Challenge 14 ☆☆☆☆

Welcome to challenge Challenge 14. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Password Managers

When we showed this project to my friend Kees, he asked us: hey isn’t that the same as having a very weak password on your password manager? Because that’s what my colleague did.

So here it is: the password manager challenge! We have set up a Keepass file in the Docker container where we put secret credentials to Alibabacloud in. Can you get it?

Answer to solution :

You can solve this challenge by the following steps:

Note this challenge requires you to install Keepass(X) on your system to open the kdbx file.

  1. Get the Keepass file from the Docker container and open it.

    • take a look at the Dockerfile to see where the KeePass file has been copied to.

    • Follow the instructions of the Docker documentation to copy the Keepass file from the container’s root to your local filesystem.

    • Open the file using KeepassX. A password prompt will show.

    • First, check the code of Challenge14.java in github to see where the password might be stored. Then open the Application.properties file in the src/resources folder at the target repo and take a look at the property holding the KeePass password.

    • Now, use the password you found to open the Keepass file. The content should allow you to find credentials to Alibaba Cloud. That’s the answer!

  2. Get the Keepass file from the test resources: we were silly enough to put the same file in src/test/resources/alibabacreds.kdbx so you can open that ass well.

    • Check out the project using git and open the file, or get it from Github

    • Open the file using KeepassX. A password prompt will show.

    • First, check the code of Challenge14.java in github to see where the password might be stored. Then open the Application.properties file in the src/resources folder at the target repo and take a look at the property holding the KeePass password.

    • Now, use the password you found to open the Keepass file. The content should allow you to find credentials to Alibaba Cloud. That’s the answer!

Why you need to be careful with password to other secrets

Whether you have a password for an enterprise secretsmanagement system or a password manager: your authentication factors make the difference between a breached system and a secure system.

So in simple terms when you authenticate to your password manager directly: - have a strong password (E.g. a lengthy one!) - use MFA if possible - enable any sort of alerting when a new device and/or IP tries to touch it.

If you use SSO: make sure that the system to which you authenticate caters for the same controls: allow for lengthy strong passwords, MFA, and proper security alerts when something spiffy is going on.