Merge branch 'master' into experiment-bed

OWASP · Jun 18, 2022 · aab9d9d · aab9d9d
2 parents 7df3281 + ed8f9da
commit aab9d9d
Show file tree

Hide file tree

Showing 19 changed files with 219 additions and 18 deletions.
diff --git a/.github/scripts/docker-create-and-push.sh b/.github/scripts/docker-create-and-push.sh
@@ -87,9 +87,9 @@ git restore src/main/resources/.bash_history
 echo "committing changes and new pom file with version ${tag}"
 git commit -am "Update POM file with new version: ${tag}"
 git push
-#echo "tagging version"
-#git tag -a $tag -m "${message}"
-#git push --tags
+echo "tagging version"
+git tag -a $tag -m "${message}"
+git push --tags
 
 echo "Don't forget to update experiment-bed"
 echo "git checkout experiment-bed && git merge master --no-edit"

diff --git a/Dockerfile b/Dockerfile
@@ -18,6 +18,9 @@ RUN useradd -u 2000 -m wrongsecrets
 COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar /application.jar
 COPY --chown=wrongsecrets .github/scripts/ /var/tmp/helpers
 COPY --chown=wrongsecrets src/main/resources/.bash_history /home/wrongsecrets/
+COPY --chown=wrongsecrets src/main/resources/executables/wrongsecrets-c /home/wrongsecrets/
+COPY --chown=wrongsecrets src/main/resources/executables/wrongsecrets-c-arm /home/wrongsecrets/
+COPY --chown=wrongsecrets src/main/resources/executables/wrongsecrets-c-linux /home/wrongsecrets/
 COPY --chown=wrongsecrets src/test/resources/alibabacreds.kdbx /var/tmp/helpers
 USER wrongsecrets
 CMD java -jar -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) /application.jar
diff --git a/Dockerfile.web b/Dockerfile.web
@@ -1,6 +1,6 @@
-FROM jeroenwillemsen/wrongsecrets:1.4.2-no-vault
+FROM jeroenwillemsen/wrongsecrets:1.4.4-no-vault
 
-ARG argBasedVersion="1.4.2"
+ARG argBasedVersion="1.4.4"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ENV APP_VERSION=$argBasedVersion
 ENV K8S_ENV=Heroku(Docker)

diff --git a/README.md b/README.md
@@ -21,7 +21,7 @@ We will keep providing updates to this branch, and you can track the status quo
 
 ## Basic docker exercises
 
-_Can be used for challenges 1-4, 8, 12-18_
+_Can be used for challenges 1-4, 8, 12-19_
 
 For the basic docker exercises you currently require:
 
@@ -31,7 +31,7 @@ For the basic docker exercises you currently require:
 You can install it by doing:
 
 ```bash
-docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.2-no-vault
+docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.4-no-vault
 ```
 
 Now you can try to find the secrets by means of solving the challenge offered at:
@@ -48,6 +48,7 @@ Now you can try to find the secrets by means of solving the challenge offered at
 - [localhost:8080/challenge/16](http://localhost:8080/challenge/16)
 - [localhost:8080/challenge/17](http://localhost:8080/challenge/17)
 - [localhost:8080/challenge/18](http://localhost:8080/challenge/18)
+- [localhost:8080/challenge/18](http://localhost:8080/challenge/19)
 
 Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
 
@@ -64,7 +65,7 @@ You can test them out at [https://wrongsecrets.herokuapp.com/](https://wrongsecr
 
 ## Basic K8s exercise
 
-_Can be used for challenges 1-6, 8, 12-18_
+_Can be used for challenges 1-6, 8, 12-19_
 
 ### Minikube based
 
@@ -111,7 +112,7 @@ now you can use the provided IP address and port to further play with the K8s va
 
 ## Vault exercises with minikube
 
-_Can be used for challenges 1-8, 12-18_
+_Can be used for challenges 1-8, 12-19_
 Make sure you have the following installed:
 
 - minikube with docker (or comment out line 8 and work at your own k8s setup),
@@ -128,7 +129,7 @@ When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the
 
 ## Cloud Challenges
 
-_Can be used for challenges 1-18_
+_Can be used for challenges 1-19_
 
 **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises, 
 never run this on an account which is related to your production environment or can influence your account-over-arching resources.
@@ -175,6 +176,7 @@ Top contributors:
 
 - [Nanne Baars @nbaars](https://github.com/nbaars)
 - [Marcin Nowak @MarcinNowak-codes](https://github.com/MarcinNowak-codes)
+- [Joss Sparkes @remakingeden](https://github.com/remakingeden)
 - [Tibor Hercz @tiborhercz](https://github.com/tiborhercz)
 - [Filip Chyla @fchyla](https://github.com/fchyla)
 - [Dmitry Litosh @Dlitosh](https://github.com/Dlitosh)
@@ -183,7 +185,7 @@ Top contributors:
 - [Mike Woudenberg @mikewoudenberg](https://github.com/mikewoudenberg)
 - [Ruben Kruiver @RubenAtBinx](https://github.com/RubenAtBinx)
 - [Finn @f3rn0s](https://github.com/f3rn0s)
-- [Joss Sparkes @remakingeden](https://github.com/remakingeden)
+- [Alex Bender @alex-bender](https://github.com/alex-bender)
 
 Testers:
 
@@ -270,3 +272,14 @@ Follow the steps below on adding a challenge:
 4. Don't forget to add `@Order` annotation to your challenge ;-).
 
 If you want to move existing cloud challenges to another cloud: extend Challenge classes in the `org.owasp.wrongsecrets.challenges.cloud` package and make sure you add the required Terraform in a folder with the separate cloud identified. Make sure that the environment is added to `org.owasp.wrongsecrets.RuntimeEnvironment`. Collaborate with the others at the project to get your container running so you can test at the cloud account.
+
+
+## Further reading on secrets management
+
+Want to learn more? Checkout the sources below:
+
+- [Blog: 10 Pointers on Secrets Management](https://dev.to/commjoen/secure-deployment-10-pointers-on-secrets-management-187j)
+- [OWASP SAMM on Secret Management](https://owaspsamm.org/model/implementation/secure-deployment/stream-b/)
+- [The secret detection topic at Github](https://github.com/topics/secrets-detection)
+- [OWASP Secretsmanagement Cheatsheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Secrets_Management_CheatSheet.md)
+- [OpenCRE on secrets management](https://www.opencre.org/cre/223-780?register=true&type=tool&tool_type=training&tags=secrets,training&description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2014%20challenges%3F&trk=flagship-messaging-web&messageThreadUrn=urn:li:messagingThread:2-YmRkNjRkZTMtNjRlYS00OWNiLWI2YmUtMDYwNzY3ZjI1MDcyXzAxMg==&lipi=urn:li:page:d_flagship3_feed;J58Sgd80TdanpKWFMH6z+w==)
diff --git a/aws/k8s/secret-challenge-vault-deployment.yml b/aws/k8s/secret-challenge-vault-deployment.yml
@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.2-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

diff --git a/azure/k8s/secret-challenge-vault-deployment.yml.tpl b/azure/k8s/secret-challenge-vault-deployment.yml.tpl
@@ -35,7 +35,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.2-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

diff --git a/gcp/k8s/secret-challenge-vault-deployment.yml.tpl b/gcp/k8s/secret-challenge-vault-deployment.yml.tpl
@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.2-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

diff --git a/k8s/secret-challenge-deployment.yml b/k8s/secret-challenge-deployment.yml
@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.2-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.4-no-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

diff --git a/k8s/secret-challenge-vault-deployment.yml b/k8s/secret-challenge-vault-deployment.yml
@@ -30,7 +30,7 @@ spec:
         runAsNonRoot: true
       serviceAccountName: vault
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.2-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

diff --git a/pom.xml b/pom.xml
@@ -9,7 +9,7 @@
     </parent>
     <groupId>org.owasp</groupId>
     <artifactId>wrongsecrets</artifactId>
-    <version>1.4.2</version>
+    <version>1.4.4-SNAPSHOT</version>
     <name>OWASP WrongSecrets</name>
     <description>Examples with how to not use secrets</description>
     <url>https://owasp.org/www-project-wrongsecrets/</url>

diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge19.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge19.java
@@ -0,0 +1,127 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+
+import com.google.common.base.Strings;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.io.FileUtils;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+import org.springframework.util.ResourceUtils;
+
+import java.io.*;
+import java.util.List;
+
+import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
+
+@Component
+@Order(19)
+@Slf4j
+public class Challenge19 extends Challenge {
+
+    public static String ERROR_EXECUTION = "Error with executing";
+
+    public Challenge19(ScoreCard scoreCard) {
+        super(scoreCard);
+    }
+
+
+    @Override
+    public Spoiler spoiler() {
+        return new Spoiler(executeCommand(""));
+    }
+
+    @Override
+    public boolean answerCorrect(String answer) {
+        return executeCommand(answer).equals("This is correct! Congrats!");
+    }
+
+    public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
+        return List.of(DOCKER);
+    }
+
+
+    private boolean useX86() {
+        String systemARch = System.getProperty("os.arch");
+        log.info("System arch detected: {}", systemARch);
+        return systemARch.contains("amd64") || systemARch.contains("x86");
+    }
+
+    private boolean useLinux() {
+        String systemARch = System.getProperty("os.arch");
+        log.info("System arch detected: {}", systemARch);
+        return systemARch.contains("amd64");
+    }
+
+    private File retrieveFile(String location) {
+        try {
+            log.info("First looking at location:'classpath:executables/{}'", location);
+            return ResourceUtils.getFile("classpath:executables/" + location);
+        } catch (FileNotFoundException e) {
+            log.debug("exception finding file", e);
+            log.info("You might be running this in a docker container, trying alternative path: '/home/wrongsecrets/{}'", location);
+            return new File("/home/wrongsecrets/" + location);
+        }
+    }
+
+    private File createTempExecutable() throws IOException {
+        File challengeFile;
+        if (useX86()) {
+            challengeFile = retrieveFile("wrongsecrets-c");
+            if (useLinux()) {
+                challengeFile = retrieveFile("wrongsecrets-c-linux");
+            }
+        } else {
+            challengeFile = retrieveFile("wrongsecrets-c-arm");
+        }
+        //prepare file to execute
+        File execFile = File.createTempFile("c-exec-challenge19", "sh");
+        if (!execFile.setExecutable(true)) {
+            log.info("setting the file {} executable failed... rest can be ignored", execFile.getPath());
+        }
+        OutputStream os = new FileOutputStream(execFile.getPath());
+        ByteArrayInputStream is = new ByteArrayInputStream(FileUtils.readFileToByteArray(challengeFile));
+        byte[] b = new byte[2048];
+        int length;
+        while ((length = is.read(b)) != -1) {
+            os.write(b, 0, length);
+        }
+        is.close();
+        os.close();
+
+        return execFile;
+    }
+
+    private String executeCommand(File execFile, String argument) throws IOException, InterruptedException {
+        ProcessBuilder ps = new ProcessBuilder(execFile.getPath(), argument);
+        ps.redirectErrorStream(true);
+        Process pr = ps.start();
+        BufferedReader in = new BufferedReader(new InputStreamReader(pr.getInputStream()));
+        String result = in.readLine();
+        pr.waitFor();
+        return result;
+    }
+
+
+    private String executeCommand(String guess) {
+        if (Strings.isNullOrEmpty((guess))) {
+            guess = "spoil";
+        }
+        try {
+            File execFile = createTempExecutable();
+            String result = executeCommand(execFile, guess);
+            if (!execFile.delete()) {
+                log.info("Deleting the file {} failed...", execFile.getPath());
+            }
+            log.info("stdout challenge 19: {}", result);
+            return result;
+        } catch (IOException | NullPointerException | InterruptedException e) {
+            log.warn("Error executing:", e);
+            return ERROR_EXECUTION;
+        }
+
+    }
+}
diff --git a/src/main/resources/executables/wrongsecrets-c b/src/main/resources/executables/wrongsecrets-c
diff --git a/src/main/resources/executables/wrongsecrets-c-arm b/src/main/resources/executables/wrongsecrets-c-arm
diff --git a/src/main/resources/executables/wrongsecrets-c-linux b/src/main/resources/executables/wrongsecrets-c-linux
diff --git a/src/main/resources/explanations/challenge19.adoc b/src/main/resources/explanations/challenge19.adoc
@@ -0,0 +1,6 @@
+=== Obfuscating part 1 the C binary
+
+We need to put a secret in a mobile app! Nobody will notice the secret in our compiled code!
+This is a misbelief we have often encountered when presenting on mobile security topics.
+
+Let's debunk this myth for C: can you find the secret in https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-c[wrongsecrets-c] (or https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-c-arm[wrongsecrets-c-arm], https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-c-linux[wrongsecrets-c-linux])?
diff --git a/src/main/resources/explanations/challenge19_hint.adoc b/src/main/resources/explanations/challenge19_hint.adoc
@@ -0,0 +1,18 @@
+This challenge is specifically looking at a secret in a C binary
+
+You can solve this challenge using the following steps:
+
+1. Find the secrets with https://ghidra-sre.org/[Ghidra].
+- Install https://ghidra-sre.org/[Ghidra].
+- Start it whit `ghidraRun`.
+- Load the application `wrongsecrets-c` into ghidra by choosing a new project, then import the file and then doubleclick on it.
+- Allow the Ghidra to analyze the application.
+- Search for the secret: Go to `Functions` on the left-hand side, select `_secret` . Now on the screen on the right-hand side you can see the secret. This is a string in C.
+- Search for the secret, which is "hidden" as a char array: Go to `Functions` on the left-hand side, select `_secret2`. See that this returns a label on your right-hand side. Now open `Labels` on the left-hand side, select the label returned by `_secret2` (`_secret2.label`) and find the answer in the center. This is a Char array in C.
+
+2. Find the secrets with https://www.radare.org[radare2].
+- Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`
+- Launch r2 analysis with `$ r2 -A wrongsecrets-c`
+- Filter functions by term `secret` using afl: `afl~secret`, get the list of functions
+- Use command `pdf @ sym._secret` to see disassembled output of function which returns secret
+- Use command `pdf @ sym._secret2` to see disassembled output of function which returns secret2
diff --git a/src/main/resources/explanations/challenge19_reason.adoc b/src/main/resources/explanations/challenge19_reason.adoc
@@ -0,0 +1,7 @@
+*Why Using binaries to hide a secret will only delay an attacker.*
+
+With beautiful free Reverse engineering applications as Ghidra, not a lot of things remain safe. Anyone who can load the executable in Ghidra or Radare2 can easily start doing a reconnaissance and find secrets within your binary.
+
+Encrypting the secret with a key embedded in the binary, and other funny puzzles do delay an attacker and just make it fun finding the secret. Be aware that, if the secret needs to be used by the executable, it eventually needs to be in memory ready to be executed.
+
+Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server.
diff --git a/src/main/resources/templates/welcome.html b/src/main/resources/templates/welcome.html
@@ -76,14 +76,15 @@
                     <ul>
                         <li><a href="https://github.com/nbaars">Nanne Baars @nbaars</a></li>
                         <li><a href="https://github.com/MarcinNowak-codes">Marcin Nowak @MarcinNowak-codes</a></li>
+                        <li><a href="https://github.com/remakingeden">Joss Sparkes @remakingeden</a></li>
                         <li><a href="https://github.com/tiborhercz">Tibor Hercz @tiborhercz</a></li>
                         <li><a href="https://github.com/fchyla">Filip Chyla @fchyla</a></li>
                         <li><a href="https://github.com/Dlitosh">Dmitry Litosh @Dlitosh</a></li>
                         <li><a href="https://github.com/tghosth">Josh Grossman @tghosth</a></li>
                         <li><a href="https://github.com/northdpole">Spyros @northdpole</a></li>
                         <li><a href="https://github.com/mikewoudenberg">Mike Woudenberg @mikewoudenberg</a></li>
                         <li><a href="https://github.com/RubenAtBinx">Ruben Kruiver @RubenAtBinx</a></li>
-                        <li><a href="https://github.com/remakingeden">Joss Sparkes @remakingeden</a></li>
+                        <li><a href="https://github.com/alex-bender">Alex Bender @alex-bender</a></li>
                         <li><a href="https://github.com/f3rn0s">Finn @f3rn0s</a></li>
                     </ul>
                     Testers:
@@ -112,6 +113,7 @@
                         <li><a
                             href="https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Secrets_Management_CheatSheet.md">OWASP
                             Secretsmanagement Cheatsheet</a></li>
+                        <li><a href="https://www.opencre.org/cre/223-780?register=true&type=tool&tool_type=training&tags=secrets,training&description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2014%20challenges%3F&trk=flagship-messaging-web&messageThreadUrn=urn:li:messagingThread:2-YmRkNjRkZTMtNjRlYS00OWNiLWI2YmUtMDYwNzY3ZjI1MDcyXzAxMg==&lipi=urn:li:page:d_flagship3_feed;J58Sgd80TdanpKWFMH6z+w==">Open CRE on Secrets Management</a></li>
                     </ul>
                 </div>
             </div>

diff --git a/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge19Test.java b/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge19Test.java
@@ -0,0 +1,25 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+
+@ExtendWith(MockitoExtension.class)
+class Challenge19Test {
+
+    @Mock
+    private ScoreCard scoreCard;
+
+    @Test
+    void spoilerShouldNotCrash() {
+        var challenge = new Challenge19(scoreCard);
+
+        Assertions.assertThat(challenge.spoiler()).isNotEqualTo(new Spoiler(Challenge19.ERROR_EXECUTION));
+    }
+
+}