OWASP WrongSecrets

Challenge 7 ☆☆☆☆

Welcome to challenge Challenge 7.

🔍 Your Task

Find the secret hidden in the WrongSecrets repository. This challenge focuses on Vault.

💡 Look for: Configuration files, source code, environment variables, Docker files, or cloud infrastructure related to this challenge.

A secret hidden in Vault

So now the secret is no longer in K8s or code… the developer hopes. If this challenge is enabled & you used the README.md instructions, then you should be able to have the challenge running on K8s/Minikube, and now you can search for the secret. What is the mistake made here? Trufflehog might have been able to help if the entropy was a little larger ;-).

This challenge has been disabled.This challenge has been disabled. Click "next" to go to the next challenge.

🔑 Enter the secret you found: 💡 Tip: Secrets are often strings, numbers, or encoded values. Copy and paste exactly what you find.

💡 Show Hints 🔍 What's Wrong?

You can solve this challenge by the following steps:

Find the Secret in Vault using the logged root token:
- When you setup the K8s environment, the script tells you the value of the root token as below:
  Key Value --- ----- token s.Jqka4lSy8ayQw2LFsvyAgnTI token_accessor HEr9RYa3OcZNDOHeFRXIMYCV token_duration ∞ token_renewable false token_policies ["root"] identity_policies [] policies ["root"]
- Use the token to login into Vault exposed at port 8200
- Take a look around: can you find the location of the secret in the secrets overview?

Why you need to configure your secrets management solution well

Hashicorp Vault is designed to manage secrets. Vault safeguards secrets by having them encrypted and has a lot of security controls involved to secure (access to) the secrets.

Some of these controls can easily be misconfigured or misused. In this challenge we only have (root)tokens to use vault and leak them, even to Git by mistake. These tokens should actually never be the default way of authenticating yourself towards vault. Instead, it is better to enable LDAP or Azure authentication instead.

Next, the secret itself does not have any metadata where it is used for. Which makes it harder to maintain the secret over time.

When using a third party solution, like Hashicorp Vault or any other: make sure you read the documentation well and secure the system. Additionally, do a threatmodel exercise to understand what the risks are of it being used wrongly.

⬅️ Previous

🏠 Main Page

Next ➡️

We are running outside a K8s cluster with Vault. Please run this in the K8s cluster as explained in the README.md

There might still be supported challenges after this one. Please try another challenge instead!

🔍 Your Task

A secret hidden in Vault

Congratulations!