Challenge 15 ☆☆

Welcome to challenge Challenge 15. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Git history

One of the mistakes we often make when we do commit secrets to Git, is trying to get rid of them without rotating the secret. What makes it worse, is that without properly overriding the commit with the secret and/or removing the commit, it will remain in history forever.

So, we kept some AWS access-keys in git as a "mistake", can you find them?

Note: the answer contains one of the 3 aws credential profiles you find in a commit its java comments, but then without the java comment markup as a single line. Alternatively you can just provide the secret access key with we are looking for.

Note-2: Did you know that these are working access keys[1]?! Go to stats when you tried them to find out more!


1. They are not "normal" AWS access keys: they are canary tokens! Though you can do aws sts get-caller-identity with them. When you use them, some of your data (IP/agent) is being logged.
Answer to solution :

Why you need to clean & rotate secrets

When you have a secret committed to Git by mistake, there will be ways to find it, by hand or with tools.

Therefore, when a secret is committed to Git by mistake:

  • Inform any responsible security authority in the organization

  • Make sure you rotate the secret

  • Optionally- cleanup: either use BFG repo-cleaner, or try to remove the offending commit in another way.

There are many ways to prevent committing a secret, by having a pre-commit hook configured with secret-detection controls for instance.

Note: "hiding" a wrong commit by adding more commits so that it will not show during a PR will just make it worse. At best, you should then squash the offending commit with the deletion commit together, so that the secret is only in your branch.

Note-2: if you pushed a secret, note that all pulling colleagues/bots might have it locally as well.

Note-3: the AWS keys hidden in this project are actual canary tokens. When you use them, then a call is done towards our CanariesController, which can possibly alert systems and/or data that the credentials/canary tokens have been used. The content of the last call to this endpoint can be found at our stats endpoint, for Heroku and Docker setups that is at stats. We creage and manage our canarytokens through Canarytokens.org. Imagine what you can do with Canary tokens in your organization!