Finalize vault setup and extra user

OWASP · Jan 14, 2024 · 0dcd518 · 0dcd518
1 parent 7c1ee26
commit 0dcd518
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 4 deletions.
diff --git a/k8s-vault-minkube-start.sh b/k8s-vault-minkube-start.sh
@@ -45,7 +45,7 @@ else
   helm repo add hashicorp https://helm.releases.hashicorp.com
 fi
 kubectl create ns vault
-helm upgrade --install vault hashicorp/vault --version 0.23.0 --namespace vault --values k8s/helm-vault-values.yml
+helm upgrade --install vault hashicorp/vault --version 0.27.0 --namespace vault --values k8s/helm-vault-values.yml
 
 isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running)
 while [[ $isvaultrunning != *"vault-0"* ]]; do echo "waiting for Vault1" && sleep 2 && isvaultrunning=$(kubectl get pods -n vault --field-selector=status.phase=Running); done
@@ -87,17 +87,17 @@ kubectl exec vault-0 -n vault -- vault kv put secret/wrongsecret aaaauser."$(ope
 echo "Oepsi metadata"
 kubectl exec vault-0 -n vault -- vault kv metadata put -mount=secret -custom-metadata=secret="$(openssl rand -base64 16)" wrongsecret
 
-
 echo "Enable k8s auth"
 kubectl exec vault-0 -n vault -- vault auth enable kubernetes
 
 echo "Writing k8s auth config"
-
 kubectl exec vault-0 -n vault -- /bin/sh -c 'vault write auth/kubernetes/config \
         token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
         kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
         kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
 
+kubectl exec vault-0 -n vault -- vault audit enable file file_path=stdout
+
 echo "Writing policy for secret-challenge"
 kubectl exec vault-0 -n vault -- /bin/sh -c 'vault policy write secret-challenge - <<EOF
 path "secret/data/secret-challenge" {
@@ -109,11 +109,38 @@ path "secret/metadata/wrongsecret" {
 path "secret/subkeys/wrongsecret" {
   capabilities = ["read", "list" ]
 }
+path "secret/data/wrongsecret" {
+  capabilities = ["read", "list" ]
+}
 path "secret/data/application" {
   capabilities = ["read"]
 }
 EOF'
 
+kubectl exec vault-0 -n vault -- /bin/sh -c 'vault policy write standard_sre - <<EOF
+path "secret/data/secret-challenge" {
+  capabilities = ["list"]
+}
+path "secret/" {
+  capabilities = ["list"]
+}
+path "secret/*" {
+  capabilities = ["list"]
+}
+path "secret/*/subkeys/"{
+capabilities = ["list", "read"]
+}
+path "secret/*/subkeys/*"{
+capabilities = ["list", "read"]
+}
+path "secret/metadata/*"{
+capabilities = ["list", "read"]
+}
+EOF'
+
+kubectl exec vault-0 -n vault -- vault auth enable userpass
+kubectl exec vault-0 -n vault -- vault write auth/userpass/users/helper password=foo policies=standard_sre
+
 echo "Write secrets for secret-challenge"
 kubectl exec vault-0 -n vault -- vault write auth/kubernetes/role/secret-challenge \
         bound_service_account_names=vault \

diff --git a/scripts/install-vault.sh b/scripts/install-vault.sh
@@ -11,7 +11,7 @@ if [ $? == 0 ]; then
   echo "Vault ns is already there"
 else
   kubectl create ns vault
-  helm upgrade --install vault hashicorp/vault --version 0.23.0 --namespace vault --values ../k8s/helm-vault-values.yml
+  helm upgrade --install vault hashicorp/vault --version 0.27.0 --namespace vault --values ../k8s/helm-vault-values.yml
 fi
 
 
@@ -75,11 +75,38 @@ path "secret/metadata/wrongsecret" {
 path "secret/subkeys/wrongsecret" {
   capabilities = ["read", "list" ]
 }
+path "secret/data/wrongsecret" {
+  capabilities = ["read", "list" ]
+}
 path "secret/data/application" {
   capabilities = ["read"]
 }
 EOF'
 
+kubectl exec vault-0 -n vault -- /bin/sh -c 'vault policy write standard_sre - <<EOF
+path "secret/data/secret-challenge" {
+  capabilities = ["list"]
+}
+path "secret/" {
+  capabilities = ["list"]
+}
+path "secret/*" {
+  capabilities = ["list"]
+}
+path "secret/*/subkeys/"{
+capabilities = ["list", "read"]
+}
+path "secret/*/subkeys/*"{
+capabilities = ["list", "read"]
+}
+path "secret/metadata/*"{
+capabilities = ["list", "read"]
+}
+EOF'
+
+kubectl exec vault-0 -n vault -- vault auth enable userpass
+kubectl exec vault-0 -n vault -- vault write auth/userpass/users/helper password=foo policies=standard_sre
+
 echo "Write secrets for secret-challenge"
 kubectl exec vault-0 -n vault -- vault write auth/kubernetes/role/secret-challenge \
   bound_service_account_names=vault \

diff --git a/src/main/resources/explanations/challenge44_hint.adoc b/src/main/resources/explanations/challenge44_hint.adoc
@@ -20,3 +20,8 @@ This challenge can be solved using the following steps:
 
 -  Use the token to login into Vault exposed at port 8200
 -  Take a look around: can you find the location of the secret in the secrets overview?
+
+3. Find the secret as the SRE member
+- go to the vault web interface
+- login with in with username "helper" and password "foo"
+- find the actual secret.
diff --git a/src/main/resources/explanations/challenge45_hint.adoc b/src/main/resources/explanations/challenge45_hint.adoc
@@ -20,3 +20,8 @@ This challenge can be solved using the following steps:
 
 -  Use the token to login into Vault exposed at port 8200
 -  Take a look around: can you find the location of the secret in the secrets overview?
+
+3. Find the secret as the SRE member
+- go to the vault web interface
+- login with in with username "helper" and password "foo"
+- find the actual secret.