echo "A versatile script to create a docker image for testing. Call this script with no arguments to simply create a local image that you can use to test your changes. For more complex use see the below help section"
Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
10
10
11
-
Can you solve all the 21 challenges?
11
+
Can you solve all the 22 challenges?
12
12
![screenshot.png](screenshot.png)
13
13
14
14
## Support
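Review bot: the changed line hard-codes the total ("Can you solve all the 22 challenges?"), and this same diff has to bump that number in six separate places of the README (the intro plus every "_Can be used for challenges ..._" range). Consider wording the intro without a fixed count, or keeping the count and ranges in one table near the top, so the next added challenge cannot leave a stale "21" behind in one of the sections.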
skipped 2 lines
17
17
18
18
## Basic docker exercises
19
19
20
-
_Can be used for challenges 1-4, 8, 12-21_
20
+
_Can be used for challenges 1-4, 8, 12-22_
21
21
22
22
For the basic docker exercises you currently require:
Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
52
53
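Review bot: the range "_Can be used for challenges 1-4, 8, 12-22_" on the changed line leaves the reader to work out why 5-7 and 9-11 are absent. From the later sections of this same diff, 5-6 only appear once the K8s setup is used, 7 only with Vault, and 9-11 only in the cloud deployment, so a short parenthetical such as "(5-7 need Kubernetes/Vault, 9-11 need a cloud account)" would stop people from hunting for those challenges in the plain docker image.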
skipped 10 lines
63
64
64
65
## Basic K8s exercise
65
66
66
-
_Can be used for challenges 1-6, 8, 12-21_
67
+
_Can be used for challenges 1-6, 8, 12-22_
67
68
68
69
### Minikube based
69
70
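Review bot: the changed line differs from the docker range only in "1-6" versus "1-4", and the "12-22" tail is identical in every section, so from the diff alone it is not visible whether challenge 22 was actually verified under the minikube deployment or the ranges were updated by search-and-replace. A one-line note in the commit message (or in this section) saying the new Go binary challenge runs unchanged in the K8s image would make that explicit for the next reviewer.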
skipped 40 lines
110
111
111
112
## Vault exercises with minikube
112
113
113
-
_Can be used for challenges 1-8, 12-21_
114
+
_Can be used for challenges 1-8, 12-22_
114
115
Make sure you have the following installed:
115
116
116
117
- minikube with docker (or comment out line 8 and work at your own k8s setup),
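Review bot: the instruction "or comment out line 8 and work at your own k8s setup" ties the README to a specific line number in the start script, which will silently go stale the next time that script is edited. Suggest naming the command to comment out (the `minikube start` invocation) instead of its line number, or adding an environment variable/flag to the script that skips it.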
skipped 4 lines
121
122
- vault [Install from here](https://www.vaultproject.io/downloads),
122
123
- grep, Cat, and Sed
123
124
124
-
Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-21.
125
+
Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-22.
125
126
126
127
When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
127
128
128
129
## Cloud Challenges
129
130
130
-
_Can be used for challenges 1-21_
131
+
_Can be used for challenges 1-22_
131
132
132
133
**READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
133
134
never run this on an account which is related to your production environment or can influence your account-over-arching resources.
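Review bot: the edited line keeps the filename typo "Run `./k8s-vault-minkube-start.sh`" while the next paragraph refers to the same script as `k8s-vault-minikube-start.sh`; since this line is touched anyway, correct the name so the copy-pasted command works. Two smaller points in the surrounding context: "grep, Cat, and Sed" should be lower-case as they are command names, and the "**READ THIS**" warning about IAM privilege escalation is split across a line break, which renders as one paragraph in markdown but reads oddly in the source.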
skipped 13 lines
147
148
### Running Challenge15 in your own cloud only
148
149
149
150
When you want to include your own Canarytokens for your cloud-deployment, do the following:
151
+
150
152
1. Fork the project.
151
153
2. Make sure you use the [GCP ingress](/gcp/k8s-vault-gcp-ingress-start.sh) or [AWS ingress](aws/k8s-aws-alb-script.sh) scripts to generate an ingress for your project.
152
154
3. Go to [canarytokens.org](https://canarytokens.org/generate) and select `AWS Keys`, in the webHook URL field add `<your-domain-created-at-step1>/canaries/tokencallback`.
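Review bot: step 3 tells the reader to use `<your-domain-created-at-step1>`, but step 1 is "Fork the project"; the domain comes from the ingress generated in step 2, so the placeholder should read `<your-domain-created-at-step2>`. Also, the two script links are inconsistent: `[GCP ingress](/gcp/k8s-vault-gcp-ingress-start.sh)` is an absolute path while `[AWS ingress](aws/k8s-aws-alb-script.sh)` is relative, and only one of the two forms will resolve correctly depending on where the README is rendered. The blank line this hunk adds before the numbered list is fine and needed for the list to render.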
Our third language of choice for a compiled application is Go. With the rise of its popularity, we see an increase of secrets hidden inside the binaries. Can you find the secret in our binary?
Similar like hiding secrets in an application written in C, you can do this in Rust. Ghidra is not that good at analysing Rust by default, though... Can you find the secret in our binary?
4
+
5
+
Let's debunk the "secrets are hard to find in native compiled applications" myth for Rust: can you find the secret in https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-rust[wrongsecrets-rust] (or https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-rust-arm[wrongsecrets-rust-arm], https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-rust-linux[wrongsecrets-rust-linux])?
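Review bot: "Similar like hiding secrets in an application written in C" should read "Similar to hiding secrets in an application written in C", and in the Go description "an increase of secrets hidden inside the binaries" reads better as "an increase in secrets hidden inside binaries". The three `https://...[label]` links for the rust, rust-arm and rust-linux variants are correct AsciiDoc link macros.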
This challenge is specifically looking at a secret in a Rust binary based on a https://doc.rust-lang.org/cargo/reference/profiles.html#release[release profile].
2
+
3
+
You can solve this challenge using the following steps:
4
+
5
+
1. Find the secrets with https://ghidra-sre.org/[Ghidra].
6
+
- Install https://ghidra-sre.org/[Ghidra].
7
+
- Start it whit `ghidraRun`.
8
+
- Load the application `wrongsecrets-rust` into ghidra by choosing a new project, then import the file and then doubleclick on it.
9
+
- Allow the Ghidra to analyze the application.
10
+
- Now import https://gist.github.com/str4d/e541f4c28e2bca80d222434ac1a204f4[demangle script] and run it via the Ghidra Script manager to demangle the functions.
11
+
- Find the `main` function in the `rust` namespace
12
+
- Find the argument that needs to be compared (in our example that is `local_80` as defined in `std::env::args((env *)&local_80);`)
13
+
- Find where the argument is compared (in our example that is `iVar1 = __stubs::_memcmp(local_80,puVar2,0x3b);`)
14
+
- Now search the input it is compared to (`puVar2`) its value. Can you find the secret?
15
+
- Alternatively: Go to the data type manager in the bottom left, now filter for `string`, now right-click at `string` as a member of `wrongsecrets-rust` and select `find uses of`. Then, filter for known keywords: you should easily be able to find the secret now!
16
+
17
+
2. Find the secrets with https://www.radare.org[radare2].
18
+
- Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`
19
+
- Launch r2 analysis with `$ r2 -AAA wrongsecrets-rust`
20
+
- Print the entrypoint `s sym.rust::main::h66ace6a84e548891` and then `pdf`. (not the default `main`!)
21
+
- Find the argument that needs to be compared with `pdf | grep memcmp` (in our example that is `r12`).
22
+
- Try to find how this argument is prepared. Can you spot the secret?
23
+
- Alternatively: after launching radare2, run `iz | grep secret` and find the string.
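Review bot: the radare2 step "Print the entrypoint `s sym.rust::main::h66ace6a84e548891`" pins a mangled symbol whose hash suffix is specific to this build of the binary; if the executables in the repository are rebuilt (as a commit adding a new Go binary may well do), that exact name will no longer exist. Suggest telling the reader to list the functions and locate the one named `rust::main` rather than copying the hash, and likewise flag that `local_80`, `puVar2` and `r12` are the decompiler's names for this particular build and architecture and may differ for the arm and linux variants linked from the challenge text. Typos in the same hunk: "Start it whit `ghidraRun`" should be "with", "Allow the Ghidra to analyze" should be "Allow Ghidra to analyze", and "Now search the input it is compared to (`puVar2`) its value" is clearer as "Now look up the value of the input it is compared with (`puVar2`)".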
*Why Using binaries to hide a secret will only delay an attacker.*
2
+
3
+
With beautiful free Reverse engineering applications as Ghidra, not a lot of things remain safe. Anyone who can load the executable in Ghidra or Radare2 can easily start doing a reconnaissance and find secrets within your binary.
4
+
5
+
Encrypting the secret with a key embedded in the binary, and other funny puzzles do delay an attacker and just make it fun finding the secret. Be aware that, if the secret needs to be used by the executable, it eventually needs to be in memory ready to be executed.
6
+
7
+
Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server.
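Review bot: the closing advice "Make sure it can only be retrieved remotely after authenticating against a server" moves the problem one level up rather than solving it: whatever the binary uses to authenticate to that server is itself a secret, and by the previous paragraph's own argument it will also end up in the binary or in memory. Suggest adding that the credential used for that authentication should not be baked in either, but come from something the runtime environment provides (a platform-asserted workload identity, a short-lived token issued at start-up, or a credential the user supplies), so that what ships in the binary is not sufficient on its own. Style points in the same hunk: "*Why Using binaries" should be "*Why using binaries", "applications as Ghidra" should be "applications such as Ghidra", and "ready to be executed" should be "ready to be used", since a secret is used, not executed.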