Challenge 15 ☆☆

Welcome to challenge Challenge 15. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Git history

One of the mistakes we often make when we do commit secrets to Git, is trying to get rid of them without rotating the secret. What makes it worse, is that without properly overriding the commit with the secret and/or removing the commit, it will remain in history forever.

So, we kept some AWS access-keys in git as a "mistake", can you find them?

Note: the answer contains one of the 3 aws credential profiles you find in a commit its java comments, but then without the java comment markup as a single line. Alternatively you can just provide the secret access key with we are looking for.

Note-2: Did you know that these are working access keys[1]?! Go to stats when you tried them to find out more!


1. They are not "normal" AWS access keys: they are canary tokens! Though you can do aws sts get-caller-identity with them. When you use them, some of your data (IP/agent) is being logged.
Answer to solution :

You can solve this challenge by the following steps:

  1. Get the secret from older commits using Trufflehog

    • install trufflehog3 by running pip3 install trufflehog3 which requires python3 and pip to be installed

    • run trufflehog3 https://github.com/OWASP/wrongsecrets and take a look at the output: you should find 3 aws_secret_access_key one of them is the solution!

  2. Get the secret by "using the encryption" of the challenge as the encrypted materials are still in the java class (Note this is a more advanced test and requires some java skills).

    • Find the container which is used to offer this challenge to you

    • Extract the ciphertext for Challenge15

    • Clone the project locally and run it locally following the instructions at the Readme.md.

    • Debug the project, by setting a breakpoint at the beginning of the quickDecrypt method

    • Override the cipherText value with the ciphertext you extracted at step 2, and now find the plaintext.

Why you need to clean & rotate secrets

When you have a secret committed to Git by mistake, there will be ways to find it, by hand or with tools.

Therefore, when a secret is committed to Git by mistake:

  • Inform any responsible security authority in the organization

  • Make sure you rotate the secret

  • Optionally- cleanup: either use BFG repo-cleaner, or try to remove the offending commit in another way.

There are many ways to prevent committing a secret, by having a pre-commit hook configured with secret-detection controls for instance.

Note: "hiding" a wrong commit by adding more commits so that it will not show during a PR will just make it worse. At best, you should then squash the offending commit with the deletion commit together, so that the secret is only in your branch.

Note-2: if you pushed a secret, note that all pulling colleagues/bots might have it locally as well.

Note-3: the AWS keys hidden in this project are actual canary tokens. When you use them, then a call is done towards our CanariesController, which can possibly alert systems and/or data that the credentials/canary tokens have been used. The content of the last call to this endpoint can be found at our stats endpoint, for Heroku and Docker setups that is at stats. We creage and manage our canarytokens through Canarytokens.org. Imagine what you can do with Canary tokens in your organization!