Challenge 46 ☆☆☆☆

Welcome to Challenge 46. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

HashiCorp Vault Template Injection

Secrets can be retrieved from Vault using the Vault Agent sidecar container, which runs alongside your main application container. This sidecar can inject the secrets into your application's environment. One way to do this is to render the secrets as a file, which the target application can then pick up. However, in this case, the developer was unsure whether the file was picked up, so instead of exporting the secret as an env-var, he echoed it.

Can you find the secret injected into the application environment?

Answer to solution:

This challenge can be solved using the following ways:

  • Get the data of the sidecar by looking at the files created by Vault Agent sidecar:

    1. Run kubectl get pods -A and find secret-challenge-xxx pod name

    2. Run kubectl exec secret-challenge-xxx -c secret-challenge -n default -- cat vault/secrets/challenge46, where xxx is the rest of the randomly generated pod name, to print the injected secrets from Vault.

  • Get the data by checking the logs of the WrongSecrets pod as the echo is being sourced:

    1. Run kubectl get pods -A and find secret-challenge-xxx pod name

    2. Run kubectl logs secret-challenge-xxx, where xxx is the rest of the randomly generated pod name, to print the logs including the echo statement.

Note: if you are running this on a hosted environment, where you do not have access to the Kubernetes cluster, ask the organizer of the hosted solution to execute the commands for you and return the results.

Why is Vault Template Injection not always a good idea?

While Vault agent injection via templates can be a convenient way to manage secrets in certain scenarios, there are situations where it might not be the best approach.

Templates might accidentally expose sensitive information in logs or temporary files. If not properly configured, secrets could end up in places where they are accessible by unauthorized users or processes.

Let’s consider an example involving a template injection attack in a scripting language like PHP:

  1. Imagine a scenario where a PHP application uses a template with sensitive information

    • where the template can look like this: $password = "'; system('rm -rf /'); //"

  2. When the template is processed, it can become:

    • $connection = "password='; system('rm -rf /'); //"

To prevent such issues, it's crucial to ensure that the values retrieved from Vault are properly validated.
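
One way to apply that validation to the file Vault Agent renders, instead of sourcing it and echoing its contents. This shell function is an added example, not code from the original page or the WrongSecrets project; it assumes the rendered file holds NAME=value lines, and load_vault_env and DEMO_SECRET are hypothetical names.

```shell
#!/bin/sh
# Added example. Assumed file format: one "export NAME=value" or "NAME=value"
# per line; blank lines and "#" comments are allowed.
# Two passes: "check" validates every line, "apply" validates again and
# exports, so a bad line anywhere means nothing is loaded.
load_vault_env() {
    file=$1
    [ -r "$file" ] || return 1
    for pass in check apply; do
        lineno=0
        while IFS= read -r line || [ -n "$line" ]; do
            lineno=$((lineno + 1))
            case $line in ''|'#'*) continue ;; esac
            line=${line#export }
            name=${line%%=*}
            value=${line#*=}
            # Without "=", both expansions return the whole line.
            if [ "$name" = "$line" ]; then
                echo "line $lineno rejected: not NAME=value" >&2
                return 1
            fi
            # Name must be a plain shell identifier.
            case $name in
                ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                    echo "line $lineno rejected: bad variable name" >&2
                    return 1 ;;
            esac
            # Value allow-list: quotes, $, backticks, ;, spaces etc. fail.
            case $value in
                ''|*[!A-Za-z0-9_.:/@%+=-]*)
                    echo "line $lineno rejected: disallowed value" >&2
                    return 1 ;;
            esac
            # Plain assignment: the value is never evaluated or printed.
            if [ "$pass" = apply ]; then export "$name=$value"; fi
        done < "$file"
    done
    unset line value
    return 0
}

# Constructed sample standing in for the rendered secrets file.
demo=$(mktemp)
printf 'export DEMO_SECRET=constructed-sample-value\n' > "$demo"
load_vault_env "$demo" && echo "DEMO_SECRET loaded (value not printed)"
rm -f "$demo"
```

Error messages carry only the line number, so a rejected secret does not end up in the pod logs the way the echoed one does in this challenge.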

