Merge pull request #321 from commjoen/master

Sync up

.github/scripts/docker-create-and-push.sh

@@ -87,9 +87,9 @@ git restore src/main/resources/.bash_history
 echo "committing changes and new pom file with version ${tag}"
 git commit -am "Update POM file with new version: ${tag}"
 git push
-echo "tagging version"
-git tag -a $tag -m "${message}"
-git push --tags
+#echo "tagging version"
+#git tag -a $tag -m "${message}"
+#git push --tags
 
 echo "Don't forget to update experiment-bed"
 echo "git checkout experiment-bed && git merge master --no-edit"

.github/workflows/link_checker.yml

@@ -0,0 +1,32 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Dead Link Checker
+
+on:
+  repository_dispatch:
+  workflow_dispatch:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  linkChecker:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Link Checker
+        id: lychee
+        uses: lycheeverse/lychee-action@v1.5.0
+        with:
+          args: --exclude-all-private --exclude-file "config/.lycheeignore" -r 2 './**/*.md' './**/*.html'
+          fail: true
+
+      - name: Create Issue From File
+        if: steps.lychee.outputs.exit_code != 0
+        uses: peter-evans/create-issue-from-file@v4
+        with:
+          title: Link Checker Report
+          content-filepath: ./lychee/out.md
+          labels: report, automated issue

Dockerfile.web

@@ -1,6 +1,6 @@
-FROM jeroenwillemsen/wrongsecrets:1.4.1-no-vault
+FROM jeroenwillemsen/wrongsecrets:1.4.2-no-vault
 
-ARG argBasedVersion="1.4.1"
+ARG argBasedVersion="1.4.2"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ENV APP_VERSION=$argBasedVersion
 ENV K8S_ENV=Heroku(Docker)

README.md

@@ -6,7 +6,7 @@
 
 Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
 
-Can you solve all the 17 challenges?
+Can you solve all the 18 challenges?
 ![screenshot.png](screenshot.png)
 
 ## Support
@@ -21,7 +21,7 @@ We will keep providing updates to this branch, and you can track the status quo
 
 ## Basic docker exercises
 
-_Can be used for challenges 1-4, 8, 12-17_
+_Can be used for challenges 1-4, 8, 12-18_
 
 For the basic docker exercises you currently require:
 
@@ -31,7 +31,7 @@ For the basic docker exercises you currently require:
 You can install it by doing:
 
 ```bash
-docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.1-no-vault
+docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.2-no-vault
 ```
 
 Now you can try to find the secrets by means of solving the challenge offered at:
@@ -47,6 +47,7 @@ Now you can try to find the secrets by means of solving the challenge offered at
 - [localhost:8080/challenge/15](http://localhost:8080/challenge/15)
 - [localhost:8080/challenge/16](http://localhost:8080/challenge/16)
 - [localhost:8080/challenge/17](http://localhost:8080/challenge/17)
+- [localhost:8080/challenge/18](http://localhost:8080/challenge/18)
 
 Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
 
@@ -63,7 +64,7 @@ You can test them out at [https://wrongsecrets.herokuapp.com/](https://wrongsecr
 
 ## Basic K8s exercise
 
-_Can be used for challenges 1-6, 8, 12-17_
+_Can be used for challenges 1-6, 8, 12-18_
 
 ### Minikube based
 
@@ -110,7 +111,7 @@ now you can use the provided IP address and port to further play with the K8s va
 
 ## Vault exercises with minikube
 
-_Can be used for challenges 1-8, 12-17_
+_Can be used for challenges 1-8, 12-18_
 Make sure you have the following installed:
 
 - minikube with docker (or comment out line 8 and work at your own k8s setup),
@@ -121,13 +122,13 @@ Make sure you have the following installed:
 - vault [Install from here](https://www.vaultproject.io/downloads),
 - grep, Cat, and Sed
 
-Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-17.
+Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-18.
 
 When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
 
 ## Cloud Challenges
 
-_Can be used for challenges 1-17_
+_Can be used for challenges 1-18_
 
 **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises, 
 never run this on an account which is related to your production environment or can influence your account-over-arching resources.

aws/README.md

@@ -35,7 +35,7 @@ The bucket name should be in the output. Please use that to configure the Terraf
 
 ## Installation
 
-The terraform code is loosely based on [this EKS managed Node Group TF example](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/managed_node_groups).
+The terraform code is loosely based on [this EKS managed Node Group TF example](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks_managed_node_group).
 
 **Note**: Applying the Terraform means you are creating cloud infrastructure which actually costs you money. The authors are not responsible for any cost coming from following the instructions below.
 

aws/k8s/secret-challenge-vault-deployment.yml

@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.1-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.2-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

azure/README.md

@@ -1,6 +1,6 @@
 # Setup your secrets in Azure
 
-In this setup we integrate the secrets exercise with Azure AKS and let pods consume secrets from an Azure Key Vault. If you want to know more about integrating secrets with AKS, check [this link](https://azure.github.io/secrets-store-csi-driver-provider-azure/getting-started/usage/#provide-identity-to-access-key-vault).
+In this setup we integrate the secrets exercise with Azure AKS and let pods consume secrets from an Azure Key Vault. If you want to know more about integrating secrets with AKS, check [this link](https://github.com/Azure/secrets-store-csi-driver-provider-azure).
 Please make sure that the account in which you run this exercise has either Log Analytics enabled, or is not linked to your current subscriptions and/or DTAP environment.
 
 ## Pre-requisites

azure/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -35,7 +35,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.1-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.2-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

config/.lycheeignore

@@ -0,0 +1,5 @@
+# Ignore all files
+file://.*
+
+# This is used as an example when creating a pull request
+https://github.com/Your_Github_Handle.*

gcp/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.1-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.2-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

k8s/secret-challenge-deployment.yml

@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.1-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.2-no-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

k8s/secret-challenge-vault-deployment.yml

@@ -30,7 +30,7 @@ spec:
         runAsNonRoot: true
       serviceAccountName: vault
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.1-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.2-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

pom.xml

@@ -4,12 +4,12 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.6.7</version>
+        <version>2.7.0</version>
         <relativePath /> <!-- lookup parent from repository -->
     </parent>
     <groupId>org.owasp</groupId>
     <artifactId>wrongsecrets</artifactId>
-    <version>1.4.1-SNAPSHOT</version>
+    <version>1.4.2</version>
     <name>OWASP WrongSecrets</name>
     <description>Examples with how to not use secrets</description>
     <url>https://owasp.org/www-project-wrongsecrets/</url>
@@ -41,23 +41,23 @@
     <properties>
         <java.version>18</java.version>
         <maven.compiler.target>18</maven.compiler.target>
-        <spring.cloud-version>2021.0.2</spring.cloud-version>
+        <spring.cloud-version>2021.0.3</spring.cloud-version>
         <lombok.version>1.18.24</lombok.version>
-        <aws.sdk.version>2.17.181</aws.sdk.version>
-        <asciidoctorj.version>2.5.3</asciidoctorj.version>
+        <aws.sdk.version>2.17.204</aws.sdk.version>
+        <asciidoctorj.version>2.5.4</asciidoctorj.version>
         <jruby.version>9.3.4.0</jruby.version>
         <bootstrap.version>5.1.3</bootstrap.version>
         <github.button.version>2.14.1</github.button.version>
-        <gcp.sdk.version>25.2.0</gcp.sdk.version>
+        <gcp.sdk.version>25.4.0</gcp.sdk.version>
         <thymeleaf-spring5.version>3.0.15.RELEASE</thymeleaf-spring5.version>
         <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
         <thymeleaf.layout>3.1.0</thymeleaf.layout>
         <asciidoctor.maven.plugin.version>2.2.2</asciidoctor.maven.plugin.version>
-        <azure.keyvault.version>4.4.1</azure.keyvault.version>
-        <azure.identity.version>1.5.0</azure.identity.version>
+        <azure.keyvault.version>4.4.2</azure.keyvault.version>
+        <azure.identity.version>1.5.1</azure.identity.version>
         <azure.keyvault.spring.version>2.3.5</azure.keyvault.spring.version>
-        <spring.security.version>5.6.3</spring.security.version>
-        <cyclonedx.core.version>7.1.3</cyclonedx.core.version>
+        <spring.security.version>5.7.1</spring.security.version>
+        <cyclonedx.core.version>7.1.4</cyclonedx.core.version>
         <KeePassJava2.version>2.1.4</KeePassJava2.version>
         <system-stubs-jupiter.version>2.0.1</system-stubs-jupiter.version>
         <dependency-check-maven.version>7.0.4</dependency-check-maven.version>
@@ -257,7 +257,7 @@
                         <dependency>
                             <groupId>com.puppycrawl.tools</groupId>
                             <artifactId>checkstyle</artifactId>
-                            <version>10.2</version>
+                            <version>10.3</version>
                         </dependency>
                     </dependencies>
                 </plugin>
@@ -328,7 +328,7 @@
             <plugin>
                 <groupId>org.cyclonedx</groupId>
                 <artifactId>cyclonedx-maven-plugin</artifactId>
-                <version>2.6.0</version>
+                <version>2.7.0</version>
                 <executions>
                     <execution>
                         <phase>install</phase>

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge18.java

@@ -0,0 +1,68 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.crypto.codec.Hex;
+import org.springframework.stereotype.Component;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+import java.util.List;
+
+import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
+
+@Component
+@Order(18)
+@Slf4j
+public class Challenge18 extends Challenge {
+
+    private final String hashPassword;
+    private final String md5Hash = "MD5";
+    private final String sha1Hash = "SHA1";
+
+    public Challenge18(ScoreCard scoreCard, @Value("aHVudGVyMg==") String hashPassword) {
+        super(scoreCard);
+        this.hashPassword = hashPassword;
+    }
+
+    private String base64Decode(String base64) {
+        byte[] decodedBytes = Base64.getDecoder().decode(base64);
+        return new String(decodedBytes);
+    }
+
+
+    private String calculateHash(String hash, String input) {
+        try {
+            if (md5Hash.equals(hash) || sha1Hash.equals(hash)) {
+                var md = MessageDigest.getInstance(hash);
+                return new String(Hex.encode(md.digest(input.getBytes(StandardCharsets.UTF_8))));
+            }
+        } catch (NoSuchAlgorithmException e) {
+            log.warn("Exception thrown when calculating hash", e);
+        }
+        return "No Hash Selected";
+    }
+
+    @Override
+    public Spoiler spoiler() {
+        return new Spoiler(base64Decode(hashPassword));
+    }
+
+    @Override
+    public boolean answerCorrect(String answer) {
+        return calculateHash(md5Hash, base64Decode(hashPassword)).equals(calculateHash(md5Hash, answer))
+            || calculateHash(sha1Hash, base64Decode(hashPassword)).equals(calculateHash(sha1Hash, answer));
+    }
+
+    public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
+        return List.of(DOCKER);
+    }
+}

src/main/resources/explanations/challenge18.adoc

@@ -0,0 +1,9 @@
+=== Bad hashing
+
+This developer has their password stored on their computer. They are no idiot, though, they have hashed it twice using the same systems many of the biggest companies in the world use. Just with a little less seasoning. Nobody is going to be able to crack this...
+
+The first hash is `2ab96390c7dbe3439de74d0c9b0b1767` and the second hash is `F3BBBD66A63D4BF1747940578EC3D0103530E21D`
+
+Despite many large companies using these hashes, is there a way beat the system? 
+
+Cracking either hash will give you the correct answer. As an extra challenge, try cracking both.

src/main/resources/explanations/challenge18_hint.adoc

@@ -0,0 +1,20 @@
+This challenge is specifically looking at MD5 and SHA1 hashes without salting. Are these un-crackable?
+
+You can solve this challenge using the following steps:
+
+1. For the first hash (MD5):
+- Use a tool such as Hashcat:
+- Install https://hashcat.net/hashcat/[Hashcat]
+- Download the https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt[rockyou.txt password list]
+- Run Hashcat on the hash `hashcat -m 0 "2ab96390c7dbe3439de74d0c9b0b1767" /path/to/file/rockyou.txt` 
+
+2. For the second hash (SHA1):
+- Use a tool such as Hashcat:
+- Install https://hashcat.net/hashcat/[Hashcat]
+- Download the https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt[rockyou.txt password list]
+- Run Hashcat on the hash `hashcat -m 100 "F3BBBD66A63D4BF1747940578EC3D0103530E21D" /path/to/file/rockyou.txt` 
+
+3. For either of the hashes:
+- Use an online hash cracking service to do the heavy lifting for you:
+- Visit `https://crackstation.net/`
+- Enter the hash and click "Crack Hashes"

src/main/resources/explanations/challenge18_reason.adoc

@@ -0,0 +1,7 @@
+*Why MD5 and SHA1 hashing alone are not enough.*
+
+MD5 and SHA1 hash are no longer considered safe to store passwords on their own. Speed is what makes MD5 and SHA1 hashes so useful, but it is also their downfall. It only takes a few minutes to hash thousands of passwords; this also means that it only takes minutes to hash thousands of common passwords and use these hashes to compare against a hash that has been obtained.
+
+Companies try different techniques to harden MD5 and SHA1 hashes, such as "salting" them. This is the process of adding additional characters to the password that only the person/company that should be decrypting knows. Unfortunately this is not enough either with the rise of GPU and ASIC based computations. Therefore, companies using these techniques can better migrate to https://en.wikipedia.org/wiki/Argon2[Argon2] or https://en.wikipedia.org/wiki/Balloon_hashing[Balloon hashing].
+
+As a user you often have no choice in how your passwords are stored; the only thing you can do in this case is try to make your password longer and more complex. A password SHA1 that is 7 characters long with upper and lowercase characters will take roughly a minute or 5 to brute force on a proper GPU, whereas one with 25 characters will take much longer.