[{"data":1,"prerenderedAt":399},["ShallowReactive",2],{"track-showcase-bits-n-bites-en":3,"track-showcase-human-factor-en":160,"track-showcase-skyfall-en":296},{"id":4,"title":5,"backToProgram":6,"body":7,"description":144,"differentiator":149,"extension":150,"intro":151,"meta":152,"name":153,"navigation":154,"path":155,"seo":156,"stem":157,"tagline":158,"__hash__":159},"tracks\u002Fen\u002Ftracks\u002Fbits-n-bites.md","Bits n Bites: deep dive","Back to the program",{"type":8,"value":9,"toc":143},"minimark",[10,15,19,23,26,29,32,40,74],[11,12,14],"h2",{"id":13},"why-it-matters-in-the-real-world","Why it matters in the real world",[16,17,18],"p",{},"These are not theoretical vulnerabilities. In 2017, Equifax lost 147 million records because a single web framework went unpatched. In 2023, a SQL injection flaw in MOVEit compromised data across more than 2,000 organisations. In 2012, a mass assignment bug on GitHub let an attacker add his own SSH key to any repository. In 2016, Uber's broken access controls exposed 57 million user records. Bits n Bites combines all of these vulnerability classes into a single target, because that is exactly how real applications fail: not through one flaw, but through a chain of them. The track starts the same way a real attacker would, by mining leaked breach data. Knowing how to spot and connect these weaknesses is the difference between shipping secure code and becoming the next incident report.",[11,20,22],{"id":21},"what-youll-hack","What you'll hack",[16,24,25],{},"Your target is Bits n Bites, a mobile delivery app whose API endpoints do nearly everything except protect user data. Before you even touch the app, you will query a leaked Equifax-style dataset in Azure Table Storage and use differential login responses to identify active accounts. From there, the attack chain never stops.",[16,27,28],{},"Boolean-based blind SQL injection on the restaurant search endpoint lets you extract MFA identifiers the UI never shows. Insecure direct object references let you read TOTP secrets belonging to other users. A mass assignment flaw lets you hijack MFA configurations the frontend deliberately hides. Client-side JavaScript reveals hardcoded AES encryption keys. Stored XSS in the driver-vendor chat steals live authentication tokens. And an XML export feature, vulnerable to XXE, becomes a server-side request forgery gadget that reaches the internal financial ledger.",[16,30,31],{},"Each vulnerability feeds the next. You are not running isolated exercises. Across 13 challenges and 5 phases, you are building a single, continuous attack chain from a leaked dataset all the way to the internal ledger that proves the laundering operation exists.",[33,34],"challenge-highlight",{":items":35,":stats":36,"description":37,"eyebrow":38,"title":39},"[{\"title\":\"Equifax-Style Data Recon\",\"tabLabel\":\"Data Recon\",\"description\":\"The attack starts before you touch the app. Query a leaked dataset in Azure Table Storage using OData filters, then cross-reference hits against the platform's login form, which leaks account existence through differential error messages. This is how real attackers weaponise breach data.\",\"type\":\"gif\",\"src\":\"\u002Fcontent\u002Fgif\u002Fbits.gif\"},{\"title\":\"Boolean Blind SQL Injection\",\"tabLabel\":\"SQL Injection\",\"description\":\"The restaurant search endpoint returns results or an empty list depending on an injected boolean condition. No error messages, no timing tricks. Just true or false, one bit at a time, until you have extracted MFA identifiers the API was built to hide. The same pattern behind the MOVEit breach that compromised over 2,000 organisations in 2023.\",\"type\":\"video\",\"src\":\"\u002Fcontent\u002Fvideo\u002Fbits.mp4\"},{\"title\":\"Mass Assignment & MFA Hijack\",\"tabLabel\":\"Mass Assignment\",\"description\":\"The frontend hides the MFA ownership field, but the API accepts it. Send a crafted JSON body with someone else's email and your own MFA settings ID, and the platform reassigns their second factor to you. In 2012, the same class of vulnerability on GitHub let an attacker add his SSH key to any repository.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fbitsnbites\u002Fmail.png\"},{\"title\":\"Stored XSS & XXE Chain\",\"tabLabel\":\"XSS & XXE\",\"description\":\"The driver-vendor chat blocks exact script tags but not case variations. Inject a stored XSS payload that steals the vendor's authentication token from localStorage. Then use that token to access the vendor portal and exploit an XXE vulnerability in the XML export feature, turning it into an SSRF gadget that reaches the internal financial ledger.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fbitsnbites\u002Fxxe-injection.svg\"},{\"title\":\"IDOR & Cryptographic Failures\",\"tabLabel\":\"IDOR & Crypto\",\"description\":\"Change a single ID in the MFA settings endpoint and read another user's TOTP secret. Then find a hardcoded AES key buried in client-side JavaScript and use it to decrypt the driver's email from order receipts. Uber lost 57 million records to broken access controls like these in 2016.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fbitsnbites\u002Fsettings.png\"}]","[\"13 challenges\",\"5 phases\",\"8+ vulnerability types\"]","Chain real-world vulnerabilities across five phases, from Equifax-style data recon to a full XXE-to-SSRF exfiltration chain. Every technique maps to a documented breach.","Challenges","Mobile applications can have the same vulnerabilities",[41,42,43,50,56,62,68],"attack-chain",{},[44,45,47],"attack-step",{"label":46},"Account recon",[16,48,49],{},"Query a leaked Equifax-style dataset stored in Azure Table Storage using OData filters. Then probe the platform's login form with the data you have found.",[44,51,53],{"label":52},"Infiltration",[16,54,55],{},"Create an account, inspect the profile API, and discover hidden settings.",[44,57,59],{"label":58},"Account takeover",[16,60,61],{},"Hijack configurations through mass assignment flaws, reroute authentication codes to yourself, and take full control of a suspect's account.",[44,63,65],{"label":64},"Lateral movement",[16,66,67],{},"Pivot from customer to driver by chaining SQL injection. Use IDOR to steal their TOTP secret, and AES decryption to reveal identifying information about the driver. Then generate TOTP codes and reset their password.",[44,69,71],{"label":70},"Exfiltration",[16,72,73],{},"Exploit an XXE vulnerability in the vendor's XML export feature to trigger server-side request forgery against the internal ledger.",[75,76,77,94,102,110,124,135],"owasp-panel",{},[78,79,81],"owasp-item",{"number":80},"A01",[82,83,84,88,91],"ul",{},[85,86,87],"li",{},"Exploit insecure direct object references to access MFA settings belonging to other users.",[85,89,90],{},"Abuse mass assignment vulnerabilities to overwrite account ownership fields the API was never meant to expose.",[85,92,93],{},"Leverage server-side request forgery through XML external entity injection to reach internal services.",[78,95,97],{"number":96},"A02",[82,98,99],{},[85,100,101],{},"Recover supposedly deleted messages from browser localStorage that the platform forgot to clear, revealing the name of the bank behind the laundering operation.",[78,103,105],{"number":104},"A04",[82,106,107],{},[85,108,109],{},"Recover hardcoded encryption keys left in client-side JavaScript and use them to decrypt protected driver metadata.",[78,111,113],{"number":112},"A05",[82,114,115,118,121],{},[85,116,117],{},"Execute boolean-based blind SQL injection against the restaurant search endpoint. Results appear or vanish depending on injected conditions, leaking data the UI was built to hide.",[85,119,120],{},"Bypass weak sanitisation filters using case-variation payloads to deliver stored XSS through the driver-vendor chat, stealing authentication tokens in real time.",[85,122,123],{},"Craft XXE payloads that turn an XML export feature into a gateway to internal financial ledgers.",[78,125,127],{"number":126},"A07",[82,128,129,132],{},[85,130,131],{},"Enumerate valid accounts by observing how the login flow responds differently to registered and unregistered users.",[85,133,134],{},"Hijack MFA flows by redirecting second-factor challenges to an attacker-controlled account, then use the intercepted codes to reset the target's password and take full control.",[78,136,138],{"number":137},"A08",[82,139,140],{},[85,141,142],{},"Exploit a generic update endpoint that blindly attaches posted objects without validating ownership, enabling full MFA hijacking through a single crafted request.",{"title":144,"searchDepth":145,"depth":145,"links":146},"",2,[147,148],{"id":13,"depth":145,"text":14},{"id":21,"depth":145,"text":22},null,"md","Bits n Bites drops you into the Bits n Bites platform: a slick food delivery app that Sine Nomine suspects is a laundering front. Your cover is a regular customer account. Your mission is to map the financial network from the inside. To do it, you will need to break through broken access control vulnerabilities, exploit injectable endpoints, bypass authentication flows, and trace transaction patterns that no legitimate delivery app should ever produce.",{},"Operation Bits n Bites",true,"\u002Fen\u002Ftracks\u002Fbits-n-bites",{"title":5,"description":144},"en\u002Ftracks\u002Fbits-n-bites","A live money-laundering operation hidden inside a food delivery app: rise through the ranks to find out who's behind the suspicious looking restaurants.","EglKmp_jc_BUNskdOnL4x9yhnK2j8Vfy0wZQ-7EBfQ0",{"id":161,"title":162,"backToProgram":6,"body":163,"description":144,"differentiator":287,"extension":150,"intro":288,"meta":289,"name":290,"navigation":154,"path":291,"seo":292,"stem":293,"tagline":294,"__hash__":295},"tracks\u002Fen\u002Ftracks\u002Fhuman-factor.md","Human Factor: deep dive",{"type":8,"value":164,"toc":283},[165,169,172,176,179,182,194,197,203,235],[11,166,168],{"id":167},"why-it-matters","Why it matters",[16,170,171],{},"The 2020 Twitter hack, in which attackers social-engineered employees via phone calls to gain admin access to accounts belonging to Barack Obama, Elon Musk, and Joe Biden, was not a code vulnerability. It was a people vulnerability. No firewall, no WAF, no SIEM stopped it. In 2018, the event-stream npm package was compromised with a targeted backdoor that reached millions of installations before anyone noticed. Today, AI-powered email assistants introduce a new attack surface: prompt injection payloads hidden in ordinary-looking messages that trick the model into leaking data it was designed to protect. Social engineering remains the most common initial access vector in real breaches precisely because it bypasses every technical control. The Human Factor combines OSINT, supply chain analysis, document weaponisation, and AI prompt injection into a single campaign because that is how modern attacks actually work. Understanding how attackers build and exploit trust across all of these surfaces is no longer optional for developers. It is the gap between a team that ships code and a team that ships security.",[11,173,175],{"id":174},"what-youll-practice","What you'll practice",[16,177,178],{},"The mission is Banco Maximus, a target that believes its technical stack makes it impenetrable. It does not. Your job is to become a recruiter, a colleague, a voice they want to trust.",[16,180,181],{},"You start with open-source intelligence: scraping the Banco Maximus website for org structure, extracting employee names from PDF metadata, and profiling three targets across GitHub, Mastodon, DeviantArt, and Medium. Once your dossiers are complete, you craft a three-message outreach campaign that an AI judge evaluates for psychological effectiveness, and then choose which employee to target.",[16,183,184,185,189,190,193],{},"Mike is the technical path. You analyse a malicious npm package hidden in a software bill of materials, build a convincing phishing lure, and harvest CI\u002FCD pipeline tokens. Aisha is the weaponisation path. You build a macro-enabled document that chains ",[186,187,188],"code",{},"URLDownloadToFile"," into ",[186,191,192],{},"WinExec",", craft the pretext that convinces her to enable macros, and then implement hybrid AES-256 and RSA encryption to lock the exfiltrated data. Koen is the long game. You create geo-tracking links masked behind Calendly invites, cross-reference IP geolocation with known office locations, and craft prompt injection hidden in 1px white text that hijacks an AI email assistant into leaking credentials.",[16,195,196],{},"Every path ends with a choice that tests how far you are willing to push an operation. Three paths, two endings each, six outcomes in total.",[33,198],{":items":199,":stats":200,"description":201,"eyebrow":38,"title":202},"[{\"title\":\"OSINT & Target Profiling\",\"tabLabel\":\"OSINT\",\"description\":\"Scrape the Banco Maximus website for org structure, extract employee names from PDF metadata using tools like `exiftool`, and build dossiers by cross-referencing GitHub repos, Mastodon posts, DeviantArt portfolios, and Medium articles. This is how real red teams map a target before a single email is sent.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fhumanfactor\u002Fosint.png\"},{\"title\":\"Supply Chain Forensics\",\"tabLabel\":\"Supply Chain\",\"description\":\"Analyse a software bill of materials, identify a malicious npm package hidden in the dependency tree, and trace its redirect infrastructure. Then harvest CI\u002FCD job tokens from the compromised developer's pipeline. Inspired by the `event-stream` (2018) and `ua-parser-js` (2021) supply chain attacks that hit millions of downloads.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fhumanfactor\u002Fmike.png\"},{\"title\":\"Document Weaponisation & Encryption\",\"tabLabel\":\"Weaponisation\",\"description\":\"Build a macro-enabled document that calls `URLDownloadToFile` and `WinExec` on open. Craft the social engineering pretext that convinces your target to enable macros. Then implement hybrid AES-256 and RSA encryption for the exfiltrated data, the same key management scheme used by modern ransomware families like LockBit and Conti.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fhumanfactor\u002Faisha.png\"},{\"title\":\"Geo-Tracking & Email Prompt Injection\",\"tabLabel\":\"Prompt Injection\",\"description\":\"Create geo-tracking links masked behind Calendly invites using services like Grabify. Cross-reference IP geolocation with known office locations. Then craft a prompt injection payload hidden in 1px white text inside a business email that manipulates an AI email assistant into leaking credentials to an attacker-controlled mailbox. This is the bleeding edge of social engineering.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fhumanfactor\u002Fkoen.png\"}]","[\"16 challenges\",\"3 branching paths\",\"6 possible endings\"]","Build a full social engineering campaign from OSINT to execution. Every path uses different real-world techniques, and every path ends with a choice that changes the outcome.","Three targets. Three paths. Six endings.",[41,204,205,211,217,223,229],{},[44,206,208],{"label":207},"OSINT recon",[16,209,210],{},"Scrape the Banco Maximus website for org structure, extract employee names from PDF metadata the company forgot to scrub, and profile three targets.",[44,212,214],{"label":213},"Outreach campaign",[16,215,216],{},"Craft a three-message outreach strategy for psychological effectiveness. Each message must use personal details from your dossiers to hook the target with a dream job offer they cannot ignore.",[44,218,220],{"label":219},"Choose your target",[16,221,222],{},"Select one of three employees: Mike (technical, supply chain compromise), Aisha (document weaponisation and ransomware-grade encryption), or Koen (long-game social engineering with AI prompt injection). Each path uses fundamentally different attack techniques.",[44,224,226],{"label":225},"Execute the attack",[16,227,228],{},"One of the targets requires the creation of geo-tracking links masked behind invites, cross-reference IP geolocation with office locations, and craft prompt injection hidden in 1px white text that hijacks an AI email assistant.",[44,230,232],{"label":231},"Final choice",[16,233,234],{},"Each path branches into two endings, six in total. Crash a CI\u002FCD pipeline or watch from the shadows. Lock files with encryption or demand a ransom. Leak data publicly or recruit an insider. How far you go is up to you.",[75,236,237,256,272],{},[78,238,240],{"number":239},"A03",[82,241,242,253],{},[85,243,244,245,248,249,252],{},"Analyse a software bill of materials to identify a malicious npm package with embedded redirect infrastructure, mirroring attacks like ",[186,246,247],{},"event-stream"," (2018) and ",[186,250,251],{},"ua-parser-js"," (2021).",[85,254,255],{},"Harvest CI\u002FCD job tokens from a compromised developer's pipeline configuration to gain persistent access to the build system.",[78,257,258],{"number":112},[82,259,260,269],{},[85,261,262,263,265,266,268],{},"Build macro-based payloads that call ",[186,264,188],{}," and ",[186,267,192],{}," to download and execute remote binaries when a target opens a laced document.",[85,270,271],{},"Craft prompt injection payloads hidden in 1px white text that manipulate AI-powered email assistants into forwarding credentials and personal data to an attacker-controlled mailbox.",[78,273,275],{"number":274},"A06",[82,276,277,280],{},[85,278,279],{},"Extract employee names and roles from PDF metadata that the organisation forgot to scrub before publishing.",[85,281,282],{},"Create geo-tracking links masked behind legitimate Calendly invites and cross-reference IP geolocation with known office locations to map a target's physical environment.",{"title":144,"searchDepth":145,"depth":145,"links":284},[285,286],{"id":167,"depth":145,"text":168},{"id":174,"depth":145,"text":175},"Most security training stops at code. The Human Factor goes further: into the phishing emails, pretexting calls, and whaling campaigns that bypass every technical control. You'll build and execute a full social-engineering attack chain against a target who believes their security stack makes them untouchable.","Every lock has a key. Every key has a person. In The Human Factor, you follow the money trail from Bits n Bites into Banco Maximus, a bank that markets itself as a security-paranoid fintech but places its trust in its staff. Your attack surface is not code, it is habit, ambition, and the basic human need to be helpful. You will run open-source reconnaissance, build target dossiers, craft tailored lures, and execute a full social-engineering campaign that blends classic pretexting with modern techniques like supply chain analysis and AI prompt injection.",{},"The Human Factor","\u002Fen\u002Ftracks\u002Fhuman-factor",{"title":162,"description":144},"en\u002Ftracks\u002Fhuman-factor","No exploit needed, just a convincing story. The Human Factor is where you learn to breach a system by breaching its people.","QsGtgRVzFebG3-E-jjsCw0PmKXdI4j0o4uJNcSGFL5o",{"id":297,"title":298,"backToProgram":6,"body":299,"description":144,"differentiator":390,"extension":150,"intro":391,"meta":392,"name":393,"navigation":154,"path":394,"seo":395,"stem":396,"tagline":397,"__hash__":398},"tracks\u002Fen\u002Ftracks\u002Fskyfall.md","Skyfall: deep dive",{"type":8,"value":300,"toc":386},[301,305,308,312,315,318,321,327,358],[11,302,304],{"id":303},"why-it-hits-hard","Why it hits hard",[16,306,307],{},"Cloud misconfigurations are not edge cases. They are the most common cause of large-scale data breaches in modern infrastructure. Capital One lost 100 million records to an IAM misconfiguration. Misconfigured storage buckets have leaked data from governments, hospitals, and Fortune 500 companies. Skyfall makes you walk the exact path an attacker would, from a misconfigured sign-up flow to full infrastructure compromise, one overlooked default at a time. You run real CLI commands against a live Arceus environment, not a quiz or a simulation. Every command maps to an actual Azure or AWS equivalent. After this track, you will never look at a cloud console the same way again.",[11,309,311],{"id":310},"what-youll-breach","What you'll breach",[16,313,314],{},"Skyfall puts you inside Arceus, a live cloud platform that mirrors the misconfigurations behind real-world breaches like the 2019 Capital One incident, where a single misconfigured IAM role exposed over 100 million customer records in S3.",[16,316,317],{},"You start with a regular sign-up. Within minutes, you discover that the provisioning process has placed you inside ILIAS's production Arceus tenant. From the Arceus Lens log viewer, you find that production monitoring is streaming DEBUG-level output that includes SSH credentials in plain text. Those credentials get you into a deployment VM. A single curl to the metadata service at 169.212.169.212 hands you managed identity tokens. Using the Arceus CLI, you discover a secrets vault, assign VaultReader to your identity, and extract the stored secret. It maps to the DevAI Automation Engine, ILIAS's core AI automation product, whose service principal was granted elevated permissions to keep their pipelines running. You log in as that principal and escalate to directory Owner.",[16,319,320],{},"Then you choose. Clean Exit: delete the prohibited data ILIAS never should have stored, including voice clones, user tracking recordings, and robocopy models. Or trigger Skyfall: strip roles from development and management groups, scale every web app and container to maximum, and watch the projected monthly cost explode.",[33,322],{":items":323,":stats":324,"description":325,"eyebrow":38,"title":326},"[{\"title\":\"Credential Leak in Arceus Lens\",\"tabLabel\":\"Credential Leak\",\"description\":\"ILIAS left their monitoring tool in DEBUG mode. Arceus Lens, the platform's log viewer, is streaming SSH credentials in plain text between routine log entries. Find them before they rotate. Verbose logging leaks like this are behind some of the largest cloud breaches on record.\",\"type\":\"video\",\"src\":\"\u002Fcontent\u002Fvideo\u002Fskyfall\u002Flens.mp4\"},{\"title\":\"Metadata Service Pivot\",\"tabLabel\":\"Metadata Pivot\",\"description\":\"SSH into the deployment VM, then curl to extract managed identity tokens from the instance metadata service. This is the same technique used in the Capital One breach of 2019, where a misconfigured WAF allowed SSRF to the EC2 metadata endpoint and exposed over 100 million records.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fskyfall\u002Fssh.png\"},{\"title\":\"Vault Crack & Role Escalation\",\"tabLabel\":\"Vault Escalation\",\"description\":\"Use the Arceus CLI to discover a secrets vault, assign VaultReader to your managed identity, extract the stored secret, and map it to the DevAI Automation Engine service principal. Then log in as that principal and escalate to directory Owner. This mirrors real IAM privilege escalation chains documented by Rhino Security Labs and others.\",\"type\":\"video\",\"src\":\"\u002Fcontent\u002Fvideo\u002Fskyfall\u002Fterminal.mp4\"},{\"title\":\"The Final Choice\",\"tabLabel\":\"Endings\",\"description\":\"Clean Exit: delete the prohibited data ILIAS should never have stored, from voice clones to user tracking recordings and robocopy models. Or trigger Skyfall: strip roles from every dev and management group, scale all web apps and containers to maximum, and calculate the projected monthly cost catastrophe. Your call.\",\"type\":\"image\",\"src\":\"\u002Fcontent\u002Fimg\u002Fskyfall\u002Foption.png\"}]","[\"7 challenges\",\"Full terminal experience\",\"2 endings\"]","Seven challenges inside Arceus, a fictional cloud platform. Every command you run is a real cloud attack technique.","From sign-up page to infrastructure owner.",[41,328,329,335,341,347,353],{},[44,330,332],{"label":331},"Misconfigured access",[16,333,334],{},"Create a regular account on the platform and discover that the sign-up process places you inside a cloud tenant you were never supposed to reach.",[44,336,338],{"label":337},"Credential extraction",[16,339,340],{},"Open the Arceus Lens log viewer and discover that the production monitoring resource is streaming DEBUG-level output. SSH credentials appear in plain text between routine log entries.",[44,342,344],{"label":343},"Infrastructure pivot",[16,345,346],{},"SSH into the deployment VM with the leaked credentials. Then curl the metadata service at 169.212.169.212 to extract the managed identity's client ID and access token. Use the Arceus CLI to authenticate and discover resources across the environment.",[44,348,350],{"label":349},"Privilege escalation",[16,351,352],{},"Assign the VaultReader role to the VM's managed identity, extract the stored secret, and match it to the DevAI Automation Engine service principal. Log in as that principal and escalate your permissions to directory Owner.",[44,354,355],{"label":231},[16,356,357],{},"Choose your ending. Clean Exit: delete the prohibited data ILIAS should never have stored, including voice clones, user tracking recordings, and robocopy models. Or trigger Skyfall: strip roles from every team, scale all web apps and containers to maximum, and watch the projected monthly cost explode.",[75,359,360,373],{},[78,361,362],{"number":80},[82,363,364,367,370],{},[85,365,366],{},"Discover that a public sign-up flow assigns users to ILIAS's internal Arceus cloud tenant, granting access to infrastructure meant only for employees.",[85,368,369],{},"Query the deployment VM's metadata service to retrieve managed identity tokens for resources the identity was never intended to reach.",[85,371,372],{},"Map a vault secret to the DevAI Automation Engine service principal and escalate from external user to full directory Owner in a single role assignment.",[78,374,375],{"number":96},[82,376,377,380,383],{},[85,378,379],{},"Extract SSH credentials from Arceus Lens debug logs that production monitoring was never configured to suppress.",[85,381,382],{},"Use the Arceus CLI to assign VaultReader to a VM's managed identity, granting yourself access to secrets that include service principal credentials.",[85,384,385],{},"Scale cloud resources to their maximum limits as a demonstration of how unrestricted resource policies enable cost-based denial of service.",{"title":144,"searchDepth":145,"depth":145,"links":387},[388,389],{"id":303,"depth":145,"text":304},{"id":310,"depth":145,"text":311},"Skyfall puts you inside Arceus, a live cloud platform built the way real companies build them: fast, functional, and misconfigured. You will exploit the same IAM drift, credential exposure, and over-permissive roles that took down Capital One. Every command you run maps to a real cloud attack technique. Then you decide how the story ends.","ILIAS is a rapidly growing AI scale-up that made the decisions every engineering team under pressure makes: move fast, ship often, clean up later. In Skyfall, you exploit the consequences. Starting from nothing more than a public-facing sign-up page, you will discover that a simple account places you inside ILIAS's internal Arceus cloud tenant. From there, you will find SSH credentials leaking from Arceus Lens debug logs, pivot through a deployment VM by querying the metadata service, crack open a secrets vault using the Arceus CLI, escalate to full directory ownership through a service principal, and face a final choice: clean up quietly or let the entire environment collapse under runaway costs.",{},"Skyfall - Breach in the Cloud","\u002Fen\u002Ftracks\u002Fskyfall",{"title":298,"description":144},"en\u002Ftracks\u002Fskyfall","A fast-growing AI company with an Arceus cloud environment held together by assumptions. Break in, escalate, and decide how the story ends.","loR6UCWYBEvTP9w1pZhzz7FkO9XUBlpla3SICMpYO_I",1778504767625]