Projects STRLCPY wrongsecrets Commits 49f8c5e9
    .github/scripts/docker-create-and-push.sh
    skipped 86 lines
    87 87  echo "committing changes and new pom file with version ${tag}"
    88 88  git commit -am "Update POM file with new version: ${tag}"
    89 89  git push
    90  -#echo "tagging version"
    91  -#git tag -a $tag -m "${message}"
    92  -#git push --tags
     90 +echo "tagging version"
     91 +git tag -a $tag -m "${message}"
     92 +git push --tags
    93 93   
    94 94  echo "Don't forget to update experiment-bed"
    95 95  echo "git checkout experiment-bed && git merge master --no-edit"
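Review bot: the re-enabled `git tag -a $tag -m "${message}"` leaves `$tag` unquoted while the commit two lines above uses `"${tag}"`; quote it consistently (`git tag -a "${tag}" -m "${message}"`) so an empty or odd value fails loudly instead of tagging the wrong thing. `git push --tags` also pushes every local tag on the release machine, stale or experimental ones included; `git push origin "refs/tags/${tag}"` publishes only the one just created. Since the pom bump has already been committed and pushed by the time this runs, a pre-check such as `git rev-parse -q --verify "refs/tags/${tag}"` before `git tag -a` turns an accidental re-release of an existing version into an early, explicit error rather than a half-finished release.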
    skipped 9 lines
    Dockerfile.web
    1  -FROM jeroenwillemsen/wrongsecrets:challenge21test-no-vault
     1 +FROM jeroenwillemsen/wrongsecrets:1.4.5-no-vault
    2 2   
    3  -ARG argBasedVersion="1.4.4"
     3 +ARG argBasedVersion="1.4.5"
    4 4  ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
    5 5  ENV APP_VERSION=$argBasedVersion
    6 6  ENV K8S_ENV=Heroku(Docker)
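Review bot: the base-image tag in `FROM jeroenwillemsen/wrongsecrets:1.4.5-no-vault` and `ARG argBasedVersion="1.4.5"` now have to be bumped together by hand, and the state this hunk replaces (`challenge21test-no-vault` next to `1.4.4`) shows they had already drifted apart. Declare the version once before `FROM` and reuse it: `ARG argBasedVersion=1.4.5`, then `FROM jeroenwillemsen/wrongsecrets:${argBasedVersion}-no-vault`; note that an ARG declared before FROM is only visible in the FROM line and must be re-declared after it for `ENV APP_VERSION=$argBasedVersion` to still work. On the supply-chain side, a tag on Docker Hub is mutable and can be re-pushed; pinning the base by digest (`...:1.4.5-no-vault@sha256:<digest>`) makes the Heroku build reproducible.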
    skipped 7 lines
    README.md
    skipped 5 lines
    6 6   
    7 7  Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
    8 8   
    9  -Can you solve all the 19 challenges?
     9 +Can you solve all the 20 challenges?
    10 10  ![screenshot.png](screenshot.png)
    11 11   
    12 12  ## Support
    skipped 2 lines
    15 15   
    16 16  ## Basic docker exercises
    17 17   
    18  -_Can be used for challenges 1-4, 8, 12-19_
     18 +_Can be used for challenges 1-4, 8, 12-20_
    19 19   
    20 20  For the basic docker exercises you currently require:
    21 21   
    skipped 3 lines
    25 25  You can install it by doing:
    26 26   
    27 27  ```bash
    28  -docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.4-no-vault
     28 +docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.5-no-vault
    29 29  ```
    30 30   
    31 31  Now you can try to find the secrets by means of solving the challenge offered at:
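Review bot: `docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.5-no-vault` publishes the port on every interface of the host, so a deliberately vulnerable app with known secrets becomes reachable from the LAN (or from the internet on a cloud VM) for as long as someone is working through the challenges. The README only ever sends players to `localhost:8080`, so `-p 127.0.0.1:8080:8080` does the same job and keeps the listener local.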
    skipped 11 lines
    43 43  - [localhost:8080/challenge/17](http://localhost:8080/challenge/17)
    44 44  - [localhost:8080/challenge/18](http://localhost:8080/challenge/18)
    45 45  - [localhost:8080/challenge/19](http://localhost:8080/challenge/19)
     46 +- [localhost:8080/challenge/20](http://localhost:8080/challenge/20)
    46 47   
    47 48  Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
    48 49   
    skipped 68 lines
    117 118  - vault [Install from here](https://www.vaultproject.io/downloads),
    118 119  - grep, Cat, and Sed
    119 120   
    120  -Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-19.
     121 +Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-20.
    121 122   
    122 123  When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
    123 124   
    124 125  ## Cloud Challenges
    125 126   
    126  -_Can be used for challenges 1-19_
     127 +_Can be used for challenges 1-20_
    127 128   
    128 129  **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
    129 130  never run this on an account which is related to your production environment or can influence your account-over-arching resources.
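Review bot: the rewritten line still says `./k8s-vault-minkube-start.sh` (`minkube`) while the paragraph two lines below, and the resume script it names, spell it `k8s-vault-minikube-start.sh`; since the line is being edited anyway, fix the script name so a copy-paste of the instruction does not fail with file-not-found. The sentence is also a run-on; suggest: Run `./k8s-vault-minikube-start.sh`. When the script is done, the challenges will wait for you at <http://localhost:8080>. This allows you to run challenges 1-8 and 12-20.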
    skipped 151 lines
    aws/k8s/secret-challenge-vault-deployment.yml
    skipped 36 lines
    37 37   volumeAttributes:
    38 38   secretProviderClass: "wrongsecrets-aws-secretsmanager"
    39 39   containers:
    40  - - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
     40 + - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
    41 41   imagePullPolicy: IfNotPresent
    42 42   ports:
    43 43   - containerPort: 8080
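Review bot: `image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault` together with the `imagePullPolicy: IfNotPresent` right below it means a node that already cached a `1.4.5-k8s-vault` image keeps running it even if the tag is re-pushed on Docker Hub, while a fresh node silently picks up whatever the tag points at by then. For a release pin, reference the image by digest (`jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault@sha256:<digest>`), which also records exactly which build was deployed. The same point applies to the identical image bumps in azure/k8s/secret-challenge-vault-deployment.yml.tpl, gcp/k8s/secret-challenge-vault-deployment.yml.tpl, k8s/secret-challenge-deployment.yml and k8s/secret-challenge-vault-deployment.yml further down this commit.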
    skipped 31 lines
    azure/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 34 lines
    35 35   volumeAttributes:
    36 36   secretProviderClass: "azure-wrongsecrets-vault"
    37 37   containers:
    38  - - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
     38 + - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
    39 39   imagePullPolicy: IfNotPresent
    40 40   ports:
    41 41   - containerPort: 8080
    skipped 36 lines
    gcp/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 36 lines
    37 37   volumeAttributes:
    38 38   secretProviderClass: "wrongsecrets-gcp-secretsmanager"
    39 39   containers:
    40  - - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
     40 + - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
    41 41   imagePullPolicy: IfNotPresent
    42 42   ports:
    43 43   - containerPort: 8080
    skipped 33 lines
    k8s/secret-challenge-deployment.yml
    skipped 27 lines
    28 28   runAsGroup: 2000
    29 29   fsGroup: 2000
    30 30   containers:
    31  - - image: jeroenwillemsen/wrongsecrets:1.4.4-no-vault
     31 + - image: jeroenwillemsen/wrongsecrets:1.4.5-no-vault
    32 32   imagePullPolicy: IfNotPresent
    33 33   ports:
    34 34   - containerPort: 8080
    skipped 23 lines
    k8s/secret-challenge-vault-deployment.yml
    skipped 29 lines
    30 30   runAsNonRoot: true
    31 31   serviceAccountName: vault
    32 32   containers:
    33  - - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
     33 + - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
    34 34   imagePullPolicy: IfNotPresent
    35 35   ports:
    36 36   - containerPort: 8080
    skipped 27 lines
    pom.xml
    skipped 8 lines
    9 9   </parent>
    10 10   <groupId>org.owasp</groupId>
    11 11   <artifactId>wrongsecrets</artifactId>
    12  - <version>challenge21test-SNAPSHOT</version>
     12 + <version>1.4.5-SNAPSHOT</version>
    13 13   <name>OWASP WrongSecrets</name>
    14 14   <description>Examples with how to not use secrets</description>
    15 15   <url>https://owasp.org/www-project-wrongsecrets/</url>
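Review bot: `<version>1.4.5-SNAPSHOT</version>` lands in the same commit that tags and publishes the `1.4.5` images, so the Maven artifact version and the `APP_VERSION` baked into those images disagree, and the release script's commit message "Update POM file with new version: ${tag}" suggests the pom is meant to carry the release version. Either drop `-SNAPSHOT` here for the release, or have the script set it (for example `mvn versions:set -DnewVersion="${tag}"` from the versions-maven-plugin) so the two cannot diverge. Replacing `challenge21test-SNAPSHOT` is a good cleanup in itself: a work-in-progress branch name had leaked into a published version string.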
    skipped 416 lines
    src/main/resources/explanations/challenge19.adoc
    1  -=== Obfuscating part 1 the C binary
     1 +=== Obfuscating in binaries part 1: the C binary
    2 2   
    3 3  We need to put a secret in a mobile app! Nobody will notice the secret in our compiled code!
    4 4  This is a misbelief we have often encountered when presenting on mobile security topics.
    skipped 3 lines
    src/main/resources/explanations/challenge20.adoc
    1  -=== Obfuscating part 2: the C++ binary
     1 +=== Obfuscating in binaries part 2: the C++ binary
    2 2   
    3 3  Similar like hiding secrets in an application written in C, you end up in a similar situation with C++. Can you find the secret in our binary?
    4 4   
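Review bot: style point on the unchanged line right under the new heading: "Similar like hiding secrets in an application written in C, you end up in a similar situation with C++" doubles up on "similar" and "similar like" is not idiomatic; suggest "Just as with hiding secrets in an application written in C, you end up in the same situation with C++."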
    skipped 2 lines
    src/main/resources/explanations/challenge20_hint.adoc
    skipped 8 lines
    9 9  - Allow the Ghidra to analyze the application.
    10 10  - Search for the secret: Go to `Functions` on the left-hand side, select `__Z6secretv()` . Now on the screen on the right-hand side you can see the secret. This is a string in C++, wrapped in another class (`SecretContainer`).
    11 11  - Search for the same secret, which is "hidden" as a char array: Go to `Functions` on the left-hand side, select `__Z7secret2v()`. On the right hand side, you see the function: now click on the return result of the function at `__ZZ7secret2vE6harder` . Now you can see the result in the Listing view.
    12  - 
     12 +- Alternatively: when you have analyzed the application with Ghirda: do a search for strings in all blocks and see if you can spot the secret ;-).
    13 13   
    14 14  2. Find the secrets with https://www.radare.org[radare2].
    15 15  - Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`
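Review bot: the added bullet misspells the tool as `Ghirda` while the rest of the file says Ghidra, and "when you have analyzed the application with Ghirda: do a search for strings" reads awkwardly. Suggest: "Alternatively, once Ghidra has finished analyzing the binary, search for strings across all memory blocks (Search > For Strings..., with All Blocks selected) and see if you can spot the secret ;-)." While here, the context line "Allow the Ghidra to analyze the application" should drop "the", and "right hand side" two lines above the new bullet should be hyphenated as "right-hand side", matching the earlier "left-hand side".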
    skipped 4 lines