GCP-Pentest-Lab – A reproducible cloud pentesting lab in GCP

During the year 2023, I was a Cloud Security lecturer at FIAP. Long story short, it was an amazing experience.

However, when we got to the more “red-team” parts of the course, I had trouble finding educational resources. I wanted a pentesting lab that would allow my students to exploit real-world misconfigurations, without the usual CTF-like guessing games or weird cryptography shenanigans.

So, after looking around and not finding something to my tastes… I decided to create one! It is fully available here:

https://github.com/lacioffi/GCP-pentest-lab

The challenges are centered around finding and exploiting exposed data, collecting additional information after initial access, and then using cloud-native resources (such as the GCP CLI) and more traditional ones (such as SSH) to pivot, enumerate and escalate privileges inside the environment.

The user starts the lab as a visitor of the company’s website, and can end up as the cloud account administrator by exploiting a series of misconfigurations.

The laboratory is made in GCP and uses Terraform for provisioning. This makes the environment fully reproducible and easy to install. If anything weird happens, you can just nuke the entire environment with a few Terraform commands and create a new one. The installation shouldn’t take more than 10 minutes the first time.

I also gave a talk about this lab at H2HC 2023’s Cloud Village. The slides are available at the link below, in Portuguese. They contain additional details about some design decisions, a partial walkthrough and other behind-the-scenes information.

https://docs.google.com/presentation/d/13-cm35cxB1M8XyAyLQvVTW1H_wJWh-SZhCTTHU-hTAU/edit?usp=sharing