rewanthtammana

---
rule_files:
  - loki.all.rules.yml

tests:
  - interval: 1m
    input_series:
      - series: 'cortex_ring_members{container="service",   job="zj88t-prometheus/workload-zj88t/0", name="service", namespace="loki", node="ip-10-6-2-178.eu-central-1.compute.internal",  pod="loki-service-676b8c897b-rq298", provider="aws", service_priority="highest", state="Unhealthy"}'
        values: "0+0x20 1+0x160"  # 1 unhealthy value after 20 minutes
      - series: 'loki_panic_total{app="loki-service", container="service",    job="zj88t-prometheus/workload-zj88t/0", namespace="loki", node="ip-10-6-2-178.eu-central-1.compute.internal",  pod="loki-service-676b8c897b-rq29", provider="aws", service_priority="highest"}'

rewanthtammana

groups:
  - name: loki
    rules:
      # Rules inspired from loki-mixins - https://github.com/grafana/loki/blob/main/production/loki-mixin-compiled/alerts.yaml
      - alert: LokiRequestErrors
        annotations:
          description: This alert checks that we have less than 10% errors on Loki requests.
        expr: |
          100 * sum(rate(loki_request_duration_seconds_count{status_code=~"5.."}[1m])) by (namespace, job, route)
            /

rewanthtammana

#!/bin/bash
cd ~/environment
wget https://workshops.devax.academy/security-for-developers/module2/files/pipeline.zip
unzip pipeline.zip -d pipeline
cd ~/environment/pipeline/
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
cp config.yaml.sample config.yaml
cdk bootstrap

rewanthtammana

Keybase proof

I hereby claim:

• I am rewanthtammana on github.
• I am rewanthtammana (https://keybase.io/rewanthtammana) on keybase.
• I have a public key ASBECZndiO7ez7E4uTEa78vuaJgllZBNEMfY4MvFY9V-rAo

To claim this, I am signing this object:

rewanthtammana

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# Don't log requests for health & few other non-sensitive endpoints 
- level: None
  nonResourceURLs:
  - "/healthz*"
  - "/readyz*"
  - "/livez*"
  - "/logs"

rewanthtammana

# lsb_release -a
# /etc/apt/sources.list for squeeze

deb http://archive.debian.org/debian squeeze main
deb http://archive.debian.org/debian squeeze-lts main

# also edit /etc/resolv.conf with google's DNS and comment the provided DNS.

rewanthtammana

# lsb_release -a
# /etc/apt/sources.list for squeeze

deb http://archive.debian.org/debian squeeze main
deb http://archive.debian.org/debian squeeze-lts main

rewanthtammana

const plugin_version = '2018-1000-1000'
const plugin_name    = '888-block-all'

// 本插件用于测试拦截效果
// 
// 这个插件的逻辑是，不管请求是否正常，一律拦截
// 若要开启这个插件，请先删除下面的 throw :-)
// throw new Error("本插件会拦截所有操作，为了防止误操作，请请删掉这一行")

'use strict'

rewanthtammana

const plugin_version = '2018-1000-1000'
const plugin_name = '888-block-all'

// This plugin is used to test the interception effect
// 
// The logic of this plugin is that it will be intercepted regardless of whether the request is normal or not.
// To open this plugin, first remove the following throw :-)
// Throw new Error ("This plugin will block all operations, in order to prevent misuse, please delete this line")

'use strict'

rewanthtammana

Hints given - I don't like HTTP but I like table tennis.
Table tennis is also called as ping pong. This means the data is transmitted in ping packets. So, our data is in ICMP packets.

Add a filter in wireshark, ip.proto=="icmp" and you will get all the icmp packets.

You can also see that there is a data value in the ICMP packets. There are so many data packets and I used tshark to automate extration stuff but the results were not of any use.
Then I observed the size of data in each packet varies, they are of different sizes like 48 bytes and 2 bytes. 
You can clearly see that the 48 byte packets are trash data. So, I manually written all the 2 bytes values on the paper and then decoded that value which gave me the flag.

Flag - hackim18{'51mpL3st_Ch4ll3ng3_s0lv3d'}