echo "A versatile script to create a docker image for testing. Call this script with no arguments to simply create a local image that you can use to test your changes. For more complex use see the below help section"
echo "tag= Write a custom tag that will be added to the container when it is build locally."
13
13
echo "message= Write a message used for the actual tag-message in git"
skipped 14 lines
28
28
exit
29
29
fi
30
30
}
31
+
32
+
Okteto_redeploy(){
33
+
break_on_tag
34
+
echo "Rebuilding the Okteto environment: https://wrongsecrets-commjoen.cloud.okteto.net/"
35
+
echo "Check if all required binaries are installed"
36
+
source ../../scripts/check-available-commands.sh
37
+
checkCommandsAvailable okteto
38
+
echo "validating okteto k8 deployment to contain the right container with tag "${tag}" (should be part of '$(cat ../../okteto/k8s/secret-challenge-deployment.yml | grep image)')"
39
+
if [[ "$(cat ../../okteto/k8s/secret-challenge-deployment.yml | grep image)" != *"${tag}"* ]]; then
40
+
echo "tag ${tag} in ../../okteto/k8s/secret-challenge-deployment.yml not properly set, aborting"
41
+
exit
42
+
fi
43
+
cd ../../okteto
44
+
okteto destroy
45
+
okteto deploy
46
+
}
47
+
31
48
heroku_check_container() {
32
49
break_on_tag
33
50
echo "validating dockerfile to contain tag "${tag}" (should be part of '$(head -n 1 ../../Dockerfile.web)')"
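Review bot: the abort path in `Okteto_redeploy` exits with status 0: a bare `exit` returns the status of the preceding `echo`, so a caller or CI job sees a successful run even though the tag check failed and nothing was redeployed; use `exit 1` there (the earlier bare `exit` in this hunk has the same problem). Guard the directory change as `cd ../../okteto || exit 1`, since `okteto destroy` and `okteto deploy` would otherwise run from whatever directory the script happens to be in, and replace `cat ../../okteto/k8s/secret-challenge-deployment.yml | grep image` with `grep 'image:' ../../okteto/k8s/secret-challenge-deployment.yml` so the check matches the image line rather than any line that contains the word `image`.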
Don't want to go over the hassle of setting up K8S yourself? visit [https://wrongsecrets-commjoen.cloud.okteto.net](https://wrongsecrets-commjoen.cloud.okteto.net/). Please note that we are using the free Developer version here, so it might take a while for it to respond. Please: do not try to hack/Fuzz the application as this might bring it down and spoil the fun for others.
133
+
129
134
## Vault exercises with minikube
130
135
131
-
_Can be used for challenges 1-8, 12-23_
136
+
_Can be used for challenges 1-8, 12-24_
132
137
Make sure you have the following installed:
133
138
134
139
- minikube with docker (or comment out line 8 and work at your own k8s setup),
skipped 13 lines
148
153
149
154
## Cloud Challenges
150
155
151
-
_Can be used for challenges 1-23_
156
+
_Can be used for challenges 1-24_
152
157
153
158
**READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
154
159
never run this on an account which is related to your production environment or can influence your account-over-arching
skipped 215 lines
370
375
containers, try the following:
371
376
372
377
```shell
373
-
docker run -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock jeroenwillemsen/wrongsecrets-desktop:1.5.2
378
+
docker run -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock jeroenwillemsen/wrongsecrets-desktop:latest
374
379
```
375
380
376
381
or use something more configurable:
skipped 9 lines
386
391
-e KEYBOARD=en-us-qwerty \
387
392
-p 3000:3000 \
388
393
-v /var/run/docker.sock:/var/run/docker.sock \
389
-
--shm-size="1gb" \
394
+
--shm-size="2gb" \
390
395
--restart unless-stopped \
391
-
jeroenwillemsen/wrongsecrets-desktop:1.5.2
396
+
jeroenwillemsen/wrongsecrets-desktop:latest
392
397
```
393
398
394
399
And then at [http://localhost:3000](http://localhost:3000).
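Review bot: changing both documented `docker run` commands from `jeroenwillemsen/wrongsecrets-desktop:1.5.2` to `jeroenwillemsen/wrongsecrets-desktop:latest` makes them non-reproducible: `latest` is a mutable tag, so readers get whatever was pushed most recently and cannot tell which reviewed build they are running. Prefer keeping a release tag here (or pinning an `@sha256:` digest) and bumping it as part of the release process. Since the commands also keep `-v /var/run/docker.sock:/var/run/docker.sock`, a one-line remark that this hands the container control of the host Docker daemon would help readers decide where to run it.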
If you want to host a multi-user setup, you will probably want to share the state file so that everyone can try related challenges. We have provided a starter to easily do so using a Terraform gcs backend.
22
22
23
-
First, create an s3 bucket:
23
+
First, create an storage bucket:
24
24
25
25
1. Navigate to the 'shared-state' directory `cd shared-state`
26
26
2. Change the `project_id` in the `terraform.tfvars` file to your project id
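Review bot: grammar in the changed line: `First, create an storage bucket:` should read `First, create a storage bucket:`. Because the introduction above refers to a Terraform gcs backend, naming it `a GCS bucket` would make the rename from the old `s3 bucket` wording clearer.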
skipped 17 lines
44
44
5. Run `terraform init` (if required, use tfenv to select TF 0.14.0 or higher )
45
45
6. Run `terraform plan`
46
46
7. Run `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the GCP backplane.
47
-
8. When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`
47
+
8. When creation is done, run `gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION`.Noteifiterrorsonamissingplugintosupport`kubectl`,thenrun`gcloudcomponentsinstallgke-gcloud-auth-plugin`and`gcloudcontainerclustersget-credentialswrongsecrets-exercise-cluster`.
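Review bot: the sentence appended to step 8 has lost all its spaces and is unreadable as committed; it should read `Note: if it errors on a missing plugin to support `kubectl`, then run `gcloud components install gke-gcloud-auth-plugin` and `gcloud container clusters get-credentials wrongsecrets-exercise-cluster`.` The repeated `get-credentials` command also drops the `--region YOUR_REGION` argument that the first command in the same step passes; keep the two consistent, and consider putting the note on its own line so the step is not one long sentence.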
return new String(Base64.decode(Hex.decode(Base64.decode("NTYzMjY4MzU1MTMyMzk3NDYyNTc1Njc1NjQ0ODRlNDI2MzMxNDI2ODYzMzM0ZTdhNjQzMjM5Nzk1YTQ1NDY3OTVhNTU0YTY4NWE0NDRkMzA0ZTU2Mzg2Yg=="))));
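Review bot: `new String(byte[])` without a `Charset` argument decodes with the platform default charset, so the returned value can differ between hosts; pass `StandardCharsets.UTF_8` explicitly. The triple-nested `Base64.decode(Hex.decode(Base64.decode(...)))` on one line is also hard to review; splitting it into named intermediate variables would make the decoding order obvious.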
You can solve this challenge by the following steps:
2
+
3
+
1. Check the status of the configmap in Git
4
+
- Can you see where in git we stored the `secrets-config.yml`? If not, just do a search.
5
+
- Take a look at the `Data` field: what can you find there?
6
+
7
+
PLEASE NOTE: The following options will only work when you have access to the K8s API. In this hosted version of WrongSecrets you do not have that access. When you are running a CTF: ask the organizer for access to the K8s API.
8
+
9
+
10
+
2. Ask nicely using Kubectl:
11
+
- Make sure you have Kubectl installed as defined in the README.MD & make sure kubectl is configured to send commands to the right cluster.
12
+
- Do `kubectl get configmap`. Here you see all the configmaps active in the namespace you are in, which is for this app normally `default` (unless otherwise specified by your administrator/trainer).
13
+
- Now do `kubectl get configmap secrets-file -o Yaml`. Can you see the secret?
14
+
3. Exec into the pod and get the data:
15
+
- Make sure you have Kubectl installed as defined in the README.MD & make sure kubectl is configured to send commands to the right cluster.
16
+
- Do `kubectl get pods`. Here you see all the Pods active in the namespace you are in, which is for this app normally `default` (unless otherwise specified by your administrator/trainer).
17
+
- Now for your instance of the WrongSecrets pod, do `kubectl exec -it secret-challenge-<rest of the name of the pod from the prev.step> -- /bin/sh`.
18
+
- Now do `env | grep SPECIAL_K8S_SECRET` and there is your secret.
19
+
20
+
21
+
Note: `kubectl get <item> -A` gives you an overview of all the items over all the namespaces you have access to. It's important *not* to give people access to every namespace in your cluster, as this might mean leaking important config/items to them.
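Review bot: `kubectl get configmap secrets-file -o Yaml` will fail, because the `-o` output format is case-sensitive and must be `yaml`. `README.MD` should be `README.md` in both bullets. The note says the options require K8s API access, but step 3 additionally needs permission to exec into pods (`pods/exec`), not just read access, which is worth spelling out so a CTF organizer grants the right RBAC and nothing more.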
You can solve this challenge by the following steps:
2
+
3
+
1. Check the status of the secret in Git:
4
+
- Can you see where in git we stored the `secrets-secret.yml`? If not, just do a search.
5
+
- Take a look at the `Data` field: what can you find there?
6
+
7
+
PLEASE NOTE: The following options will only work when you have access to the K8s API. In this hosted version of WrongSecrets you do not have that access. When you are running a CTF: ask the organizer access to the targetted K8s API.
8
+
9
+
2. Ask nicely using Kubectl:
10
+
- Make sure you have Kubectl installed as defined in the README.MD & make sure kubectl is configured to send commands to the right cluster.
11
+
- Now do `kubectl get secrets` . Here you see all the configmaps active in the namespace you are in, which is for this app normally `default` (unless otherwise specified by your administrator/trainer).
12
+
- Now do `kubectl get secret funnystuff -o Yaml` . Can you see the secret?
13
+
3. Exec into the pod and get the data:
14
+
- Make sure you have Kubectl installed as defined in the README.MD & make sure kubectl is configured to send commands to the right cluster.
15
+
- Now do `kubectl get pods`. Here you see all the Pods active in the namespace you are in, which is for this app normally `default` (unless otherwise specified by your administrator/trainer).
16
+
- Now for your instance of the WrongSecrets pod, do `kubectl exec -it secret-challenge-<rest of the name of the pod from the prev.step> -- /bin/sh`.
17
+
- Now do `env | grep SPECIAL_SPECIAL_K8S_SECRET` and there is your secret.
18
+
19
+
20
+
Note: `kubectl get <item> -A` gives you an overview of all the items over all the namespaces you have access to. It's important *not* to give people access to every namespace in your cluster, as this might mean leaking important config/items to them.
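Review bot: the explanation after `kubectl get secrets` still says `Here you see all the configmaps active in the namespace`, copied from the configmap walkthrough; it should say secrets. `kubectl get secret funnystuff -o Yaml` has the same case problem as the configmap walkthrough and needs lowercase `yaml`. Typos in the added text: `targetted` should be `targeted`, `ask the organizer access` should be `ask the organizer for access`, and `README.MD` should be `README.md`.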
You can solve this challenge by the following steps:
2
+
3
+
1. Get the secret from the logging
4
+
- Are you using the docker container? Use `docker logs <containerID>` to get the logs and find the value for challenge8
5
+
- Are you using K8s? Find the Pod (`kubectl get pods | grep secret`) and then do `kubectl logs -f <nameOfThePod>` to get the logs and find the value for challenge 8.
6
+
7
+
PLEASE NOTE: you are running this challenge on a hosted version of WrongSecrets. If you are not hosting it yourself, you might not have accesss to the defined outputs above. When you are running a CTF: ask the organizer access to the logging.
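Review bot: typos in the added note: `accesss` should be `access` and `ask the organizer access` should be `ask the organizer for access`. In the K8s bullet, `kubectl logs -f <nameOfThePod>` follows the log stream and does not return; a plain `kubectl logs <nameOfThePod>` matches the one-shot read the step describes. The value is also named inconsistently (`challenge8` in the docker bullet, `challenge 8` in the K8s bullet).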