You've gained access to a pod in the staging environment. To beat this challenge, you'll have to spread throughout the cluster and escalate privileges. Can you reach the flag? Good luck! Kubernetes environment, goal is to get details in the kube-system. We can start by enumerating…
We have got intelligence that one our developers at Ack-Me Corp is working on a weekend side-project where he is vibe coding an internal knowledge-base chatbot for our company, where he put all of our customer records and sensitive data inside it. Your mission, if you choose to accept it…
I participated in HackTheBox's first defensive-focused CTF event this week with my team Kapital, ending with a 4th place finish (and only seconds away from that 3rd place podium finish). In this CTF the main challenge I worked on was The Enduring Echo, a DFIR challenge where we…
As an APT group targeting Azure, you've discovered a web app that creates admin users, but they are heavily restricted. To gain initial access, you've created a malicious OAuth app in your tenant and now seek to deploy it into the victim's tenant. Can…
This is my writeup for July's challenge of Wiz's Cloud Security Championship. They plan to release a CTF challenge for each month of the year, each created by one of their own researchers. You can find my previous solves below: Perimeter Leak - Wiz Cloud CTF…
Over the weekend I spent time working on the Cloud Village CTF put on this year at Defcon 33. While you needed to be present physically to be eligible for any prizing if you were to place in the top 3, the challenges (outside of one) were available to complete…
This is my writeup for June's challenge of Wiz's Cloud Security Championship. They plan to release a CTF challenge for each month of the year, each created by one of their own researchers. We're provided with a shell on an EC2 instance to begin.…
In Part 1 I wrote about enterprise IdPs (Azure AD, Okta, etc.) and how suspicious sign-in behavior can present itself. Now we turn to the cloud accounts themselves, which have their own native identities and access mechanisms in AWS, Azure, and GCP. Each cloud has its own primitives (AWS IAM…
