wrongsecrets commit 9c0d19d9
  • .github/scripts/docker-create-and-push.sh
    skipped 95 lines
    96 96  echo "git push"
    97 97   
    98 98  #staging (https://arcane-scrubland-42646.herokuapp.com/)
    99  -echo "Completed docker upload for X86, now taking care of heroku, do yourself: update Dockerfile.web, then run 'heroku container:login' 'heroku container:push --recursive --arg argBasedVersion=${tag}heroku' and 'heroku container:push --recursive --arg argBasedVersion=${tag}heroku --arg CANARY_URLS=http://canarytokens.com/feedback/images/traffic/tgy3epux7jm59n0ejb4xv4zg3/submit.aspx,http://canarytokens.com/traffic/cjldn0fsgkz97ufsr92qelimv/post.jsp --app=wrongsecrets' and release both (heroku container:release web --app=wrongsecrets)"
     99 +echo "Completed docker upload for X86, now taking care of heroku, do yourself: update Dockerfile.web, then run 'heroku container:login'"
     100 +echo "then for the test container: 'heroku container:push --recursive --arg argBasedVersion=${tag}heroku --app arcane-scrubland-42646' and 'heroku container:release web --app arcane-scrubland-42646'"
     101 +echo "then for the prd container:'heroku container:push --recursive --arg argBasedVersion=${tag}heroku --arg CANARY_URLS=http://canarytokens.com/feedback/images/traffic/tgy3epux7jm59n0ejb4xv4zg3/submit.aspx,http://canarytokens.com/traffic/cjldn0fsgkz97ufsr92qelimv/post.jsp --app=wrongsecrets' and release 'heroku container:release web --app=wrongsecrets'"
    100 102  #want to release? do heroku container:release web --app=wrongsecrets
    101 103   
    102 104   
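Review bot: the prd instructions echoed at line 101 inline the whole `CANARY_URLS` list inside a string the operator is expected to copy by hand, while the test instructions at line 100 omit it; put the canary URL list and the two app names in shell variables at the top of the script and build both `heroku container:push` commands from them, so the two copies cannot drift and a token rotation is a one-line change. Dockerfile.web (its line 4) ships a different default pair of canary tokens, so the script or a comment should say which set is authoritative for production.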
  • .github/workflows/minikube-vault-test.yml
    skipped 25 lines
    26 26   driver: docker
    27 27   kubernetes-version: v1.22.5
    28 28   - name: Setup helm
    29  - uses: azure/setup-helm@v2.1
     29 + uses: azure/setup-helm@v3.0
    30 30   id: install
    31 31   - name: test script
    32 32   run: |
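Review bot: `azure/setup-helm@v3.0` at line 29 is still a mutable tag; for a workflow that runs third-party action code, pin it to the full commit SHA of the v3.0 release (keeping the tag in a trailing comment) so a re-pointed tag cannot change what executes in CI.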
    skipped 2 lines
  • Dockerfile.web
    1  -FROM jeroenwillemsen/wrongsecrets:1.4.5-no-vault
     1 +FROM jeroenwillemsen/wrongsecrets:1.4.6-no-vault
    2 2   
    3  -ARG argBasedVersion="1.4.5"
     3 +ARG argBasedVersion="1.4.6"
    4 4  ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
    5 5  ENV APP_VERSION=$argBasedVersion
    6 6  ENV K8S_ENV=Heroku(Docker)
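Review bot: the base image at line 1 is pinned by tag only (`1.4.6-no-vault`); add the image digest (`@sha256:...`) next to the tag so a re-pushed tag cannot silently change the base. The `CANARY_URLS` default at line 4 (context) is a build `ARG`, which ends up recorded in the image metadata; if these are meant to be the live production tokens, that is worth a comment, since the push script in this same commit passes a different set on the command line.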
    skipped 7 lines
  • README.md
    skipped 5 lines
    6 6   
    7 7  Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
    8 8   
    9  -Can you solve all the 20 challenges?
     9 +Can you solve all the 21 challenges?
    10 10  ![screenshot.png](screenshot.png)
    11 11   
    12 12  ## Support
    skipped 8 lines
    21 21   
    22 22  ## Basic docker exercises
    23 23   
    24  -_Can be used for challenges 1-4, 8, 12-20_
     24 +_Can be used for challenges 1-4, 8, 12-21_
    25 25   
    26 26  For the basic docker exercises you currently require:
    27 27   
    skipped 3 lines
    31 31  You can install it by doing:
    32 32   
    33 33  ```bash
    34  -docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.5-no-vault
     34 +docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.6-no-vault
    35 35  ```
    36 36   
    37 37  Now you can try to find the secrets by means of solving the challenge offered at:
    skipped 12 lines
    50 50  - [localhost:8080/challenge/18](http://localhost:8080/challenge/18)
    51 51  - [localhost:8080/challenge/19](http://localhost:8080/challenge/19)
    52 52  - [localhost:8080/challenge/20](http://localhost:8080/challenge/20)
     53 +- [localhost:8080/challenge/21](http://localhost:8080/challenge/21)
    53 54   
    54 55  Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
    55 56   
    skipped 10 lines
    66 67   
    67 68  ## Basic K8s exercise
    68 69   
    69  -_Can be used for challenges 1-6, 8, 12-19_
     70 +_Can be used for challenges 1-6, 8, 12-21_
    70 71   
    71 72  ### Minikube based
    72 73   
    skipped 40 lines
    113 114   
    114 115  ## Vault exercises with minikube
    115 116   
    116  -_Can be used for challenges 1-8, 12-19_
     117 +_Can be used for challenges 1-8, 12-21_
    117 118  Make sure you have the following installed:
    118 119   
    119 120  - minikube with docker (or comment out line 8 and work at your own k8s setup),
    skipped 4 lines
    124 125  - vault [Install from here](https://www.vaultproject.io/downloads),
    125 126  - grep, Cat, and Sed
    126 127   
    127  -Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-20.
     128 +Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-21.
    128 129   
    129 130  When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
    130 131   
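Review bot: line 128 keeps the script name as `./k8s-vault-minkube-start.sh` while line 130 (context) refers to `k8s-vault-minikube-start.sh`; one of the two is a typo, and since this line is being edited anyway, fix the spelling here so the command can be copy-pasted.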
    131 132  ## Cloud Challenges
    132 133   
    133  -_Can be used for challenges 1-20_
     134 +_Can be used for challenges 1-21_
    134 135   
    135 136  **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
    136 137  never run this on an account which is related to your production environment or can influence your account-over-arching resources.
    skipped 151 lines
  • aws/k8s/secret-challenge-vault-deployment.yml
    skipped 36 lines
    37 37   volumeAttributes:
    38 38   secretProviderClass: "wrongsecrets-aws-secretsmanager"
    39 39   containers:
    40  - - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
     40 + - image: jeroenwillemsen/wrongsecrets:1.4.6-k8s-vault
    41 41   imagePullPolicy: IfNotPresent
    42 42   ports:
    43 43   - containerPort: 8080
    skipped 31 lines
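Review bot: the image tag at line 40 is edited by hand here and again in azure/k8s, gcp/k8s, k8s/secret-challenge-deployment.yml and k8s/secret-challenge-vault-deployment.yml in this same commit; five hand-edited copies of one version string is how a release ships with a stale image on one platform. Consider templating the tag (the azure and gcp files are already `.tpl`) or adding a CI check that every deployment manifest references the same `jeroenwillemsen/wrongsecrets:<version>` as pom.xml, and pin the cloud deployments by digest in addition to the tag.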
  • azure/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 34 lines
    35 35   volumeAttributes:
    36 36   secretProviderClass: "azure-wrongsecrets-vault"
    37 37   containers:
    38  - - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
     38 + - image: jeroenwillemsen/wrongsecrets:1.4.6-k8s-vault
    39 39   imagePullPolicy: IfNotPresent
    40 40   ports:
    41 41   - containerPort: 8080
    skipped 36 lines
  • azure/main.tf
    skipped 2 lines
    3 3   
    4 4   required_providers {
    5 5   random = "~> 3.0"
    6  - azurerm = "~> 3.0"
     6 + azurerm = "~> 3.9"
    7 7   http = "~> 2.1"
    8 8   }
    9 9   
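Review bot: `azurerm = "~> 3.9"` at line 6 is a floor that still allows any later 3.x minor, not a pin; if the repository carries a `.terraform.lock.hcl`, update it in the same change so the provider build that CI actually resolved is recorded alongside this bump.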
    skipped 65 lines
  • gcp/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 36 lines
    37 37   volumeAttributes:
    38 38   secretProviderClass: "wrongsecrets-gcp-secretsmanager"
    39 39   containers:
    40  - - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
     40 + - image: jeroenwillemsen/wrongsecrets:1.4.6-k8s-vault
    41 41   imagePullPolicy: IfNotPresent
    42 42   ports:
    43 43   - containerPort: 8080
    skipped 33 lines
  • k8s/secret-challenge-deployment.yml
    skipped 27 lines
    28 28   runAsGroup: 2000
    29 29   fsGroup: 2000
    30 30   containers:
    31  - - image: jeroenwillemsen/wrongsecrets:1.4.5-no-vault
     31 + - image: jeroenwillemsen/wrongsecrets:1.4.6-no-vault
    32 32   imagePullPolicy: IfNotPresent
    33 33   ports:
    34 34   - containerPort: 8080
    skipped 23 lines
  • k8s/secret-challenge-vault-deployment.yml
    skipped 29 lines
    30 30   runAsNonRoot: true
    31 31   serviceAccountName: vault
    32 32   containers:
    33  - - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
     33 + - image: jeroenwillemsen/wrongsecrets:1.4.6-k8s-vault
    34 34   imagePullPolicy: IfNotPresent
    35 35   ports:
    36 36   - containerPort: 8080
    skipped 27 lines
  • pom.xml
    skipped 3 lines
    4 4   <parent>
    5 5   <groupId>org.springframework.boot</groupId>
    6 6   <artifactId>spring-boot-starter-parent</artifactId>
    7  - <version>2.7.0</version>
     7 + <version>2.7.1</version>
    8 8   <relativePath /> <!-- lookup parent from repository -->
    9 9   </parent>
    10 10   <groupId>org.owasp</groupId>
    11 11   <artifactId>wrongsecrets</artifactId>
    12  - <version>1.4.5-SNAPSHOT</version>
     12 + <version>1.4.6-SNAPSHOT</version>
    13 13   <name>OWASP WrongSecrets</name>
    14 14   <description>Examples with how to not use secrets</description>
    15 15   <url>https://owasp.org/www-project-wrongsecrets/</url>
    skipped 27 lines
    43 43   <maven.compiler.target>18</maven.compiler.target>
    44 44   <spring.cloud-version>2021.0.3</spring.cloud-version>
    45 45   <lombok.version>1.18.24</lombok.version>
    46  - <aws.sdk.version>2.17.204</aws.sdk.version>
     46 + <aws.sdk.version>2.17.223</aws.sdk.version>
    47 47   <asciidoctorj.version>2.5.4</asciidoctorj.version>
    48  - <jruby.version>9.3.4.0</jruby.version>
     48 + <jruby.version>9.3.6.0</jruby.version>
    49 49   <bootstrap.version>5.1.3</bootstrap.version>
    50 50   <github.button.version>2.14.1</github.button.version>
    51 51   <gcp.sdk.version>25.4.0</gcp.sdk.version>
    skipped 1 lines
    53 53   <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
    54 54   <thymeleaf.layout>3.1.0</thymeleaf.layout>
    55 55   <asciidoctor.maven.plugin.version>2.2.2</asciidoctor.maven.plugin.version>
    56  - <azure.keyvault.version>4.4.2</azure.keyvault.version>
    57  - <azure.identity.version>1.5.1</azure.identity.version>
     56 + <azure.keyvault.version>4.4.3</azure.keyvault.version>
     57 + <azure.identity.version>1.5.3</azure.identity.version>
    58 58   <azure.keyvault.spring.version>2.3.5</azure.keyvault.spring.version>
    59  - <spring.security.version>5.7.1</spring.security.version>
    60  - <cyclonedx.core.version>7.1.4</cyclonedx.core.version>
     59 + <spring.security.version>5.7.2</spring.security.version>
     60 + <cyclonedx.core.version>7.1.5</cyclonedx.core.version>
    61 61   <KeePassJava2.version>2.1.4</KeePassJava2.version>
    62 62   <system-stubs-jupiter.version>2.0.1</system-stubs-jupiter.version>
    63 63   <dependency-check-maven.version>7.0.4</dependency-check-maven.version>
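Review bot: `spring.security.version` at line 59 (now 5.7.2) is an explicit override of a version the Spring Boot parent bumped to 2.7.1 at line 7 normally manages itself; if the parent already manages the same Spring Security release, the property is redundant today and will silently pin an older Security release on the next parent bump. Either drop the property and inherit from the parent, or add a comment stating why it must be overridden; the same question applies to `thymeleaf.version` at line 53 (context).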
    skipped 193 lines
    257 257   <dependency>
    258 258   <groupId>com.puppycrawl.tools</groupId>
    259 259   <artifactId>checkstyle</artifactId>
    260  - <version>10.3</version>
     260 + <version>10.3.1</version>
    261 261   </dependency>
    262 262   </dependencies>
    263 263   </plugin>
    skipped 168 lines
  • src/main/java/org/owasp/wrongsecrets/AllControllerAdvice.java
    skipped 18 lines
    19 19   
    20 20   private final List<ChallengeUI> challenges;
    21 21   private final String version;
    22  - private RuntimeEnvironment runtimeEnvironment;
     22 + private final RuntimeEnvironment runtimeEnvironment;
    23 23   
    24 24   public AllControllerAdvice(List<Challenge> challenges, @Value("${APP_VERSION}") String version, RuntimeEnvironment runtimeEnvironment) {
    25 25   this.challenges = ChallengeUI.toUI(challenges, runtimeEnvironment);
    skipped 25 lines
  • src/main/java/org/owasp/wrongsecrets/HerokuWebSecurityConfig.java
    skipped 2 lines
    3 3  import org.springframework.context.annotation.Configuration;
    4 4  import org.springframework.core.annotation.Order;
    5 5  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    6  -import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    7 6  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    8 7   
    9 8  @Configuration
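Review bot: this hunk removes the unused `EnableWebSecurity` import, but the class still imports and extends `WebSecurityConfigurerAdapter` (new line 6), which is deprecated in the Spring Security 5.7 line this commit moves to (`spring.security.version` 5.7.2 in pom.xml) and is removed in Spring Security 6. Plan the migration to a `SecurityFilterChain` `@Bean` now, so the only thing this cleanup silences is not the deprecation warning that points at the real work.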
    skipped 11 lines
  • src/main/java/org/owasp/wrongsecrets/RuntimeEnvironment.java
    skipped 21 lines
    22 22  @Component
    23 23  public class RuntimeEnvironment {
    24 24   
    25  - private static Map<Environment, List<Environment>> envToOverlappingEnvs = Map.of(
     25 + private static final Map<Environment, List<Environment>> envToOverlappingEnvs = Map.of(
    26 26   HEROKU_DOCKER, List.of(DOCKER, HEROKU_DOCKER),
    27 27   DOCKER, List.of(DOCKER, HEROKU_DOCKER),
    28 28   GCP, List.of(DOCKER, K8S, VAULT),
    skipped 13 lines
    42 42   }
    43 43   
    44 44   static Environment fromId(String id) {
    45  - return Arrays.asList(Environment.values()).stream().filter(e -> e.id.equalsIgnoreCase(id)).findAny().get();
     45 + return Arrays.stream(Environment.values()).filter(e -> e.id.equalsIgnoreCase(id)).findAny().get();
    46 46   }
    47 47   }
    48 48   
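Review bot: `fromId` at line 45 still ends in `findAny().get()`, so an unknown environment id (for example a misspelled `K8S_ENV` value) fails with a bare `NoSuchElementException` that does not say which id was rejected; prefer `.orElseThrow(() -> new IllegalArgumentException("unknown environment id: " + id))`. The `Arrays.stream` simplification itself is fine.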
    skipped 19 lines
  • src/main/java/org/owasp/wrongsecrets/SessionConfiguration.java
    skipped 11 lines
    12 12  @Slf4j
    13 13  public class SessionConfiguration {
    14 14   
    15  - private static AtomicInteger numberOfSessions = new AtomicInteger(0);
     15 + private static final AtomicInteger numberOfSessions = new AtomicInteger(0);
    16 16   
    17 17   @Bean
    18 18   public HttpSessionListener httpSessionListener() {
    skipped 18 lines
  • src/main/java/org/owasp/wrongsecrets/StartupListener.java
    skipped 35 lines
    36 36   
    37 37   private String envsToReadableString() {
    38 38   return Arrays.stream(RuntimeEnvironment.Environment.values())
    39  - .map(env -> env.toString())
     39 + .map(Enum::toString)
    40 40   .collect(Collectors.joining(", "));
    41 41   }
    42 42   }
    skipped 3 lines
  • src/main/java/org/owasp/wrongsecrets/asciidoc/AsciiDoctorTemplateResolver.java
    skipped 16 lines
    17 17  public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
    18 18   
    19 19   private static final String PREFIX = "doc:";
    20  - private TemplateGenerator generator;
     20 + private final TemplateGenerator generator;
    21 21   
    22 22   public AsciiDoctorTemplateResolver(TemplateGenerator generator) {
    23 23   this.generator = generator;
    skipped 18 lines
  • src/main/java/org/owasp/wrongsecrets/canaries/CanaryCounterImpl.java
    skipped 7 lines
    8 8  @Service
    9 9  public class CanaryCounterImpl implements CanaryCounter {
    10 10   
    11  - private static AtomicInteger numberofCanaryCalls = new AtomicInteger(0);
     11 + private static final AtomicInteger numberofCanaryCalls = new AtomicInteger(0);
    12 12   
    13 13   private static String lastToken;
    14 14   
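Review bot: making `numberofCanaryCalls` final at line 11 is right, but `lastToken` at line 13 (context) is a plain mutable static with no `volatile` or `AtomicReference`; if it is written on the same path that increments the counter and read from other request threads, readers can observe a stale value. Make it an `AtomicReference<String>` or document that stale reads are acceptable for a display value, and rename `numberofCanaryCalls` to `numberOfCanaryCalls` while touching the line.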
    skipped 25 lines
  • src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge11.java
    skipped 42 lines
    43 43   private final String azureDefaultValue;
    44 44   private final String challengeAnswer;
    45 45   private final String projectId;
    46  - private final RuntimeEnvironment runtimeEnvironment;
    47 46   private final String azureVaultUri;
    48 47   private final String azureWrongSecret3;
    49 48   
    skipped 16 lines
    66 65   this.gcpDefaultValue = gcpDefaultValue;
    67 66   this.azureDefaultValue = azureDefaultValue;
    68 67   this.projectId = projectId;
    69  - this.runtimeEnvironment = runtimeEnvironment;
    70 68   this.azureVaultUri = azureVaultUri;
    71 69   this.azureWrongSecret3 = azureWrongSecret3;
    72  - this.challengeAnswer = getChallenge11Value(this.runtimeEnvironment);
     70 + this.challengeAnswer = getChallenge11Value(runtimeEnvironment);
    73 71   }
    74 72   
    75 73   @Override
    skipped 12 lines
    88 86   
    89 87   private String getChallenge11Value(RuntimeEnvironment runtimeEnvironment) {
    90 88   if (runtimeEnvironment != null && runtimeEnvironment.getRuntimeEnvironment() != null) {
    91  - switch (runtimeEnvironment.getRuntimeEnvironment()) {
    92  - case AWS:
    93  - return getAWSChallenge11Value();
    94  - case GCP:
    95  - return getGCPChallenge11Value();
    96  - case AZURE:
    97  - return getAzureChallenge11Value();
    98  - default:
    99  - return "please_use_supported_cloud_env";
    100  - }
     89 + return switch (runtimeEnvironment.getRuntimeEnvironment()) {
     90 + case AWS -> getAWSChallenge11Value();
     91 + case GCP -> getGCPChallenge11Value();
     92 + case AZURE -> getAzureChallenge11Value();
     93 + default -> "please_use_supported_cloud_env";
     94 + };
    101 95   }
    102 96   return "please_use_supported_cloud_env";
    103 97   }
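Review bot: the switch expression is a good cleanup, but the literal `"please_use_supported_cloud_env"` now appears twice (lines 93 and 96); hoist it to a private constant so the fallback and the default branch cannot diverge.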
    skipped 75 lines
  • src/main/java/org/owasp/wrongsecrets/challenges/docker/BinaryExecutionHelper.java
    skipped 10 lines
    11 11  public class BinaryExecutionHelper {
    12 12   
    13 13   
    14  - public static String ERROR_EXECUTION = "Error with executing";
     14 + public static final String ERROR_EXECUTION = "Error with executing";
    15 15   private final int challengeNumber;
    16 16   
    17 17   public BinaryExecutionHelper(int challengeNumber) {
    18 18   this.challengeNumber = challengeNumber;
    19 19   }
    20 20   
     21 + public String executeGoCommand(String guess) {
     22 + try {
     23 + File execFile = createTempExecutable("wrongsecrets-golang");
     24 + String result;
     25 + if (Strings.isNullOrEmpty(guess)) {
     26 + result = executeCommand(execFile, "spoil");
     27 + } else {
     28 + result = executeCommand(execFile, "guess", guess);
     29 + }
     30 + log.info("stdout challenge {}: {}", challengeNumber, result);
     31 + 
     32 + deleteFile(execFile);
     33 + return result;
     34 + } catch (IOException | NullPointerException | InterruptedException e) {
     35 + log.warn("Error executing:", e);
     36 + return ERROR_EXECUTION;
     37 + }
     38 + }
     39 + 
     40 + public String executeCommand(String guess, String fileName) {
     41 + if (Strings.isNullOrEmpty((guess))) {
     42 + guess = "spoil";
     43 + }
     44 + try {
     45 + File execFile = createTempExecutable(fileName);
     46 + String result = executeCommand(execFile, guess);
     47 + deleteFile(execFile);
     48 + log.info("stdout challenge {}: {}", challengeNumber, result);
     49 + return result;
     50 + } catch (IOException | NullPointerException | InterruptedException e) {
     51 + log.warn("Error executing:", e);
     52 + return ERROR_EXECUTION;
     53 + }
     54 + 
     55 + }
     56 + 
     57 + private String executeCommand(File execFile, String argument, String argument2) throws IOException, InterruptedException {
     58 + ProcessBuilder ps;
     59 + if (Strings.isNullOrEmpty(argument2)) {
     60 + ps = new ProcessBuilder(execFile.getPath(), argument);
     61 + } else {
     62 + ps = new ProcessBuilder(execFile.getPath(), argument, argument2);
     63 + }
     64 + ps.redirectErrorStream(true);
     65 + Process pr = ps.start();
     66 + BufferedReader in = new BufferedReader(new InputStreamReader(pr.getInputStream()));
     67 + String result = in.readLine();
     68 + pr.waitFor();
     69 + return result;
     70 + }
     71 + 
     72 + private String executeCommand(File execFile, String argument) throws IOException, InterruptedException {
     73 + return executeCommand(execFile, argument, "");
     74 + }
     75 + 
    21 76   private boolean useX86() {
    22 77   String systemARch = System.getProperty("os.arch");
    23 78   log.info("System arch detected: {}", systemARch);
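Review bot: in `executeGoCommand` (lines 21-38) and `executeCommand(String, String)` (lines 40-55) the temp executable is deleted only on the success path; if `executeCommand(File, ...)` throws, `deleteFile` is skipped and an executable file is left in the temp directory. Create the file in a try/finally so cleanup always runs. Separately, `executeCommand(File, String, String)` at lines 57-70 reads a single line, never closes the `BufferedReader`, and then calls `pr.waitFor()` with no timeout: a binary that writes more than a pipe buffer to stdout blocks on the full pipe and `waitFor` then hangs the request thread. Drain stdout in try-with-resources and use `waitFor(timeout, unit)` followed by `destroyForcibly()` on expiry. The `""` sentinel for `argument2` would read better as `String... arguments` passed straight to `ProcessBuilder`.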
    skipped 18 lines
    42 97   }
    43 98   
    44 99   private File createTempExecutable(String fileName) throws IOException {
    45  - File challengeFile;
    46  - if (useX86()) {
    47  - challengeFile = retrieveFile(fileName);
    48  - if (useLinux()) {
    49  - challengeFile = retrieveFile(fileName + "-linux");
    50  - }
    51  - } else {
    52  - challengeFile = retrieveFile(fileName + "-c-arm");
     100 + if (useLinux()) {
     101 + fileName = fileName + "-linux";
     102 + }
     103 + if (!useX86()) {
     104 + fileName = fileName + "-arm";
    53 105   }
     106 + File challengeFile = retrieveFile(fileName);
    54 107   //prepare file to execute
    55 108   File execFile = File.createTempFile("c-exec-" + fileName, "sh");
    56 109   if (!execFile.setExecutable(true)) {
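Review bot: `createTempExecutable` now derives the resource name as `<fileName>[-linux][-arm]`, which changes the non-Linux ARM name from `<fileName>-c-arm` to `<fileName>-arm` and introduces `<fileName>-linux-arm`; the commit adds matching `wrongsecrets-c-linux-arm` and `wrongsecrets-cplus-linux-arm` binaries, so it is consistent, but the convention now lives implicitly in this method and in the resource directory and deserves a comment here. Also avoid reassigning the `fileName` parameter (compute a local `resourceName`), and `File.createTempFile("c-exec-" + fileName, "sh")` at line 108 needs a leading dot in the suffix if a `.sh` extension was intended.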
    skipped 12 lines
    69 122   return execFile;
    70 123   }
    71 124   
    72  - private String executeCommand(File execFile, String argument) throws IOException, InterruptedException {
    73  - ProcessBuilder ps = new ProcessBuilder(execFile.getPath(), argument);
    74  - ps.redirectErrorStream(true);
    75  - Process pr = ps.start();
    76  - BufferedReader in = new BufferedReader(new InputStreamReader(pr.getInputStream()));
    77  - String result = in.readLine();
    78  - pr.waitFor();
    79  - return result;
    80  - }
    81  - 
    82  - 
    83  - public String executeCommand(String guess, String fileName) {
    84  - if (Strings.isNullOrEmpty((guess))) {
    85  - guess = "spoil";
     125 + private void deleteFile(File execFile) {
     126 + if (!execFile.delete()) {
     127 + log.info("Deleting the file {} failed...", execFile.getPath());
    86 128   }
    87  - try {
    88  - File execFile = createTempExecutable(fileName);
    89  - String result = executeCommand(execFile, guess);
    90  - if (!execFile.delete()) {
    91  - log.info("Deleting the file {} failed...", execFile.getPath());
    92  - }
    93  - log.info("stdout challenge {}: {}", challengeNumber, result);
    94  - return result;
    95  - } catch (IOException | NullPointerException | InterruptedException e) {
    96  - log.warn("Error executing:", e);
    97  - return ERROR_EXECUTION;
    98  - }
    99  - 
    100 129   }
    101 130  }
    102 131   
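Review bot: `deleteFile` at lines 125-129 logs a failed deletion at `info`; since the file left behind is executable, log at `warn`, and register `execFile.deleteOnExit()` at creation time so the JVM retries the removal at shutdown.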
  • src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java
    skipped 18 lines
    19 19  @Order(12)
    20 20  public class Challenge12 extends Challenge {
    21 21   
    22  - private String dockerMountPath;
     22 + private final String dockerMountPath;
    23 23   
    24 24   public Challenge12(ScoreCard scoreCard, @Value("${challengedockermtpath}") String dockerMountPath) {
    25 25   super(scoreCard);
    skipped 29 lines
  • src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge13.java
    skipped 22 lines
    23 23  @Order(13)
    24 24  public class Challenge13 extends Challenge {
    25 25   
    26  - private String plainText;
    27  - private String cipherText;
     26 + private final String plainText;
     27 + private final String cipherText;
    28 28   
    29 29   @Override
    30 30   public Spoiler spoiler() {
    skipped 49 lines
  • src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge21.java
     1 +package org.owasp.wrongsecrets.challenges.docker;
     2 + 
     3 + 
     4 +import lombok.extern.slf4j.Slf4j;
     5 +import org.owasp.wrongsecrets.RuntimeEnvironment;
     6 +import org.owasp.wrongsecrets.ScoreCard;
     7 +import org.owasp.wrongsecrets.challenges.Challenge;
     8 +import org.owasp.wrongsecrets.challenges.Spoiler;
     9 +import org.springframework.core.annotation.Order;
     10 +import org.springframework.stereotype.Component;
     11 + 
     12 +import java.util.List;
     13 + 
     14 +import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
     15 + 
     16 +@Component
     17 +@Order(21)
     18 +@Slf4j
     19 +public class Challenge21 extends Challenge {
     20 + 
     21 + private final BinaryExecutionHelper binaryExecutionHelper;
     22 + 
     23 + public Challenge21(ScoreCard scoreCard) {
     24 + super(scoreCard);
     25 + this.binaryExecutionHelper = new BinaryExecutionHelper(21);
     26 + }
     27 + 
     28 + 
     29 + @Override
     30 + public Spoiler spoiler() {
     31 + return new Spoiler(binaryExecutionHelper.executeGoCommand(""));
     32 + }
     33 + 
     34 + @Override
     35 + public boolean answerCorrect(String answer) {
     36 + return binaryExecutionHelper.executeGoCommand(answer).equals("This is correct! Congrats!");
     37 + }
     38 + 
     39 + public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
     40 + return List.of(DOCKER);
     41 + }
     42 +}
     43 + 
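Review bot: `supportedRuntimeEnvironments()` at line 39 is missing `@Override` while `spoiler()` and `answerCorrect()` carry it; add it so a signature change in `Challenge` fails compilation instead of silently leaving the DOCKER-only restriction unused. `@Slf4j` at line 18 is unused in this class. The literal `"This is correct! Congrats!"` at line 36 is the Go binary's output contract; hoist it to a named constant with a comment that it must match the binary.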
  • src/main/resources/executables/wrongsecrets-c-arm
    Binary file.
  • src/main/resources/executables/wrongsecrets-c-linux-arm
    Binary file.
  • src/main/resources/executables/wrongsecrets-cplus-arm
    Binary file.
  • src/main/resources/executables/wrongsecrets-cplus-linux-arm
    Binary file.
  • src/main/resources/executables/wrongsecrets-golang
    Binary file.
  • src/main/resources/executables/wrongsecrets-golang-arm
    Binary file.
  • src/main/resources/executables/wrongsecrets-golang-linux
    Binary file.
  • src/main/resources/executables/wrongsecrets-golang-linux-arm
    Binary file.
  • src/main/resources/explanations/challenge21.adoc
     1 +=== Obfuscating part 3: the Go binary
     2 + 
     3 +Our third language of choice for a compiled application is Go. With the rise of its popularity, we see an increase of secrets hidden inside the binaries. Can you find the secret in our binary?
     4 + 
     5 +Let's debunk the "secrets are hard to find in native compiled applications" myth for Go: can you find the secret in https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-golang[wrongsecrets-golang] (or https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-golang-arm[wrongsecrets-golang-arm], https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-golang-linux[wrongsecrets-golang-linux])?
     6 + 
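Review bot: line 5 links `wrongsecrets-golang`, `-arm` and `-linux`, but this commit also adds `src/main/resources/executables/wrongsecrets-golang-linux-arm`; list it too so Linux/ARM users know which binary is theirs. Minor wording on line 3: "an increase of secrets" reads better as "an increase in secrets".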
  • src/main/resources/explanations/challenge21_hint.adoc
     1 +This challenge is specifically looking at a secret in a Go binary
     2 + 
     3 +This one is a little harder, as we used Cobra to create the CLI, introducing some more overhead.
     4 +You can solve this challenge using the following steps:
     5 + 
     6 +1. Find the secrets with https://ghidra-sre.org/[Ghidra].
     7 +- Install https://ghidra-sre.org/[Ghidra].
     8 +- Start it with `ghidraRun`.
     9 +- Load the application `wrongsecrets-golang` into ghidra by choosing a new project, then import the file and then doubleclick on it.
     10 +- Allow the Ghidra to analyze the application. Note that this takes much longer as our binary is a lot larger.
     11 +- Go to the data type manager in the bottom left, now filter for `string`, now right-click at `string` as a member of `wrongsecrets-golang` and select `find uses of`.
     12 +- Now filter for known keywords: you should easily be able to find the secret now!
     13 + 
     14 +2. Find the secrets with https://www.radare.org[radare2].
     15 +- Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`
     16 +- Launch r2 analysis with `$ r2 -A wrongsecrets-golang`
     17 +- Start a search for the string with `/w secret`
     18 +- Now take the results and look for possible answers, how about `/w his is the secret in Golang` ? You should be able to find the secret now.
     19 + 
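Review bot: wording: line 1 lacks a full stop, "doubleclick" on line 9 should be "double-click", "Allow the Ghidra to analyze" on line 10 should be "Allow Ghidra to analyze", and "Mac" on line 15 should be "macOS". The search string on line 18, `his is the secret in Golang`, drops the first letter of the phrase it apparently targets; say that the partial match is deliberate so readers do not read it as a typo.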
  • src/main/resources/explanations/challenge21_reason.adoc
     1 +*Why Using binaries to hide a secret will only delay an attacker.*
     2 + 
     3 +With beautiful free Reverse engineering applications as Ghidra, not a lot of things remain safe. Anyone who can load the executable in Ghidra or Radare2 can easily start doing a reconnaissance and find secrets within your binary.
     4 + 
     5 +Encrypting the secret with a key embedded in the binary, and other funny puzzles do delay an attacker and just make it fun finding the secret. Be aware that, if the secret needs to be used by the executable, it eventually needs to be in memory ready to be executed.
     6 + 
     7 +Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server.
     8 + 
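Review bot: wording: "Why Using binaries" on line 1 should be "Why using binaries"; on line 3 "applications as Ghidra" should be "applications such as Ghidra" and "doing a reconnaissance" should be "doing reconnaissance"; on line 5 "ready to be executed" should be "ready to be used", since it is the secret, not code, that ends up in memory. The closing paragraph could also point at the project's own Vault and cloud secrets-manager exercises as the preferred alternative to shipping a secret in the binary at all.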
  • src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge19Test.java
    skipped 19 lines
    20 20   var challenge = new Challenge19(scoreCard);
    21 21   
    22 22   Assertions.assertThat(challenge.spoiler()).isNotEqualTo(new Spoiler(BinaryExecutionHelper.ERROR_EXECUTION));
     23 + Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
    23 24   }
    24 25   
    25 26  }
    skipped 1 lines
  • src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge20Test.java
    skipped 18 lines
    19 19   var challenge = new Challenge20(scoreCard);
    20 20   
    21 21   Assertions.assertThat(challenge.spoiler()).isNotEqualTo(new Spoiler(BinaryExecutionHelper.ERROR_EXECUTION));
     22 + Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
    22 23   }
    23 24   
    24 25  }
    skipped 1 lines
  • src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge21Test.java
     1 +package org.owasp.wrongsecrets.challenges.docker;
     2 + 
     3 +import org.assertj.core.api.Assertions;
     4 +import org.junit.jupiter.api.Test;
     5 +import org.junit.jupiter.api.extension.ExtendWith;
     6 +import org.mockito.Mock;
     7 +import org.mockito.junit.jupiter.MockitoExtension;
     8 +import org.owasp.wrongsecrets.ScoreCard;
     9 +import org.owasp.wrongsecrets.challenges.Spoiler;
     10 + 
     11 +@ExtendWith(MockitoExtension.class)
     12 +class Challenge21Test {
     13 + 
     14 + @Mock
     15 + private ScoreCard scoreCard;
     16 + 
     17 + @Test
     18 + void spoilerShouldNotCrash() {
     19 + var challenge = new Challenge21(scoreCard);
     20 + 
     21 + Assertions.assertThat(challenge.spoiler()).isNotEqualTo(new Spoiler(BinaryExecutionHelper.ERROR_EXECUTION));
     22 + Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
     23 + }
     24 + 
     25 +}
     26 + 
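Review bot: `Challenge21Test`, like the assertions added to Challenge19Test and Challenge20Test in this commit, executes a native binary chosen by `os.arch` and OS at test time, so the test fails on any CI runner whose platform has no matching resource or whose temp directory is mounted `noexec`. Guard it with an `Assumptions` check or `@EnabledOnOs` and report a clear skip reason instead of failing the build; the spoiler/answerCorrect round trip at lines 21-22 spawning the binary twice is fine for a unit test but deserves a comment.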