☁️

Cloud / DevOps

Cloud challenges cover misconfigurations and vulnerabilities in AWS, Azure, GCP, Docker, and Kubernetes — from exposed S3 buckets and leaked credentials to container escapes and IAM privilege escalation.

What is it?

Cloud / DevOps security focuses on vulnerabilities specific to modern infrastructure: cloud platforms (AWS, Azure, GCP), container orchestration (Kubernetes, Docker), Infrastructure-as-Code (Terraform, CloudFormation), and CI/CD pipelines.

Unlike traditional security, the attack surface here is largely configuration-driven. A single IAM policy with excessive permissions or a publicly accessible S3 bucket can expose an entire organisation's data without any code vulnerability involved.

How it works in a CTF

In a CTF, cloud challenges give you credentials, a running cloud environment, a Docker image, or a Kubernetes config and ask you to escalate privileges, read a protected secret, or escape a container to reach the flag.

Common workflow: enumerate accessible resources (S3, EC2, IAM policies) → query the metadata service (169.254.169.254) → find misconfigured permissions → escalate → read the flag from a secrets manager or root volume.

Example challenge types
- S3 bucket public read (list + download)
- EC2 instance metadata credential theft
- IAM privilege escalation (PassRole)
- Lambda function code leak
- Docker socket escape to host
- Kubernetes RBAC misconfiguration
- Exposed .env in public repository
- SSM Parameter Store secret read
- ECS task role abuse
- Terraform state file leak (S3)
- GitHub Actions secret exfiltration
- Container image layer secret extraction

Sample Challenge

BucketList
Cloud · Easy · 125 pts
You have been given the domain name of a small startup: startup-assets.s3.amazonaws.com. The security team suspects the S3 bucket has a misconfigured ACL. Investigate and retrieve the flag.
How to solve it
  1. List the bucket without credentials: `aws s3 ls s3://startup-assets --no-sign-request`. It succeeds, confirming a public-read ACL.
  2. Browse the listing and spot an interesting file: `internal/config_backup.json`.
  3. Download it: `aws s3 cp s3://startup-assets/internal/config_backup.json . --no-sign-request`.
  4. Open the JSON: it contains an `aws_secret_access_key` and a `flag` field.
  5. Read the flag value directly from the file.
FLAG{publ1c_s3_1s_n0t_priv4te}
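
Seen from the defender's side, the misconfiguration this challenge relies on appears in the bucket ACL as a grant to one of S3's global groups. The following is an added example, not part of the original challenge: a Python check over the JSON that `aws s3api get-bucket-acl` returns. The sample ACL and the owner ID in it are constructed, and the function name `public_grants` is an assumption made for this illustration.

```python
import json

# Global grantee groups that make an S3 ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# What each ACL permission allows when it is granted on a bucket.
BUCKET_PERMISSIONS = {
    "READ": "list objects",
    "WRITE": "write objects to the bucket",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "READ, WRITE, READ_ACP and WRITE_ACP",
}


def public_grants(acl_json):
    """Return (grantee, permission, effect) for every public grant in an ACL."""
    acl = json.loads(acl_json)
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        # Only Group grantees carry a URI; CanonicalUser grants are per-account.
        who = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and who:
            perm = grant.get("Permission", "")
            findings.append((who, perm, BUCKET_PERMISSIONS.get(perm, "unknown")))
    return findings


# Constructed sample: the owner has full control and AllUsers has READ, the
# grant that lets an unsigned `aws s3 ls` of the bucket succeed.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
})

if __name__ == "__main__":
    for who, perm, effect in public_grants(SAMPLE_ACL):
        print(f"PUBLIC: {perm} granted to {who}: can {effect}")
```

A non-empty result means the ACL itself is public; enabling S3 Block Public Access on the bucket makes S3 ignore such grants.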

Getting Started Tips

💡 Tip: The EC2 instance metadata service (169.254.169.254) is your first move after gaining any foothold — it often leaks IAM credentials.
💡 Tip: Always check for public S3 buckets: `aws s3 ls s3://target-bucket --no-sign-request` works without credentials.
💡 Tip: flaws.cloud is the best starting point — work through all six levels before tackling CTF cloud challenges.
💡 Tip: For Kubernetes: check for open API servers (port 6443/8080), misconfigured RBAC, and secrets mounted as environment variables in pods.