Breaching AWS

Course overview, AWS attack methodology, and lab environment setup including tooling and access configuration.

Ethical and legal guidelines for the course labs, scope boundaries, and responsible disclosure expectations.

Discover and access publicly exposed S3 buckets to enumerate objects, extract sensitive data, and map storage attack surface.

Claim dangling DNS records pointing to deprovisioned AWS services such as Elastic Beanstalk and S3 to intercept traffic.

Extract secrets and sensitive data from exposed or misconfigured EBS snapshots by mounting them in a controlled environment.

Abuse AWS Systems Manager Session Manager to enumerate EC2 instances and execute commands without SSH or open inbound ports.

Exploit over-privileged IAM roles and the EC2 Instance Metadata Service (IMDS) to assume roles and abuse SNS for privilege escalation.

Intercept and capture AWS credentials transmitted through misconfigured SNS topic subscriptions and HTTP endpoints.

Exploit a vulnerable Lambda function to achieve remote code execution and extract environment variables containing secrets.

Enumerate accessible DynamoDB tables and exfiltrate records using compromised IAM credentials.

Push a backdoored container image to Elastic Container Registry and trigger its deployment to gain code execution inside ECS or EKS workloads.

Execute phishing attacks targeting AWS IAM Identity Center (SSO) to harvest session tokens and gain access to multiple AWS accounts.

Map permission sets and account assignments across AWS organizations using IAM Identity Center to identify privilege escalation paths.

Enumerate IAM users, roles, and policies, then extract secrets from AWS Secrets Manager and Systems Manager Parameter Store.

Abuse a misconfigured Rancher instance to gain direct access to Kubernetes pods and escalate privileges within the cluster.

Enumerate RDS database instances, obtain connection credentials, connect to the database, and retrieve the final lab flag.