AWS - Elastic Beanstalk Enum
Elastic Beanstalk
Amazon Elastic Beanstalk provides a simplified platform for deploying, managing, and scaling web applications and services. It supports a variety of programming languages and frameworks, such as Java, .NET, PHP, Node.js, Python, Ruby, and Go, as well as Docker containers. The service is compatible with widely-used servers including Apache, Nginx, Passenger, and IIS.
Elastic Beanstalk provides a simple and flexible way to deploy your applications to the AWS cloud, without the need to worry about the underlying infrastructure. It automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring, allowing you to focus on writing and deploying your code.
The infrastructure created by Elastic Beanstalk is managed by Autoscaling Groups in EC2 (with a load balancer), which means that, at the end of the day, if you compromise the host, you should know about EC2:
AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum
Moreover, if Docker is used, it's possible to use ECS.
Application & Environments
In AWS Elastic Beanstalk, the concepts of an "application" and an "environment" serve different purposes and have distinct roles in the deployment process.
Application
- An application in Elastic Beanstalk is a logical container for your application's source code, environments, and configurations. It groups together different versions of your application code and allows you to manage them as a single entity.
- When you create an application, you provide a name and description, but no resources are provisioned at this stage. It is simply a way to organize and manage your code and related resources.
- You can have multiple application versions within an application. Each version corresponds to a specific release of your code, which can be deployed to one or more environments.
Environment
- An environment is a provisioned instance of your application running on AWS infrastructure. It is where your application code is deployed and executed. Elastic Beanstalk provisions the necessary resources (e.g., EC2 instances, load balancers, auto-scaling groups, databases) based on the environment configuration.
- Each environment runs a single version of your application, and you can have multiple environments for different purposes, such as development, testing, staging, and production.
- When you create an environment, you choose a platform (e.g., Java, .NET, Node.js, etc.) and an environment type (e.g., web server or worker). You can also customize the environment configuration to control various aspects of the infrastructure and application settings.
2 types of Environments
- Web Server Environment: It is designed to host and serve web applications and APIs. These applications typically handle incoming HTTP/HTTPS requests. The web server environment provisions resources such as EC2 instances, load balancers, and auto-scaling groups to handle incoming traffic, manage capacity, and ensure the application's high availability.
- Worker Environment: It is designed to process background tasks, which are often time-consuming or resource-intensive operations that don't require immediate responses to clients. The worker environment provisions resources like EC2 instances and auto-scaling groups, but it doesn't have a load balancer since it doesn't handle HTTP/HTTPS requests directly. Instead, it consumes tasks from an Amazon Simple Queue Service (SQS) queue, which acts as a buffer between the worker environment and the tasks it processes.
Security
When creating an App in Beanstalk there are 3 very important security options to choose:
- EC2 key pair: This will be the SSH key that will be able to access the EC2 instances running the app
- IAM instance profile: This is the instance profile that the instances will have (IAM privileges)
  - The autogenerated role is called aws-elasticbeanstalk-ec2-role and has some interesting access over all ECS, all SQS, DynamoDB elasticbeanstalk and elasticbeanstalk S3 using the AWS managed policies: AWSElasticBeanstalkWebTier, AWSElasticBeanstalkMulticontainerDocker, AWSElasticBeanstalkWorkerTier.
- Service role: This is the role that the AWS service will use to perform all the needed actions. Afaik, a regular AWS user cannot access that role.
  - This role generated by AWS is called aws-elasticbeanstalk-service-role and uses the AWS managed policies AWSElasticBeanstalkEnhancedHealth and AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy.
By default metadata version 1 is disabled.
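To review these options on existing environments, the following added example (not part of the original page) parses the JSON printed by `aws elasticbeanstalk describe-configuration-settings` and reports the key pair, instance profile, service role and IMDSv1 setting. The sample document and its values are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `aws elasticbeanstalk describe-configuration-settings`
# output; every value here is made up for illustration.
SAMPLE = json.loads("""
{"ConfigurationSettings": [{"ApplicationName": "demo-app", "EnvironmentName": "demo-env",
  "OptionSettings": [
    {"Namespace": "aws:autoscaling:launchconfiguration", "OptionName": "EC2KeyName", "Value": "shared-dev-key"},
    {"Namespace": "aws:autoscaling:launchconfiguration", "OptionName": "IamInstanceProfile", "Value": "aws-elasticbeanstalk-ec2-role"},
    {"Namespace": "aws:autoscaling:launchconfiguration", "OptionName": "DisableIMDSv1", "Value": "false"},
    {"Namespace": "aws:elasticbeanstalk:environment", "OptionName": "ServiceRole", "Value": "aws-elasticbeanstalk-service-role"}
  ]}]}
""")

LAUNCH = "aws:autoscaling:launchconfiguration"
ENV = "aws:elasticbeanstalk:environment"

def _short_name(value):
    # Roles and instance profiles may be given as a name or as an ARN
    return value.rsplit("/", 1)[-1]

def review_environment(settings):
    """Return (summary, findings) for one ConfigurationSettings entry."""
    opts = {(o["Namespace"], o["OptionName"]): o.get("Value") or ""
            for o in settings.get("OptionSettings", [])}
    summary = {
        "key_pair": opts.get((LAUNCH, "EC2KeyName"), ""),
        "instance_profile": _short_name(opts.get((LAUNCH, "IamInstanceProfile"), "")),
        "service_role": _short_name(opts.get((ENV, "ServiceRole"), "")),
        # A missing option is reported as "not confirmed disabled"
        "imdsv1_disabled": opts.get((LAUNCH, "DisableIMDSv1"), "").lower() == "true",
    }
    findings = []
    if summary["key_pair"]:
        findings.append(f"SSH key pair '{summary['key_pair']}' can log in to the instances")
    if summary["instance_profile"] == "aws-elasticbeanstalk-ec2-role":
        findings.append("autogenerated instance profile in use: review its managed policies")
    if not summary["imdsv1_disabled"]:
        findings.append("IMDSv1 is not confirmed disabled (DisableIMDSv1 is not 'true')")
    return summary, findings

def review_all(doc):
    return {s["EnvironmentName"]: review_environment(s)
            for s in doc.get("ConfigurationSettings", [])}

if __name__ == "__main__":
    for env, (summary, findings) in review_all(SAMPLE).items():
        print(env, summary, *("\n  - " + f for f in findings))
```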
Exposure
Beanstalk data is stored in an S3 bucket with the following name: elasticbeanstalk-<region>-<acc-id> (if it was created in the AWS console). Inside this bucket you will find the uploaded source code of the application.
The URL of the created webpage is http://<webapp-name>-env.<random>.<region>.elasticbeanstalk.com/
warning
If you get read access over the bucket, you can read the source code and even find sensitive credentials in it.
If you get write access over the bucket, you could modify the source code to compromise the IAM role the application is using the next time it's executed.
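To check who holds that read or write access, the added example below (not from the original page) reviews a bucket policy document, such as the one returned by `aws s3api get-bucket-policy`, for Allow statements that grant object read or write to principals outside the owning account. The policy and account IDs are constructed, the function names are hypothetical, and Condition, NotAction and NotPrincipal are not evaluated, so a hit means "review this statement".

```python
from fnmatch import fnmatchcase

def eb_bucket_name(region, account_id):
    # Naming scheme described above for console-created environments
    return f"elasticbeanstalk-{region}-{account_id}"

READ = ("s3:getobject", "s3:listbucket")
WRITE = ("s3:putobject", "s3:deleteobject")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _external(principal, account_id):
    """Principals in a statement that are not the owning account or its identities."""
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    # Only AWS principals are examined; service principals are skipped (assumption)
    return [p for p in _as_list(principal.get("AWS", []))
            if p != account_id and f":{account_id}:" not in p]

def review_policy(policy, account_id):
    """Return [(sid, principal, 'read'|'write')] for grants to external principals."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(st.get("Action", []))]
        for kind, wanted in (("read", READ), ("write", WRITE)):
            if any(fnmatchcase(w, p) for p in patterns for w in wanted):
                for who in _external(st.get("Principal"), account_id):
                    findings.append((st.get("Sid", ""), who, kind))
    return findings

# Constructed policy for a constructed account; not a real or default policy.
ACCOUNT = "111122223333"
RES = f"arn:aws:s3:::{eb_bucket_name('us-east-1', ACCOUNT)}/*"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow", "Resource": RES, "Action": ["s3:GetObject", "s3:PutObject"],
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/aws-elasticbeanstalk-ec2-role"}},
    {"Sid": "PublicRead", "Effect": "Allow", "Resource": RES, "Action": "s3:GetObject", "Principal": "*"},
    {"Sid": "Partner", "Effect": "Allow", "Resource": RES, "Action": "s3:*",
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"}},
    {"Sid": "NoDelete", "Effect": "Deny", "Resource": RES, "Action": "s3:DeleteBucket", "Principal": "*"},
]}

if __name__ == "__main__":
    for sid, who, kind in review_policy(SAMPLE_POLICY, ACCOUNT):
        print(f"{sid}: {who} has {kind} access to the source bundle bucket")
```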
Enumeration
# Find S3 bucket
ACCOUNT_NUMBER=<account_number>
for r in us-east-1 us-east-2 us-west-1 us-west-2 ap-south-1 ap-south-2 ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-southeast-1 ap-southeast-2 ap-southeast-3 ca-central-1 eu-central-1 eu-central-2 eu-west-1 eu-west-2 eu-west-3 eu-north-1 sa-east-1 af-south-1 ap-east-1 eu-south-1 eu-south-2 me-south-1 me-central-1; do aws s3 ls elasticbeanstalk-$r-$ACCOUNT_NUMBER 2>/dev/null && echo "Found in: elasticbeanstalk-$r-$ACCOUNT_NUMBER"; done
# Get apps and URLs
aws elasticbeanstalk describe-applications # List apps
aws elasticbeanstalk describe-application-versions # Get apps & bucket name with source code
aws elasticbeanstalk describe-environments # List envs
aws elasticbeanstalk describe-environments | grep -E "EndpointURL|CNAME"
aws elasticbeanstalk describe-configuration-settings --application-name <app_name> --environment-name <env_name>
aws elasticbeanstalk describe-environment-resources --environment-name <env_name> # Get env info such as SQS used queues
aws elasticbeanstalk describe-instances-health --environment-name <env_name> # Get the instances of an environment
# Get events
aws elasticbeanstalk describe-events
Unauthenticated Access
AWS - Elastic Beanstalk Unauthenticated Enum
Persistence
AWS - Elastic Beanstalk Persistence
Privesc
AWS - Elastic Beanstalk Privesc
Post Exploitation
AWS - Elastic Beanstalk Post Exploitation