From Shodan to Secrets: Red Teaming Vault in Kubernetes and Building a Secure Defense
In this session, we’ll walk through a real-world attack scenario targeting a misconfigured Kubernetes cluster with HashiCorp Vault deployed for secrets management. The attack begins externally—with Shodan reconnaissance—demonstrating how Vault, Consul, and Nomad instances are often unintentionally exposed on the internet. From there, we pivot into the Kubernetes environment, gaining access through an exposed dashboard or pod and abusing misconfigured policies, insecure token handling, and overly permissive access to exfiltrate secrets such as cloud credentials.
We’ll draw from a structured Kubernetes security learning path to simulate each stage of the attack chain:
External discovery using Shodan dorks to identify exposed HashiCorp services
Privilege escalation using service account tokens and Vault API misuse
Secrets extraction from Vault’s AWS secrets engine
Terraform state secrets misuse and token leakage
Defensive hardening using Vault auth methods, short-lived tokens, namespace scoping, and Kubernetes RBAC and network policies
To empower defenders, we’ll also share a practical script that automates exposure monitoring using the Shodan API. It allows security teams to detect when their Vault or related infrastructure becomes exposed, helping to close the gap between discovery and response.
Whether you're just starting your cloud security journey or actively defending production clusters, this talk offers an actionable blueprint for identifying risks, simulating real-world threats, and implementing security best practices for modern secrets management.

Saurabh Kumar Pandey
MIQ - Associate Engineering Manager
Bengaluru, India