wrongsecrets
Kubernetes ephemeral container to extract secret cached by subprocess
Context
- What should the challenge scenario be like? We're interfacing with a secrets mgmt system to keep our secret safe, but we don't want to make a network call every time we use the secret. We've built an abstraction to handle interfacing with the system, and for performance reasons, we're caching the secret in memory using a spawned subprocess (or in memory). Using an appropriate container with debugging tools (jmap?), we can extract the secret from the subprocess/the heap!
- What should the participant learn from completing the challenge? Being able to exec in prod can harm even relatively safe secrets. Also, be careful with debug modes 🤡
- For what category would the challenge be? (e.g. Docker, K8s, binary) K8s
Did you encounter this in real life? Could you tell us more about the scenario?
I had to attach a debug ephemeral container to a running one, which had multiple debugging tools installed.
If the challenge request is approved, would you be willing to submit a PR?
Yes
As agreed: we can start off with a gdb-debuggable process that generates a random secret and reads it upon next read, which you can capture with a debug container.
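A defender-side counterpart to the scenario above, added here as an example and not part of the original issue or the wrongsecrets code base: it scans Kubernetes API audit events for debug access to pods (ephemeral containers, `exec`, `attach`). It assumes audit logging is written as JSON lines, and that the policy records `requestObject` for the `ephemeralcontainers` subresource; the namespace, user names, pod name and image in the sample are constructed.

```python
import json

# Constructed sample audit events (JSON lines), not taken from a real cluster.
SAMPLE_AUDIT_LOG = """\
{"stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"prod","name":"secret-cache-0"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"patch","user":{"username":"bob"},"objectRef":{"resource":"pods","subresource":"ephemeralcontainers","namespace":"prod","name":"secret-cache-0"},"responseStatus":{"code":200},"requestObject":{"spec":{"ephemeralContainers":[{"name":"debugger","image":"example.invalid/debug-tools:latest","targetContainerName":"app"}]}}}
{"stage":"ResponseStarted","verb":"create","user":{"username":"carol"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"secret-cache-0"},"responseStatus":{"code":101}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"carol"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"secret-cache-0"},"responseStatus":{"code":101}}
not-json garbage line
"""

# Pod subresources that give interactive or debugger access, with the verbs
# that actually open that access (a GET on ephemeralcontainers is only a read).
WATCHED = {
    "ephemeralcontainers": {"patch", "update"},
    "exec": {"create", "get"},
    "attach": {"create", "get"},
}

def find_debug_access(log_text, namespaces=("prod",)):
    """Return one finding per completed debug-access request in the given namespaces."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the scan
        if not isinstance(ev, dict):
            continue
        ref = ev.get("objectRef") or {}
        sub = ref.get("subresource")
        # Long-running requests are logged at several stages; count each once.
        if ev.get("stage") != "ResponseComplete" or ref.get("resource") != "pods":
            continue
        if ev.get("verb") not in WATCHED.get(sub, ()):
            continue
        if ref.get("namespace") not in namespaces:
            continue
        # Present only when the audit policy logs request bodies (assumption).
        spec = (ev.get("requestObject") or {}).get("spec") or {}
        containers = spec.get("ephemeralContainers") or []
        findings.append({
            "user": (ev.get("user") or {}).get("username"),
            "action": sub,
            "pod": f'{ref.get("namespace")}/{ref.get("name")}',
            "code": (ev.get("responseStatus") or {}).get("code"),
            "targets": [(c.get("image"), c.get("targetContainerName"))
                        for c in containers if isinstance(c, dict)],
        })
    return findings
```
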