Projects STRLCPY wrongsecrets Commits 4161b695
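--- a/Dockerfile.web
+++ b/Dockerfile.web
@@ -1,5 +1,4 @@
 FROM jeroenwillemsen/wrongsecrets:1.5.4-no-vault
-
 ARG argBasedVersion="1.5.4"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false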
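--- a/README.md
+++ b/README.md
@@ -211,6 +211,7 @@
 - [Joss Sparkes @remakingeden](https://github.com/remakingeden)
 - [Tibor Hercz @tiborhercz](https://github.com/tiborhercz)
 - [Filip Chyla @fchyla](https://github.com/fchyla)
+- [Chris Elbring Jr. @neatzsche](https://github.com/neatzsche)
 - [Dmitry Litosh @Dlitosh](https://github.com/Dlitosh)
 - [Josh Grossman @tghosth](https://github.com/tghosth)
 - [Spyros @northdpole](https://github.com/northdpole)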
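--- a/src/main/java/org/owasp/wrongsecrets/challenges/ChallengeTechnology.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/ChallengeTechnology.java
@@ -6,7 +6,7 @@
 
 public enum Tech {
 
-GIT("Git"), DOCKER("Docker"), CONFIGMAPS("Configmaps"), SECRETS("Secrets"), VAULT("Vault"), LOGGING("Logging"), TERRAFORM("Terraform"), CSI("CSI-Driver"), CICD("CI/CD"), PASSWORD_MANAGER("Password Manager"), CRYPTOGRAPHY("Cryptography"), BINARY("Binary"), FRONTEND("Front-end"), IAM("IAM privilege escalation");
+GIT("Git"), DOCKER("Docker"), CONFIGMAPS("Configmaps"), SECRETS("Secrets"), VAULT("Vault"), LOGGING("Logging"), TERRAFORM("Terraform"), CSI("CSI-Driver"), CICD("CI/CD"), PASSWORD_MANAGER("Password Manager"), CRYPTOGRAPHY("Cryptography"), BINARY("Binary"), FRONTEND("Front-end"), IAM("IAM privilege escalation"), WEB3("Web3");
 public final String id;
 
 Tech(String id) {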
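--- a/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge10.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge10.java
@@ -29,10 +29,11 @@
 public Challenge10(ScoreCard scoreCard,
 @Value("${secretmountpath}") String filePath,
 @Value("${default_aws_value_challenge_10}") String awsDefaultValue,
+@Value("${FILENAME_CHALLENGE10}") String fileName,
 RuntimeEnvironment runtimeEnvironment) {
 super(scoreCard, runtimeEnvironment);
 this.awsDefaultValue = awsDefaultValue;
-this.challengeAnswer = getCloudChallenge9and10Value(filePath, "wrongsecret-2");
+this.challengeAnswer = getCloudChallenge9and10Value(filePath, fileName);
 }
 
 @Override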
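Review bot: The new constructor parameter on line 32 is bound to `${FILENAME_CHALLENGE10}`, an upper-case key, while every neighbouring key (`secretmountpath`, `default_aws_value_challenge_10`) is lowercase snake case; Challenge9 has the same inconsistency with `FILENAME_CHALLENGE9`, and the application.properties hunk in this commit introduces both, so this is the moment to pick one convention. The constructor also gains a parameter without any Javadoc; I would add a `@param fileName` line stating that the value is handed to `getCloudChallenge9and10Value` together with `filePath` to locate the expected answer. That helper is defined outside the hunk, so confirm how it combines the two arguments before wording the comment as a path join.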
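--- a/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge9.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge9.java
@@ -29,10 +29,11 @@
 public Challenge9(ScoreCard scoreCard,
 @Value("${secretmountpath}") String filePath,
 @Value("${default_aws_value_challenge_9}") String awsDefaultValue,
+@Value("${FILENAME_CHALLENGE9}") String fileName,
 RuntimeEnvironment runtimeEnvironment) {
 super(scoreCard, runtimeEnvironment);
 this.awsDefaultValue = awsDefaultValue;
-this.challengeAnswer = getCloudChallenge9and10Value(filePath, "wrongsecret");
+this.challengeAnswer = getCloudChallenge9and10Value(filePath, fileName);
 }
 
 @Override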
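--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge25.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge25.java
@@ -0,0 +1,83 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+
+import lombok.extern.slf4j.Slf4j;
+import org.bouncycastle.util.encoders.Base64;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+import org.springframework.beans.factory.annotation.Value;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.List;
+
+@Slf4j
+@Component
+@Order(25)
+public class Challenge25 extends Challenge {
+ private final String cipherText;
+
+ public Challenge25(ScoreCard scoreCard, @Value("${challenge25ciphertext}") String cipherText) {
+ super(scoreCard);
+ this.cipherText = cipherText;
+ }
+
+ @Override
+ public boolean canRunInCTFMode() {
+ return true;
+ }
+
+ @Override
+ public Spoiler spoiler() {
+ return new Spoiler(quickDecrypt(cipherText));
+ }
+
+ @Override
+ public boolean answerCorrect(String answer) {
+ String correctString = quickDecrypt(cipherText);
+ return answer.equals(correctString);
+ }
+
+ @Override
+ public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
+ return List.of(RuntimeEnvironment.Environment.DOCKER);
+ }
+
+ @Override
+ public int difficulty() {
+ return 2;
+ }
+
+ @Override
+ public String getTech() {
+ return ChallengeTechnology.Tech.WEB3.id;
+ }
+
+ @Override
+ public boolean isLimittedWhenOnlineHosted() {
+ return false;
+ }
+
+ private String quickDecrypt(String cipherText) {
+ try {
+ final Cipher decryptor = Cipher.getInstance("AES/GCM/NoPadding");
+ SecretKey decryptKey = new SecretKeySpec("thiszthekeytoday".getBytes(StandardCharsets.UTF_8), "AES");
+ AlgorithmParameterSpec gcmIv = new GCMParameterSpec(128, Base64.decode(cipherText), 0, 12);
+ decryptor.init(Cipher.DECRYPT_MODE, decryptKey, gcmIv);
+ return new String(decryptor.doFinal(Base64.decode(cipherText), 12, Base64.decode(cipherText).length - 12));
+ } catch (Exception e) {
+ log.warn("Exception with Challenge 25", e);
+ return "";
+ }
+ }
+}
+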
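Review bot: `answerCorrect` on lines 45-48 accepts an empty submission whenever decryption fails, because `quickDecrypt` returns `""` from its catch block on line 79 and `"".equals("")` is true, so a missing or corrupted `challenge25ciphertext` property would mark the challenge solved for an empty answer. Guard it with `return !correctString.isEmpty() && correctString.equals(answer);`, which also removes the NullPointerException when `answer` is null. In `quickDecrypt`, `Base64.decode(cipherText)` is evaluated three times across lines 74 and 76; decode once into `byte[] raw = Base64.decode(cipherText);` and build the spec as `new GCMParameterSpec(128, raw, 0, 12)`. The `new String(...)` on line 76 uses the platform default charset although `StandardCharsets` is already imported for the key; `new String(decryptor.doFinal(raw, 12, raw.length - 12), StandardCharsets.UTF_8)` makes the plaintext decoding deterministic across JVMs. The class has no Javadoc; a one-line header stating that the challenge reveals a value stored on a public chain and that the ciphertext/key pairing is deliberate for this lesson would help the next maintainer.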
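--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -15,6 +15,8 @@
 default_azure_value=if_you_see_this_please_use_Azure_Setup
 AWS_ROLE_ARN=if_you_see_this_please_use_AWS_Setup
 AWS_WEB_IDENTITY_TOKEN_FILE=if_you_see_this_please_use_AWS_Setup
+FILENAME_CHALLENGE9=wrongsecret
+FILENAME_CHALLENGE10=wrongsecret-2
 azure.keyvault.enabled=false
 management.health.azure-key-vault.enabled=false
 azure.keyvault.uri=https://default.vault.localhost
@@ -42,6 +44,7 @@
 keepasspath=/var/tmp/helpers/alibabacreds.kdbx
 canarytokenURLs=http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp
 challenge15ciphertext=qcyRgfXSh0HUKsW/Xb5LnuWt9DgU8tQJfluR66UDDlmMgVWCGEwk1qxKCi4ZvzDwM38xP3nRFqO4SZEgqp8Ul8Ej/lNDbQCgBuszSILVSV6D9eojOMl6zTcNgzUmjW2K3dJKN9LqXOLYezEpEN2gUaYqPu2nVqmUptKTmXGwAnmQH1TIl2MUueRuXpRKe72IMzKenxZHKRsNFp+ebQebS3qzP+Q=
+challenge25ciphertext=dQMhBe8oLxIdGLcxPanDLS++srED/x05P+Ph9PFZKlL2K42vXi7Vtbh3/N90sGT087W7ARURZg==
 management.endpoint.health.probes.enabled=true
 management.health.livenessState.enabled=true
 management.health.readinessState.enabled=true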
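--- a/src/main/resources/explanations/challenge24_reason.adoc
+++ b/src/main/resources/explanations/challenge24_reason.adoc
@@ -1,7 +1,9 @@
 *Why copying Specs is a bad idea*
 
 When you try to implement cryptographic controls, it can be very daunting: there are a lot of details you need to pay attention to.
-By now you know that it is not recommended to copy every primite of an example for your own implementation. In this example we copied the HMAC key from a NIST spec, which anybody could have tried to use in order to brute-force the HMAC key used.
+By now you know that it is not recommended to copy every primitive of an example for your own implementation. In this example we copied the HMAC key from a NIST spec, which anybody could have tried to use in order to brute-force the HMAC key used.
 
 Please note that copying keys from specs/examples does not only hold for HMACs, it holds for any cryptographic operation (signing, encryption, decryption, etc.).
 
+Still need to generate a key? Make sure you use a Secure Random generator and the right library for your runtime to generate the key instead.
+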
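--- a/src/main/resources/explanations/challenge25.adoc
+++ b/src/main/resources/explanations/challenge25.adoc
@@ -0,0 +1,6 @@
+=== Secrets in smart contracts part 1
+
+On public blockchains, everything that is written on-chain is world-readable.
+
+In this challenge, you need to read the variable named secret from the contract `0x8b72f7cbAD50620c46219ad676Ad9d3a5A273587` on the Goerli EVM Testnet.
+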
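--- a/src/main/resources/explanations/challenge25_hint.adoc
+++ b/src/main/resources/explanations/challenge25_hint.adoc
@@ -0,0 +1,22 @@
+You can solve this challenge by the following steps:
+
+Option 1:
+1. Look under the contract creation transaction on https://goerli.etherscan.io/tx/0x497b71a1fd4c57509bfecc2114ec649387fe669c23a3a7e97961f389444d9561[Etherscan]
+2. Go to state and look at storage.
+
+Option 2:
+1. Look under the contract creation transaction on https://goerli.etherscan.io/tx/0x497b71a1fd4c57509bfecc2114ec649387fe669c23a3a7e97961f389444d9561[Etherscan]
+2. Have a look at the input data.
+
+Option 3:
+1. Create an Infura key at https://infura.io/[Infura].
+2. Write a simple script with web3js to call the view function on the public string "secret"
+
+Option 2:
+1. Create an Infura key at https://infura.io/[Infura].
+2. Read the storage at position 0 for the contract like:
+curl https://goerli.infura.io/v3/${<your-infura-key>} \
+ -X POST \
+ -H "Content-Type: application/json" \
+ -d '{"jsonrpc":"2.0", "method": "eth_getStorageAt", "params": ["0x8b72f7cbAD50620c46219ad676Ad9d3a5A273587", "0x0", "latest"], "id": 1}'
+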
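--- a/src/main/resources/explanations/challenge25_reason.adoc
+++ b/src/main/resources/explanations/challenge25_reason.adoc
@@ -0,0 +1,6 @@
+*Why storing secrets on the blockchain is a bad idea*
+
+You should never commit any secret to the blockchain. All data is public. Especially when a variable is public, it is very easy to read.
+
+Still need to use a secret? Make sure it is part of a supporting system (E.g. an external service you create).
+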
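--- a/src/main/resources/templates/welcome.html
+++ b/src/main/resources/templates/welcome.html
@@ -92,6 +92,7 @@
 <li><a href="https://github.com/remakingeden">Joss Sparkes @remakingeden</a></li>
 <li><a href="https://github.com/tiborhercz">Tibor Hercz @tiborhercz</a></li>
 <li><a href="https://github.com/fchyla">Filip Chyla @fchyla</a></li>
+<li><a href="https://github.com/neatzsche">Chris Elbring Jr. @neatzsche</a>
 <li><a href="https://github.com/Dlitosh">Dmitry Litosh @Dlitosh</a></li>
 <li><a href="https://github.com/tghosth">Josh Grossman @tghosth</a></li>
 <li><a href="https://github.com/northdpole">Spyros @northdpole</a></li>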
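Review bot: The added `<li>` on line 95 is the only entry in the list without a closing tag; it should read `<li><a href="https://github.com/neatzsche">Chris Elbring Jr. @neatzsche</a></li>`. Browsers implicitly close a `li` when the next one starts, so the page still renders, but an HTML validator or a strict template processor will report it, and the unclosed element breaks the pattern the surrounding lines establish. The matching README entry in this commit is well-formed.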
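--- a/src/test/java/org/owasp/wrongsecrets/challenges/cloud/Challenge10Test.java
+++ b/src/test/java/org/owasp/wrongsecrets/challenges/cloud/Challenge10Test.java
@@ -29,14 +29,14 @@
 var secret = "secretvalueWitFile";
 Files.writeString(testFile.toPath(), secret, StandardOpenOption.CREATE, StandardOpenOption.WRITE, StandardOpenOption.TRUNCATE_EXISTING);
 
-var challenge = new Challenge10(scoreCard, dir.toString(), "test", runtimeEnvironment);
+var challenge = new Challenge10(scoreCard, dir.toString(), "test", "wrongsecret-2", runtimeEnvironment);
 
 Assertions.assertThat(challenge.answerCorrect("secretvalueWitFile")).isTrue();
 }
 
 @Test
 void solveChallenge10WithoutAWSFile(@TempDir Path dir) {
-var challenge = new Challenge10(scoreCard, dir.toString(), "test", runtimeEnvironment);
+var challenge = new Challenge10(scoreCard, dir.toString(), "test", "wrongsecret-2", runtimeEnvironment);
 
 Assertions.assertThat(challenge.answerCorrect("secretvalueWitFile")).isFalse();
 }
@@ -45,7 +45,7 @@
 void whenGCPEnvGCPDocumentationShouldBeReturned() {
 Mockito.when(runtimeEnvironment.getRuntimeEnvironment()).thenReturn(RuntimeEnvironment.Environment.GCP);
 
-var challenge = new Challenge10(scoreCard, "", "test", runtimeEnvironment);
+var challenge = new Challenge10(scoreCard, "", "test", "wrongsecret-2", runtimeEnvironment);
 
 Assertions.assertThat(challenge.getExplanation()).isEqualTo("challenge10-gcp");
 }
@@ -54,7 +54,7 @@
 void whenAWSEnvAWSDocumentationShouldBeReturned() {
 Mockito.when(runtimeEnvironment.getRuntimeEnvironment()).thenReturn(RuntimeEnvironment.Environment.AWS);
 
-var challenge = new Challenge10(scoreCard, "", "test", runtimeEnvironment);
+var challenge = new Challenge10(scoreCard, "", "test", "wrongsecret-2", runtimeEnvironment);
 
 Assertions.assertThat(challenge.getExplanation()).isEqualTo("challenge10");
 }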
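--- a/src/test/java/org/owasp/wrongsecrets/challenges/cloud/Challenge9Test.java
+++ b/src/test/java/org/owasp/wrongsecrets/challenges/cloud/Challenge9Test.java
@@ -25,7 +25,7 @@
 
 @Test
 void solveChallenge9WithoutFile(@TempDir Path dir) {
-var challenge = new Challenge9(scoreCard, dir.toString(), "test", runtimeEnvironment);
+var challenge = new Challenge9(scoreCard, dir.toString(), "test", "wrongsecret", runtimeEnvironment);
 
 Assertions.assertThat(challenge.answerCorrect("secretvalueWitFile")).isFalse();
 }
@@ -36,7 +36,7 @@
 var secret = "secretvalueWitFile";
 Files.writeString(testFile.toPath(), secret);
 
-var challenge = new Challenge9(scoreCard, dir.toString(), "test", runtimeEnvironment);
+var challenge = new Challenge9(scoreCard, dir.toString(), "test", "wrongsecret", runtimeEnvironment);
 
 Assertions.assertThat(challenge.answerCorrect("secretvalueWitFile")).isTrue();
 }
@@ -47,7 +47,7 @@
 var secret = "secretvalueWitFile";
 Files.writeString(testFile.toPath(), secret);
 
-var challenge = new Challenge9(scoreCard, dir.toString(), "test", runtimeEnvironment);
+var challenge = new Challenge9(scoreCard, dir.toString(), "test", "wrongsecret", runtimeEnvironment);
 
 Assertions.assertThat(challenge.spoiler()).isEqualTo(new Spoiler("secretvalueWitFile"));
 }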
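--- a/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge25Test.java
+++ b/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge25Test.java
@@ -0,0 +1,28 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.wrongsecrets.ScoreCard;
+
+@ExtendWith(MockitoExtension.class)
+class Challenge25Test {
+
+ @Mock
+ private ScoreCard scoreCard;
+
+
+ @Test
+ void rightAnswerShouldSolveChallenge() {
+ var challenge = new Challenge25(scoreCard, "dQMhBe8oLxIdGLcxPanDLS++srED/x05P+Ph9PFZKlL2K42vXi7Vtbh3/N90sGT087W7ARURZg==");
+ Assertions.assertThat(challenge.solved(challenge.spoiler().solution())).isTrue();
+ Mockito.verify(scoreCard).completeChallenge(challenge);
+ }
+
+
+
+}
+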
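Review bot: `rightAnswerShouldSolveChallenge` on lines 19-23 only feeds the spoiler back into `solved`, which would still pass if `quickDecrypt` silently returned an empty string for an unusable ciphertext, since the spoiler and the expected answer come from the same call. Add a negative case such as `Assertions.assertThat(challenge.answerCorrect("wrong")).isFalse();` and an assertion like `Assertions.assertThat(challenge.spoiler().solution()).isNotEmpty();` so the test actually pins that decryption succeeded. The ciphertext literal on line 20 duplicates the `challenge25ciphertext` value added to application.properties in this commit; a named constant with a comment pointing at that property would make the coupling visible when either side is rotated.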
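--- a/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetCloudValuesTest.java
+++ b/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetCloudValuesTest.java
@@ -47,7 +47,7 @@
 
 @Test
 void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge9() throws Exception {
-var spoil = new Challenge9(new InMemoryScoreCard(1), null, "ACTUAL_ANSWER_CHALLENGE9", new RuntimeEnvironment(RuntimeEnvironment.Environment.HEROKU_DOCKER)).spoiler().solution();
+var spoil = new Challenge9(new InMemoryScoreCard(1), null, "ACTUAL_ANSWER_CHALLENGE9", "wrongsecret", new RuntimeEnvironment(RuntimeEnvironment.Environment.HEROKU_DOCKER)).spoiler().solution();
 mvc.perform(post("/challenge/9")
 .contentType(MediaType.APPLICATION_FORM_URLENCODED)
 .param("solution", spoil)
@@ -59,7 +59,7 @@
 
 @Test
 void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge10() throws Exception {
-var spoil = new Challenge10(new InMemoryScoreCard(1), null, "ACTUAL_ANSWER_CHALLENGE10", new RuntimeEnvironment(RuntimeEnvironment.Environment.HEROKU_DOCKER)).spoiler().solution();
+var spoil = new Challenge10(new InMemoryScoreCard(1), null, "ACTUAL_ANSWER_CHALLENGE10", "wrongsecret-2", new RuntimeEnvironment(RuntimeEnvironment.Environment.HEROKU_DOCKER)).spoiler().solution();
 mvc.perform(post("/challenge/10")
 .contentType(MediaType.APPLICATION_FORM_URLENCODED)
 .param("solution", spoil)
@@ -97,7 +97,7 @@
 }
 
 @Test
-void shouldEnableK8sExercises() throws Exception{
+void shouldEnableK8sExercises() throws Exception {
 mvc.perform(get("/"))
 .andExpect(status().isOk())
 .andExpect(content().string(containsString("<td>&nbsp;<a href=\"/challenge/5\">Challenge 5</a></td>")))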