Vulnerability:
McDuck
SSH keys can be found in the cg-keystore-s3-bucket-cgixxx S3 bucket.
An attacker can take advantage of this to SSH into the EC2 instance, and then access another private S3 bucket.
Furthermore, a text file was left behind that contains login credentials for an RDS database.
Finally, the attacker can use these credentials to access the RDS database and acquire the Super-secret-passcode stored in the database.
Lara
After discovering a web application hosted behind a secured load balancer, the attacker reviews the contents of the load balancer, visits the secret admin URL, and finds that the web application is vulnerable to remote command execution.
As the web application runs as the root user, the attacker can exploit this vulnerability to run any command. The rest of this attack scenario is similar to the McDuck scenario.
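
Both paths depend on secrets left in S3: SSH private keys in the keystore bucket and a text file with database login credentials. The following is an added example, not part of the original write-up, showing how a defender could flag such objects during a bucket audit. The object names, sample contents and the scan_objects helper are assumptions constructed for illustration.

```python
import re

# Patterns for the two kinds of secret this write-up describes:
# SSH private keys and a text file holding database login credentials.
PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
DB_CRED = re.compile(
    rb"(?im)^\s*(?:db[_-]?)?(?:user(?:name)?|pass(?:word)?)\s*[:=]\s*\S+"
)


def scan_objects(objects):
    """Return {object_key: sorted finding labels} for objects that hold secrets.

    `objects` maps an object key to its body as bytes. The input here is
    constructed; in practice the bodies would come from a review of the bucket.
    """
    findings = {}
    for key, body in objects.items():
        labels = set()
        if PRIVATE_KEY.search(body):
            labels.add("ssh-private-key")
        if DB_CRED.search(body):
            labels.add("db-credentials")
        if labels:
            findings[key] = sorted(labels)
    return findings


# Constructed sample objects (hypothetical names, no real keys or credentials).
SAMPLE = {
    "keys/example-key": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n"
                        b"-----END RSA PRIVATE KEY-----\n",
    "keys/example-key.pub": b"ssh-rsa AAAACONSTRUCTED user@host\n",
    "notes/db.txt": b"Dear admin,\nusername: exampleuser\npassword: examplepass\n",
    "notes/readme.txt": b"Nothing sensitive here.\n",
}

if __name__ == "__main__":
    for key, labels in scan_objects(SAMPLE).items():
        print(key, labels)
```

Public keys and ordinary text are not flagged; only the private key and the credentials file are reported.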