Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
-
Can you solve all the 19 challenges?
+
Can you solve all the 20 challenges?
![screenshot.png](screenshot.png)
## Support
skipped 2 lines
## Basic docker exercises
-
_Can be used for challenges 1-4, 8, 12-19_
+
_Can be used for challenges 1-4, 8, 12-20_
For the basic docker exercises you currently require:
Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
skipped 68 lines
- vault [Install from here](https://www.vaultproject.io/downloads),
- grep, Cat, and Sed
-
Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-19.
+
Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-20.
When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
## Cloud Challenges
-
_Can be used for challenges 1-19_
+
_Can be used for challenges 1-20_
**READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
never run this on an account which is related to your production environment or can influence your account-over-arching resources.
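Review bot: the added line keeps the misspelled script name `./k8s-vault-minkube-start.sh` while the context line right below it calls the same script `k8s-vault-minikube-start.sh` (and the resume script `k8s-vault-minikube-resume.sh`); since this line is being edited anyway, correct it to the `minikube` spelling so readers do not copy a command that does not exist. Minor: "account-over-arching resources" in the cloud warning would read more clearly as "account-wide resources".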
- Load the application `wrongsecrets-c` into ghidra by choosing a new project, then import the file and then doubleclick on it.
- Allow the Ghidra to analyze the application.
- Search for the secret: Go to `Functions` on the left-hand side, select `_secret` . Now on the screen on the right-hand side you can see the secret. This is a string in C.
-
- Search for the secret, which is "hidden" as a char array: Go to `Functions` on the left-hand side, select `_secret2`. See that this returns a label on your right-hand side. Now open `Labels` on the left-hand side, select the label returned by `_secret2` (`_secret2.label`) and find the answer in the center. This is a Char array in C.
+
- Search for the samesecret, which is "hidden" as a char array: Go to `Functions` on the left-hand side, select `_secret2`. See that this returns a label on your right-hand side. Now open `Labels` on the left-hand side, select the label returned by `_secret2` (`_secret2.label`) and find the answer in the center. This is a Char array in C.
2. Find the secrets with https://www.radare.org[radare2].
- Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`
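Review bot: the added line introduces a typo, "Search for the samesecret, which is "hidden" as a char array"; it should read "Search for the same secret, which is "hidden" as a char array". Nothing else on the line changed, so the hunk is a one-word edit. While here, the context line "Allow the Ghidra to analyze the application" could drop "the".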
Similar like hiding secrets in an application written in C, you end up in a similar situation with C++. Can you find the secret in our binary?
+
+
Let's debunk the "secrets are hard to find in native compiled applications" myth for C++: can you find the secret in https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-cplus[wrongsecrets-cplus] (or https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-cplus-arm[wrongsecrets-cplus-arm], https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-cplus-linux[wrongsecrets-cplus-linux])?
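Review bot: the new sentence repeats the question already asked in the context line above it ("Can you find the secret in our binary?"), so the challenge text now asks the same thing twice; merge them into one sentence that names the three binaries. The context line should also be fixed while this file is touched: "Similar like hiding secrets in an application written in C, you end up in a similar situation with C++" reads better as "Just as with an application written in C, a C++ binary does not keep its secrets either".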
This challenge is specifically looking at a secret in a C++ binary
+
+
You can solve this challenge using the following steps:
+
+
1. Find the secrets with https://ghidra-sre.org/[Ghidra].
+
- Install https://ghidra-sre.org/[Ghidra].
+
- Start it whit `ghidraRun`.
+
- Load the application `wrongsecrets-cplus` into ghidra by choosing a new project, then import the file and then doubleclick on it.
+
- Allow the Ghidra to analyze the application.
+
- Search for the secret: Go to `Functions` on the left-hand side, select `__Z6secretv()` . Now on the screen on the right-hand side you can see the secret. This is a string in C++, wrapped in another class (`SecretContainer`).
+
- Search for the same secret, which is "hidden" as a char array: Go to `Functions` on the left-hand side, select `__Z7secret2v()`. On the right hand side, you see the function: now click on the return result of the function at `__ZZ7secret2vE6harder` . Now you can see the result in the Listing view.
+
+
+
2. Find the secrets with https://www.radare.org[radare2].
+
- Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`
+
- Launch r2 analysis with `$ r2 -A wrongsecrets-cplus`
+
- Use command `pdf @ sym.secret__` to see disassembled output of function which returns secret
+
- Use command `pdf @ sym.secret2__` to see disassembled output of function which returns secret2
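Review bot: the symbol names in the Ghidra steps (`__Z6secretv()`, `__Z7secret2v()`, `__ZZ7secret2vE6harder`) carry the extra leading underscore that Mach-O adds, so they match the macOS `wrongsecrets-cplus` build only; on the `wrongsecrets-cplus-linux` ELF build Ghidra lists them as `_Z6secretv` and so on (or demangled as `secret()` when demangling is enabled), and the hint should say which binary the names belong to or give the demangled names. The last Ghidra step also describes `__ZZ7secret2vE6harder` as "the return result of the function"; the mangled name encodes a function-local static variable `harder` inside `secret2()`, so "click on the static variable `harder` referenced by the function" is more accurate. Typo in the added line "Start it whit `ghidraRun`": "with". For the radare2 steps it would help to tell the reader how to find the flag names when they differ, e.g. `afl~secret` after `r2 -A`, rather than assuming `sym.secret__` and `sym.secret2__`.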
*Why Using binaries to hide a secret will only delay an attacker.*
+
+
With beautiful free Reverse engineering applications as Ghidra, not a lot of things remain safe. Anyone who can load the executable in Ghidra or Radare2 can easily start doing a reconnaissance and find secrets within your binary.
+
+
Encrypting the secret with a key embedded in the binary, and other funny puzzles do delay an attacker and just make it fun finding the secret. Be aware that, if the secret needs to be used by the executable, it eventually needs to be in memory ready to be executed.
+
+
Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server.
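Review bot: the closing advice "Make sure it can only be retrieved remotely after authenticating against a server" leaves the bootstrap problem unstated: whatever the executable uses to authenticate to that server must not itself live in the binary, or the attacker simply extracts that credential instead; a sentence pointing to a runtime-injected identity (a token passed in at start, an OS or cloud identity) would close the loop. Wording in the added lines: "Why Using binaries" should be "Why using binaries", "Reverse engineering applications as Ghidra" should be "reverse engineering applications such as Ghidra", "other funny puzzles" is better as "similar obfuscation tricks", and "in memory ready to be executed" should be "in memory ready to be used", since a secret is read, not executed.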