Merge pull request #1521 from OWASP/updatechallenge48

Update challenge48 to have both solutions in 1

README.md

@@ -15,7 +15,7 @@
 
 Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to _not_ store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy.
 
-Can you solve all the 46 challenges?
+Can you solve all the 48 challenges?
 
 Try some of them on [our Heroku demo environment](https://wrongsecrets.herokuapp.com/).
 
@@ -151,7 +151,7 @@ If you want to host WrongSecrets on Railway, you can do so by deploying [this on
 
 ## Basic K8s exercise
 
-_Can be used for challenges 1-6, 8, 12-43_
+_Can be used for challenges 1-6, 8, 12-43, 48_
 
 ### Minikube based
 
@@ -192,6 +192,7 @@ now you can use the provided IP address and port to further play with the K8s va
 -   [localhost:8080/challenge/challenge-5](http://localhost:8080/challenge/challenge-5)
 -   [localhost:8080/challenge/challenge-6](http://localhost:8080/challenge/challenge-6)
 -   [localhost:8080/challenge/challenge-33](http://localhost:8080/challenge/challenge-33)
+-   [localhost:8080/challenge/challenge-48](http://localhost:8080/challenge/challenge-48)
 
 ### k8s based
 
@@ -221,10 +222,11 @@ now you can use the provided IP address and port to further play with the K8s va
 -   [localhost:8080/challenge/challenge-5](http://localhost:8080/challenge/challenge-5)
 -   [localhost:8080/challenge/challenge-6](http://localhost:8080/challenge/challenge-6)
 -   [localhost:8080/challenge/challenge-33](http://localhost:8080/challenge/challenge-33)
+-   [localhost:8080/challenge/challenge-48](http://localhost:8080/challenge/challenge-48)
 
 ## Vault exercises with minikube
 
-_Can be used for challenges 1-8, 12-46_
+_Can be used for challenges 1-8, 12-48_
 Make sure you have the following installed:
 
 -   minikube with docker (or comment out line 8 and work at your own k8s setup),
@@ -235,14 +237,14 @@ Make sure you have the following installed:
 -   vault [Install from here](https://www.vaultproject.io/downloads),
 -   grep, Cat, and Sed
 
-Run `./k8s-vault-minikube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-46.
+Run `./k8s-vault-minikube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-48.
 
 When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`.
 This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
 
 ## Cloud Challenges
 
-_Can be used for challenges 1-46_
+_Can be used for challenges 1-48_
 
 **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
 never run this on an account which is related to your production environment or can influence your account-over-arching
@@ -305,14 +307,14 @@ Contributors:
 - [Marcin Nowak @drnow4u](https://www.github.com/drnow4u)
 - [Rodolfo Cabral Neves @roddas](https://www.github.com/roddas)
 - [Osama Magdy @osamamagdy](https://www.github.com/osamamagdy)
+- [Shubham Patel @Shubham-Patel07](https://www.github.com/Shubham-Patel07)
 - [Divyanshu Dev @Novice-expert](https://www.github.com/Novice-expert)
 - [Tibor Hercz @tiborhercz](https://www.github.com/tiborhercz)
 - [za @za](https://www.github.com/za)
 - [Chris Elbring Jr. @neatzsche](https://www.github.com/neatzsche)
 - [Diamond Rivero @diamant3](https://www.github.com/diamant3)
 - [Norbert Wolniak @nwolniak](https://www.github.com/nwolniak)
 - [Adarsh A @adarsh-a-tw](https://www.github.com/adarsh-a-tw)
-- [Shubham Patel @Shubham-Patel07](https://www.github.com/Shubham-Patel07)
 - [Filip Chyla @fchyla](https://www.github.com/fchyla)
 - [Turjo Chowdhury @turjoc120](https://www.github.com/turjoc120)
 - [Vineeth Jagadeesh @djvinnie](https://www.github.com/djvinnie)

src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge48.java

@@ -9,6 +9,7 @@ public class Challenge48 extends FixedAnswerChallenge {
 
   private final String sealedSecret;
 
+  /** This challenges is about how to misuse sealed secrets */
   public Challenge48(@Value("${SEALED_SECRET_ANSWER}") String sealedSecret) {
     this.sealedSecret = sealedSecret;
   }

src/main/resources/explanations/challenge48_hint.adoc

@@ -2,12 +2,17 @@ This challenge can be solved using the following ways:
 
 - Decrypt the sealed secret using the accessible private key found in the repository:
   1. Clone the repository containing the challenge files.
-  2. Locate the `sealed-db-credentials.yaml` file in the repository.
+  2. Locate the `sealed-challenge48.json` file in the repository.
   3. Find the unencrypted private key file named `main.key` in the repository.
   4. Use the `kubeseal` tool to decrypt the sealed secret:
      ``
-     kubeseal --recovery-unseal --recovery-private-key main.key < sealed-challenge48.json > unsealed-secret.yaml
+     kubeseal --recovery-unseal --recovery-private-key k8s/main.key < k8s/sealed-challenge48.json > unsealed-secret.yaml
      ``
   5. `unsealed-secret.yaml` is unsealed secret is base64 encoded, we need to decode it and the resulting text will be the answer.
 
+- Get access to the secret directly:
+  1. with access to the cluster, do `kubectl get secret challenge48secret -o yaml`
+  2. decode the secret.
+
+
 Note: Ensure you have a valid Kubernetes configuration and access to a Kubernetes cluster. If you are running this on a hosted environment where you do not have direct access to the Kubernetes cluster, ask the organizer of the hosted solution to execute the commands for you and return the results.

src/main/resources/explanations/challenge48_reason.adoc

@@ -15,3 +15,10 @@ Let's consider an example:
 
 To prevent such issues, it is crucial to ensure that private keys are stored securely and separately from the encrypted data.
 Always follow best practices for secret management and avoid exposing sensitive information in your repositories.
+
+*Food for thought on sealed secrets*
+Sealed secrets have some issues even when you keep the private key away from the repository.
+1.  If you don't configure RBAC or ABAC correctly, anyone can still access the secret when they can access the cluster.
+2. Sealed secrets are a type of hardcoded secret, which makes auditing difficult. Who or what accessed a secret, and from where?
+3. If you're going to rotate your sealing key, you'll need to rotate all of your secrets encrypted with said key -  potentially across dozens of repositories (as to why: see the git history challenge). How will you find them? And how do you identify which secrets were encrypted with what key? How do you make the previous version of a secret securely accessible?
+4. Sealed secrets can be subject to offline attacks, the viability of which depends on what you used to encrypt the secrets. Can you think of improper encryption schemes?

src/test/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge48Test.java

@@ -0,0 +1,21 @@
+package org.owasp.wrongsecrets.challenges.kubernetes;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.jupiter.api.Test;
+
+public class Challenge48Test {
+
+  @Test
+  void spoilerShouldGiveAnswer() {
+    var challenge = new Challenge48("answer");
+    assertThat(challenge.spoiler().solution()).isEqualTo("answer");
+    assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
+  }
+
+  @Test
+  void incorrectAnswerShouldNotSolveChallenge() {
+    var challenge = new Challenge48("answer");
+    assertThat(challenge.answerCorrect("wrong answer")).isFalse();
+  }
+}