https://hack.com.cy/writeups/cloudgoat/beanstalk_secrets/Recent content on Hacking BlogHugoenhttps://hack.com.cy/writeups/cloudgoat/beanstalk_secrets/beanstalk_secrets/Thu, 21 Aug 2025 00:00:00 +0000https://hack.com.cy/writeups/cloudgoat/beanstalk_secrets/beanstalk_secrets/<h1 id="initial-access--credentials">Initial Access / Credentials</h1> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">initial_low_priv_credentials</span> <span class="o">=</span> Access Key: AKIA<span class="o">[</span>REDACTED-CTF<span class="o">]</span> </span></span><span class="line"><span class="cl">Secret Key: <span class="o">[</span>REDACTED-CTF<span class="o">]</span> </span></span></code></pre></div><h2 id="awc-cli-profile-creation">AWC CLI profile creation</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">aws configure --profile low_priv </span></span><span class="line"><span class="cl">AWS Access Key ID <span class="o">[</span>None<span class="o">]</span>: AKIA<span class="o">[</span>REDACTED-CTF<span class="o">]</span> </span></span><span class="line"><span class="cl">AWS Secret Access Key <span class="o">[</span>None<span class="o">]</span>: <span class="o">[</span>REDACTED-CTF<span class="o">]</span> </span></span><span class="line"><span class="cl">Default region name <span class="o">[</span>None<span class="o">]</span>: us-east-1 </span></span><span class="line"><span class="cl">Default output format <span class="o">[</span>None<span class="o">]</span>: json </span></span></code></pre></div><blockquote> <p>Created an aws profile with the credentials given</p> </blockquote> <h2 id="enumeration-with--low_priv-credentials">Enumeration with <code>low_priv</code> credentials</h2> <p><strong>whoami</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">└─$ aws sts get-caller-identity --profile low_priv </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;UserId&#34;</span>: <span class="s2">&#34;AIDAUGVOUJQINCWVIJQHB&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Account&#34;</span>: <span class="s2">&#34;289202785296&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Arn&#34;</span>: <span class="s2">&#34;arn:aws:iam::289202785296:user/cgid9oc3krm0fl_low_priv_user&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><blockquote> <p>Gives us the username</p> </blockquote> <h2 id="iam-enumeration-with-pacu-what-privileges-do-our-user-have">IAM Enumeration with pacu (What Privileges do our user have?)</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Pacu <span class="o">(</span>low_priv:imported-low_priv<span class="o">)</span> &gt; run iam__bruteforce_permissions --region us-east-1 </span></span></code></pre></div><blockquote> <p>Used the <strong>iam_bruteforce_permissions</strong> module from pacu</p>