Projects STRLCPY wrongsecrets Commits 4076b201
    HELP.md
    1 1  # Getting Started
    2 2   
     3 +Please consult the [readme](./README.md), [Contributing](./CONTRIBUTING.md), [Code of Conduct](./CODE_OF_CONDUCT.md), our [ctf instructions](./ctf-instructions.md) and our [Wiki](https://github.com/OWASP/wrongsecrets/wiki) when you are getting started.
     4 + 
    3 5  ### Reference Documentation
    4 6  For further reference, please consider the following sections:
    5 7   
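Review bot: link text casing on the added line is inconsistent ("readme", "Contributing", "Code of Conduct", "ctf instructions", "Wiki"); suggest matching the documents' own titles, e.g. "README", "Contributing guide", "Code of Conduct", "CTF instructions" and "Wiki". The link `./ctf-instructions.md` is also written relative here while README.md in this same commit links it as `/ctf-instructions.md`; pick one form so both resolve the same way on GitHub and in rendered docs.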
    skipped 4 lines
    README.md
    skipped 308 lines
    309 309   
    310 310  We have 3 ways of playing CTFs:
    311 311   
    312  -- The quick "let's play"-approach based on our own Heroku domain [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com), which we documente for you here.
     312 +- The quick "let's play"-approach based on our own Heroku domain [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com) or our Okteto domain [https://wrongsecrets-ctf-commjoen.cloud.okteto.net/](https://wrongsecrets-ctf-commjoen.cloud.okteto.net/), which we documented for you here.
    313 313  - A more extended approach documented in [ctf-instructions.md](/ctf-instructions.md).
    314 314  - A fully customizable CTF setup where every player gets its own virtual instance of WrongSecrets and a virtual instance of the wrongsecrets-desktop, so they all can play hassle-free. For this you have to use [the WrongSecrets CTF Party setup](https://github.com/OWASP/wrongsecrets-ctf-party).
    315 315   
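Review bot: "which we documented for you here" on the new line 312 still has no link target, so a reader on this list has to scroll to find the CTFD walk-through further down in this README; suggest making "here" an in-page link to that section. While this list is being touched, "every player gets its own virtual instance" on the unchanged line 314 should read "their own".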
    skipped 2 lines
    318 318  Want to use CTFD to play a CTF based on the free Heroku wrongsecrets-ctf instance together with CTFD? You can!
    319 319   
    320 320  NOTE: CTFD support now works based on the [Juiceshop CTF CLI](https://github.com/juice-shop/juice-shop-ctf).
    321  -NOTE-II: [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com) (temporary down based on lack of oss credits) is based on a free heroku instance, which takes time to warm up.
    322  -Initial creation of the zip file for CTFD requires you to visit [https://wrongsecrets-ctf.herokuapp.com/api/Challenges](https://wrongsecrets-ctf.herokuapp.com/api/Challenges) once before executing the steps below.
     321 +NOTE-II: [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com) (temporary down based on lack of oss credits) is based on Heroku and has limited capacity. Alternatively you can use our Okteto setup at [https://wrongsecrets-ctf-commjoen.cloud.okteto.net/](https://wrongsecrets-ctf-commjoen.cloud.okteto.net/), which uses a free tier and needs some time to warm up. However, the Okteto environment does have more resources & supports the kubernetes challenges, unlike our Heroku setup that only supports the Docker challenges.
     322 +Initial creation of the zip file for CTFD requires you to visit [https://wrongsecrets-ctf.herokuapp.com/api/Challenges](https://wrongsecrets-ctf.herokuapp.com/api/Challenges) or [https://wrongsecrets-ctf-commjoen.cloud.okteto.net/](https://wrongsecrets-ctf-commjoen.cloud.okteto.net/) once before executing the steps below.
    323 323   
    324 324  Follow the following steps:
    325 325   
    326 326  ```shell
    327 327   npm install -g [email protected]
    328  - juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com as domain. No trailing slash! The key is 'TRwzkRJnHOTckssAeyJbysWgP!Qc2T', feel free to enable hints. We do not support snippets or links/urls to code or hints.
     328 + juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com (or https://wrongsecrets-ctf-commjoen.cloud.okteto.net/) as domain. No trailing slash! The key is 'TRwzkRJnHOTckssAeyJbysWgP!Qc2T', feel free to enable hints. We do not support snippets or links/urls to code or hints.
    329 329   docker run -p 8001:8000 -it ctfd/ctfd:3.4.3
    330 330  ```
    331 331   
    332 332  Now visit the CTFD instance at [http://localhost:8001](http://localhost:8001) and setup your CTF.
    333 333  Then use the administrative backup function to import the zipfile you created with the juice-shop-ctf command.
    334  -Game on using [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com)!
     334 +Game on using [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com) or [https://wrongsecrets-ctf-commjoen.cloud.okteto.net/](https://wrongsecrets-ctf-commjoen.cloud.okteto.net/)!
    335 335  Want to setup your own? You can! Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our heroku container.
    336 336   
    337 337  ## FBCTF Support (Experimental!)
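Review bot: the new juice-shop-ctf comment on line 328 says "No trailing slash!" and then gives the Okteto domain as `https://wrongsecrets-ctf-commjoen.cloud.okteto.net/`, with a trailing slash; suggest `https://wrongsecrets-ctf-commjoen.cloud.okteto.net` there so people do not copy the wrong form. On line 321, "temporary down" should be "temporarily down". Since the CTF key `TRwzkRJnHOTckssAeyJbysWgP!Qc2T` is printed in this section and the closing paragraph tells self-hosters to protect their key, it is worth stating explicitly that a self-hosted instance must be configured with its own `ctf_key` rather than this published one, otherwise the flags of the public instance and theirs are identical.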
    skipped 142 lines
    SECURITY.md
    skipped 13 lines
    14 14   
    15 15  Please use Slack to report a vulnerability in the [#project-wrongsecrets](https://owasp.slack.com/archives/C02KQ7D9XHR) channel. You can register for the OWASP Slack [here](https://owasp.org/slack/invite). Given this is a p0wnable app, we do not have any bug bounty or rewards for you ;-).
    16 16   
    17  -Given the project is ran by volunteers, we intend to respond within a week.
     17 +Given the project is run by volunteers, we intend to respond within a week.
    18 18   
    config/.lycheeignore
    skipped 2 lines
    3 3   
    4 4  # This is used as an example when creating a pull request
    5 5  https://github.com/Your_Github_Handle.*
    6  -https://wrongsecrets-ctf.herokuapp.com/api/Challenges
     6 +# Heroku is not guaranteed to be up
     7 +https://wrongsecrets-ctf.herokuapp.com/
    7 8  https://wrongsecrets.herokuapp.com
     9 +# Okteto is not guaranteed to be up
    8 10  https://wrongsecrets-commjoen.cloud.okteto.net/
     11 +https://wrongsecrets-ctf-commjoen.cloud.okteto.net/
    9 12  https://wrongsecrets.fly.dev/
    10 13  https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d
     14 +# Twitter its API does not like us
    11 15  https://twitter.com/intent/tweet?*
    12 16   
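Review bot: lychee treats each `.lycheeignore` line as a regular expression matched against the link, so replacing `https://wrongsecrets-ctf.herokuapp.com/api/Challenges` with the bare `https://wrongsecrets-ctf.herokuapp.com/` still excludes the `/api/Challenges` link that README keeps on its line 322; worth confirming in the link-check run that the Okteto `/api/Challenges` link is likewise covered by the new `https://wrongsecrets-ctf-commjoen.cloud.okteto.net/` entry. The comment `# Twitter its API does not like us` should read `# Twitter's API does not like us`.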
    okteto/k8s/secret-challenge-ctf-deployment.yml
     1 +apiVersion: apps/v1
     2 +kind: Deployment
     3 +metadata:
     4 + labels:
     5 + app: secret-challenge-ctf
     6 + name: secret-challenge-ctf
     7 + namespace: $OKTETO_NAMESPACE
     8 +spec:
     9 + progressDeadlineSeconds: 600
     10 + replicas: 1
     11 + revisionHistoryLimit: 10
     12 + selector:
     13 + matchLabels:
     14 + app: secret-challenge-ctf
     15 + strategy:
     16 + rollingUpdate:
     17 + maxSurge: 25%
     18 + maxUnavailable: 25%
     19 + type: RollingUpdate
     20 + template:
     21 + metadata:
     22 + labels:
     23 + app: secret-challenge-ctf
     24 + name: secret-challenge-ctf
     25 + spec:
     26 + securityContext:
     27 + runAsUser: 2000
     28 + runAsGroup: 2000
     29 + fsGroup: 2000
     30 + containers:
     31 + - image: jeroenwillemsen/wrongsecrets:1.5.14-no-vault
     32 + name: secret-challenge-ctf
     33 + imagePullPolicy: IfNotPresent
     34 + securityContext:
     35 + allowPrivilegeEscalation: false
     36 + readOnlyRootFilesystem: true
     37 + runAsNonRoot: true
     38 + capabilities:
     39 + drop:
     40 + - ALL
     41 + seccompProfile:
     42 + type: RuntimeDefault
     43 + ports:
     44 + - containerPort: 8080
     45 + protocol: TCP
     46 + readinessProbe:
     47 + httpGet:
     48 + path: "/actuator/health/readiness"
     49 + port: 8080
     50 + initialDelaySeconds: 30
     51 + timeoutSeconds: 5
     52 + periodSeconds: 5
     53 + failureThreshold: 8
     54 + livenessProbe:
     55 + httpGet:
     56 + path: "/actuator/health/liveness"
     57 + port: 8080
     58 + initialDelaySeconds: 35
     59 + timeoutSeconds: 30
     60 + periodSeconds: 40
     61 + failureThreshold: 5
     62 + resources:
     63 + requests:
     64 + memory: "512Mi"
     65 + cpu: "200m"
     66 + ephemeral-storage: "1Gi"
     67 + limits:
     68 + memory: "512Mi"
     69 + cpu: "1000m"
     70 + ephemeral-storage: "2Gi"
     71 + volumeMounts:
     72 + - name: "ephemeral"
     73 + mountPath: "/tmp"
     74 + terminationMessagePath: /dev/termination-log
     75 + terminationMessagePolicy: File
     76 + env:
     77 + - name: ctf_enabled
     78 + value: "true"
     79 + - name: hints_enabled
     80 + value: "false"
     81 + - name: ctf_key
     82 + value: TRwzkRJnHOTckssAeyJbysWgP!Qc2T
     83 + - name: vaultpassword
     84 + value: if_you_see_this_please_use_K8S_and_Vault
     85 + - name: default_aws_value_challenge_9
     86 + value: if_you_see_this_please_use_AWS_Setup
     87 + - name: default_aws_value_challenge_10
     88 + value: if_you_see_this_please_use
     89 + - name: default_aws_value_challenge_11
     90 + value: if_you_see_this_please_use
     91 + - name: canarytokenURLs
     92 + value: "https://canarytokens.org/history?token=cs07k832u9t1u4npowbvsw4mb&auth=7f75f2b2a4207c91fbc1ea59f7a495eb"
     93 + - name: challenge15ciphertext
     94 + value: "k9+HuPXEiFD6efujS5h1lOL1xgAC2OIgE2alg9JweUDy8k2SHUoG6I9FOhM1mgPKIUlyPWvROo+2T5p4qrAnuPYC/xAzVjGDUoN4eIXdXn+gwcYmL+Be8TodjXUt9U3g1/B9O2wyVZTT9Q839FaDHeBR4Og="
     95 + - name: challenge_acht_ctf_host_value
     96 + value: "not set"
     97 + - name: K8S_ENV
     98 + value: Okteto(k8s)
     99 + - name: SPECIAL_K8S_SECRET
     100 + valueFrom:
     101 + configMapKeyRef:
     102 + name: secrets-file
     103 + key: funny.entry
     104 + - name: SPECIAL_SPECIAL_K8S_SECRET
     105 + valueFrom:
     106 + secretKeyRef:
     107 + name: funnystuff
     108 + key: funnier
     109 + volumes:
     110 + - name: "ephemeral"
     111 + emptyDir: {}
     112 + dnsPolicy: ClusterFirst
     113 + restartPolicy: Always
     114 + schedulerName: default-scheduler
     115 + terminationGracePeriodSeconds: 30
     116 + 
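Review bot: `ctf_key` (line 81-82) is passed as a plain `value:` in a manifest committed to the repository, so it is readable by anyone with read access to the repo or to the Deployment object; the manifest already shows the better pattern for `SPECIAL_SPECIAL_K8S_SECRET` (a `secretKeyRef`), and since README in this commit warns self-hosters to keep their key out of reach, the same `secretKeyRef` approach should be used for `ctf_key` so that copies of this manifest do not ship a key in clear. The `canarytokenURLs` value (line 92) embeds the `auth=` parameter of the canarytokens.org history page; if that is deliberately part of the challenge, fine, otherwise it belongs in a Secret as well. The values of `default_aws_value_challenge_10` and `_11` (`if_you_see_this_please_use`) look truncated compared with `challenge_9` (`if_you_see_this_please_use_AWS_Setup`); please confirm that is intended. The container `securityContext` (runAsNonRoot, readOnlyRootFilesystem, all capabilities dropped, RuntimeDefault seccomp) together with the `emptyDir` on `/tmp` is a good baseline for a deliberately vulnerable app exposed on the internet.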
    okteto/k8s/secret-challenge-deployment.yml
    skipped 73 lines
    74 74   terminationMessagePath: /dev/termination-log
    75 75   terminationMessagePolicy: File
    76 76   env:
     77 + - name: canarytokenURLs
     78 + value: "https://canarytokens.org/history?token=n0cnd92mavmv1m61tjmyj9of5&auth=6519be82ef910868529091527c3edb3f"
     79 + - name: challenge15ciphertext
     80 + value: "k9+HuPXEiFD6efujS5h1lOL1xgAC2OIgE2alg9Jwe0qQlT+RGDJH/otpFgUzixTbCndwPW3HOqOCQYY844MgxM0N+RRbclS1bpJnYd7BT2aj8v4iA9xR8DwAjU0tt2n84PFKN4vNKjyNATETwPE1GQKBTIi1"
    77 81   - name: K8S_ENV
    78 82   value: Okteto(k8s)
    79 83   - name: SPECIAL_K8S_SECRET
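Review bot: the two added entries are inserted before `K8S_ENV`, whereas the new CTF manifest places `canarytokenURLs` and `challenge15ciphertext` after `challenge_acht_ctf_host_value`; keeping the `env` ordering identical between `secret-challenge-deployment.yml` and `secret-challenge-ctf-deployment.yml` makes the two files diffable and reduces the chance that one gets a value the other lacks. As in the CTF manifest, the `canarytokenURLs` value carries the `auth=` parameter of the canarytokens history page; if that is not meant to be public, source it from a Secret via `secretKeyRef` instead of an inline `value:`.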
    skipped 17 lines
    okteto/k8s/secrets-service-ctf.yml
     1 +apiVersion: v1
     2 +kind: Service
     3 +metadata:
     4 + name: wrongsecrets-ctf
     5 +spec:
     6 + type: LoadBalancer
     7 + ports:
     8 + - name: http
     9 + port: 8080
     10 + selector:
     11 + app: secret-challenge-ctf
     12 + 
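Review bot: the Service has no `metadata.namespace`, while the Deployment it targets sets `namespace: $OKTETO_NAMESPACE`; if the two files are not applied with the same namespace in effect, the selector `app: secret-challenge-ctf` matches no pods and the LoadBalancer fronts nothing. `targetPort` is omitted, which defaults to `port` (8080) and happens to match `containerPort: 8080` in the Deployment, but stating `targetPort: 8080` explicitly avoids a silent break if either side changes. `type: LoadBalancer` makes the CTF instance publicly reachable, which is the intent per README, so the `ctf_key` handling raised on the Deployment is what limits exposure here.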