Merge branch 'master' into experiment-bed

OWASP · Jun 24, 2022 · 0a51edb · 0a51edb
2 parents a253d5b + 78d8239
commit 0a51edb
Show file tree

Hide file tree

Showing 22 changed files with 220 additions and 109 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -18,9 +18,7 @@ RUN useradd -u 2000 -m wrongsecrets
 COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar /application.jar
 COPY --chown=wrongsecrets .github/scripts/ /var/tmp/helpers
 COPY --chown=wrongsecrets src/main/resources/.bash_history /home/wrongsecrets/
-COPY --chown=wrongsecrets src/main/resources/executables/wrongsecrets-c /home/wrongsecrets/
-COPY --chown=wrongsecrets src/main/resources/executables/wrongsecrets-c-arm /home/wrongsecrets/
-COPY --chown=wrongsecrets src/main/resources/executables/wrongsecrets-c-linux /home/wrongsecrets/
+COPY --chown=wrongsecrets src/main/resources/executables/ /home/wrongsecrets/
 COPY --chown=wrongsecrets src/test/resources/alibabacreds.kdbx /var/tmp/helpers
 USER wrongsecrets
 CMD java -jar -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) /application.jar
diff --git a/Dockerfile.web b/Dockerfile.web
@@ -1,6 +1,6 @@
-FROM jeroenwillemsen/wrongsecrets:1.4.4-no-vault
+FROM jeroenwillemsen/wrongsecrets:1.4.5-no-vault
 
-ARG argBasedVersion="1.4.4"
+ARG argBasedVersion="1.4.5"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ENV APP_VERSION=$argBasedVersion
 ENV K8S_ENV=Heroku(Docker)

diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@
 
 Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
 
-Can you solve all the 18 challenges?
+Can you solve all the 20 challenges?
 ![screenshot.png](screenshot.png)
 
 ## Support
@@ -21,7 +21,7 @@ We will keep providing updates to this branch, and you can track the status quo
 
 ## Basic docker exercises
 
-_Can be used for challenges 1-4, 8, 12-19_
+_Can be used for challenges 1-4, 8, 12-20_
 
 For the basic docker exercises you currently require:
 
@@ -31,7 +31,7 @@ For the basic docker exercises you currently require:
 You can install it by doing:
 
 ```bash
-docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.4-no-vault
+docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.5-no-vault
 ```
 
 Now you can try to find the secrets by means of solving the challenge offered at:
@@ -48,7 +48,8 @@ Now you can try to find the secrets by means of solving the challenge offered at
 - [localhost:8080/challenge/16](http://localhost:8080/challenge/16)
 - [localhost:8080/challenge/17](http://localhost:8080/challenge/17)
 - [localhost:8080/challenge/18](http://localhost:8080/challenge/18)
-- [localhost:8080/challenge/18](http://localhost:8080/challenge/19)
+- [localhost:8080/challenge/19](http://localhost:8080/challenge/19)
+- [localhost:8080/challenge/20](http://localhost:8080/challenge/20)
 
 Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
 
@@ -123,13 +124,13 @@ Make sure you have the following installed:
 - vault [Install from here](https://www.vaultproject.io/downloads),
 - grep, Cat, and Sed
 
-Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-18.
+Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-20.
 
 When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
 
 ## Cloud Challenges
 
-_Can be used for challenges 1-19_
+_Can be used for challenges 1-20_
 
 **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises, 
 never run this on an account which is related to your production environment or can influence your account-over-arching resources.

diff --git a/aws/k8s/secret-challenge-vault-deployment.yml b/aws/k8s/secret-challenge-vault-deployment.yml
@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

diff --git a/azure/k8s/secret-challenge-vault-deployment.yml.tpl b/azure/k8s/secret-challenge-vault-deployment.yml.tpl
@@ -35,7 +35,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

diff --git a/gcp/k8s/secret-challenge-vault-deployment.yml.tpl b/gcp/k8s/secret-challenge-vault-deployment.yml.tpl
@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

diff --git a/k8s/secret-challenge-deployment.yml b/k8s/secret-challenge-deployment.yml
@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.4-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.5-no-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

diff --git a/k8s/secret-challenge-vault-deployment.yml b/k8s/secret-challenge-vault-deployment.yml
@@ -30,7 +30,7 @@ spec:
         runAsNonRoot: true
       serviceAccountName: vault
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

diff --git a/pom.xml b/pom.xml
@@ -9,7 +9,7 @@
     </parent>
     <groupId>org.owasp</groupId>
     <artifactId>wrongsecrets</artifactId>
-    <version>1.4.4-SNAPSHOT</version>
+    <version>1.4.5-SNAPSHOT</version>
     <name>OWASP WrongSecrets</name>
     <description>Examples with how to not use secrets</description>
     <url>https://owasp.org/www-project-wrongsecrets/</url>

diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/BinaryExecutionHelper.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/BinaryExecutionHelper.java
@@ -0,0 +1,101 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import com.google.common.base.Strings;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.io.FileUtils;
+import org.springframework.util.ResourceUtils;
+
+import java.io.*;
+
+@Slf4j
+public class BinaryExecutionHelper {
+
+
+    public static String ERROR_EXECUTION = "Error with executing";
+    private final int challengeNumber;
+
+    public BinaryExecutionHelper(int challengeNumber) {
+        this.challengeNumber = challengeNumber;
+    }
+
+    private boolean useX86() {
+        String systemARch = System.getProperty("os.arch");
+        log.info("System arch detected: {}", systemARch);
+        return systemARch.contains("amd64") || systemARch.contains("x86");
+    }
+
+    private boolean useLinux() {
+        String systemARch = System.getProperty("os.arch");
+        log.info("System arch detected: {}", systemARch);
+        return systemARch.contains("amd64");
+    }
+
+    private File retrieveFile(String location) {
+        try {
+            log.info("First looking at location:'classpath:executables/{}'", location);
+            return ResourceUtils.getFile("classpath:executables/" + location);
+        } catch (FileNotFoundException e) {
+            log.debug("exception finding file", e);
+            log.info("You might be running this in a docker container, trying alternative path: '/home/wrongsecrets/{}'", location);
+            return new File("/home/wrongsecrets/" + location);
+        }
+    }
+
+    private File createTempExecutable(String fileName) throws IOException {
+        File challengeFile;
+        if (useX86()) {
+            challengeFile = retrieveFile(fileName);
+            if (useLinux()) {
+                challengeFile = retrieveFile(fileName + "-linux");
+            }
+        } else {
+            challengeFile = retrieveFile(fileName + "-c-arm");
+        }
+        //prepare file to execute
+        File execFile = File.createTempFile("c-exec-" + fileName, "sh");
+        if (!execFile.setExecutable(true)) {
+            log.info("setting the file {} executable failed... rest can be ignored", execFile.getPath());
+        }
+        OutputStream os = new FileOutputStream(execFile.getPath());
+        ByteArrayInputStream is = new ByteArrayInputStream(FileUtils.readFileToByteArray(challengeFile));
+        byte[] b = new byte[2048];
+        int length;
+        while ((length = is.read(b)) != -1) {
+            os.write(b, 0, length);
+        }
+        is.close();
+        os.close();
+
+        return execFile;
+    }
+
+    private String executeCommand(File execFile, String argument) throws IOException, InterruptedException {
+        ProcessBuilder ps = new ProcessBuilder(execFile.getPath(), argument);
+        ps.redirectErrorStream(true);
+        Process pr = ps.start();
+        BufferedReader in = new BufferedReader(new InputStreamReader(pr.getInputStream()));
+        String result = in.readLine();
+        pr.waitFor();
+        return result;
+    }
+
+
+    public String executeCommand(String guess, String fileName) {
+        if (Strings.isNullOrEmpty((guess))) {
+            guess = "spoil";
+        }
+        try {
+            File execFile = createTempExecutable(fileName);
+            String result = executeCommand(execFile, guess);
+            if (!execFile.delete()) {
+                log.info("Deleting the file {} failed...", execFile.getPath());
+            }
+            log.info("stdout challenge {}: {}", challengeNumber, result);
+            return result;
+        } catch (IOException | NullPointerException | InterruptedException e) {
+            log.warn("Error executing:", e);
+            return ERROR_EXECUTION;
+        }
+
+    }
+}
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge19.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge19.java
@@ -1,18 +1,14 @@
 package org.owasp.wrongsecrets.challenges.docker;
 
 
-import com.google.common.base.Strings;
 import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.io.FileUtils;
 import org.owasp.wrongsecrets.RuntimeEnvironment;
 import org.owasp.wrongsecrets.ScoreCard;
 import org.owasp.wrongsecrets.challenges.Challenge;
 import org.owasp.wrongsecrets.challenges.Spoiler;
 import org.springframework.core.annotation.Order;
 import org.springframework.stereotype.Component;
-import org.springframework.util.ResourceUtils;
 
-import java.io.*;
 import java.util.List;
 
 import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
@@ -22,106 +18,25 @@
 @Slf4j
 public class Challenge19 extends Challenge {
 
-    public static String ERROR_EXECUTION = "Error with executing";
+    private final BinaryExecutionHelper binaryExecutionHelper;
 
     public Challenge19(ScoreCard scoreCard) {
         super(scoreCard);
+        this.binaryExecutionHelper = new BinaryExecutionHelper(19);
     }
 
 
     @Override
     public Spoiler spoiler() {
-        return new Spoiler(executeCommand(""));
+        return new Spoiler(binaryExecutionHelper.executeCommand("", "wrongsecrets-c"));
     }
 
     @Override
     public boolean answerCorrect(String answer) {
-        return executeCommand(answer).equals("This is correct! Congrats!");
+        return binaryExecutionHelper.executeCommand(answer, "wrongsecrets-c").equals("This is correct! Congrats!");
     }
 
     public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
         return List.of(DOCKER);
     }
-
-
-    private boolean useX86() {
-        String systemARch = System.getProperty("os.arch");
-        log.info("System arch detected: {}", systemARch);
-        return systemARch.contains("amd64") || systemARch.contains("x86");
-    }
-
-    private boolean useLinux() {
-        String systemARch = System.getProperty("os.arch");
-        log.info("System arch detected: {}", systemARch);
-        return systemARch.contains("amd64");
-    }
-
-    private File retrieveFile(String location) {
-        try {
-            log.info("First looking at location:'classpath:executables/{}'", location);
-            return ResourceUtils.getFile("classpath:executables/" + location);
-        } catch (FileNotFoundException e) {
-            log.debug("exception finding file", e);
-            log.info("You might be running this in a docker container, trying alternative path: '/home/wrongsecrets/{}'", location);
-            return new File("/home/wrongsecrets/" + location);
-        }
-    }
-
-    private File createTempExecutable() throws IOException {
-        File challengeFile;
-        if (useX86()) {
-            challengeFile = retrieveFile("wrongsecrets-c");
-            if (useLinux()) {
-                challengeFile = retrieveFile("wrongsecrets-c-linux");
-            }
-        } else {
-            challengeFile = retrieveFile("wrongsecrets-c-arm");
-        }
-        //prepare file to execute
-        File execFile = File.createTempFile("c-exec-challenge19", "sh");
-        if (!execFile.setExecutable(true)) {
-            log.info("setting the file {} executable failed... rest can be ignored", execFile.getPath());
-        }
-        OutputStream os = new FileOutputStream(execFile.getPath());
-        ByteArrayInputStream is = new ByteArrayInputStream(FileUtils.readFileToByteArray(challengeFile));
-        byte[] b = new byte[2048];
-        int length;
-        while ((length = is.read(b)) != -1) {
-            os.write(b, 0, length);
-        }
-        is.close();
-        os.close();
-
-        return execFile;
-    }
-
-    private String executeCommand(File execFile, String argument) throws IOException, InterruptedException {
-        ProcessBuilder ps = new ProcessBuilder(execFile.getPath(), argument);
-        ps.redirectErrorStream(true);
-        Process pr = ps.start();
-        BufferedReader in = new BufferedReader(new InputStreamReader(pr.getInputStream()));
-        String result = in.readLine();
-        pr.waitFor();
-        return result;
-    }
-
-
-    private String executeCommand(String guess) {
-        if (Strings.isNullOrEmpty((guess))) {
-            guess = "spoil";
-        }
-        try {
-            File execFile = createTempExecutable();
-            String result = executeCommand(execFile, guess);
-            if (!execFile.delete()) {
-                log.info("Deleting the file {} failed...", execFile.getPath());
-            }
-            log.info("stdout challenge 19: {}", result);
-            return result;
-        } catch (IOException | NullPointerException | InterruptedException e) {
-            log.warn("Error executing:", e);
-            return ERROR_EXECUTION;
-        }
-
-    }
 }