Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
8
8
9
-
Can you solve all the 19 challenges?
9
+
Can you solve all the 20 challenges?
10
10
![screenshot.png](screenshot.png)
11
11
12
12
## Support
skipped 2 lines
15
15
16
16
## Basic docker exercises
17
17
18
-
_Can be used for challenges 1-4, 8, 12-19_
18
+
_Can be used for challenges 1-4, 8, 12-20_
19
19
20
20
For the basic docker exercises you currently require:
21
21
skipped 3 lines
25
25
You can install it by doing:
26
26
27
27
```bash
28
-
docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.4-no-vault
28
+
docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.5-no-vault
29
29
```
30
30
31
31
Now you can try to find the secrets by means of solving the challenge offered at:
Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
48
49
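Review bot: the `docker run` line now pins `jeroenwillemsen/wrongsecrets:1.4.5-no-vault`, and this tag is the only thing the quick-start depends on, so confirm the `1.4.5-no-vault` image is actually pushed to the registry before this merges; otherwise the first command a new user runs fails with a pull error. Consider also mentioning in the same section that the `-no-vault` image covers only the challenge range listed above it (`1-4, 8, 12-20`), so readers do not expect the vault-backed challenges to work here.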
skipped 68 lines
117
118
- vault [Install from here](https://www.vaultproject.io/downloads),
118
119
- grep, Cat, and Sed
119
120
120
-
Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-19.
121
+
Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-20.
121
122
122
123
When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
123
124
124
125
## Cloud Challenges
125
126
126
-
_Can be used for challenges 1-19_
127
+
_Can be used for challenges 1-20_
127
128
128
129
**READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
129
130
never run this on an account which is related to your production environment or can influence your account-over-arching resources.
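Review bot: the rewritten line still names the script `./k8s-vault-minkube-start.sh`, while the unchanged context two lines below refers to `k8s-vault-minikube-start.sh` and `k8s-vault-minikube-resume.sh`; since the line is being edited anyway, fix the `minkube` spelling so the command can be copy-pasted as written. The sentence could also lose its comma splice, e.g. `Run ./k8s-vault-minikube-start.sh; when the script is done, the challenges will wait for you at <http://localhost:8080>.`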
- Search for the secret: Go to `Functions` on the left-hand side, select `__Z6secretv()` . Now on the screen on the right-hand side you can see the secret. This is a string in C++, wrapped in another class (`SecretContainer`).
11
11
- Search for the same secret, which is "hidden" as a char array: Go to `Functions` on the left-hand side, select `__Z7secret2v()`. On the right hand side, you see the function: now click on the return result of the function at `__ZZ7secret2vE6harder` . Now you can see the result in the Listing view.
12
-
12
+
- Alternatively: when you have analyzed the application with Ghirda: do a search for strings in all blocks and see if you can spot the secret ;-).
13
13
14
14
2. Find the secrets with https://www.radare.org[radare2].
15
15
- Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`
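Review bot: the added bullet spells the tool `Ghirda`; the tool is Ghidra, and the neighbouring bullets describe its Functions and Listing views, so correct the name before merging. The new bullet is also vaguer than its siblings: `do a search for strings in all blocks` would be clearer if it named the menu path the way the other bullets give exact navigation (`Go to Functions on the left-hand side, select ...`).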