Challenges

Clear
All 138 Web 14 Pwn 11 Crypto 11 Forensics 11 Rev 10 Misc 11 OSINT 10 network 11 Mobile 14 Cloud 14 web3 12 Linux 9
Cloud Easy

Docker Registry Exposure

A private Docker registry is exposed on port 5000 without authentication (registry v2 API). Enumerate repositories, pull a suspicious image tagged 'internal/debug:latest', and find the flag embedded in an environment variable set in one of the image layers.

200 pts
Cloud Easy

EC2 IMDS Credential Theft via SSRF

An EC2 web app has an SSRF vulnerability. Use it to reach the Instance Metadata Service (169.254.169.254) and steal IAM role credentials. Decode the flag hidden in the Token field.

150 pts
Cloud Easy

Exposed S3 Bucket

acmecorp-backup-dev has public-read ACL. Anyone can list objects and download them without credentials. Enumerate the bucket, find flag.b64, download and decode it.

100 pts
Cloud Medium

AWS Secrets Manager via Misconfigured Role

An EC2 instance profile has secretsmanager:GetSecretValue allowed on '*' instead of specific ARNs. Assume the role (credentials are in the provided config) and enumerate all secrets. One secret named /prod/internal/ctf-flag contains the flag. The challenge tests least-privilege awareness.

300 pts
Cloud Medium

Azure Storage SAS Token Abuse

A SAS (Shared Access Signature) token was leaked in a JavaScript file on a public website. The token grants List+Read on the 'backups' container of an Azure Storage account. Use the token to list blobs and download flag.txt from the container.

300 pts
Cloud Medium

CloudFormation Secrets Exposure

infra.yaml was committed to a public repo. It contains hardcoded parameter defaults and a UserData bootstrap script with a multi-encoded BOOTSTRAP_TOKEN variable.

250 pts
Cloud Medium

IAM Privilege Escalation

The 'developer' IAM user has iam:CreatePolicyVersion. Use it to inject an Allow:* statement into the AdminPolicy, escalate to full admin, then read the flag from SSM.

250 pts
Cloud Medium

Lambda SSRF → IMDS

A Lambda function fetches any user-supplied URL with no validation. SSRF it to 169.254.169.254 to steal the execution role's temporary credentials, then use them to read an SSM flag.

300 pts
Cloud Hard

Azure AD JWT Claim Abuse

A captured Azure AD Bearer token contains a custom claim with a nested encoded value. Decode the JWT payload (base64url) and extract the flag from the x_internal_token claim.

400 pts
Cloud Hard

Container Escape via Privileged Pod

A 'debug' pod runs with privileged:true and mounts the host filesystem at /host-root. From inside the container, read /host-root/root/.flag_cld7 to escape the container boundary.

400 pts
Cloud Hard

GitHub Actions Secret Exfiltration

A public GitHub repository has a misconfigured Actions workflow: it's triggered by pull_request_target (not pull_request) and checks out the PR branch code without restrictions. Fork the repo, submit a PR that modifies the workflow to exfiltrate secrets to a webhook, and retrieve the CI_FLAG secret.

450 pts
Cloud Hard

Kubernetes RBAC Misconfiguration

dev-sa has a ClusterRoleBinding granting it read access to all secrets cluster-wide. Use it to read a ConfigMap (XOR key) and a Secret (encoded payload) from the prod namespace, then combine them.

350 pts
Cloud Insane

GCP Service Account Key Leak

A GCP SA key was committed to a public repo then 'deleted' — but git history is permanent. Recover the key, authenticate to GCP, and read the flag from a GCS bucket.

450 pts
Cloud Insane

Terraform State File Exposure

terraform.tfstate was stored in a public S3 bucket. It contains all resource attribute values including a 3-layer encoded SSM parameter. Parse, identify, and decode it.

500 pts