Lab Challenges
A documented record of hands-on security labs, CTF challenges, and research write-ups across offensive security, cloud misconfiguration, networking, and systems. Labs marked ↗ open on Hashnode.
Cloud Security & CTF Labs
A curated collection of hands-on cloud security labs focused on AWS, Azure, IAM, serverless security, and misconfiguration exploitation.
CloudGoat Labs
AWS Misconfiguration Labs
Azure Setup Labs
- Azure Key Vault & Always Encrypted
- Azure Monitor, Microsoft Defender for Cloud, Just-In-Time VM Access, Microsoft Sentinel
- Azure Network Security Groups and Application Security Groups
- Azure Role Based Access Control
- Azure Firewall
Low-Level & Reverse Engineering
Binary analysis, crackme challenges, and low-level exploitation work.
- Solving a Simple Crackme — C Keygen & objdump Analysis ↗ — Reverse engineer 101-crackme using objdump to understand the password validation logic, then write a C program to generate valid passwords. Covers x86-64 assembly analysis, control flow, and keygen development.
Network Security and Configuration labs
This section collects networking write-ups on the OSI model, TCP/IP, and the use of Packet Tracer, Wireshark, and tcpdump to learn core networking concepts.
Network Configuration & Routing
- Build a Switch and Router Network — Packet Tracer — Configure a Cisco router and switch with dual-stack IPv4/IPv6, implement IOS security hardening, and verify routing between subnets.
- Packet Tracer WLAN Configuration — Configure a home wireless router with WPA2-PSK and an enterprise WLC with two WLANs — one WPA2-Personal, one WPA2-Enterprise with RADIUS (802.1x) authentication. Includes VLAN interface setup, DHCP scoping, and SNMP integration.
- VLANs and Secure Switch Configuration — VLAN segmentation (management, native, parking lot), 802.1Q trunking with DTP disabled, port security (sticky MAC, violation modes, aging), DHCP snooping with Option 82 troubleshooting, and PortFast + BPDU guard on access ports.
- Configuring Site-to-Site IPsec VPNs — Full IPsec VPN configuration between two Cisco routers across an untrusted transit network. Covers interesting traffic ACLs, ISAKMP Phase 1 (AES-256, DH Group 2, pre-shared keys), Phase 2 (transform set, crypto map), interface binding, and tunnel verification. Note that DH Group 2 is 1024-bit MODP and is deprecated for new deployments; Group 14 or higher is the current recommendation.
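As an added illustration of the site-to-site IPsec lab above, the configuration below shows the full IKEv1/IPsec chain on both routers: Phase 1 policy and pre-shared key, Phase 2 transform set, interesting-traffic ACL, crypto map, interface binding, and the verification commands. This is example IOS configuration written for this page, not the lab's own config; the router names, addresses (RFC 5737 documentation ranges), transit next hops, and the PSK placeholder are all assumptions.

```cisco
! ===== R1: LAN 192.168.1.0/24, WAN 203.0.113.1, peer 198.51.100.1 =====
! (addresses, names and the PSK placeholder are assumptions for this example)
!
! --- Phase 1: ISAKMP (IKEv1) policy ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 86400
! "group 2" mirrors the lab; 1024-bit MODP is deprecated, so production
! deployments should use "group 14" or higher on both peers.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
! --- Phase 2: IPsec transform set (ESP, AES-256 + SHA-256 HMAC) ---
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Interesting traffic: only LAN-to-LAN flows bring the tunnel up ---
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! --- Crypto map: binds peer, transform set and interesting-traffic ACL ---
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256
 match address VPN-TRAFFIC
!
! --- Bind the crypto map to the WAN (transit-facing) interface ---
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
 no shutdown
!
! Route the remote LAN toward the transit network so packets hit the crypto map
ip route 192.168.2.0 255.255.255.0 203.0.113.2
!
! ===== R2: mirror image (LAN 192.168.2.0/24, WAN 198.51.100.1, peer 203.0.113.1) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP
 no shutdown
ip route 192.168.1.0 255.255.255.0 198.51.100.2
!
! --- Verification (run on R1 after generating interesting traffic) ---
! ping 192.168.2.1 source 192.168.1.1
! show crypto isakmp sa      -> Phase 1 SA in state QM_IDLE
! show crypto ipsec sa       -> #pkts encaps / #pkts decaps counters increment
```

The Phase 1 policy, PSK, transform set and ACL must match on both peers (the ACL is the mirror image); a mismatch typically shows up as a Phase 1 SA stuck in MM_NO_STATE or no IPsec SA at all. The first ping is expected to fail while the SAs are negotiated.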
Network Analysis
- Examining TCP/IP & OSI Models In Action
- Using Wireshark to examine Network Traffic
- HTB Academy: Introduction to Network Traffic Analysis — tcpdump and Wireshark across five lab scenarios: traffic baselining, packet filtering, file extraction from HTTP, live incident analysis (Netcat shell detection), and RDP decryption using a recovered RSA key. Includes full incident analysis workflow and module completion certificate.
TryHackMe
- DNS In Detail — DNS hierarchy (TLD, SLD, subdomains), record types (A, AAAA, CNAME, MX, TXT), full lookup flow from client to authoritative server, TTL caching, DNSSEC, and practical nslookup queries.
SMB Enumeration
- Scanning for SMB Vulnerabilities with enum4linux ↗ — Use enum4linux to enumerate SMB shares, users, and vulnerabilities. Part of the Cisco Ethical Hacker course network exploitation module.
🔍 OSINT & Reconnaissance
Passive and active reconnaissance using open-source intelligence tools.
- OSINT Tools: SpiderFoot, Recon-ng & the OSINT Framework — Username enumeration with WhatsMyName, automated footprinting with SpiderFoot, and structured modular recon with Recon-ng. Covers passive vs active scanning trade-offs.
Operating System walkthroughs
Hands-on labs covering Windows and Linux internals from both an administrative and security perspective.
Windows Internals
- TryHackMe: Windows Fundamentals 2 — MSConfig, UAC, Computer Management, System Information, Resource Monitor, command-line tools, and the Windows Registry. Covers the security relevance of each — scheduled task persistence, registry Run keys, WMI abuse, and UAC bypass surface.
Linux Internals
💀 HackTheBox
Active labs and machine writeups from HackTheBox. Full exploitation chains with tools, methodology, and lessons learned.
Starting Point
- Appointment — SQL Injection ↗ — SQL injection against a web application login. Covers SQLi syntax, authentication bypass, and database-backed web app enumeration.
- Bike — Node.js SSTI & Sandbox Escape ↗ — Server-Side Template Injection in Handlebars, sandbox escape via process.mainModule, remote code execution chain.
- Responder — NTLM Poisoning & Password Cracking ↗ — Net-NTLMv2 challenge/response capture via LLMNR/NBT-NS poisoning with Responder, offline cracking with Hashcat. Active Directory authentication attack chain. The captured responses can be cracked offline but, unlike NT hashes, cannot be passed directly.
- Three — AWS S3 Misconfiguration ↗ — Cloud misconfiguration exploitation via exposed S3 bucket. Covers cloud enumeration, credential exposure, and web shell upload.
- Funnel — SSH Tunneling & FTP Anonymous Auth ↗ — Anonymous FTP authentication exposing cleartext credentials, SSH local port forwarding to pivot into internal services.
- Pennyworth — Jenkins RCE ↗ — Misconfigured Jenkins instance with default credentials leading to remote code execution via Groovy script console.
- Vaccine — PostgreSQL SQLi & sudo Abuse ↗ — FTP enumeration, hash cracking, PostgreSQL SQL injection to RCE, privilege escalation via misconfigured sudo binary.
Each lab includes the problem statement, exploitation path, tools used, security impact, and defensive lessons learned.