{"componentChunkName":"component---src-templates-project-template-js","path":"/projects/l33tpwn-cloud-pentest-training-platform-2025-overhaul","result":{"data":{"project":{"title":"l33tpwn — Cloud Pentest Training Platform (2025 Overhaul)","slug":"l33tpwn-cloud-pentest-training-platform-2025-overhaul","description":"A ground-up rebuild of l33tPWN into a hosted, browser-based cybersecurity training platform (l33tpwn.com), in the style of HackTheBox / TryHackMe. Each student gets a private AWS lab — a Kali attack box, an optional Kali Purple blue-team/SOC box (Suricata IPS + Wazuh), and on-demand vulnerable target VMs from a 48-target catalog — all running in the browser via noVNC in ~90s. Added a leet/l33tpwn CLI (~30 verbs across student and operator faces), keyless shell access via AWS SSM Session Manager, guided walkthroughs, and EventBridge-driven idle teardown.","caseStudy":"## The problem\n\nThe original l33tPWN (2019) proved you could run an ethical-hacking lab entirely in the\nbrowser. But \"learn to attack\" is only half the picture, the infrastructure was dated, and\noperating cohorts by hand didn't scale. The 2025 overhaul rebuilds l33tpwn (l33tpwn.com) into\na hosted training platform in the spirit of HackTheBox / TryHackMe — adding a blue-team\ndimension, a real CLI, and proper multi-tenant operations.\n\n## The approach\n\nEach student signs in and gets their **own private AWS lab**: a Kali attack box, an optional\n**Kali Purple** blue-team / SOC box (Suricata IPS + Wazuh), and on-demand vulnerable target\nVMs from a 48-target catalog — all in the browser via **noVNC** in about 90 seconds. Guided\nwalkthroughs (recon → exploitation → privesc → post-exploitation → defense) sit alongside the\ndesktop with copy-to-terminal buttons.\n\n## Architecture\n\nThe platform is AWS-native. 
A `leet` / `l33tpwn` **CLI** (~30 verbs, Python/Click) exposes two\nfaces from one binary — a student face (login, start/stop machines, open noVNC, connect, run\nwalkthroughs) and an operator `ops` face (per-student lifecycle, DynamoDB backup/restore, Caddy\nproxy routes, Lambda logs, cost telemetry).\n\n- **Compute:** EC2 from custom AMIs — a Kali XFCE attack box with a noVNC/websockify clipboard\n  bridge, a Kali Purple defense box, and 48 imported target VMs.\n- **Provisioning:** per-student VPCs built by Lambda behind API Gateway; **DynamoDB** holds AMI\n  and user state; **Cognito** for auth.\n- **Access:** keyless shell via **AWS SSM Session Manager** (no SSH key, no inbound port 22),\n  landing in a per-student tmux session.\n- **Delivery:** a single Caddy reverse proxy fronts every student's noVNC session by host;\n  static SPA + walkthroughs + the CLI wheel served from S3/CloudFront.\n- **Cost control:** EventBridge sweeps idle instances nightly; EBS state is preserved across\n  stop/start for cheap resume.\n\n## Validation\n\nA full lifecycle sweep validated **48/48 targets** starting and stopping cleanly (start ~92–216s,\nstop ~10–45s) — the kind of end-to-end check that separates a demo from something you can put\nstudents on.\n","gallery":[],"date_start":"2025","date_end":null,"hours":null,"client":null,"tags":["security","cloud","aws","training"],"outcomes":["Per-student isolated AWS labs (Kali + Kali Purple + 48 targets) in-browser via noVNC","leet CLI with ~30 verbs across a student face and an operator (ops) face","Keyless shell via AWS SSM Session Manager; SOC/IPS via Kali Purple (Suricata + Wazuh)","Validated 48/48 target start+stop lifecycle sweep"],"tech_stack":["Python","AWS Lambda","DynamoDB","EC2 / 
SSM","Terraform","Cognito","CloudFront"],"links":[{"label":"Live","url":"https://l33tpwn.com"}],"image":{"childImageSharp":{"fluid":{"aspectRatio":1.7543859649122806,"src":"/static/91bff2a1c467f9c3a1585b8c1213d612/ee604/l33tpwn-modern.png","srcSet":"/static/91bff2a1c467f9c3a1585b8c1213d612/69585/l33tpwn-modern.png 200w,\n/static/91bff2a1c467f9c3a1585b8c1213d612/497c6/l33tpwn-modern.png 400w,\n/static/91bff2a1c467f9c3a1585b8c1213d612/ee604/l33tpwn-modern.png 800w","srcWebp":"/static/91bff2a1c467f9c3a1585b8c1213d612/58556/l33tpwn-modern.webp","srcSetWebp":"/static/91bff2a1c467f9c3a1585b8c1213d612/61e93/l33tpwn-modern.webp 200w,\n/static/91bff2a1c467f9c3a1585b8c1213d612/1f5c5/l33tpwn-modern.webp 400w,\n/static/91bff2a1c467f9c3a1585b8c1213d612/58556/l33tpwn-modern.webp 800w","sizes":"(max-width: 800px) 100vw, 800px"}}},"stack_icons":[{"name":"Python","icon":{"childImageSharp":{"fixed":{"width":24,"height":24,"src":"/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/6d1ba/python.png","srcSet":"/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/6d1ba/python.png 1x,\n/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/a9c35/python.png 1.5x,\n/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/559c9/python.png 2x","srcWebp":"/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/f8bad/python.webp","srcSetWebp":"/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/f8bad/python.webp 1x,\n/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/f81b6/python.webp 1.5x,\n/static/64d0f7b1b208f14bd8dd5134b3ed7ff5/804d1/python.webp 2x"}}}},{"name":"Lambda","icon":{"childImageSharp":{"fixed":{"width":24,"height":24,"src":"/static/9ebd18b0cc4dd6f7e2988a7efc840b92/6d1ba/lambda.png","srcSet":"/static/9ebd18b0cc4dd6f7e2988a7efc840b92/6d1ba/lambda.png 1x,\n/static/9ebd18b0cc4dd6f7e2988a7efc840b92/a9c35/lambda.png 1.5x,\n/static/9ebd18b0cc4dd6f7e2988a7efc840b92/559c9/lambda.png 2x","srcWebp":"/static/9ebd18b0cc4dd6f7e2988a7efc840b92/f8bad/lambda.webp","srcSetWebp":"/static/9ebd18b0cc4dd6f7e2988a7efc840b92/f8bad/lambda.webp 1x,\n/static/9ebd18b0cc4dd6f7e2988a7efc840b92/f81b6/lambda.webp 1.5x,\n/static/9ebd18b0cc4dd6f7e2988a7efc840b92/804d1/lambda.webp 2x"}}}},{"name":"DynamoDB","icon":{"childImageSharp":{"fixed":{"width":20,"height":20,"src":"/static/82defa6954b6e11e8d81c1bc0e0e5106/dba72/dynamodb.png","srcSet":"/static/82defa6954b6e11e8d81c1bc0e0e5106/dba72/dynamodb.png 1x","srcWebp":"/static/82defa6954b6e11e8d81c1bc0e0e5106/e3c56/dynamodb.webp","srcSetWebp":"/static/82defa6954b6e11e8d81c1bc0e0e5106/e3c56/dynamodb.webp 1x"}}}},{"name":"CloudFront","icon":{"childImageSharp":{"fixed":{"width":20,"height":20,"src":"/static/4bb94a6eb8d1ac90af884aeb9c8e3344/dba72/cloudfront.png","srcSet":"/static/4bb94a6eb8d1ac90af884aeb9c8e3344/dba72/cloudfront.png 1x","srcWebp":"/static/4bb94a6eb8d1ac90af884aeb9c8e3344/e3c56/cloudfront.webp","srcSetWebp":"/static/4bb94a6eb8d1ac90af884aeb9c8e3344/e3c56/cloudfront.webp 1x"}}}},{"name":"Terraform","icon":{"childImageSharp":{"fixed":{"width":24,"height":24,"src":"/static/eea7a02c320f7f79a47022d745471610/6d1ba/terraform.png","srcSet":"/static/eea7a02c320f7f79a47022d745471610/6d1ba/terraform.png 1x,\n/static/eea7a02c320f7f79a47022d745471610/a9c35/terraform.png 1.5x,\n/static/eea7a02c320f7f79a47022d745471610/559c9/terraform.png 2x","srcWebp":"/static/eea7a02c320f7f79a47022d745471610/f8bad/terraform.webp","srcSetWebp":"/static/eea7a02c320f7f79a47022d745471610/f8bad/terraform.webp 1x,\n/static/eea7a02c320f7f79a47022d745471610/f81b6/terraform.webp 1.5x,\n/static/eea7a02c320f7f79a47022d745471610/804d1/terraform.webp 2x"}}}}]}},"pageContext":{"slug":"l33tpwn-cloud-pentest-training-platform-2025-overhaul"}},"staticQueryHashes":["3724428426"]}