Skip to content
Home » Instructions


Getting Started

  1. Download the challenge file, this is typically a yaml CloudFormation template, zip file or txt file.
  2. Follow the challenge instructions.
  3. Create a user called pentesting-admin, with full administrator privileges. This user can be reused for multiple challenges.
  4. Use region us-west-2 for launching resources (unless otherwise stated). CloudFormation templates have been tested in the us-west-2 region (unless otherwise stated), other regions are NOT supported by may work for some challenges. (Always attempt challenges in a separate sandbox cloud account and never use a production or business account).
  5. Many challenges will create a user called pentesting-user, after its created set access keys and/or enable console login for this user, then switch to this user. (Do not cheat and try to complete the challenge as pentesting-admin).
  6. Look for a challenge flag, this will be an md5 hash, unless otherwise stated, for example some challenges have an access key ID as the hash.
  7. Challenges are designed around common cloud misconfigurations, security “vulnerabilities”, and security features. Typical pentesting techniques will not apply to most challenges, and will not the primary method of finding the flag on any challenge.
  8. After completing a challenge, remove any files from any s3 buckets it has created, delete any CloudFormation stacks, manually remove any resource not removed by deleting the stack.
  9. Hints and solutions will not be given by our support team, however if you feel there is a bug please report that to use.
  10. Read and abide by the challenge rules at all times. If you are not sure if something is allowed, ask first.

Challenge Rules

  1. You must abide by the CloudProvider’s ToS and Rules regarding penetration testing at all times, even if it means a challenge cannot be solved. Including but not limited to the rules on this URL
  2. The scope of resources You can pentest are resources launched within Your own Cloud Providers account, unless otherwise stated in the challenge.
  3. Do NOT try to pentest, hack, enumerate, fuzz, etc Our website or any of Our resources. Your interaction with Our cloud resources is limited to downloading files from our S3 bucket, unless otherwise stated in the challenge.
  4. Challenges are designed to be solved mainly with regular API calls.
  5. Most AWS challenges are tested in and designed to be run in the us-west-2 region.
  6. Brute forcing, password cracking, fuzzing, port scanning, and other repetitive penetration testing methods are strictly prohibited and not required for any challenges.
  7. DNS Zone walking, any type of Denial of Service (DoS) attack or simulation, port flooding, protocol flooding, request flooding (both login and API), and network stress testing are strictly prohibited.
  8. A web scanner IS allowed for challenges which include an EC2, or similar, instance hosted within Your Cloud Provider account.
  9. If You are not sure if a certain technique is allowed contact us prior to trying it.
  10. Cheating is not allowed, We reserve the right to remove points and/or badges if We suspect You of cheating.
  11. Credentials cannot be shared.
  12. There is a strict limit of 1 account per person. If we suspect You have created 1 or more additional accounts We will suspend or terminate all accounts associated with You including the original one. If You need assistance logging in, You agree to contact Us and not create another account.
  13. Challenge template files, scripts, etc may not be modified (expect to improve security as you see fit).
  14. After creating resources as pentesting-admin switch to pentesting-user to complete the challenge, without modifying any resources (expect to improve security as you see fit) or adding any additional permissions to pentesting-user.
  15. pentesting-user should be deleted after each challenge and before starting another challenge.
  16. Flags may not be shared or posted publicly.
  17. Walk-throughs, hints, spoilers may be given privately or posted publicly 1 month after a challenge has gone live. Sharing of hints, etc before this is strictly prohibited.