OWASP WrongSecrets

Welcome to challenge Challenge 11. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

AWS SSM Parameter Store

We’ve now used Parameter Store directly from within the app, but there’s an IAM problem…

Assume the role cant-read-secrets and try some IAM privilege escalation. Don’t cheat using your own roles :)

Here is where tools like ScoutSuite can really help detecting issues with your IAM setup. IAM might provide paths towards privilege escalation. These paths can often be used to create and/or assume other more powerful roles which might actually allow you to (among other things) read the secret.

If you’re stuck, try spotting the error in Terraform.

This challenge has been disabled.This challenge has been disabled. Click "next" to go to the next challenge.

Answer to solution :

What's wrong?

Secrets management is more than secure storage:

As you can tell by now: there are many ways to get to a secret: whether hardcoded, stored in a misconfigured third party solution, or stored correctly, but with the wrong IAM access rights in accounts next to it. You will, by now see, why we say that "your security maturity reflects in your secrets management".

In this specific case, this kind of role assumption should be impossible given the proper configuration, but it’s a good idea to monitor for these events and flag them as suspicious.

Go the main page

We are running outside a properly configured Cloud environment. Please run this in an AWS/Azure/GCP environment as explained in the README.md

There are still supported challenges after this one. Please try another challenge instead!

AWS SSM Parameter Store

Congratulations!