Cloud Labs and CTF Environments
PurpleCloud - Azure Identity Lab and Firing Range
Generates vulnerable Terraform configs for AD, Azure AD, Storage, Managed Identity, etc., together with a HELK stack. Really great resource.
Generate some labs
cd C:\Git\PurpleCloud\generators
# AD
cd .\ad\
python3 .\ad.py -e 2 -dc -ad downward.spiral -dj -he -au 10 -u entadmin -l centralus
cd ..
# AAD join with a user-assigned managed identity
cd .\aadjoin
python3 .\aadjoin.py -c 5 -u downward.cloud -l "East US" -e 2 -ua contributor -a cloudita
# Azure AD lab. This adds some service principal abuse attack primitives to random resources.
# --apps 7 creates 7 Azure AD applications (App Registrations) with associated Service Principals (Enterprise Applications).
# -aa assigns the Application Administrator role randomly to one of the 25 Azure AD users.
# -ga assigns the Global Administrator role randomly to one of the 7 application SPs.
# -pra assigns the Privileged Role Administrator role randomly to another of the 7 application SPs.
python3 azure_ad.py -c 25 --upn downward.spiral --apps 7 -aa -ga -pra --groups 3
# Managed Identity lab - Windows 10 endpoint with a User Assigned Identity (Owner role) + System Assigned Identity
python3 managed_identity.py -u downward.spiral -n downward -l eastus -a RTCAdmin -ua owner -sa
Then, from the DC, run either BadBlood or something like vulnerable-AD to make the domain vulnerable:
$domain = "downward.spiral"
IEX((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/wazehell/vulnerable-AD/master/vulnad.ps1"));
Invoke-VulnAD -UsersLimit 20 -DomainName $domain
GOAD - Game of Active Directory
git clone https://github.com/Orange-Cyberdefense/GOAD
pwnedlabs - Azure, AWS and GCP - Free and Paid
It’s like TryHackMe for cloud. Great labs.
RedTeamLabs - Free Altered Security Azure Labs
From the CARTP certification’s company, awesome free Azure labs.
Read2Own - Red Team Lab - Writeup and Repo
PowerShell/Portal scenario-based lab for pivoting from read access to takeover
Mandiant - Attack and Detect
Two meaty scenarios, kc1 took me a couple of days.
AzureGoat - Web-based attack vectors
The Goat. Web-heavy; some initial access through web app vulnerabilities.
XMGoat - Azure
Terraform-based lab with 5 different scenarios
Blog Article with Good Lab - Storage/DynamicGroups
https://blog.improsec.com/tech-blog/read2own
brokenazure.cloud - A cool CTF with good privesc
This one's fun: they host it, so you can find your way in through the main URL below, or deploy it yourself / audit the Terraform.
Convex - Two-Subscription CTF w/ 3 modules
BadZure - Randomized Lab
Different every time; good for practicing enumeration.
pwsh
Install-Module Microsoft.Graph -Scope CurrentUser -Force
git clone https://github.com/mvelazc0/BadZure
cd BadZure
. ./Invoke-BadZure.ps1
# Get Help Menu
Get-Help Invoke-BadZure -Detailed
# Populate a tenant and configure all attack paths with verbose logging
# Note: Authenticate with the new global administrator created in the same directory.
$tenant = ""
Invoke-BadZure -Build -Verbose -TenantId $tenant
# Populate a tenant and configure a random attack path
Invoke-BadZure -Build -RandomAttackPath -TenantId $tenant
# Populate a tenant, configure all attack paths and use a custom password for initial access
Invoke-BadZure -Build -Password Summer2023! -TenantId $tenant
# Populate a tenant, configure a random attack path and provide JWT access tokens for initial access
Invoke-BadZure -Build -RandomAttackPath -Token -TenantId $tenant
# Populate a tenant without attack paths
Invoke-BadZure -Build -NoAttackPaths -TenantId $tenant
# Destroy
Invoke-BadZure -Destroy -Verbose -TenantId $tenant
AzureAD - Attack Defense - Companion Piece to BadZure - Comprehensive Resource w/ attack scenarios and detections
Attack paths and KQL
AWS
CloudGoat - Vulnerable AWS deployment tool
Sadcloud - Vulnerable Env via Terraform
Runs about 10 dollars per 24 hours.