
github.com/RhinoSecurityLabs/cloudgoat @v2.5.0 sqlite

3,043 symbols 8,787 edges 146 files 1,136 documented · 37%
README

CloudGoat (☁️🐐)


CloudGoat is Rhino Security Labs' "Vulnerable by Design" cloud deployment tool.

Quick reference

CloudGoat 2.0 is here!

CloudGoat is Rhino Security Labs' "Vulnerable by Design" cloud deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios. Each scenario is composed of cloud resources arranged together to create a structured learning experience. Some scenarios are easy, some are hard, and many offer multiple paths to victory. As the attacker, it is your mission to explore the environment, identify vulnerabilities, and exploit your way to the scenario's goal(s).

Below are our main goals for CloudGoat:

  • Focused, Curated, High-Quality Learning Experiences - Each of CloudGoat’s scenarios should provide the opportunity for experimentation, exploration, and building hands-on cloud security skills.
  • Good Documentation - We've done our best to ensure that CloudGoat’s scenarios are well-documented and easy to understand and evaluate in terms of difficulty, content, structure, and skills-required.
  • Easy to Install and Use - We understand that CloudGoat is a means to an end - learning and practicing cloud security penetration testing. Therefore, we aim to keep things simple, straightforward, and reliable.
  • Modularity - Each scenario is a standalone learning environment with a clear goal (or set of goals), and CloudGoat is able to start up, reset, or shut down each scenario independently.
  • Expandability - CloudGoat’s core components (python app and scenarios) are designed to permit easy and independent expansion - by us or the community.

Before you proceed, please take note of these warnings!

Warning #1: CloudGoat creates intentionally vulnerable resources in your account. DO NOT deploy CloudGoat in a production environment or alongside any sensitive resources.

Warning #2: CloudGoat can only manage resources it creates. If you create any resources yourself in the course of a scenario, you should remove them manually before running the destroy command.

Requirements

  • Linux or macOS. Windows is not officially supported.
  • Argument tab-completion requires bash 4.2+ (Linux, or OSX with some difficulty).
  • Python 3.9+ is required.
  • Terraform >= 1.5.0 installed and in your $PATH.
  • The AWS CLI installed and in your $PATH, and an AWS account with sufficient privileges to create and destroy resources.
  • The AZ CLI installed and in your $PATH, and an Azure account with sufficient privileges to create and destroy resources.
  • jq

Linux

sudo apt install terraform awscli azure-cli jq -y

Mac

brew install terraform awscli azure-cli jq

Quick Start

To install CloudGoat, make sure your system meets the requirements above, and then run the following commands:

pipx install cloudgoat

You may also want to run some quick configuration commands - it'll save you some time later:

Configure for AWS - tell CloudGoat which AWS profile to use.

cloudgoat config aws

Configure for Azure - tell CloudGoat which Azure subscription to use.

cloudgoat config azure

Log in to Azure - CloudGoat uses the active az account.

az login

Configure whitelist

cloudgoat config whitelist --auto

Now, at your command, CloudGoat can create an instance of a scenario in the cloud. When the environment is ready, a new folder will be created in the project base directory named after the scenario and with a unique scenario ID appended. Inside this folder will be a file called start.txt, which will contain all of the resources you'll need to begin the scenario, though these are also printed to your console when the create command completes. Sometimes an SSH keypair named cloudgoat/cloudgoat.pub will be created as well.

Note: Don't delete or modify the scenario instance folder or the files inside, as this could prevent CloudGoat from being able to manage your scenario's resources.

As you work through the scenario, feel free to refer to the scenario's readme if you need direction. If you get stuck, there are cheat sheets linked at the bottom of each route's walkthrough.

When you are finished with the scenario, delete any resources you created yourself (remember: CloudGoat can only manage resources it creates) and then run the destroy command. It's always a good idea to take a quick glance at your web-console afterwards - just in case something didn't get deleted.

You can read the full documentation for CloudGoat's commands here in the Usage Guide section.

How to use CloudGoat's Docker image


Option 1: Run with default entrypoint

docker run -it rhinosecuritylabs/cloudgoat:latest

Option 2: Run with AWS config and credentials

Warning: Running this command will mount your local AWS configuration files into the Docker container when it is launched. This means that any user with access to the container will have access to your host computer's AWS credentials.

docker run -it -v ~/.aws:/root/.aws/ rhinosecuritylabs/cloudgoat:latest

Scenarios Available

(Grouped by Difficulty)

Easy


iam_enum_basics (Easy)

cloudgoat create iam_enum_basics

In this scenario, you start with the access keys for a low-level IAM user named Bob. Your task is to perform thorough IAM enumeration using the AWS CLI. By investigating managed policies, inline policies, group memberships, and assumable roles, you will uncover five distinct flags.

Visit Scenario Page.

Contributed by Tyler Ramsbey


data_secrets (Easy)

cloudgoat create data_secrets

In this scenario, you start with an IAM user with limited permissions. Your task is to identify a misconfigured EC2 instance leaking credentials in its User Data, allowing you to gain SSH access. From there, you must pivot by exploiting the Instance Metadata Service (IMDS) to steal a role, enumerate Lambda functions to find hidden environment variables, and finally compromise a user with access to the scenario's objective: a secret stored in AWS Secrets Manager.

Visit Scenario Page.

Contributed by Tyler Ramsbey


beanstalk_secrets (Easy)

cloudgoat create beanstalk_secrets

In this scenario, you are provided with low-privileged AWS credentials that grant limited access to Elastic Beanstalk. Your task is to enumerate the Elastic Beanstalk environment and discover misconfigured environment variables containing secondary credentials. Using these secondary credentials, you can enumerate IAM permissions to eventually create an access key for an administrator user. With these admin privileges, you retrieve the final flag stored in AWS Secrets Manager.

Visit Scenario Page.

Contributed by Tyler Ramsbey


sns_secrets (Easy)

cloudgoat create sns_secrets

In this scenario, you start with basic access to an AWS account. You need to enumerate your privileges, discover an SNS Topic you can subscribe to, retrieve a leaked API Key, and finally use the API Key to access an API Gateway for the final flag.

Visit Scenario Page.

Contributed by Tyler Ramsbey


iam_privesc_by_key_rotation (Easy)

cloudgoat create iam_privesc_by_key_rotation

Exploit insecure IAM permissions to escalate your access. Start with a role that manages other users' credentials and find a weakness in the setup to access the "admin" role. Using the admin role, retrieve the flag from Secrets Manager.

Visit Scenario Page.

Contributed by Infrasec.sh


iam_privesc_by_rollback (Easy)

cloudgoat create iam_privesc_by_rollback

Starting with a highly-limited IAM user, the attacker is able to review previous IAM policy versions and restore one which allows full admin privileges, resulting in a privilege escalation exploit.

Visit Scenario Page.
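
A defender's view of the condition this scenario relies on, as an added example that is not part of CloudGoat: it scans customer-managed policies for non-default versions that still grant full admin. The policy names and sample data are constructed, and the input is assumed to be the decoded "Policies" list from `aws iam get-account-authorization-details`.

```python
# Constructed sample, shaped like the "Policies" list that
# `aws iam get-account-authorization-details --filter LocalManagedPolicy` prints.
def _ver(vid, default, action):
    doc = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": action, "Resource": "*"}]}
    return {"VersionId": vid, "IsDefaultVersion": default, "Document": doc}

SAMPLE_POLICIES = [
    {"PolicyName": "example-limited-policy",      # hypothetical name
     "PolicyVersionList": [_ver("v1", True, ["iam:Get*", "iam:List*"]),
                           _ver("v2", False, "*"),
                           _ver("v3", False, "s3:Get*")]},
    {"PolicyName": "example-break-glass-policy",  # hypothetical name
     "PolicyVersionList": [_ver("v1", True, "*")]},
]

def _as_list(value):
    """IAM allows a single item or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def is_admin_statement(stmt):
    """True for an Allow statement covering every action on every resource.
    Conditions are ignored, so a conditioned statement is still reported."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return "*" in actions and "*" in resources

def risky_dormant_versions(policies):
    """Return (policy name, version id) for non-default versions granting admin."""
    findings = []
    for policy in policies:
        for version in policy.get("PolicyVersionList", []):
            if version.get("IsDefaultVersion"):
                continue  # the active version is visible in normal reviews
            statements = _as_list(version["Document"].get("Statement", []))
            if any(is_admin_statement(s) for s in statements):
                findings.append((policy["PolicyName"], version["VersionId"]))
    return findings

if __name__ == "__main__":
    for name, vid in risky_dormant_versions(SAMPLE_POLICIES):
        print(f"{name} {vid}: dormant version grants admin; delete it")
```

Old versions flagged here are candidates for deletion, since a policy keeps them until they are removed explicitly.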


lambda_privesc (Easy)

cloudgoat create lambda_privesc

Starting as the IAM user Chris, the attacker discovers that they can assume a role that has full Lambda access and pass role permissions. The attacker can then perform privilege escalation using these new permissions to obtain full admin privileges.

Note: This scenario may require you to create some AWS resources, and because CloudGoat can only manage resources it creates, you should remove them manually before running ./cloudgoat destroy.

Visit Scenario Page.


sqs_flag_shop (Easy)

cloudgoat create sqs_flag_shop

You start at the SHOP page, where you can buy the FLAG. The website has a number of pages, and its source code is exposed. Attackers analyze the code to find vulnerabilities and use their privileges to purchase the FLAG.

Visit Scenario Page.

Medium

static (Medium)

cloudgoat create static

In this scenario, you act as an external attacker visiting a corporate portal. By analyzing the web application, you identify that it loads critical JavaScript libraries from a public S3 bucket. You must discover a misconfiguration in the bucket's permissions, perform a "Supply Chain Attack" by overwriting the library with malicious code, and wait for an internal administrator bot to log in. Your goal is to capture the bot's credentials and exfiltrate them back to the bucket.

[Visit Scenario Page.](c

Core symbols most depended-on inside this repo

e
called by 760
cloudgoat/scenarios/aws/vulnerable_cognito/assets/app/static/aws-sdk.js
append
called by 255
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda1_src/dateutil/parser/_parser.py
append
called by 237
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda2_src/dateutil/parser/_parser.py
_
called by 124
cloudgoat/scenarios/aws/vulnerable_cognito/assets/app/static/aws-sdk.js
get
called by 110
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda1_src/dateutil/tz/tz.py
a
called by 108
cloudgoat/scenarios/aws/vulnerable_cognito/assets/app/static/aws-sdk.js
split
called by 104
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda1_src/dateutil/parser/_parser.py
replace
called by 101
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda1_src/dateutil/rrule.py

Shape

Method 1,718
Function 922
Class 360
Route 42
Struct 1

Languages

Python 97%
TypeScript 3%
Go 1%

Modules by API surface

cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda2_src/click/core.py · 140 symbols
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda1_src/click/core.py · 140 symbols
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda2_src/sqlite_utils/db.py · 123 symbols
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda1_src/sqlite_utils/db.py · 123 symbols
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda2_src/dateutil/tz/tz.py · 100 symbols
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda1_src/dateutil/tz/tz.py · 100 symbols
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda2_src/click/types.py · 79 symbols
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda1_src/click/types.py · 79 symbols
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda2_src/six.py · 75 symbols
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda1_src/six.py · 75 symbols
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda2_src/dateutil/parser/_parser.py · 69 symbols
cloudgoat/scenarios/aws/vulnerable_lambda/terraform/lambda_source_code/policy_applier_lambda1_src/dateutil/parser/_parser.py · 69 symbols

Dependencies from manifests, versioned

babel-eslint 10.0.2 · 1×
eslint 5.16.0 · 1×
eslint-config-airbnb-base 13.1.0 · 1×
eslint-plugin-babel 5.3.0 · 1×
eslint-plugin-import 2.17.3 · 1×
express 4.19.2 · 1×
needle 3.3.1 · 1×
nodemon 1.19.1 · 1×
npm-check-updates 3.1.11 · 1×

Datastores touched

cloudgoat · Database · 1 repos

For agents

$ claude mcp add cloudgoat \
  -- python -m otcore.mcp_server <graph>
