From 1dc00adccfca8e23d9bca08daebe89918b39a205 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Tue, 29 Mar 2022 22:28:41 +0200 Subject: [PATCH] #189 add temporal instructions for using canary tokens in own account --- README.md | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 0f41646fb..0aa3b21dd 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ - + # OWASP WrongSecrets [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Want%20to%20dive%20into%20secrets%20management%20and%20do%20some%20hunting?%20try%20this&url=https://github.com/commjoen/wrongsecrets&hashtags=secretsmanagement,secrets,hunting,p0wnableapp,OWASP,WrongSecrets) @@ -6,7 +6,7 @@ Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques. -Can you solve all the 14 challenges? +Can you solve all the 15 challenges? ![screenshot.png](screenshot.png) ## Support @@ -15,7 +15,7 @@ Need support? Contact us via [OWASP Slack](https://owasp.slack.com/archives/C02K ## Basic docker exercises -_Can be used for challenges 1-4, 8, 12-14_ +_Can be used for challenges 1-4, 8, 12-15_ For the basic docker exercises you currently require: 
@@ -38,7 +38,8 @@ Now you can try to find the secrets by means of solving the challenge offered at - [localhost:8080/challenge/12](http://localhost:8080/challenge/12) - [localhost:8080/challenge/13](http://localhost:8080/challenge/13) - [localhost:8080/challenge/14](http://localhost:8080/challenge/14) - +- [localhost:8080/challenge/15](http://localhost:8080/challenge/15) +- Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-). ### Running these on Heroku @@ -54,7 +55,7 @@ You can test them out at [https://wrongsecrets.herokuapp.com/](https://wrongsecr ## Basic K8s exercise -_Can be used for challenges 1-6, 8, 12-14_ +_Can be used for challenges 1-6, 8, 12-15_ ### Minikube based @@ -101,7 +102,7 @@ now you can use the provided IP address and port to further play with the K8s va ## Vault exercises with minikube -_Can be used for challenges 1-8, 12-14_ +_Can be used for challenges 1-8, 12-15_ Make sure you have the following installed: - minikube with docker (or comment out line 8 and work at your own k8s setup), 
@@ -112,13 +113,13 @@ Make sure you have the following installed: - vault [Install from here](https://www.vaultproject.io/downloads), - grep, Cat, and Sed -Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at . This will allow you to run challenges 1-8, 12-14. +Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at . This will allow you to run challenges 1-8, 12-15. When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret. ## Cloud Challenges -_Can be used for challenges 1-14_ +_Can be used for challenges 1-15_ **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises, never run this on an account which is related to your production environment or can influence your account-over-arching resources. 
@@ -135,6 +136,18 @@ Follow the steps in [the README in the GCP subfolder](gcp/README.md). Follow the steps in [the README in the Azure subfolder](azure/README.md). +### Running Challenge15 in your own cloud only + +When you want to include your own Canarytokens for your cloud-deployment, do the following: +1. Fork the project. +2. Make sure you use the [GCP ingress](/gcp/k8s-vault-gcp-ingress-start.sh) or [AWS ingress](aws/k8s-aws-alb-script.sh) scripts to generate an ingress for your project. +3. Go to [canarytokens.org](https://canarytokens.org/generate) and select `AWS Keys`, in the webHook URL field add `/canaries/tokencallback`. +4. Encrypt the received credentials so that [Challenge15](/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge15.java) can decrypt them again. +5. Commit the unencrypted and encrypted materials to Git and then commit again without the decrypted materials. +6. Adapt the hints of Challenge 15 in your fork to point to your fork. +7. Create a container and push it to your registry +8. Override the K8s definition files for either [AWS](/aws/k8s/secret-challenge-vault-deployment.yml) or [GCP](/gcp/k8s/secret-challenge-vault-deployment.yml.tpl). + ## Do you want to play without guidance? Each challenge has a `Show hints` button and a `What's wrong?` button. These buttons help to simplify the challenges and give explanation to the reader. Though, the explanations can spoil the fun if you want to do this as a hacking exercise. Therefore, you can manipulate them by overriding the following settings in your env:
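Review bot: the first hunk (`@@ -1,4 +1,4 @@`) replaces line 1 of README.md with a line that shows no visible difference from the one it removes, so this is a whitespace or invisible-character change; either drop it from a PR whose subject is about Canarytoken instructions or name it in the description so reviewers know it is intentional.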
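Review bot: in the `@@ -38,7 +38,8 @@` hunk the added line `- Note that these challenges are still very basic, and so are their explanations. ...` carries a `- ` list prefix, so as the hunk reads the note becomes one more item of the challenge-link list directly under `challenge/15`; if it is meant as the standalone paragraph it was before, add it without the `- ` and keep a blank line between the list and the note.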
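Review bot: step 3 of the new `Running Challenge15 in your own cloud only` section tells the reader to put `/canaries/tokencallback` in the Canarytokens webhook URL field, but a bare path is not something the service can call back; state that the value is the public hostname of the ingress created in step 2 followed by `/canaries/tokencallback`. Step 4 says to encrypt the received credentials so that Challenge15 can decrypt them but not how (which key or mechanism, and where it is configured), and step 5 deliberately leaves the plaintext tokens in Git history, which is the point of the exercise; say so explicitly, otherwise the second commit reads as a clean-up that removes them. Minor: the heading says `Challenge15` while step 6 says `Challenge 15`, step 7 has no trailing period, and the GCP ingress link is root-relative (`/gcp/...`) while the AWS one is not (`aws/...`); use one form for both.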