Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
8
8
9
-
Can you solve all the 20 challenges?
9
+
Can you solve all the 21 challenges?
10
10
![screenshot.png](screenshot.png)
11
11
12
12
## Support
skipped 2 lines
15
15
16
16
## Basic docker exercises
17
17
18
-
_Can be used for challenges 1-4, 8, 12-20_
18
+
_Can be used for challenges 1-4, 8, 12-21_
19
19
20
20
For the basic docker exercises you currently require:
21
21
skipped 3 lines
25
25
You can install it by doing:
26
26
27
27
```bash
28
-
docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.5-no-vault
28
+
docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.6-no-vault
29
29
```
30
30
31
31
Now you can try to find the secrets by means of solving the challenge offered at:
Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
49
50
skipped 10 lines
60
61
61
62
## Basic K8s exercise
62
63
63
-
_Can be used for challenges 1-6, 8, 12-19_
64
+
_Can be used for challenges 1-6, 8, 12-21_
64
65
65
66
### Minikube based
66
67
skipped 40 lines
107
108
108
109
## Vault exercises with minikube
109
110
110
-
_Can be used for challenges 1-8, 12-19_
111
+
_Can be used for challenges 1-8, 12-21_
111
112
Make sure you have the following installed:
112
113
113
114
- minikube with docker (or comment out line 8 and work at your own k8s setup),
skipped 4 lines
118
119
- vault [Install from here](https://www.vaultproject.io/downloads),
119
120
- grep, Cat, and Sed
120
121
121
-
Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-20.
122
+
Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-21.
122
123
123
124
When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
124
125
125
126
## Cloud Challenges
126
127
127
-
_Can be used for challenges 1-20_
128
+
_Can be used for challenges 1-21_
128
129
129
130
**READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
130
131
never run this on an account which is related to your production environment or can influence your account-over-arching resources.