Challenge 13 ☆☆☆

Welcome to challenge Challenge 13. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Github Forkable actions

When you want to manage secrets in your CI/CD pipeline, you should always wonder: who can have a look at them? Can you find the secret using the Github action?

Note: this challenge is a "bad crypto" challenge at the same time, but a little less easy that way.

Answer to solution :

You can solve this challenge by the following steps:

  1. Exfiltrate the secret using Github Actions. Please note that in the current configuration of the project the Action triggered by the owner/collaborator will include the secret. It will not if you try doing it using forks. Let’s discuss the steps:

    • Login to Github with your own account.

    • Go to and select Get the challenge code 13

    • Have a look at its latest run by one of the owners or collaborators.

    • Take the last attempt of the run, where the secret is base64 encoded. Copy the base64 encoded result and decode it somewhere twice.

    • Enter the decoded solution as an answer.

Why you need to be careful with CI/CD and secrets

When using CI/CD tooling, you often need to let the tooling (e.g. runner/agent that executes a job) use a secret to authenticate to a secondary service. Exfiltrating these secrets can become quite interesting. There are various ways to do this:

  • run a CI/CD tool in debug mode, or request more env vars, which, in turn, might be readable to everybody who has access to the build(log)

  • use exfiltration techniques such as the ones useful in this challenge to get the secret, which might be readable to everybody who has access to the build(log)

  • Use your access rights as an admin/maintainer of a repository or project to get the secrets.

Thus, it is vital that you:

  • Limit who has access to the job runs/job configuration/actual secrets

  • Log all actions of the system and alert on any exfiltration actions

  • Make sure that you have no long-living secrets in your CI/CD setup

Want to know more? Check the resources at the resources on the home page of the app.

Why Crypto is still very hard

As you can tell from the Challenge13 source code: we selected a pre-defined IV. We did this to ensure we would end up with the same ciphertext every time. One could argue that this is a bad instance of Convergent Encryption. This convergent encryption has a benefit: you can now tell whether a secret has changed if you have a fixed key and IV. However, this will get you into trouble if secrets are too short. You will end up with a collision when trying to find the plaintext by encrypting various plaintext pieces hoping to end up with the same ciphertext.