Join us at the fwd:cloudsec conference as Bishop Fox Cloud Principal Seth Art presents his session, "CloudFox + CloudFoxable: A Powerful Duo for Mastering the Art of Identifying and Exploiting AWS Attack Paths" on Tuesday, June 13 at 9:20 a.m. PT.
CloudFox + CloudFoxable: A Powerful Duo for Mastering the Art of Identifying and Exploiting AWS Attack Paths
CloudFox helps penetration testers and security professionals find exploitable attack paths in cloud infrastructure. But what if you want to practice finding and exploiting attack paths through services that are not present in the environment you are currently testing? And what if you have no access to an enterprise AWS environment at all?
Enter CloudFoxable, an intentionally vulnerable AWS environment created specifically to showcase CloudFox’s capabilities and help you find latent attack paths more effectively. Drawing inspiration from CloudGoat, flaws.cloud, and Metasploitable, CloudFoxable provides a wide array of flags and attack paths in a CTF format.
In this talk, we'll demonstrate some of CloudFoxable's CTF challenges that “blur the lines”, including an IAM role that trusts a GitHub repository via OIDC, an SNS topic with an overly permissive resource policy that leads to remote code execution, and an exploit path that leads from a vulnerable AWS OpenSearch domain to a private GitHub repository with the flag.
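The first challenge mentioned above, an IAM role that trusts a GitHub repository via OIDC, is a good illustration of why such paths "blur the lines": whether the trust is safe is decided entirely by the conditions in the role's trust policy, not by anything inside AWS. The following audit is an added example, not code from the talk, CloudFox or CloudFoxable, and the two sample policies are constructed with placeholder account IDs and repository names. It applies the published GitHub/AWS guidance for `AssumeRoleWithWebIdentity` trusts: pin the `aud` claim, and scope the `sub` claim to one repository (ideally one branch, tag or environment), because a trust with no `sub` condition can be assumed by a workflow in any GitHub repository.

```python
"""Audit an IAM role trust policy for an over-broad GitHub Actions OIDC trust.

Added example, not code from the talk or from CloudFox/CloudFoxable. The
sample policies below are constructed; account ID and repository names are
placeholders.
"""

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC_ISSUER}:sub"
AUD_KEY = f"{GITHUB_OIDC_ISSUER}:aud"


def _as_list(value):
    """IAM policy JSON lets a scalar stand in for a single-element list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def github_oidc_findings(trust_policy: dict) -> list:
    """Return human-readable findings for every Allow statement that lets the
    GitHub OIDC provider call sts:AssumeRoleWithWebIdentity.

    Checks: the aud claim is pinned (normally to sts.amazonaws.com); the sub
    claim names exactly one repository; and, when StringLike is used, the sub
    pattern does not leave the branch/tag/environment part open.
    """
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not any(GITHUB_OIDC_ISSUER in p for p in federated):
            continue
        sid = stmt.get("Sid", "<no Sid>")

        subs, auds = [], []
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                if key == SUB_KEY:
                    subs.extend((operator, v) for v in _as_list(value))
                elif key == AUD_KEY:
                    auds.extend(_as_list(value))

        if not auds:
            findings.append(f"{sid}: no {AUD_KEY} condition; audience is not pinned")
        if not subs:
            findings.append(f"{sid}: no {SUB_KEY} condition; any GitHub repository can assume this role")

        for operator, sub in subs:
            # sub claims look like "repo:<owner>/<name>:ref:refs/heads/main"
            parts = sub.split(":", 2)
            repo = parts[1] if len(parts) > 1 and parts[0] == "repo" else ""
            if not repo or "*" in repo or "?" in repo:
                findings.append(f"{sid}: sub {sub!r} does not pin a single repository")
            elif operator.startswith("StringLike") and len(parts) > 2 and "*" in parts[2]:
                findings.append(f"{sid}: sub {sub!r} pins the repository but allows any branch, tag, PR or environment")
    return findings


def _github_trust(condition: dict) -> dict:
    """Build a constructed trust policy for the GitHub OIDC provider (placeholder account)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "GitHubActions",
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Constructed sample: audience pinned, but no sub condition at all.
WEAK_POLICY = _github_trust({"StringEquals": {AUD_KEY: "sts.amazonaws.com"}})

# Constructed sample: repository pinned, but any ref in it may assume the role.
ORG_REPO_ANY_REF_POLICY = _github_trust({
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
    "StringLike": {SUB_KEY: "repo:example-org/example-repo:*"},
})

# Constructed sample: audience and one branch of one repository pinned.
HARDENED_POLICY = _github_trust({
    "StringEquals": {
        AUD_KEY: "sts.amazonaws.com",
        SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main",
    }
})

if __name__ == "__main__":
    for name, policy in [("weak", WEAK_POLICY), ("any-ref", ORG_REPO_ANY_REF_POLICY), ("hardened", HARDENED_POLICY)]:
        print(name, github_oidc_findings(policy) or ["no findings"])
```

The function only reads the trust policy document, so it can be pointed at the output of `aws iam get-role` for every role in an account; a role with a finding is exactly the kind of cross-boundary trust that a CTF challenge such as the one described above turns into an attack path.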