Wiz Cloud Security Championship - CTF Writeups

My writeups for the Wiz Cloud Security Championship: a year of hands-on, real-world cloud security challenges, each crafted by a Wiz researcher. One new challenge dropped every month from June 2025 through May 2026.

Challenges and original scenarios by Wiz Research. Writeups and analysis by Mark LaCore. Play the live challenges at cloudsecuritychampionship.com.

11 of 12 challenges written up
1. Perimeter Leak (June 2025, 10 pts, Cloud Security / SSRF)
   Chaining Spring Boot Actuator exposure, a method- and header-forwarding SSRF proxy, IMDSv2 credential theft, and offline S3 pre-signed URLs to bypass a VPC-bound AWS data perimeter.

2. Contain Me If You Can (July 2025, 20 pts, Cloud Security / Container Escape)
   A no-kernel-exploit container escape: sniff a plaintext Postgres credential, get superuser RCE via COPY FROM PROGRAM, abuse passwordless sudo, and mount the host disk to read the flag.

3. Breaking The Barriers (August 2025, 10 pts, Azure / OAuth)
   Azure OAuth privilege escalation: abusing an Entra ID misconfiguration to cross a tenant trust boundary and escalate access.

4. Needle in a Haystack (September 2025, 20 pts, Web / OSINT)
   Client-side validation bypass and API exploitation, plus a little OSINT, to surface a secret hidden in plain sight.

5. Game of Pods (October 2025, 30 pts, Kubernetes)
   Kubernetes privilege escalation chaining SSRF, path traversal, and the nodes/proxy subresource to take over the cluster.

6. Malware Busters! (November 2025, 10 pts, Reverse Engineering)
   Reverse engineering a Go malware sample: UPX unpacking, XOR config decryption, and AES-CBC C2 protocol analysis.

7. State of Affairs (December 2025, 20 pts, Terraform / IaC)
   Terraform state poisoning via race conditions and malicious providers, turning infrastructure-as-code into remote code execution.

8. Confession Booth (January 2026, 30 pts, Web / Race Condition)
   A race-condition privilege escalation in a Go web application, exploiting a time-of-check to time-of-use gap.

9. Trust Issues (February 2026, 20 pts, Supply Chain / IR)
   Incident response on a compromised GitHub Actions runner, tracing a trojanized pytest supply chain attack and Fernet-encrypted exfil.

10. Happy Birthday (March 2026, 20 pts, AWS / Multi-Service)
    A multi-service AWS chain: S3 account-ID enumeration with s3recon, an SNS StringLike bypass, and an os.path.join path traversal in Lambda.

11. Split Horizon (April 2026, 30 pts, Kubernetes / Networking)
    Joining a flannel VXLAN overlay from a low-privilege bastion to reach a Service that was never meant to be reachable.

12. Mystery Challenge (May 2026, points TBA)
    The grand finale of the championship. Details to be announced - writeup coming soon.