echo "Completed docker upload for X86, now taking care of heroku, do yourself: update Dockerfile.web, then run 'heroku container:login' 'heroku container:push --recursive --arg argBasedVersion=${tag}heroku' and 'heroku container:push --recursive --arg argBasedVersion=${tag}heroku --arg CANARY_URLS=http://canarytokens.com/feedback/images/traffic/tgy3epux7jm59n0ejb4xv4zg3/submit.aspx,http://canarytokens.com/traffic/cjldn0fsgkz97ufsr92qelimv/post.jsp --app=wrongsecrets' and release both (heroku container:release web --app=wrongsecrets)"
99
+
echo "Completed docker upload for X86, now taking care of heroku, do yourself: update Dockerfile.web, then run 'heroku container:login'"
100
+
echo "then for the test container: 'heroku container:push --recursive --arg argBasedVersion=${tag}heroku --app arcane-scrubland-42646' and 'heroku container:release web --app arcane-scrubland-42646'"
101
+
echo "then for the prd container:'heroku container:push --recursive --arg argBasedVersion=${tag}heroku --arg CANARY_URLS=http://canarytokens.com/feedback/images/traffic/tgy3epux7jm59n0ejb4xv4zg3/submit.aspx,http://canarytokens.com/traffic/cjldn0fsgkz97ufsr92qelimv/post.jsp --app=wrongsecrets' and release 'heroku container:release web --app=wrongsecrets'"
100
102
#want to release? do heroku container:release web --app=wrongsecrets
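Review bot: the trailing comment on line 102 (`#want to release? do heroku container:release web --app=wrongsecrets`) now duplicates the release instruction that line 101 already echoes; drop it so there is one source of truth. Two smaller points on lines 100 and 101: the test push passes `--app arcane-scrubland-42646` while the prd push uses `--app=wrongsecrets`, so pick one flag style, and the test push omits `CANARY_URLS`, which means the canary-token challenge is never exercised on the test app before it goes to prd; consider passing a test-only `CANARY_URLS` value there as well.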
Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
8
8
9
-
Can you solve all the 20 challenges?
9
+
Can you solve all the 21 challenges?
10
10
![screenshot.png](screenshot.png)
11
11
12
12
## Support
skipped 8 lines
21
21
22
22
## Basic docker exercises
23
23
24
-
_Can be used for challenges 1-4, 8, 12-20_
24
+
_Can be used for challenges 1-4, 8, 12-21_
25
25
26
26
For the basic docker exercises you currently require:
27
27
skipped 3 lines
31
31
You can install it by doing:
32
32
33
33
```bash
34
-
docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.5-no-vault
34
+
docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.6-no-vault
35
35
```
36
36
37
37
Now you can try to find the secrets by means of solving the challenge offered at:
Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
55
56
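Review bot: the quickstart now points readers at `jeroenwillemsen/wrongsecrets:1.4.6-no-vault` (line 34); make sure that tag has actually been published with challenge 21 included before this lands, otherwise the first command in the README fails with an unknown tag. The echo on line 99 of the release script only confirms the x86 upload, so the arm variant may need a separate check.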
skipped 10 lines
66
67
67
68
## Basic K8s exercise
68
69
69
-
_Can be used for challenges 1-6, 8, 12-19_
70
+
_Can be used for challenges 1-6, 8, 12-21_
70
71
71
72
### Minikube based
72
73
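Review bot: line 70 jumps from `12-19` to `12-21`, whereas the docker section (line 24) went from `12-20` to `12-21`; the same `12-19` to `12-21` jump appears in the Vault section at line 117. Either challenge 20 was missing from these two lists before, or it does not run on plain K8s/minikube and only 21 should be added. Please confirm challenge 20 works in the minikube setup before widening the range.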
skipped 40 lines
113
114
114
115
## Vault exercises with minikube
115
116
116
-
_Can be used for challenges 1-8, 12-19_
117
+
_Can be used for challenges 1-8, 12-21_
117
118
Make sure you have the following installed:
118
119
119
120
- minikube with docker (or comment out line 8 and work at your own k8s setup),
skipped 4 lines
124
125
- vault [Install from here](https://www.vaultproject.io/downloads),
125
126
- grep, Cat, and Sed
126
127
127
-
Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-20.
128
+
Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-21.
128
129
129
130
When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
130
131
131
132
## Cloud Challenges
132
133
133
-
_Can be used for challenges 1-20_
134
+
_Can be used for challenges 1-21_
134
135
135
136
**READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
136
137
never run this on an account which is related to your production environment or can influence your account-over-arching resources.
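Review bot: line 128 is being edited anyway, so fix the script name while at it: it says `./k8s-vault-minkube-start.sh` (missing the `i`), while the unchanged line 130 refers to `k8s-vault-minikube-start.sh`; check which file exists in the repo and use that name in both places. The sentence "This will allow you to run challenges 1-8, 12-21" also repeats the italic range on line 117; one of the two is enough to keep in sync.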
Our third language of choice for a compiled application is Go. With the rise of its popularity, we see an increase of secrets hidden inside the binaries. Can you find the secret in our binary?
4
+
5
+
Let's debunk the "secrets are hard to find in native compiled applications" myth for Go: can you find the secret in https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-golang[wrongsecrets-golang] (or https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-golang-arm[wrongsecrets-golang-arm], https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-golang-linux[wrongsecrets-golang-linux])?
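Review bot: the claim on line 1 that "we see an increase of secrets hidden inside the binaries" has no source; either cite a report or soften it to "secrets are regularly found inside them". On line 5, the three binaries are listed without saying which one a reader should pick; a short "choose the build matching your platform (x86, arm, linux)" makes the challenge self-explanatory.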
This challenge is specifically looking at a secret in a Go binary
2
+
3
+
This one is a little harder, as we used Cobra to create the CLI, introducing some more overhead.
4
+
You can solve this challenge using the following steps:
5
+
6
+
1. Find the secrets with https://ghidra-sre.org/[Ghidra].
7
+
- Install https://ghidra-sre.org/[Ghidra].
8
+
- Start it with `ghidraRun`.
9
+
- Load the application `wrongsecrets-golang` into ghidra by choosing a new project, then import the file and then doubleclick on it.
10
+
- Allow the Ghidra to analyze the application. Note that this takes much longer as our binary is a lot larger.
11
+
- Go to the data type manager in the bottom left, now filter for `string`, now right-click at `string` as a member of `wrongsecrets-golang` and select `find uses of`.
12
+
- Now filter for known keywords: you should easily be able to find the secret now!
13
+
14
+
2. Find the secrets with https://www.radare.org[radare2].
15
+
- Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`
16
+
- Launch r2 analysis with `$ r2 -A wrongsecrets-golang`
17
+
- Start a search for the string with `/w secret`
18
+
- Now take the results and look for possible answers, how about `/w his is the secret in Golang` ? You should be able to find the secret now.
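Review bot: on lines 17 and 18, `/w` in radare2 is the wide-string (UTF-16) search, while Go stores string literals as plain UTF-8, so the plain-string search `/ secret` is the one that should hit; please verify which form actually finds the secret in the shipped binary before publishing the hint. Minor: drop the `$ ` prompt from `` `$ r2 -A wrongsecrets-golang` `` on line 16 so the command can be copied as-is, and on lines 9 and 10 "doubleclick" and "Allow the Ghidra" read better as "double-click" and "Allow Ghidra".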
*Why Using binaries to hide a secret will only delay an attacker.*
2
+
3
+
With beautiful free Reverse engineering applications as Ghidra, not a lot of things remain safe. Anyone who can load the executable in Ghidra or Radare2 can easily start doing a reconnaissance and find secrets within your binary.
4
+
5
+
Encrypting the secret with a key embedded in the binary, and other funny puzzles do delay an attacker and just make it fun finding the secret. Be aware that, if the secret needs to be used by the executable, it eventually needs to be in memory ready to be executed.
6
+
7
+
Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server.
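Review bot: line 7 tells the reader to retrieve the secret remotely "after authenticating against a server" but does not say what the executable authenticates with; without that, the bootstrap credential simply moves into the binary and the problem described on lines 3 and 5 returns. Name the options that avoid this (a credential supplied by the user at runtime, or a platform identity such as a cloud instance role or hardware-backed attestation) so the advice is actionable. Wording on line 5: "ready to be executed" should be "ready to be used", and line 3 reads better as "applications such as Ghidra".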