation
GitHub: https://github.com/madhuakula/awsgoat

8. AzureGoat

Azure’s version of AWSGoat.
Deploy intentionally vulnerable Azure services:
- Key Vault misconfig
- Azure Functions
- Role assignments
GitHub: https://github.com/Cloud-Architekt/AzureGoat

9. GOATStack (Multi-Cloud Lab)

Full-featured lab with:
- AWS + Azure + GCP
- Insecure APIs
- Serverless misconfigs
- OAuth abuse
Great for enterprise-level hybrid environment testing.
GitHub: https://github.com/ine-labs/GOATStack

⚙️ More Specialized & Underused Tools for Cloud Hacking

Tool

Cloud

Purpose

IAMFinder

AWS

Enumerates trust policies to find privilege chains

Principal Mapper (principal-mapper)

AWS

Maps AWS IAM relationships visually

S3ReverseShell

AWS

Use S3 bucket events to trigger reverse shell via Lambda

AWSBucketDump

AWS

Bruteforce tool for S3 bucket discovery

Cloudlist

Multi

Open-source tool to enumerate cloud assets (great for recon)

Go365

M365

Enumerate and exploit Microsoft 365 misconfigurations

PowerZure

Azure

Privilege escalation and reconnaissance for Azure AD

📦 Real-World Cloud Exploit Repositories

Resource

What's Inside

Cloud Security Exploits (by BishopFox)

Active Azure/GCP/AWS attack chains

Red Canary Threat Detection for Cloud

Real telemetry + known bad behavior in cloud

MAD.cloud (MITRE ATT&CK for Cloud)

Mapping of cloud attack techniques to MITRE

NCC Group GitHub

Scripts and case studies for Azure and AWS red teaming

CloudSecList

GitHub list of up-to-date cloud security and pentest resources

🧬 Hybrid & Federated Cloud Attack Vectors

Cloud pentesting isn’t just about one provider. Many enterprises run hybrid environments. Here are cross-cloud attack chains:

Attack Chain

Description

Azure AD → AWS STS AssumeRole

Federated identity configured improperly — Azure user can pivot into AWS

GCP IAM → GKE Compromise → Metadata Theft

Abusing service accounts to elevate

Okta SSO Abuse

Exploiting misconfigured identity federation

On-prem AD → ADFS → Cloud Control

Attack Active Directory → Abuse federated login to Azure or AWS

Tools like BloodHound for Azure (AzureHound) and CloudFox are great for mapping these hybrid paths.

📚 Deep-Dive Research, Reports & Guidance

Resource

Why It’s Useful

MITRE ATT&CK: Cloud Matrix

Official attack tactics for cloud systems

NSA Cloud Security Guidance

Defense + attack surface breakdowns

Rhino Security Labs Blog

Deep dives into AWS-specific exploits

Wiz Research

Real-world cloud privilege escalation case studies

Google's Cloud Threat Intelligence Team

New GCP attack simulations and telemetry

Project Aurora (by NCC)

End-to-end cloud security architecture + exploit scenarios

🧭 Advanced Cloud Pentesting Roadmap (Expert-Level)

Stage

Focus

Tools/Resources

🔹 Recon

Passive discovery, subdomain enum

cloudlist, amass, CloudBrute

🔹 Initial Access

Misconfig abuse, leaked creds

Pacu, Go365, GH Dorks

🔹 Enumeration

IAM, buckets, services

ScoutSuite, CloudFox, Azucar

🔹 Privilege Escalation

Misused policies, chaining roles

Enumerate-IAM, MicroBurst

🔹 Lateral Movement

Lambda, Function Apps, GKE abuse

Custom scripts, Pacu modules

🔹 Persistence

Role creation, logging disablement

awscli, azcli, Terraform abuse

🔹 Data Exfil

Snapshot stealing, S3 dumps

aws s3 cp, GCP gsutil, scripting

💥 Want a Fully-Loaded Cloud Pentest Lab Setup?

I can generate a ready-to-go lab setup with:

✅ AWS: CloudGoat + Pacu + custom scripts
✅ Azure: AzureGoat + MicroBurst
✅ GCP: GCPBucketBrute + simulated misconfigs
✅ Hybrid: Federated SSO misconfig with Okta/ADFS
✅ Monitoring: GuardDuty, CloudTrail, or Sentinel for blue team feedback

PreviousAWS NextBug Bounty Hunting

Last updated 2 months ago

Was this helpful?