Challenge 8 ☆☆

Welcome to challenge 8. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Generating random values

Now, let’s randomize the secret at startup…​ Can you find the answer? How can we use this on the next startup ;-)?

Tip: take a look at the logging of the application at startup!

Answer to solution :

You can solve this challenge by the following steps:

  1. Get the secret from the logging

    • Are you using the docker container? Use docker logs <containerID> to get the logs and find the value for challenge8

    • Are you using K8s? Find the Pod (kubectl get pods | grep secret) and then do kubectl logs -f <nameOfThePod> to get the logs and find the value for challenge 8.

PLEASE NOTE: you are running this challenge on a hosted version of WrongSecrets. If you are not hosting it yourself, you might not have access to the defined outputs above. When you are running a CTF: ask the organizer access to the logging.

What to look out for when using random secrets at startup

Using a random secret at startup might work if the secret does not need to be consumed by other systems than the system holding/generating the secret itself. Otherwise, you will need some sort of synchronisation mechanism.

The mechanism used here in this challenge, can be observed in various other systems, such as Jenkins for instance, where we used to see the admin password of Jenkins in the logs on first boot.

Though nothing might be necessarily wrong with this approach, there are a few things you need to pay attention to:

  • anybody with access to the logs, now has access to this secret. So be careful where you send your logs off to, and be careful who you allow to read the logs in your production system.

  • if the system does not restart for a very long time, the secret becomes stale. If you have to reboot often, so will the secret be rotated.

  • the moment you start persisting the secret, you will often end up with challenges like the ones you faced in this app.