TROOPERS20 Training Teaser: Attack And Defence In AWS: Chaining Vulnerabilities To Go Beyond The OWASP Top 10

Attackers are everywhere. They are now on the cloud too! Attacking the most popular cloud provider, AWS, requires knowledge of how different services are set up, what defences need to be bypassed, what service attributes can be abused, where information can be leaked, how to escalate privileges, what monitoring solutions may be present in the environment and so on! We try to answer these questions in our intense, hands-on, scenario-driven training on attacking and subsequently defending against the attacks on AWS.

As an attacker or defender, if you have ever asked any of the following questions, this training is for you:

  • Is there a process to attacking the cloud or do we go after the services as and when they are discovered?
  • Is SSRF the only vulnerability to access the metadata service on EC2?
  • How do I use stolen AWS secret keys to attack further?
  • How do I cover my tracks in an AWS environment?
  • If I can’t see a service due to a security group, can I still attack it?
  • How do I create better wordlists to discover and exploit S3 buckets that have uncommon names?
  • Can I impersonate other users within AWS?
  • Is there a way to extract secrets from AWS Lambda?
  • How do I prevent credential compromise in AWS?
  • How can I be sure there is no attacker already within my cloud infrastructure?
  • How do I enumerate and move between accounts that are part of AWS organisations?

As part of the training, students will learn to enumerate, exploit and pivot across AWS. The training is created using real-world attacks and exploit scenarios and newsworthy AWS data breaches that stole the headlines over the last couple of years.

The training will teach you the tools and techniques to find vulnerabilities across common services and uncommon endpoints and chain them to perform post-exploitation within AWS, truly going beyond the OWASP Top 10.

We will end the two-day training with a fun CTF that will pickle your brains and allow you to compete for flags with the others 🙂

As fun reading and to get some context on the kind of bugs we find and have included in the training, please see our AWS related posts on

What do I need to know to get the most out of the training?

The pre-requisites are very minimal. The way our training is designed, a basic understanding of the following concepts can get you up and running through the exercises in no time:

  1. Familiarity with the AWS console – The console is very intuitive and can be used by folks who have never seen it before;
  2. Familiarity with Security Testing Basics like XSS, SQL Injection etc. – We will be using multiple common security weaknesses to provide us with a foothold into AWS;
  3. Some experience with using tools like nmap and Burp – We will be sparingly using these tools and even when we are, the steps are all documented 🙂
  4. Comfortable with having used a terminal program like cmd or bash. We will be running some commands over SSH and bash. Again, this is documented!
  5. Basics of HTTP and JavaScript – If you know how to view source and search through web pages, you are already set up;
  6. Basics of networking – If you know how to ping and find your IP address using the command line, you are good to follow what’s happening in class.

What software or hardware would I need?

This can be answered in many ways; however, the following setup in our experience works as a baseline. Please note, these are mandatory things to consider for the training:

  1. A laptop running a modern OS (Windows 10/Linux/OSX);
  2. You need to be an administrator on this machine;
  3. At least 8 GB RAM and 30 to 40 GB of disk space free – we will be running a virtual machine;
  4. VirtualBox – any version above 5.2.3X will do;
  5. Ability to connect to the Internet over wireless;
  6. Most important – A working AWS account activated for payments – Log in to AWS > Go to Services > EC2. If you don’t see any errors, you should be good to go!

How is the training delivered?

  • This training is delivered by 2 trainers with several years of experience between them in breaking apps running on desktops, mobile phones, services running on the network and of course testing (breaking) apps and servers on the cloud.
  • We have multiple scenarios created for the training. Each student will get their own private environment to attack and play in, which will be set up using our setup scripts.
  • The training will have documentation in the form of gitbooks created with markdown and hosted online during the training.
  • This documentation (in PDF and ebook formats) along with all the scripts and VMs will be provided to the students as part of the training.

This sounds very cool! What do I do next?

You are right! It’s way cooler when you are doing the training with us. Sign up for the training here.

We are very excited to deliver this training as it has never-before-seen content and lots of hands-on exercises. Hoping to see you in the training room!

Riyaz Walikar & Bharath.