AWS - Elastic Beanstalk Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Elastic Beanstalk

Amazon Elastic Beanstalk provides a simplified platform for deploying, managing, and scaling web applications and services. It supports a variety of programming languages and frameworks, such as Java, .NET, PHP, Node.js, Python, Ruby, and Go, as well as Docker containers. The service is compatible with widely-used servers including Apache, Nginx, Passenger, and IIS.
Elastic Beanstalk provides a simple and flexible way to deploy your applications to the AWS cloud, without the need to worry about the underlying infrastructure. It automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring, allowing you to focus on writing and deploying your code.
The infrastructure created by Elastic Beanstalk is managed by Auto Scaling groups in EC2 (with a load balancer). This means that, at the end of the day, if you compromise the host, you should know about EC2.
Moreover, if Docker is used, it’s possible to use ECS.

Application & Environments

In AWS Elastic Beanstalk, the concepts of an "application" and an "environment" serve different purposes and have distinct roles in the deployment process.

Application

  • An application in Elastic Beanstalk is a logical container for your application's source code, environments, and configurations. It groups together different versions of your application code and allows you to manage them as a single entity.
  • When you create an application, you provide a name and description, but no resources are provisioned at this stage. It is simply a way to organize and manage your code and related resources.
  • You can have multiple application versions within an application. Each version corresponds to a specific release of your code, which can be deployed to one or more environments.

Environment

  • An environment is a provisioned instance of your application running on AWS infrastructure. It is where your application code is deployed and executed. Elastic Beanstalk provisions the necessary resources (e.g., EC2 instances, load balancers, auto-scaling groups, databases) based on the environment configuration.
  • Each environment runs a single version of your application, and you can have multiple environments for different purposes, such as development, testing, staging, and production.
  • When you create an environment, you choose a platform (e.g., Java, .NET, Node.js, etc.) and an environment type (e.g., web server or worker). You can also customize the environment configuration to control various aspects of the infrastructure and application settings.

2 types of Environments

  1. Web Server Environment: It is designed to host and serve web applications and APIs. These applications typically handle incoming HTTP/HTTPS requests. The web server environment provisions resources such as EC2 instances, load balancers, and auto-scaling groups to handle incoming traffic, manage capacity, and ensure the application's high availability.
  2. Worker Environment: It is designed to process background tasks, which are often time-consuming or resource-intensive operations that don't require immediate responses to clients. The worker environment provisions resources like EC2 instances and auto-scaling groups, but it doesn't have a load balancer since it doesn't handle HTTP/HTTPS requests directly. Instead, it consumes tasks from an Amazon Simple Queue Service (SQS) queue, which acts as a buffer between the worker environment and the tasks it processes.

Security

When creating an App in Beanstalk there are 3 very important security options to choose:
By default metadata version 1 is disabled:

Exposure

Beanstalk data is stored in an S3 bucket with the following name: elasticbeanstalk-<region>-<acc-id> (if it was created in the AWS console). Inside this bucket you will find the uploaded source code of the application.
The URL of the created webpage is http://<webapp-name>-env.<random>.<region>.elasticbeanstalk.com/
If you get read access over the bucket, you can read the source code and even find sensitive credentials in it.
If you get write access over the bucket, you could modify the source code to compromise the IAM role the application is using the next time it's executed.
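To check your own account for the read and write exposure described above, the following added example (not part of the original page) audits a bucket policy, as returned by `aws s3api get-bucket-policy`, for Allow statements that reach principals outside the owning account. The function names, the sample policy and its account IDs are constructed for illustration; `Resource` and `Condition` elements are not evaluated, so each finding still needs a manual look.

```python
import re
from fnmatch import fnmatchcase

# Naming scheme from the text: elasticbeanstalk-<region>-<acc-id>
BUCKET_RE = re.compile(r"^elasticbeanstalk-([a-z]{2}(?:-[a-z]+)+-\d)-(\d{12})$")
# Read exposes the source bundles; write lets someone replace them
IMPACT = {"read": ["s3:getobject", "s3:listbucket"], "write": ["s3:putobject", "s3:deleteobject"]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_external(principal, account_id):
    """Anonymous ("*") or an AWS principal that belongs to another account."""
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    for arn in arns:
        owner = re.search(r"\d{12}", arn)
        if arn == "*" or (owner and owner.group() != account_id):
            return True
    return False

def audit_bucket_policy(bucket, policy):
    """Return (Sid, impact) for Allow statements reachable from outside the account."""
    match = BUCKET_RE.match(bucket)
    if not match:
        raise ValueError(f"{bucket!r} does not follow the Beanstalk naming scheme")
    account_id, findings = match.group(2), []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_external(stmt.get("Principal"), account_id):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        for impact, actions in IMPACT.items():
            # Policy actions may be wildcards such as "s3:Get*" or "*"
            if any(fnmatchcase(a, p) for a in actions for p in patterns):
                findings.append((stmt.get("Sid", "<no Sid>"), impact))
    return findings

# Constructed sample policy (account IDs and Sids are made up)
SAMPLE_BUCKET = "elasticbeanstalk-us-east-1-111122223333"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "eb-role", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/aws-elasticbeanstalk-ec2-role"}},
    {"Sid": "partner-read", "Effect": "Allow", "Action": "s3:Get*",
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"}},
    {"Sid": "ci-upload", "Effect": "Allow", "Action": "s3:PutObject", "Principal": "*"},
    {"Sid": "deny-delete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Principal": "*"},
]}

if __name__ == "__main__":
    print(audit_bucket_policy(SAMPLE_BUCKET, SAMPLE_POLICY))
```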

Enumeration

# Find S3 bucket
ACCOUNT_NUMBER=<account_number>
for r in us-east-1 us-east-2 us-west-1 us-west-2 ap-south-1 ap-south-2 ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-southeast-1 ap-southeast-2 ap-southeast-3 ca-central-1 eu-central-1 eu-central-2 eu-west-1 eu-west-2 eu-west-3 eu-north-1 sa-east-1 af-south-1 ap-east-1 eu-south-1 eu-south-2 me-south-1 me-central-1; do
  aws s3 ls "elasticbeanstalk-$r-$ACCOUNT_NUMBER" 2>/dev/null && echo "Found in: elasticbeanstalk-$r-$ACCOUNT_NUMBER"
done
# Get apps and URLs
aws elasticbeanstalk describe-applications # List apps
aws elasticbeanstalk describe-application-versions # Get apps & bucket name with source code
aws elasticbeanstalk describe-environments # List envs
aws elasticbeanstalk describe-environments | grep -E "EndpointURL|CNAME"
aws elasticbeanstalk describe-configuration-settings --application-name <app_name> --environment-name <env_name>
aws elasticbeanstalk describe-environment-resources --environment-name <env_name> # Get env info such as SQS used queues
aws elasticbeanstalk describe-instances-health --environment-name <env_name> # Get the instances of an environment
# Get events
aws elasticbeanstalk describe-events
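
The output of `describe-configuration-settings` above is also what a defender reviews for the metadata setting mentioned in the Security section. The following added example (not part of the original page) parses that JSON, flags environments where the `DisableIMDSv1` option is not `true`, and, going one step beyond the text, flags environment properties whose name or value looks like a credential. The function name, regexes and sample data are constructed for illustration.

```python
import json
import re

# Elastic Beanstalk option that controls IMDSv1 on the environment's instances
IMDS_OPTION = ("aws:autoscaling:launchconfiguration", "DisableIMDSv1")
# Namespace that holds the application's environment properties
ENV_NAMESPACE = "aws:elasticbeanstalk:application:environment"
SECRET_NAME = re.compile(r"(secret|passw|token|api_?key|private_?key)", re.I)
ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

def audit_configuration(cli_output):
    """Return sorted (environment, finding) pairs from describe-configuration-settings JSON."""
    findings = []
    for env in json.loads(cli_output).get("ConfigurationSettings", []):
        name = env.get("EnvironmentName", "<template>")
        imds_v1_disabled = None
        for opt in env.get("OptionSettings", []):
            namespace, option = opt.get("Namespace"), opt.get("OptionName") or ""
            value = opt.get("Value") or ""
            if (namespace, option) == IMDS_OPTION:
                imds_v1_disabled = value.lower() == "true"
            elif namespace == ENV_NAMESPACE and value and (
                    SECRET_NAME.search(option) or ACCESS_KEY_ID.search(value)):
                # Report the property name only, never the value itself
                findings.append((name, f"secret-looking environment property {option}"))
        if imds_v1_disabled is None:
            findings.append((name, "DisableIMDSv1 not reported; check the launch template"))
        elif not imds_v1_disabled:
            findings.append((name, "IMDSv1 is enabled (DisableIMDSv1=false)"))
    return sorted(findings)

# Constructed sample output (environment names and values are made up)
SAMPLE_OUTPUT = json.dumps({"ConfigurationSettings": [
    {"EnvironmentName": "shop-prod", "OptionSettings": [
        {"Namespace": IMDS_OPTION[0], "OptionName": "DisableIMDSv1", "Value": "true"},
        {"Namespace": ENV_NAMESPACE, "OptionName": "DB_PASSWORD", "Value": "constructed-value"}]},
    {"EnvironmentName": "shop-dev", "OptionSettings": [
        {"Namespace": IMDS_OPTION[0], "OptionName": "DisableIMDSv1", "Value": "false"},
        {"Namespace": ENV_NAMESPACE, "OptionName": "LOG_LEVEL", "Value": "debug"}]},
]})

if __name__ == "__main__":
    for env_name, finding in audit_configuration(SAMPLE_OUTPUT):
        print(f"{env_name}: {finding}")
```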

Unauthenticated Access

Persistence

Privesc

Post Exploitation
