flAWS 2

2018.12.07


In February 2017, I released the flAWS challenge, flaws.cloud. I was running security for a company at the time and built it to teach my devops team about the issues in AWS that I was worried about, and as a personal challenge, I created it in such a way that anyone in the world could play it and learn from it.

I now do independent AWS security consulting and there is only so much I can fix and teach at a time. So to help further train people, I’m proud to announce a new set of challenges, flAWS 2!

Try it out at flaws2.cloud

I’m always focused on helping defenders, but it seemed the original flAWS got the most attention from attackers. For flAWS 2, I really wanted to ensure that defenders learn not only the techniques attackers could use against them, but also key skills like log analysis and how to assess accounts (something I do a lot of). So this time around there are two tracks, one for attackers and one for defenders, against the same environment.

The original flAWS showed people how easily public S3 buckets can be found. Although it had other levels to teach other key concepts, a large number of people seemed not to discover that it had more, thinking it was just a whole set of challenges about S3 buckets. This time it skips the S3 bucket issues, and instead you’ll exploit serverless (Lambda) and containers (ECS with Fargate).

Thank you Maxime Leblanc who wrote about many of the ideas used in this challenge in his post Privilege escalation in the Cloud: From SSRF to Global Account Administrator. He also created DVCA, a vulnerable cloud infrastructure to deploy in your own environment. For those looking for other AWS hacking challenges, there is also CloudGoat from Rhino Security Labs.

flAWS 1 and 2 stand out as being always-on challenges, running out of someone else’s (my own) account. This does limit some of the attacks that are possible: looking at the logs of the original flAWS, I found that people will try everything they can to break the game or otherwise abuse any access they are given. So I tried my best to teach as many concepts as I could, but there is still much more to learn!