Stacked is an insane difficulty Linux machine that focuses on LocalStack / AWS exploitation. Initial access is obtained by exploiting a Cross-Site Scripting vulnerability in a web form, redirecting the client to an internal mail system where details about a LocalStack implementation are disclosed. An interactive shell on the LocalStack container is gained by exploiting [CVE-2021-32090](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32090). After escalating privileges in the container via a command injection vulnerability in the `docker create` command that is automatically triggered whenever a lambda function is executed, a new container with a mapping to the host file system can be created, resulting in `root` access to the host.