Challenges

Cloud Easy

EC2 IMDS Credential Theft via SSRF

An EC2 web app has an SSRF vulnerability. Use it to reach the Instance Metadata Service (169.254.169.254) and steal IAM role credentials. Decode the flag hidden in the Token field.

150 pts
Cloud Easy

Exposed S3 Bucket

The acmecorp-backup-dev bucket has a public-read ACL. Anyone can list objects and download them without credentials. Enumerate the bucket, find flag.b64, download and decode it.

100 pts
Cloud Medium

CloudFormation Secrets Exposure

infra.yaml was committed to a public repo. It contains hardcoded parameter defaults and a UserData bootstrap script with a multi-encoded BOOTSTRAP_TOKEN variable.

250 pts
Cloud Medium

IAM Privilege Escalation

The 'developer' IAM user has iam:CreatePolicyVersion. Use it to inject an Allow:* statement into the AdminPolicy, escalate to full admin, then read the flag from SSM.

250 pts
Cloud Medium

Lambda SSRF → IMDS

A Lambda function fetches any user-supplied URL with no validation. SSRF it to 169.254.169.254 to steal the execution role's temporary credentials, then use them to read an SSM flag.

300 pts
Cloud Hard

Azure AD JWT Claim Abuse

A captured Azure AD Bearer token contains a custom claim with a nested encoded value. Decode the JWT payload (base64url) and extract the flag from the x_internal_token claim.

400 pts
Cloud Hard

Container Escape via Privileged Pod

A 'debug' pod runs with privileged:true and mounts the host filesystem at /host-root. From inside the container, read /host-root/root/.flag_cld7 to escape the container boundary.

400 pts
Cloud Hard

Kubernetes RBAC Misconfiguration

dev-sa has a ClusterRoleBinding granting it read access to all secrets cluster-wide. Use it to read a ConfigMap (XOR key) and a Secret (encoded payload) from the prod namespace, then combine them.

350 pts
Cloud Insane

GCP Service Account Key Leak

A GCP SA key was committed to a public repo then 'deleted' — but git history is permanent. Recover the key, authenticate to GCP, and read the flag from a GCS bucket.

450 pts
Cloud Insane

Terraform State File Exposure

terraform.tfstate was stored in a public S3 bucket. It contains all resource attribute values including a 3-layer encoded SSM parameter. Parse, identify, and decode it.

500 pts