RhinoSecurityLabs
diff --git a/‎.github/workflows/docker-terraform-compatibility.yaml‎
Lines changed: 32 additions & 0 deletions b/‎.github/workflows/docker-terraform-compatibility.yaml‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎.github/workflows/finish-release.yml‎
Lines changed: 90 additions & 0 deletions b/‎.github/workflows/finish-release.yml‎
Lines changed: 90 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 77 additions & 53 deletions b/‎.github/workflows/release.yml‎
Lines changed: 77 additions & 53 deletions
diff --git a/‎Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 13 additions & 0 deletions b/‎README.md‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎cloudgoat/scenarios/beanstalk_secrets/README.md‎
Lines changed: 47 additions & 0 deletions b/‎cloudgoat/scenarios/beanstalk_secrets/README.md‎
Lines changed: 47 additions & 0 deletions
@@ -1,3 +1,6 @@
+# This action verifies compatibility between the terraform version used in Dockerfile and scenarios.
+# It also does a test build of the Dockerfile to verify nothing is broken.
+
 name: Docker Terraform validation
 
 on:
@@ -135,3 +138,32 @@ jobs:
           }
           echo "✔️ Success: ${{ matrix.scenario }}"
           echo "::endgroup::"
+
+  verify-docker-build:
+    runs-on: ubuntu-latest
+    steps:
+
+      # Checkout the repository
+      - name: Check out repository
+        uses: actions/checkout@v3
+
+      # Set up Docker Buildx for multi-architecture builds
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      # Build the Docker image for multiple architectures
+      - name: Build Docker Image amd64
+        run: |
+          docker buildx build \
+            --platform linux/amd64 \
+            --file Dockerfile \
+            --tag rhinosecuritylabs/cloudgoat:latest \
+            --load .
+
+      - name: Build Docker Image arm64
+        run: |
+          docker buildx build \
+            --platform linux/arm64 \
+            --file Dockerfile \
+            --tag rhinosecuritylabs/cloudgoat:latest \
+            --load .
@@ -0,0 +1,90 @@
+# Once Release PR merges
+# Tag as release
+# Release
+# Publish
+
+name: Tag and Publish
+
+on:
+  pull_request:
+    types:
+      - closed  # Only trigger when a PR is merged
+    branches:
+      - master  # Only trigger when merged into master
+
+jobs:
+  tag_and_publish:
+    if: startsWith(github.event.pull_request.head.ref, 'release-v')  # Only run for release PRs
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+      contents: write
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Install Poetry
+        run: pip install poetry
+
+      - name: Install Dependencies
+        run: poetry install
+
+      - name: Get Version from pyproject.toml
+        id: get_version
+        run: |
+          VERSION=$(poetry version -s)
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Tag the Release
+        run: |
+          git config --global user.name "GitHub Actions"
+          git config --global user.email "actions@github.com"
+          git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
+          git tag "v${{ env.VERSION }}"
+          git push origin "refs/tags/v${{ env.VERSION }}"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ env.VERSION }}
+          name: Release v${{ env.VERSION }}
+          draft: true
+          prerelease: false
+          generate_release_notes: true
+
+      - name: Build package
+        run: poetry build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+      # Set up Docker Buildx for multi-architecture builds
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      # Log in to Docker Hub using secrets
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      # Build and push the Docker image for multiple architectures
+      - name: Build and Push Docker Image
+        run: |
+          VERSION=${{ env.VERSION }}
+          docker buildx build \
+            --platform linux/amd64,linux/arm64 \
+            --file Dockerfile \
+            --tag rhinosecuritylabs/cloudgoat:$VERSION \
+            --tag rhinosecuritylabs/cloudgoat:latest \
+            --push .
@@ -1,58 +1,82 @@
-name: Release
+# This is triggered manually.
+# This will bump the version and open a release pull request
+# Once the PR is accepted finish-release runs.
+
 
-on:
-  push:
-    branches:
-      - main
+name: Release
 
+on: 
+  workflow_dispatch:
+    inputs:
+      SemVer_level:
+        type: choice
+        description: Which SemVer to bump
+        options: 
+        - major
+        - minor
+        - patch
+        default: patch
+      SemVer_version:
+        type: string
+        description: "Specify an exact version (leave empty to auto-bump)"
+        default: ""
+          
 jobs:
-  release:
+  create_release_branch:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout Repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # Required for versioning
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.10"
-
-      - name: Install Poetry
-        run: pip install poetry
-
-      - name: Install Dependencies
-        run: poetry install
-
-      - name: Run Tests
-        run: poetry run pytest  # Adjust if needed
-
-      - name: Bump Version
-        id: bump_version
-        run: |
-          poetry version patch  # Change to minor/major if needed
-          echo "VERSION=$(poetry version -s)" >> $GITHUB_ENV
-
-      - name: Commit & Tag New Version
-        run: |
-          git config --global user.name "GitHub Actions"
-          git config --global user.email "actions@github.com"
-          git add pyproject.toml
-          git commit -m "chore(release): bump version to $VERSION"
-          git tag "v$VERSION"
-          git push origin main --tags
-
-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: v${{ env.VERSION }}
-          name: Release v${{ env.VERSION }}
-          draft: true
-          prerelease: false
-          generate_release_notes: true
-
-      - name: Publish to PyPI
-        env:
-          POETRY_PYPI_TOKEN_PYPI: ${{ secrets.PYPI_API_TOKEN }}
-        run: poetry publish --build
+    - name: Checkout Repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.10'
+
+    - name: Install poetry
+      run: pip install poetry
+
+    - name: Install dependencies
+      run: poetry install
+
+    - name: Determine Version
+      id: determine_version
+      run: |
+        if [ -n "${{ github.event.inputs.SemVer_version }}" ]; then
+          VERSION=${{ github.event.inputs.SemVer_version }}
+          poetry version "$VERSION"
+        else
+          poetry version ${{ github.event.inputs.SemVer_level }}
+          VERSION=$(poetry version -s)
+        fi
+        sed -i "s/cloudgoat.version=\".*\"/cloudgoat.version=\"$VERSION\"/" Dockerfile
+        echo "VERSION=$VERSION" >> $GITHUB_ENV
+        echo "::set-output name=VERSION::$VERSION"
+
+    - name: Create Release Branch
+      run: |
+        git checkout -b release-v${{ env.VERSION }}
+
+    - name: Commit Version Change
+      run: |
+        git config --global user.name "GitHub Actions"
+        git config --global user.email "actions@github.com"
+        git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
+        git add .
+        git commit -m "chore(release): bump version to ${VERSION}"
+        git push origin release-v${{ env.VERSION }}
+
+    - name: Create Pull Request via CLI
+      run: |
+        gh auth login --with-token <<< "${{ secrets.GITHUB_TOKEN }}"
+        gh pr create \
+          --base master \
+          --head release-v${{ env.VERSION }} \
+          --title "Release v${{ env.VERSION }}" \
+          --body "Automated release PR for version v${{ env.VERSION }}" \
+          --draft=false
+      env:
+        GH_PAT: ${{ secrets.GITHUB_TOKEN }}
+        GH_REPO: ${{ github.repository }}
@@ -1,7 +1,7 @@
 FROM python:3.12-alpine
 
 LABEL maintainer="Rhino Assessment Team <cloudgoat@rhinosecuritylabs.com>"
-LABEL cloudgoat.version="2.0.0"
+LABEL cloudgoat.version="2.0.1"
 
 # Install bash, necessary tools, AWS CLI, and Terraform in a single layer
 RUN apk add --no-cache \
 
@@ -111,6 +111,19 @@ docker run -it -v ~/.aws:/root/.aws/ rhinosecuritylabs/cloudgoat:latest
 <details open>
   <summary><strong>Easy</strong></summary>
 
+---
+
+### beanstalk_secrets (Easy)
+`cloudgoat create beanstalk_secrets`
+
+In this scenario, you are provided with low-privileged AWS credentials that grant limited access to Elastic Beanstalk. Your task is to enumerate the Elastic Beanstalk environment and discover misconfigured environment variables containing secondary credentials. Using these secondary credentials, you can enumerate IAM permissions to eventually create an access key for an administrator user. With these admin privileges, you retrieve the final flag stored in AWS Secrets Manager.
+
+[Visit Scenario Page.](cloudgoat/scenarios/beanstalk_secrets/README.md)  
+
+Contributed by Tyler Ramsbey
+
+---
+
 ### sns_secrets (Easy)
 `cloudgoat create sns_secrets`
 
 
@@ -0,0 +1,47 @@
+# Scenario: beanstalk_secrets
+
+**Size:** Medium
+
+**Difficulty:** Moderate
+
+**Command:** `./cloudgoat.py create beanstalk_secrets`
+
+## Scenario Resources
+
+- 1 VPC
+- 1 Elastic Beanstalk Environment
+- 1 IAM Low-Privilege User
+- 1 IAM Secondary User
+- 1 AWS Secrets Manager Secret
+
+## Scenario Start(s)
+
+1. AWS Access Key and Secret Key for the low-privileged user.
+
+## Scenario Goal(s)
+
+Retrieve the final flag from AWS Secrets Manager by escalating privileges from a low-privileged user to an administrator account.
+
+## Summary
+
+In this scenario, you are provided with low-privileged AWS credentials that grant limited access to Elastic Beanstalk. Your task is to enumerate the Elastic Beanstalk environment and discover misconfigured environment variables containing secondary credentials. Using these secondary credentials, you can enumerate IAM permissions to eventually create an access key for an administrator user. With these admin privileges, you retrieve the final flag stored in AWS Secrets Manager.
+
+## Exploitation Route
+
+
+![Flowcharts](https://github.com/user-attachments/assets/cf16f767-d8b3-436f-9812-c2d06ea0876b)
+
+
+
+## Walkthrough - Elastic Beanstalk Secrets
+
+1. Start by using the provided low-privileged AWS credentials.
+2. Verify access with `aws sts get-caller-identity`.
+3. Enumerate Elastic Beanstalk applications and environments using Pacu’s `beanstalk__enum` module.
+4. Identify the EB environment with misconfigured environment variables that store secondary credentials.
+5. Use the secondary credentials to enumerate IAM resources and permissions.
+6. Discover that you can create an access key for an administrator user using the `iam:CreateAccessKey` permission.
+7. Generate an admin access key and take over the account.
+8. Finally, use the admin privileges to retrieve the final flag from AWS Secrets Manager.
+
+A detailed cheat sheet & walkthrough for this route is available [here](./cheat_sheet.md).