Projects STRLCPY wrongsecrets Commits d513f471
  • .github/scripts/docker-create-and-push.sh
    skipped 86 lines
    87 87  echo "committing changes and new pom file with version ${tag}"
    88 88  git commit -am "Update POM file with new version: ${tag}"
    89 89  git push
    90  -echo "tagging version"
    91  -git tag -a $tag -m "${message}"
    92  -git push --tags
     90 +#echo "tagging version"
     91 +#git tag -a $tag -m "${message}"
     92 +#git push --tags
    93 93   
    94 94  echo "Don't forget to update experiment-bed"
    95 95  echo "git checkout experiment-bed && git merge master --no-edit"
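Review bot: commenting out the three `git tag`/`git push --tags` lines turns the release script into a non-tagging one without any record of why, and commented-out code rots; if the intent is a test build that must not be tagged, gate those lines behind an environment variable or a flag (for example `if [ -z "${SKIP_TAG}" ]; then ... fi`, an assumed name) so the release path stays intact and readable. While touching them, `git tag -a $tag` leaves `$tag` unquoted although the surrounding lines use `"${tag}"`; quote it for consistency.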
    skipped 7 lines
  • Dockerfile
    skipped 17 lines
    18 18  COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar /application.jar
    19 19  COPY --chown=wrongsecrets .github/scripts/ /var/tmp/helpers
    20 20  COPY --chown=wrongsecrets src/main/resources/.bash_history /home/wrongsecrets/
    21  -COPY --chown=wrongsecrets src/main/resources/executables/wrongsecrets-c /home/wrongsecrets/
    22  -COPY --chown=wrongsecrets src/main/resources/executables/wrongsecrets-c-arm /home/wrongsecrets/
    23  -COPY --chown=wrongsecrets src/main/resources/executables/wrongsecrets-c-linux /home/wrongsecrets/
     21 +COPY --chown=wrongsecrets src/main/resources/executables/ /home/wrongsecrets/
    24 22  COPY --chown=wrongsecrets src/test/resources/alibabacreds.kdbx /var/tmp/helpers
    25 23  USER wrongsecrets
    26 24  CMD java -jar -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) /application.jar
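Review bot: `COPY --chown=wrongsecrets src/main/resources/executables/ /home/wrongsecrets/` copies everything in that directory, not just the six challenge binaries, so anything later dropped into `src/main/resources/executables/` (sources, notes, stray files) ends up in the image and in the service user's home directory. Either keep explicit per-file COPY lines for `wrongsecrets-c*` and `wrongsecrets-cplus*` or add a matching `.dockerignore` rule. Note also that the directory contents are flattened into `/home/wrongsecrets/`, which is exactly the fallback path `BinaryExecutionHelper.retrieveFile` probes, so the binaries must stay at the top level of that directory for the container path to keep working.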
    skipped 1 lines
  • Dockerfile.web
    1  -FROM jeroenwillemsen/wrongsecrets:1.4.4-no-vault
     1 +FROM jeroenwillemsen/wrongsecrets:challenge20test2-no-vault
    2 2   
    3 3  ARG argBasedVersion="1.4.4"
    4 4  ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
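Review bot: the base image is pinned to `jeroenwillemsen/wrongsecrets:challenge20test2-no-vault` while `ARG argBasedVersion="1.4.4"` two lines below is unchanged, so the web image now mixes a test-build base with a release version string. If the tag is temporary for trying out Challenge 20, mark it with a TODO to restore the release tag before merging, or derive the FROM tag from the same build arg so the two values cannot drift apart.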
    skipped 9 lines
  • README.md
    skipped 5 lines
    6 6   
    7 7  Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
    8 8   
    9  -Can you solve all the 19 challenges?
     9 +Can you solve all the 20 challenges?
    10 10  ![screenshot.png](screenshot.png)
    11 11   
    12 12  ## Support
    skipped 2 lines
    15 15   
    16 16  ## Basic docker exercises
    17 17   
    18  -_Can be used for challenges 1-4, 8, 12-19_
     18 +_Can be used for challenges 1-4, 8, 12-20_
    19 19   
    20 20  For the basic docker exercises you currently require:
    21 21   
    skipped 21 lines
    43 43  - [localhost:8080/challenge/17](http://localhost:8080/challenge/17)
    44 44  - [localhost:8080/challenge/18](http://localhost:8080/challenge/18)
    45 45  - [localhost:8080/challenge/19](http://localhost:8080/challenge/19)
     46 +- [localhost:8080/challenge/20](http://localhost:8080/challenge/20)
    46 47   
    47 48  Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
    48 49   
    skipped 68 lines
    117 118  - vault [Install from here](https://www.vaultproject.io/downloads),
    118 119  - grep, Cat, and Sed
    119 120   
    120  -Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-19.
     121 +Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-20.
    121 122   
    122 123  When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
    123 124   
    124 125  ## Cloud Challenges
    125 126   
    126  -_Can be used for challenges 1-19_
     127 +_Can be used for challenges 1-20_
    127 128   
    128 129  **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
    129 130  never run this on an account which is related to your production environment or can influence your account-over-arching resources.
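Review bot: the edited line still reads `./k8s-vault-minkube-start.sh` while the paragraph right below refers to `k8s-vault-minikube-start.sh`; since the line is being rewritten anyway, fix the script name so readers copy a command that exists. The resume instruction also gives `k8s-vault-minikube-resume.sh` without the `./` prefix the start command uses; make the two consistent.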
    skipped 151 lines
  • pom.xml
    skipped 8 lines
    9 9   </parent>
    10 10   <groupId>org.owasp</groupId>
    11 11   <artifactId>wrongsecrets</artifactId>
    12  - <version>1.4.4-SNAPSHOT</version>
     12 + <version>challenge20test2-SNAPSHOT</version>
    13 13   <name>OWASP WrongSecrets</name>
    14 14   <description>Examples with how to not use secrets</description>
    15 15   <url>https://owasp.org/www-project-wrongsecrets/</url>
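Review bot: `<version>challenge20test2-SNAPSHOT</version>` is not a semantic version, and the Dockerfile in this same commit copies `target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar` while `Dockerfile.web` keeps `ARG argBasedVersion="1.4.4"`, so the jar name produced by Maven and the name the image build expects no longer agree unless `--build-arg argBasedVersion=challenge20test2` is passed explicitly. If this is a throwaway test version, leave the Maven coordinates at `1.4.4-SNAPSHOT` and tag the image separately instead.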
    skipped 416 lines
  • src/main/java/org/owasp/wrongsecrets/challenges/docker/BinaryExecutionHelper.java
     1 +package org.owasp.wrongsecrets.challenges.docker;
     2 + 
     3 +import com.google.common.base.Strings;
     4 +import lombok.extern.slf4j.Slf4j;
     5 +import org.apache.commons.io.FileUtils;
     6 +import org.springframework.util.ResourceUtils;
     7 + 
     8 +import java.io.*;
     9 + 
     10 +@Slf4j
     11 +public class BinaryExecutionHelper {
     12 + 
     13 + 
     14 + public static String ERROR_EXECUTION = "Error with executing";
     15 + private final int challengeNumber;
     16 + 
     17 + public BinaryExecutionHelper(int challengeNumber) {
     18 + this.challengeNumber = challengeNumber;
     19 + }
     20 + 
     21 + private boolean useX86() {
     22 + String systemARch = System.getProperty("os.arch");
     23 + log.info("System arch detected: {}", systemARch);
     24 + return systemARch.contains("amd64") || systemARch.contains("x86");
     25 + }
     26 + 
     27 + private boolean useLinux() {
     28 + String systemARch = System.getProperty("os.arch");
     29 + log.info("System arch detected: {}", systemARch);
     30 + return systemARch.contains("amd64");
     31 + }
     32 + 
     33 + private File retrieveFile(String location) {
     34 + try {
     35 + log.info("First looking at location:'classpath:executables/{}'", location);
     36 + return ResourceUtils.getFile("classpath:executables/" + location);
     37 + } catch (FileNotFoundException e) {
     38 + log.debug("exception finding file", e);
     39 + log.info("You might be running this in a docker container, trying alternative path: '/home/wrongsecrets/{}'", location);
     40 + return new File("/home/wrongsecrets/" + location);
     41 + }
     42 + }
     43 + 
     44 + private File createTempExecutable(String fileName) throws IOException {
     45 + File challengeFile;
     46 + if (useX86()) {
     47 + challengeFile = retrieveFile(fileName);
     48 + if (useLinux()) {
     49 + challengeFile = retrieveFile(fileName + "-linux");
     50 + }
     51 + } else {
     52 + challengeFile = retrieveFile(fileName + "-c-arm");
     53 + }
     54 + //prepare file to execute
     55 + File execFile = File.createTempFile("c-exec-" + fileName, "sh");
     56 + if (!execFile.setExecutable(true)) {
     57 + log.info("setting the file {} executable failed... rest can be ignored", execFile.getPath());
     58 + }
     59 + OutputStream os = new FileOutputStream(execFile.getPath());
     60 + ByteArrayInputStream is = new ByteArrayInputStream(FileUtils.readFileToByteArray(challengeFile));
     61 + byte[] b = new byte[2048];
     62 + int length;
     63 + while ((length = is.read(b)) != -1) {
     64 + os.write(b, 0, length);
     65 + }
     66 + is.close();
     67 + os.close();
     68 + 
     69 + return execFile;
     70 + }
     71 + 
     72 + private String executeCommand(File execFile, String argument) throws IOException, InterruptedException {
     73 + ProcessBuilder ps = new ProcessBuilder(execFile.getPath(), argument);
     74 + ps.redirectErrorStream(true);
     75 + Process pr = ps.start();
     76 + BufferedReader in = new BufferedReader(new InputStreamReader(pr.getInputStream()));
     77 + String result = in.readLine();
     78 + pr.waitFor();
     79 + return result;
     80 + }
     81 + 
     82 + 
     83 + public String executeCommand(String guess, String fileName) {
     84 + if (Strings.isNullOrEmpty((guess))) {
     85 + guess = "spoil";
     86 + }
     87 + try {
     88 + File execFile = createTempExecutable(fileName);
     89 + String result = executeCommand(execFile, guess);
     90 + if (!execFile.delete()) {
     91 + log.info("Deleting the file {} failed...", execFile.getPath());
     92 + }
     93 + log.info("stdout challenge {}: {}", challengeNumber, result);
     94 + return result;
     95 + } catch (IOException | NullPointerException | InterruptedException e) {
     96 + log.warn("Error executing:", e);
     97 + return ERROR_EXECUTION;
     98 + }
     99 + 
     100 + }
     101 +}
     102 + 
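Review bot: the ARM branch in `createTempExecutable` builds the name as `fileName + "-c-arm"`, which for the callers' `"wrongsecrets-c"` and `"wrongsecrets-cplus"` yields `wrongsecrets-c-c-arm` and `wrongsecrets-cplus-c-arm`; neither file exists (this commit adds `wrongsecrets-cplus-arm`, and the old `Challenge19` code loaded `wrongsecrets-c-arm`), so every ARM host will hit the `/home/wrongsecrets/` fallback with a non-existent file and return `ERROR_EXECUTION`. Use `fileName + "-arm"` to mirror the `-linux` suffix handling above it. Further points in the same file: `useLinux()` only tests `os.arch` for `amd64`, so a Windows JVM on amd64 is handed the `-linux` binary and the logic relies on macOS reporting `x86_64` rather than `amd64`; check `os.name` instead. `ERROR_EXECUTION` is public mutable state and should be `public static final`. The temp file is created with default permissions and the suffix `"sh"` (no dot), gets its executable bit before any content is written, and is only deleted on the success path, so a failure in `executeCommand(File, String)` leaves an executable behind in the temp directory; prefer `Files.createTempFile` with owner-only POSIX permissions, `Files.copy` inside try-with-resources, and deletion in a `finally`. Finally, `in.readLine()` consumes only the first line and `pr.waitFor()` has no timeout, so a chatty or hanging binary stalls the request thread, and the method returns `null` when the binary prints nothing, which callers then dereference.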
  • src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge19.java
    1 1  package org.owasp.wrongsecrets.challenges.docker;
    2 2   
    3 3   
    4  -import com.google.common.base.Strings;
    5 4  import lombok.extern.slf4j.Slf4j;
    6  -import org.apache.commons.io.FileUtils;
    7 5  import org.owasp.wrongsecrets.RuntimeEnvironment;
    8 6  import org.owasp.wrongsecrets.ScoreCard;
    9 7  import org.owasp.wrongsecrets.challenges.Challenge;
    10 8  import org.owasp.wrongsecrets.challenges.Spoiler;
    11 9  import org.springframework.core.annotation.Order;
    12 10  import org.springframework.stereotype.Component;
    13  -import org.springframework.util.ResourceUtils;
    14 11   
    15  -import java.io.*;
    16 12  import java.util.List;
    17 13   
    18 14  import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
    skipped 3 lines
    22 18  @Slf4j
    23 19  public class Challenge19 extends Challenge {
    24 20   
    25  - public static String ERROR_EXECUTION = "Error with executing";
     21 + private final BinaryExecutionHelper binaryExecutionHelper;
    26 22   
    27 23   public Challenge19(ScoreCard scoreCard) {
    28 24   super(scoreCard);
     25 + this.binaryExecutionHelper = new BinaryExecutionHelper(19);
    29 26   }
    30 27   
    31 28   
    32 29   @Override
    33 30   public Spoiler spoiler() {
    34  - return new Spoiler(executeCommand(""));
     31 + return new Spoiler(binaryExecutionHelper.executeCommand("", "wrongsecrets-c"));
    35 32   }
    36 33   
    37 34   @Override
    38 35   public boolean answerCorrect(String answer) {
    39  - return executeCommand(answer).equals("This is correct! Congrats!");
     36 + return binaryExecutionHelper.executeCommand(answer, "wrongsecrets-c").equals("This is correct! Congrats!");
    40 37   }
    41 38   
    42 39   public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
    43 40   return List.of(DOCKER);
    44  - }
    45  - 
    46  - 
    47  - private boolean useX86() {
    48  - String systemARch = System.getProperty("os.arch");
    49  - log.info("System arch detected: {}", systemARch);
    50  - return systemARch.contains("amd64") || systemARch.contains("x86");
    51  - }
    52  - 
    53  - private boolean useLinux() {
    54  - String systemARch = System.getProperty("os.arch");
    55  - log.info("System arch detected: {}", systemARch);
    56  - return systemARch.contains("amd64");
    57  - }
    58  - 
    59  - private File retrieveFile(String location) {
    60  - try {
    61  - log.info("First looking at location:'classpath:executables/{}'", location);
    62  - return ResourceUtils.getFile("classpath:executables/" + location);
    63  - } catch (FileNotFoundException e) {
    64  - log.debug("exception finding file", e);
    65  - log.info("You might be running this in a docker container, trying alternative path: '/home/wrongsecrets/{}'", location);
    66  - return new File("/home/wrongsecrets/" + location);
    67  - }
    68  - }
    69  - 
    70  - private File createTempExecutable() throws IOException {
    71  - File challengeFile;
    72  - if (useX86()) {
    73  - challengeFile = retrieveFile("wrongsecrets-c");
    74  - if (useLinux()) {
    75  - challengeFile = retrieveFile("wrongsecrets-c-linux");
    76  - }
    77  - } else {
    78  - challengeFile = retrieveFile("wrongsecrets-c-arm");
    79  - }
    80  - //prepare file to execute
    81  - File execFile = File.createTempFile("c-exec-challenge19", "sh");
    82  - if (!execFile.setExecutable(true)) {
    83  - log.info("setting the file {} executable failed... rest can be ignored", execFile.getPath());
    84  - }
    85  - OutputStream os = new FileOutputStream(execFile.getPath());
    86  - ByteArrayInputStream is = new ByteArrayInputStream(FileUtils.readFileToByteArray(challengeFile));
    87  - byte[] b = new byte[2048];
    88  - int length;
    89  - while ((length = is.read(b)) != -1) {
    90  - os.write(b, 0, length);
    91  - }
    92  - is.close();
    93  - os.close();
    94  - 
    95  - return execFile;
    96  - }
    97  - 
    98  - private String executeCommand(File execFile, String argument) throws IOException, InterruptedException {
    99  - ProcessBuilder ps = new ProcessBuilder(execFile.getPath(), argument);
    100  - ps.redirectErrorStream(true);
    101  - Process pr = ps.start();
    102  - BufferedReader in = new BufferedReader(new InputStreamReader(pr.getInputStream()));
    103  - String result = in.readLine();
    104  - pr.waitFor();
    105  - return result;
    106  - }
    107  - 
    108  - 
    109  - private String executeCommand(String guess) {
    110  - if (Strings.isNullOrEmpty((guess))) {
    111  - guess = "spoil";
    112  - }
    113  - try {
    114  - File execFile = createTempExecutable();
    115  - String result = executeCommand(execFile, guess);
    116  - if (!execFile.delete()) {
    117  - log.info("Deleting the file {} failed...", execFile.getPath());
    118  - }
    119  - log.info("stdout challenge 19: {}", result);
    120  - return result;
    121  - } catch (IOException | NullPointerException | InterruptedException e) {
    122  - log.warn("Error executing:", e);
    123  - return ERROR_EXECUTION;
    124  - }
    125  - 
    126 41   }
    127 42  }
    128 43   
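Review bot: `binaryExecutionHelper.executeCommand(answer, "wrongsecrets-c").equals("This is correct! Congrats!")` dereferences the helper's return value, which is `null` whenever the binary prints nothing (the helper returns `in.readLine()` unchanged), so an empty or crashing binary surfaces as a `NullPointerException` from `answerCorrect` rather than `false`; invert it to `"This is correct! Congrats!".equals(...)`. The removed `ERROR_EXECUTION` constant, the `log` calls and the `java.io` imports all moved to the helper, so `@Slf4j` on this class is now unused and can go.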
  • src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge20.java
     1 +package org.owasp.wrongsecrets.challenges.docker;
     2 + 
     3 + 
     4 +import lombok.extern.slf4j.Slf4j;
     5 +import org.owasp.wrongsecrets.RuntimeEnvironment;
     6 +import org.owasp.wrongsecrets.ScoreCard;
     7 +import org.owasp.wrongsecrets.challenges.Challenge;
     8 +import org.owasp.wrongsecrets.challenges.Spoiler;
     9 +import org.springframework.core.annotation.Order;
     10 +import org.springframework.stereotype.Component;
     11 + 
     12 +import java.util.List;
     13 + 
     14 +import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
     15 + 
     16 +@Component
     17 +@Order(20)
     18 +@Slf4j
     19 +public class Challenge20 extends Challenge {
     20 + 
     21 + private final BinaryExecutionHelper binaryExecutionHelper;
     22 + 
     23 + public Challenge20(ScoreCard scoreCard) {
     24 + super(scoreCard);
     25 + this.binaryExecutionHelper = new BinaryExecutionHelper(20);
     26 + }
     27 + 
     28 + 
     29 + @Override
     30 + public Spoiler spoiler() {
     31 + return new Spoiler(binaryExecutionHelper.executeCommand("", "wrongsecrets-cplus"));
     32 + }
     33 + 
     34 + @Override
     35 + public boolean answerCorrect(String answer) {
     36 + return binaryExecutionHelper.executeCommand(answer, "wrongsecrets-cplus").equals("This is correct! Congrats!");
     37 + }
     38 + 
     39 + public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
     40 + return List.of(DOCKER);
     41 + }
     42 +}
     43 + 
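Review bot: this class is `Challenge19` with `19` and `"wrongsecrets-c"` swapped for `20` and `"wrongsecrets-cplus"`, and it repeats the same unsafe `executeCommand(...).equals("This is correct! Congrats!")` that throws `NullPointerException` when the helper returns `null`. Since the two classes differ only in those two values, an abstract base that takes the challenge number and binary name in its constructor would keep the comparison (and its null check) in one place. `@Slf4j` is unused here as well.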
  • src/main/resources/executables/wrongsecrets-cplus
    Binary file.
  • src/main/resources/executables/wrongsecrets-cplus-arm
    Binary file.
  • src/main/resources/executables/wrongsecrets-cplus-linux
    Binary file.
  • src/main/resources/explanations/challenge19_hint.adoc
    skipped 7 lines
    8 8  - Load the application `wrongsecrets-c` into ghidra by choosing a new project, then import the file and then doubleclick on it.
    9 9  - Allow the Ghidra to analyze the application.
    10 10  - Search for the secret: Go to `Functions` on the left-hand side, select `_secret` . Now on the screen on the right-hand side you can see the secret. This is a string in C.
    11  -- Search for the secret, which is "hidden" as a char array: Go to `Functions` on the left-hand side, select `_secret2`. See that this returns a label on your right-hand side. Now open `Labels` on the left-hand side, select the label returned by `_secret2` (`_secret2.label`) and find the answer in the center. This is a Char array in C.
     11 +- Search for the same secret, which is "hidden" as a char array: Go to `Functions` on the left-hand side, select `_secret2`. See that this returns a label on your right-hand side. Now open `Labels` on the left-hand side, select the label returned by `_secret2` (`_secret2.label`) and find the answer in the center. This is a Char array in C.
    12 12   
    13 13  2. Find the secrets with https://www.radare.org[radare2].
    14 14  - Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`
    skipped 5 lines
  • src/main/resources/explanations/challenge20.adoc
     1 +=== Obfuscating part 2: the C++ binary
     2 + 
     3 +Similar like hiding secrets in an application written in C, you end up in a similar situation with C++. Can you find the secret in our binary?
     4 + 
     5 +Let's debunk the "secrets are hard to find in native compiled applications" myth for C++: can you find the secret in https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-cplus[wrongsecrets-cplus] (or https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-cplus-arm[wrongsecrets-cplus-arm], https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-cplus-linux[wrongsecrets-cplus-linux])?
     6 + 
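Review bot: `Similar like hiding secrets in an application written in C` should read `Just like hiding secrets in an application written in C`, and that paragraph's closing `Can you find the secret in our binary?` is repeated almost verbatim by the next paragraph together with the links; drop the first question or merge the two paragraphs.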
  • src/main/resources/explanations/challenge20_hint.adoc
     1 +This challenge is specifically looking at a secret in a C++ binary
     2 + 
     3 +You can solve this challenge using the following steps:
     4 + 
     5 +1. Find the secrets with https://ghidra-sre.org/[Ghidra].
     6 +- Install https://ghidra-sre.org/[Ghidra].
     7 +- Start it whit `ghidraRun`.
     8 +- Load the application `wrongsecrets-cplus` into ghidra by choosing a new project, then import the file and then doubleclick on it.
     9 +- Allow the Ghidra to analyze the application.
     10 +- Search for the secret: Go to `Functions` on the left-hand side, select `__Z6secretv()` . Now on the screen on the right-hand side you can see the secret. This is a string in C++, wrapped in another class (`SecretContainer`).
     11 +- Search for the same secret, which is "hidden" as a char array: Go to `Functions` on the left-hand side, select `__Z7secret2v()`. On the right hand side, you see the function: now click on the return result of the function at `__ZZ7secret2vE6harder` . Now you can see the result in the Listing view.
     12 + 
     13 + 
     14 +2. Find the secrets with https://www.radare.org[radare2].
     15 +- Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`
     16 +- Launch r2 analysis with `$ r2 -A wrongsecrets-cplus`
     17 +- Use command `pdf @ sym.secret__` to see disassembled output of function which returns secret
     18 +- Use command `pdf @ sym.secret2__` to see disassembled output of function which returns secret2
     19 + 
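Review bot: `Start it whit` should be `Start it with`, `Allow the Ghidra` should be `Allow Ghidra`, and the opening line is missing its full stop. More importantly, step 1 names the functions `__Z6secretv()` and `__Z7secret2v()` while step 2 uses `sym.secret__` and `sym.secret2__`; these look like two different renderings of the same mangled C++ symbols, and a Mach-O build carries a leading underscore that the ELF build does not, so say which of the three binaries each set of names was taken from and confirm the radare2 names with `afl` before publishing, otherwise a reader following the steps on `wrongsecrets-cplus-linux` will not find `__Z6secretv`.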
  • src/main/resources/explanations/challenge20_reason.adoc
     1 +*Why Using binaries to hide a secret will only delay an attacker.*
     2 + 
     3 +With beautiful free Reverse engineering applications as Ghidra, not a lot of things remain safe. Anyone who can load the executable in Ghidra or Radare2 can easily start doing a reconnaissance and find secrets within your binary.
     4 + 
     5 +Encrypting the secret with a key embedded in the binary, and other funny puzzles do delay an attacker and just make it fun finding the secret. Be aware that, if the secret needs to be used by the executable, it eventually needs to be in memory ready to be executed.
     6 + 
     7 +Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server.
     8 + 
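Review bot: `*Why Using binaries to hide a secret will only delay an attacker.*` should not capitalise `Using`; `Reverse engineering applications as Ghidra` should be `reverse-engineering applications such as Ghidra`; `doing a reconnaissance` should be `doing reconnaissance`; and `ready to be executed` in the last sentence of the second paragraph should be `ready to be used`, since it is the secret, not code, that has to sit in memory. The closing advice to fetch the secret only after authenticating against a server is the actual mitigation and deserves its own sentence explaining that the binary then holds a credential for that server rather than the secret itself.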
  • src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge19Test.java
    skipped 18 lines
    19 19   void spoilerShouldNotCrash() {
    20 20   var challenge = new Challenge19(scoreCard);
    21 21   
    22  - Assertions.assertThat(challenge.spoiler()).isNotEqualTo(new Spoiler(Challenge19.ERROR_EXECUTION));
     22 + Assertions.assertThat(challenge.spoiler()).isNotEqualTo(new Spoiler(BinaryExecutionHelper.ERROR_EXECUTION));
    23 23   }
    24 24   
    25 25  }
    skipped 1 lines
  • src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge20Test.java
     1 +package org.owasp.wrongsecrets.challenges.docker;
     2 + 
     3 +import org.assertj.core.api.Assertions;
     4 +import org.junit.jupiter.api.Test;
     5 +import org.junit.jupiter.api.extension.ExtendWith;
     6 +import org.mockito.Mock;
     7 +import org.mockito.junit.jupiter.MockitoExtension;
     8 +import org.owasp.wrongsecrets.ScoreCard;
     9 +import org.owasp.wrongsecrets.challenges.Spoiler;
     10 + 
     11 +@ExtendWith(MockitoExtension.class)
     12 +class Challenge20Test {
     13 + 
     14 + @Mock
     15 + private ScoreCard scoreCard;
     16 + 
     17 + @Test
     18 + void spoilerShouldNotCrash() {
     19 + var challenge = new Challenge20(scoreCard);
     20 + 
     21 + Assertions.assertThat(challenge.spoiler()).isNotEqualTo(new Spoiler(BinaryExecutionHelper.ERROR_EXECUTION));
     22 + }
     23 + 
     24 +}
     25 + 
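Review bot: `spoilerShouldNotCrash` only checks that the spoiler is not the `ERROR_EXECUTION` sentinel, so it still passes when the helper returns `null` (`new Spoiler(null)` is not equal to `new Spoiler(ERROR_EXECUTION)`) or when the wrong binary is selected but happens to print something; feed the spoiler's value back into `challenge.answerCorrect(...)` and assert it is `true` so the test exercises `wrongsecrets-cplus` end to end. Note as well that the test runs a native binary chosen by `os.arch`, so it is host-dependent and will behave differently on the ARM build path, which this commit breaks in `BinaryExecutionHelper`.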