Wiz: The Ultimate Cloud Security Championship
Feel free to reach out on LinkedIn or any of my socials in case you need help with the challenge.
Loose resource policies enable the attacker to perform unauthenticated data exfiltration from an S3 bucket. The attacker is able to collect and derive all the resource ARNs via publicly available endpoints.
Exploiting Race condition to gain access to the web app as admin
Moving laterally and abusing secret creation to create a secret of type service account token and obtain a privileged user's token. Then abusing the proxy and status subresources to proxy requests and authenticate with the kube-apiserver itself, gaining the cluster-admin role and leaking secrets and all other cluster information.
Exploiting a race condition to obtain sensitive information using the Terraform state file RCE vulnerability.
Using OSINT tools to deep dive into enumeration and exploiting misconfigured services to gain access to restricted endpoints.
Step-by-step attack chain abusing Azure Graph API with OAuth client credentials, dynamic group rules, and guest invitations to exfiltrate blob storage data. Includes defensive gaps, mitigations, and security best practices.
End-to-end CTF write-up: sniff PostgreSQL creds with tcpdump, gain RCE via COPY FROM PROGRAM, escalate with sudo, and break out to host using /proc/sys/kernel/core_pattern. Includes detection & mitigations.
Cloud Security CTF Writeup: Exploiting AWS IMDSv2, SSRF, and Spring Boot Actuator misconfigurations to access restricted S3 buckets.