Challenge 7

Welcome to challenge 7. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

A secret hidden in Vault

So now the secret is no longer in K8s or code… the developer hopes. If this challenge is enabled and you followed the setup instructions, the challenge should be running on K8s/Minikube, and you can now search for the secret. What is the mistake made here? Trufflehog might have been able to help if the entropy had been a little larger ;-).

Answer to solution:

You can solve this challenge by the following steps:

  1. Find the Secret in Vault using the logged root token:

    • When you setup the K8s environment, the script tells you the value of the root token as below:

      Key                  Value
      ---                  -----
      token                s.Jqka4lSy8ayQw2LFsvyAgnTI
      token_accessor       HEr9RYa3OcZNDOHeFRXIMYCV
      token_duration       ∞
      token_renewable      false
      token_policies       ["root"]
      identity_policies    []
      policies             ["root"]

    • Use the token to log in to Vault, which is exposed on port 8200.

    • Take a look around: can you find the location of the secret in the secrets overview?

Why you need to configure your secrets management solution well

HashiCorp Vault is designed to manage secrets. Vault safeguards secrets by storing them encrypted and adds a range of security controls around access to them.

Some of these controls are easy to misconfigure or misuse. In this challenge, the only way to use Vault is with (root) tokens, which can be leaked, even to Git by mistake. Such tokens should never be the default way of authenticating to Vault; instead, enable an authentication method such as LDAP or Azure.
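As an added example (not part of the challenge or the WrongSecrets project), the Python audit below parses the table that `vault login` prints, like the setup output in the solution steps above, and flags the three problems this section and those steps describe: the token value itself written to a log, the root policy, and a token with no TTL. The two sample outputs and the 24-hour TTL threshold are constructed assumptions.

```python
import re
# Constructed sample of the table `vault login` prints; token/accessor are placeholders.
ROOT_LOGIN = """\
Key                  Value
---                  -----
token                s.PLACEHOLDER_ROOT_TOKEN
token_accessor       PLACEHOLDER_ACCESSOR
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
"""
# Constructed sample of a scoped, short-lived token whose value was not echoed.
SCOPED_LOGIN = """\
Key                  Value
---                  -----
token_accessor       PLACEHOLDER_ACCESSOR
token_duration       1h
token_renewable      true
token_policies       ["default" "secret-reader"]
policies             ["default" "secret-reader"]
"""
def parse_login(text):
    """Two-column table -> dict, skipping the Key/--- header rows."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(.*)$", line.strip())
        if m and m.group(1) not in ("Key", "---"):
            fields[m.group(1)] = m.group(2).strip()
    return fields
def ttl_seconds(value):
    """'1h30m' -> 5400 seconds; '∞' (no TTL) -> None."""
    if value == "∞":
        return None
    return sum(int(n) * {"h": 3600, "m": 60, "s": 1}[u]
               for n, u in re.findall(r"(\d+)([hms])", value))
def audit_login(text):
    """Findings a reviewer would raise about one login output."""
    f = parse_login(text)
    findings = []
    if "token" in f:  # the credential itself landed in the log
        findings.append("token value printed: whoever keeps this log holds the credential")
    if "root" in re.findall(r'"([^"]*)"', f.get("policies", "")):
        findings.append("root policy: token can read and write every path in Vault")
    ttl = ttl_seconds(f.get("token_duration", "∞"))
    if ttl is None or ttl > 24 * 3600:  # assumed 24h threshold; tune to your policy
        findings.append("TTL missing or over 24h: a leaked token stays valid")
    return findings
```

Running `audit_login` over captured setup logs in CI is a cheap way to catch a root token before it reaches a repository.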

Next, the secret itself carries no metadata describing where it is used, which makes it harder to maintain the secret over time.

When using a third-party solution such as HashiCorp Vault or any other, make sure you read the documentation well and secure the system. Additionally, do a threat-model exercise to understand the risks of it being used wrongly.