
l33tpwn — Cloud Pentest Training Platform (2025 Overhaul)

  • 2025 – Present
security, cloud, aws, training

A ground-up rebuild of l33tPWN into a hosted, browser-based cybersecurity training platform (l33tpwn.com), in the style of HackTheBox / TryHackMe. Each student gets a private AWS lab — a Kali attack box, an optional Kali Purple blue-team/SOC box (Suricata IPS + Wazuh), and on-demand vulnerable target VMs from a 48-target catalog — all running in the browser via noVNC in ~90s. Added a leet/l33tpwn CLI (~30 verbs across student and operator faces), keyless shell access via AWS SSM Session Manager, guided walkthroughs, and EventBridge-driven idle teardown.

The problem

The original l33tPWN (2019) proved you could run an ethical-hacking lab entirely in the browser. But "learn to attack" is only half the picture, the infrastructure was dated, and operating cohorts by hand didn't scale. The 2025 overhaul rebuilds l33tpwn (l33tpwn.com) into a hosted training platform in the spirit of HackTheBox / TryHackMe — adding a blue-team dimension, a real CLI, and proper multi-tenant operations.

The approach

Each student signs in and gets their own private AWS lab: a Kali attack box, an optional Kali Purple blue-team / SOC box (Suricata IPS + Wazuh), and on-demand vulnerable target VMs from a 48-target catalog — all in the browser via noVNC in about 90 seconds. Guided walkthroughs (recon → exploitation → privesc → post-exploitation → defense) sit alongside the desktop with copy-to-terminal buttons.

Architecture

The platform is AWS-native. A leet / l33tpwn CLI (~30 verbs, Python/Click) exposes two faces from one binary — a student face (login, start/stop machines, open noVNC, connect, run walkthroughs) and an operator ops face (per-student lifecycle, DynamoDB backup/restore, Caddy proxy routes, Lambda logs, cost telemetry).

  • Compute: EC2 from custom AMIs — a Kali XFCE attack box with a noVNC/websockify clipboard bridge, a Kali Purple defense box, and 48 imported target VMs.
  • Provisioning: per-student VPCs built by Lambda behind API Gateway; DynamoDB holds AMI and user state; Cognito for auth.
  • Access: keyless shell via AWS SSM Session Manager (no SSH key, no inbound port 22), landing in a per-student tmux session.
  • Delivery: a single Caddy reverse proxy fronts every student's noVNC session by host; static SPA + walkthroughs + the CLI wheel served from S3/CloudFront.
  • Cost control: EventBridge sweeps idle instances nightly; EBS state is preserved across stop/start for cheap resume.
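
The "no SSH key, no inbound port 22" property in the Access bullet is something an operator can audit rather than assume. The Python below is an added example, not the platform's own code: it checks data shaped like the EC2 DescribeInstances and DescribeSecurityGroups responses, and the function names, instance IDs and group IDs are constructed for illustration.

```python
SSH_PORT = 22

def rule_covers_ssh(perm):
    """True if an ingress rule admits TCP/22 ("-1" means every protocol and port)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    # A missing port range is treated as the widest one, so the audit fails closed.
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return lo <= SSH_PORT <= hi

def rule_sources(perm):
    """Every source the rule trusts: IPv4/IPv6 CIDRs and referenced groups."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])

def audit_keyless(instances, security_groups):
    """Sorted (instance_id, finding) pairs that break the no-key, no-port-22 design."""
    groups = {g["GroupId"]: g for g in security_groups}
    findings = []
    for inst in instances:
        iid = inst["InstanceId"]
        if inst.get("KeyName"):  # a key pair means SSH login was provisioned
            findings.append((iid, f"SSH key pair attached: {inst['KeyName']}"))
        for ref in inst.get("SecurityGroups", []):
            gid = ref["GroupId"]
            if gid not in groups:
                findings.append((iid, f"{gid}: not in snapshot, cannot verify"))
                continue
            for perm in groups[gid].get("IpPermissions", []):
                if rule_covers_ssh(perm):
                    findings += [(iid, f"{gid}: inbound 22 from {s}") for s in rule_sources(perm)]
    return sorted(findings)

# Constructed sample data (not from the platform).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": []},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]}]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-kali01", "SecurityGroups": [{"GroupId": "sg-0aaa"}]},
    {"InstanceId": "i-kali02", "KeyName": "legacy-key", "SecurityGroups": [{"GroupId": "sg-0bbb"}]},
    {"InstanceId": "i-purple01", "SecurityGroups": [{"GroupId": "sg-0ccc"}]}]
```

The port-range and all-protocol cases matter here: a rule for ports 20 to 25 or a `-1` rule opens 22 without ever naming it, which a plain search for "22" would miss.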

Validation

A full lifecycle sweep validated 48/48 targets starting and stopping cleanly (start ~92–216s, stop ~10–45s) — the kind of end-to-end check that separates a demo from something you can put students on.

Outcomes

  • Per-student isolated AWS labs (Kali + Kali Purple + 48 targets) in-browser via noVNC
  • leet CLI with ~30 verbs across a student face and an operator (ops) face
  • Keyless shell via AWS SSM Session Manager; SOC/IPS via Kali Purple (Suricata + Wazuh)
  • Validated 48/48 target start+stop lifecycle sweep

Tech Stack

Python
Lambda
DynamoDB
CloudFront
Terraform

Copyright © 2026 Nishant Tiwari All Rights Reserved