Challenge 10 ☆☆☆☆

Welcome to Challenge 10. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

AWS Secrets Manager

The secret is now randomized and stored directly in AWS Secrets Manager. We're still mounting it into the K8s pod via the AWS provider for the Secrets Store CSI driver though... Can you access it?

Solution:

You can solve this challenge by the following steps:

  1. Find the secret in AWS Secrets Manager (this is the cheap way; try the other one too :) ):

    • Login to the AWS Console with the account with which you created the WrongSecrets setup.

    • Go to AWS Secrets Manager.

    • Get the data from the secret named wrongsecrets2.

  2. Find the secret by exec-ing into the pod:

    • Make sure you have kubectl installed as described in the README.MD, and that it is configured to send commands to the right cluster.

    • Now run kubectl get pods. This lists all pods in the namespace you are in, which for this app is normally default (unless your administrator/trainer specified otherwise).

    • For your instance of the WrongSecrets pod, run kubectl exec -it secret-challenge-<rest of the pod name from the previous step> -- /bin/sh.

    • Now examine the data in /mnt/secrets-store, where the CSI driver has mounted the secret.
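Both routes from the steps above, scripted, as an added example (this is not code from the WrongSecrets project). It assumes the AWS CLI is authenticated to the account that deployed WrongSecrets, that kubectl points at the right cluster, and that the secret id (wrongsecrets2), namespace (default) and mount path (/mnt/secrets-store) are the ones named on this page; the pick_challenge_pod helper and the run argument are my own. It also runs kubectl auth can-i, the quick check for whether the RBAC problem discussed further down applies to your current identity.

```shell
#!/bin/sh
# Added example (not part of the WrongSecrets project): both ways to reach the
# challenge 10 secret, plus the RBAC check that should block the second one in production.
# Assumptions: AWS CLI logged in to the account that deployed WrongSecrets,
# kubectl pointing at that cluster, and the names below matching your deployment.
set -eu

SECRET_ID="${SECRET_ID:-wrongsecrets2}"   # secret name used by the challenge
NAMESPACE="${NAMESPACE:-default}"         # unless your trainer told you otherwise
MOUNT="/mnt/secrets-store"                # where the CSI driver mounts the secret

# 1. The cheap way: read it straight from AWS Secrets Manager.
#    Needs secretsmanager:GetSecretValue on the secret; the account owner has it.
secret_from_aws() {
    aws secretsmanager get-secret-value \
        --secret-id "$SECRET_ID" \
        --query SecretString --output text
}

# Pick the WrongSecrets pod out of a `kubectl get pods -o name` listing.
# Pure text processing, so it can be exercised without a cluster.
# $1: newline-separated listing such as "pod/secret-challenge-7b9c8d-x2k4q"
pick_challenge_pod() {
    printf '%s\n' "$1" | sed -n 's#^pod/##p' | grep '^secret-challenge-' | head -n 1
}

# Can the current identity exec into pods at all?  For ordinary users in
# production this should print "no"; "yes" is what makes step 2 possible.
can_exec() {
    kubectl auth can-i create pods/exec -n "$NAMESPACE"
}

# 2. The exec way: run a shell in the pod and read the CSI mount.
secret_from_pod() {
    pod="$(pick_challenge_pod "$(kubectl get pods -n "$NAMESPACE" -o name)")"
    [ -n "$pod" ] || { echo "no secret-challenge pod in namespace $NAMESPACE" >&2; return 1; }
    # "--" separates kubectl's own flags from the command executed inside the container
    kubectl exec -n "$NAMESPACE" "$pod" -- /bin/sh -c "ls -l $MOUNT && cat $MOUNT/*"
}

# Only talk to AWS/Kubernetes when explicitly asked (sh challenge10.sh run), so the
# helpers above can be sourced and tested without any credentials.
if [ "${1:-}" = "run" ]; then
    echo "== AWS Secrets Manager =="; secret_from_aws
    echo "== kubectl auth can-i create pods/exec =="; can_exec || true
    echo "== contents of $MOUNT in the pod =="; secret_from_pod
fi
```

Run it as sh challenge10.sh run; without the argument it only defines the functions. The kubectl exec line is the same command as the manual step, with the interactive -it flags dropped because the shell is given a command to run rather than a terminal.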

Access to the administrator/owner account: if you used the AWS administrator account to read the secret, you can see why that is a bad idea in production. In short, with this account you can change anything within the AWS account, and you can easily exfiltrate any of the secrets it holds.

Last but not least: we could easily exec into the container and grep the mount holding the secret. Three things make this possible:

  • we are allowed to do so by RBAC, which should not be the normal case in production: otherwise everybody in your organization can poke around in the container.

  • we have executables in the container (sh, openssl, etc.) that we can use to set up a shell. Stripping every binary the application does not need from the image (for example by using a distroless base) reduces the attack surface and makes it harder for an attacker who achieved RCE in your container to move around inside it and gain further execution.

  • we have exposed the secret to the whole container runtime: it is mounted as a plain file under /mnt/secrets-store, so anybody who reaches a shell in the pod can dump it. We brought the secret close to the consumer, but maybe not close enough yet (e.g. only the application process itself should be able to read it).