
HTB BlackSky Cyclone Review

· 8 min read
Jason Ampoloquio, OSCE3
CISO, Author of ECE Superbooks

In this post, I’d like to share my experience conducting a cloud security assessment of the HackTheBox BlackSky: Cyclone.

After completing BlackSky: Hailstorm last June, I jumped straight into Cyclone to deepen my skill sets in offensive cloud security, specifically within the Azure ecosystem. Unlike AWS, my experience managing and conducting security assessments of Azure infrastructure is limited. So this challenge provided the perfect opportunity to strengthen my Azure penetration testing skills and gain a more in-depth understanding of the platform’s proprietary technologies, services, and potential security weaknesses.

Overview

BlackSky: Cyclone is Hack The Box’s middle-tier Azure cloud lab. It's a professionally designed environment that mimics real‑world enterprise Azure infrastructure. It features around 15 resources, 15 flags, and requires complex attack chains to test key Azure vulnerabilities. HTB rates it difficulty 17 (one level above Hailstorm), making it ideal for those with intermediate Azure experience looking to sharpen their skills.

What is BlackSky Labs?

For those unfamiliar, BlackSky Labs is Hack The Box’s advanced lab series explicitly designed for cutting-edge, hands-on cloud security training. Each lab focuses on one of the major cloud platforms delivered in fully isolated environments that mirror real-world enterprise infrastructure. Completing these labs equips security teams with the skills to rapidly identify vulnerabilities, respond to risks with agility, and proactively secure their cloud environments against evolving threats.


BlackSky: Cyclone is an innovative cloud penetration testing lab that takes cloud penetration testing to new heights with an extensive array of Azure misconfigurations, prevalent privilege escalation techniques, and authentic attack paths observed in actual engagements.

Cyclone grants you immersive, hands-on access to an Azure Environment, enabling you to exploit cloud storage, tokens, automation, roles, and other cutting-edge features.


Challenge Overview

Mega Multinational is a global leader in the Freight Logistics industry. They are not cloud native, but are looking to transition more infrastructure to Microsoft Azure, in order to mitigate the perceived risks of hosting their own infrastructure. They have enlisted your services to perform an “assume breach” assessment of their cloud infrastructure, using the external IP address and credentials provided.


This challenge forces you to immerse yourself in the Azure ecosystem. Throughout the engagement, I spent a lot of time digging through Azure CLI and PowerShell commands, analyzing role assignments and permissions, and trying to make sense of how different services like Logic Apps, Runbooks, Key Vaults, and Storage Accounts interact and connect to one another.

Prerequisites

  • No Azure account required: Unlike AWS Hailstorm, which requires an AWS account setup, Cyclone can be completed entirely within the provided lab environment; no Azure subscription is needed.
  • Intermediate Azure knowledge: A solid understanding of Azure pentesting concepts and exploitation methods is highly recommended. This is a CTF-style lab that encourages self-guided exploration rather than step-by-step guidance, so persistence and a problem-solving mindset are essential.
  • Tool familiarity: Comfort with Azure CLI, PowerShell, and common web exploitation techniques used in Azure environments will greatly enhance your experience and efficiency while navigating the lab.

Who is Cyclone For?

This lab is tailored for individuals who already have a solid grasp of cloud penetration testing fundamentals and are looking to deepen their knowledge of the Azure ecosystem. If you’re familiar with concepts like Kerberos-based attacks and on-prem Active Directory exploitation, then Cyclone is a natural progression in your cloud security journey.

Unlike beginner-level labs, Cyclone assumes you’re comfortable navigating Azure’s interfaces, understanding cloud-native attack vectors, and chaining together multiple weaknesses to gain deeper access. You’ll find yourself relying heavily on Azure CLI, PowerShell, and tools like AADInternals to enumerate roles, abuse permissions, extract credentials, and pivot between users, services, and resources within the tenant infrastructure. The lab simulates scenarios you’d likely encounter in real-world Azure assessments, everything from Runbook misconfigurations to token forging and Key Vault abuse, making it a comprehensive and highly practical learning experience.

If you’re serious about building offensive Azure skills that go beyond surface-level enumeration, Cyclone will test both your technical ability and your patience in the best possible way.

What will you gain?

Cyclone teaches you to navigate and exploit Azure environments with deep situational awareness. You’ll gain hands-on experience with techniques such as:

  • Azure AD enumeration and token exploitation
  • Serverless misconfiguration abuse (Logic Apps, Runbooks)
  • Azure Storage and Key Vault compromise
  • Credential or role chaining for privilege escalation
  • Identifying and analyzing insecure DevOps pipelines and automation vectors
  • Exploiting misconfigurations
  • Lateral movement
  • Local privilege escalation

Skills You’ll Need (and Build Along the Way)

You’ll strengthen skills in:

  • Azure enumeration via Azure CLI and Azure PowerShell
  • Azure Active Directory attacks using AADInternals, Mimikatz, and o365-attack-toolkit
  • OS-level enumeration, pivoting, and persistence
  • Understanding Azure services: Logic Apps, Runbooks, Storage, and Container services
  • Mapping attack paths: chaining automation, stolen tokens, and script abuse
  • Building situational awareness in a cloud-native context
  • Setting up a C2 infrastructure
  • Conducting a phishing campaign

What Do You Get After?


Upon completion, you’ll earn the HTB Cloud Offensive Security Specialist – Azure certification along with 40 CPE credits, similar to Hailstorm and Blizzard. This credential is increasingly respected for its real-world relevance in Azure penetration testing roles.

Cyclone vs Hailstorm

| Feature | Cyclone (Azure) | Hailstorm (AWS) |
|---|---|---|
| Provider | Microsoft Azure | Amazon Web Services |
| Difficulty Level | 17 (Intermediate+) | 14 (Intermediate) |
| Main Attack Surface | AAD, Logic Apps, Runbooks, Tokens, Automation, Storage | S3, Lambda, EC2 metadata, Beanstalk, SageMaker, APIs |
| Tools & Techniques | Azure PowerShell, AADInternals, Mimikatz, o365-attack-toolkit | AWS CLI, weirdAAL, ScoutSuite, S3 enumeration |

My Overall Experience

I started playing Cyclone about a week after completing Hailstorm. Still fresh from the AWS engagement, I found transitioning to Azure both exciting and challenging. What I appreciated about Cyclone is its assumed breach setup, where players begin with low-priv access, and the objective is to explore, escalate, and eventually compromise the Azure environment of a fictional company, MegaMultinational.

Before diving in, I prepared my attack machine by installing PowerShell Core, Azure CLI, and other essential tools. The lab starts with authenticated enumeration, which feels less like reconnaissance and more like navigating a live corporate environment from the inside. Resources like HackTricks and Cobalt proved to be invaluable guides, helping structure my approach and deepen my understanding of Azure's architecture.

Since Azure is so tightly integrated with Microsoft's ecosystem, many attack paths are similar to what you'd expect in a traditional Windows Active Directory environment. You'll encounter familiar attack vector exploitation with Mimikatz, evil-winrm, and lateral movement strategies.

The most satisfying moment for me came during the "Token Theft" challenge; aside from the final flag, it's the only challenge worth 100 points, and for good reason. It pushes you deep into Azure Key Vault documentation and challenges you to craft a token manually. If this were just an on-prem AD, I could easily perform a Golden-Ticket attack and forge a Kerberos TGT using Mimikatz and Rubeus. The process requires a solid understanding of identity, authentication flow, and the subtleties of Azure's token system.

The final challenge, leading to the last flag, was OG. It's incredibly challenging with many steps, but pulling off the whole attack chain perfectly feels exceptionally rewarding. I did all the steps more than 20 times over two weeks without success. At one point, I reached out to Hack The Box support for a sanity check, only to learn that a recent Azure policy change had affected the original exploit path. After HTB informed me that they updated the lab, I re-did the challenge and finally captured the last flag. The adrenaline rush after seeing my C2 infrastructure working and capturing the victim's inbox was unforgettable.

Overall, Cyclone delivered precisely what I hoped for: a realistic, hands-on Azure pentesting lab that sharpened my understanding of Microsoft's cloud platform and forced me to think creatively. If you're looking to level up your Azure red teaming skills, this is the storm you want to get caught in.

What's Next?


To complete the BlackSky Labs trilogy, my next target is the GCP lab. I’ll admit, I have zero experience managing Google Cloud infrastructure, which makes this an even more exciting challenge. I’m looking forward to exploring GCP from an adversarial perspective, hunting for real-world misconfigurations, and seeing how it stacks up against AWS and Azure in terms of complexity, attack surface, and defensive posture. It’s a completely new territory for me, and that’s exactly what makes it worth doing.

Final Thoughts

BlackSky: Cyclone is a high-quality, enterprise-grade Azure pentest environment that teaches and tests realistic attack paths. It stands out for its DevOps-style attack vectors, the emphasis on scriptable automation exploitation, and minimal reliance on external tooling. If you’ve mastered Hailstorm or have experience with Azure AD and Windows red teaming, Cyclone is a worthy addition to your cloud pentesting journey.

Tip

Some challenges work better in a Windows PowerShell environment rather than Kali’s PowerShell Core. While PowerShell Core is convenient and cross-platform, certain Azure modules and legacy cmdlets behave differently or are simply not supported outside a native Windows environment. This becomes especially noticeable when interacting with specific Azure services or running complex scripts. Use a Windows machine to run key exploitation steps.