Challenge 1

Welcome to challenge 1. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Centralized hardcoded password

When people write a Proof of Concept, they often start with hardcoded secrets, such as a password in code. What if we forget to remove these hardcoded secrets?

Can you spot the secret we are looking for in code? What about looking for it in the container?

Sometimes the simpler tools are the most effective. Try cloning the repo and use grep to see what you find. It is also possible to find with Git-secrets or Trufflehog. Just dive into the code!

Answer to solution :

Why using code to put secrets in is a bad idea.

You can tell by now that you can easily detect many secrets stored within code. Even when the code is compiled, you can still reverse-engineer it to find the secret. That’s why hardcoded secrets are never a good idea. We often fall for the misconception that if I cannot reverse-engineer it, so can’t an attacker, which is why many people believe that hardcoding in C/C++/Golang is safer than in Java. For those that think this: please decompile an app with tools like Ghidra.

Secrecy of a secret in code is one thing. Another challenge is openness: anyone with access to the code and/or compiled assets can learn the secret. To make it worse: if the developer who hardcoded the secret leaves the organization, he might know the secret as it is still in code! Similarly, when code leaks or the asset leaks, the secret will be compromised, and rotating will be hard. Besides: do you still know where this password is after a few years?