Merge pull request #92 from commjoen/redo12and8

Added challenge 12 for #43 and reverted challenge 8 for #37

.github/scripts/docker-create-and-push.sh

@@ -9,7 +9,8 @@ fi
 echo "tag supplied: $1"
 echo "tag message: $2"
 echo "buildarg supplied: $3"
-
+echo "generating challenge 12-data"
+openssl rand -base64 32 | tr -d '\n' > yourkey.txt
 echo "tagging version"
 git tag -a $1 -m "$2"
 git push --tags

.gitignore

@@ -53,3 +53,6 @@ aws/.terraform.tfstate.lock.info
 # Templated
 gcp/k8s/secret-volume.yml
 gcp/k8s/secret-challenge-vault-deployment.yml
+
+# Challenge 12 ;-)
+.github/scripts/yourkey.txt

Dockerfile

@@ -13,4 +13,5 @@ RUN echo "$ARG_BASED_PASSWORD"
 RUN echo "$argBasedPassword"
 
 ADD target/wrongsecrets-0.0.2-SNAPSHOT.jar /application.jar
+COPY .github/scripts/ /var/tmp/helpers
 CMD java -jar -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) application.jar

README.md

@@ -4,7 +4,7 @@
 
 Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
 
-Can you solve all the 11 challenges?
+Can you solve all the 12 challenges?
 ![screenshot.png](screenshot.png)
 
 ## Support
@@ -13,7 +13,7 @@ Need support? Contact us via [OWASP Slack](https://owasp.slack.com/archives/C02K
 
 ## Basic docker exercises
 
-_Can be used for challenges 1-4, 8_
+_Can be used for challenges 1-4, 8, 12_
 
 For the basic docker exercises you currently require:
 
@@ -33,7 +33,7 @@ Now you can try to find the secrets by means of solving the challenge offered at
 - [localhost:8080/challenge/3](http://localhost:8080/challenge/3)
 - [localhost:8080/challenge/4](http://localhost:8080/challenge/4)
 - [localhost:8080/challenge/8](http://localhost:8080/challenge/8)
-
+- [localhost:8080/challenge/12](http://localhost:8080/challenge/12)
 Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
 
 ### Running these on Heroku
@@ -50,7 +50,7 @@ You can test them out at <a href="https://wrongsecrets.herokuapp.com/" target="_
 
 ## Basic K8s exercise
 
-_Can be used for challenges 1-6, 8_
+_Can be used for challenges 1-6, 8, 12_
 
 ### Minikube based
 
@@ -99,7 +99,7 @@ now you can use the provided IP address and port to further play with the K8s va
 
 ## Vault exercises with minikube
 
-_Can be used for challenges 1-8_
+_Can be used for challenges 1-8, 12_
 Make sure you have the following installed:
 
 - minikube with docker (or comment out line 8 and work at your own k8s setup),
@@ -115,7 +115,7 @@ This will allow you to run challenge 1-8.
 
 ## Cloud Challenges
 
-_Can be used for challenges 1-11_
+_Can be used for challenges 1-12_
 
 ### Running WrongSecrets in AWS
 

src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge11.java

@@ -87,9 +87,8 @@ public boolean environmentSupported() {
     }
 
     private String getAWSChallenge11Value() {
-        log.info("Getting credentials from AWS");
         if (!"if_you_see_this_please_use_AWS_Setup".equals(awsRoleArn)) {
-
+            log.info("Getting credentials from AWS");
             try { //based on https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/sts/src/main/java/com/example/sts
                 String webIDentityToken = Files.readString(Paths.get(tokenFileLocation));
                 StsClient stsClient = StsClient.builder()
@@ -125,13 +124,15 @@ private String getAWSChallenge11Value() {
             } catch (IOException e) {
                 log.error("Could not get the web identity token, due to ", e);
             }
+        } else {
+            log.info("Skipping credentials from AWS");
         }
         return awsDefaultValue;
     }
 
     private String getGCPChallenge11Value() {
-        log.info("Getting credentials from GCP");
         if ("gcp".equals(k8sEnvironment)) {
+            log.info("Getting credentials from GCP");
             // Based on https://cloud.google.com/secret-manager/docs/reference/libraries
             try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
                 log.info("Fetching secret form Google Secret Manager...");
@@ -144,6 +145,8 @@ private String getGCPChallenge11Value() {
             } catch (IOException e) {
                 log.error("Could not get the web identity token, due to ", e);
             }
+        } else {
+            log.info("Skipping credentials from GCP");
         }
         return gcpDefaultValue;
     }

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java

@@ -0,0 +1,54 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeEnvironment;
+import org.owasp.wrongsecrets.challenges.ChallengeNumber;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+@Slf4j
+@Component
+@ChallengeNumber("12")
+public class Challenge12 extends Challenge {
+
+
+    private String dockerMountPath;
+
+    public Challenge12(ScoreCard scoreCard, @Value("${challengedockermtpath}") String dockerMountPath) {
+        super(scoreCard, ChallengeEnvironment.DOCKER);
+        this.dockerMountPath = dockerMountPath;
+    }
+
+    @Override
+    public Spoiler spoiler() {
+        return new Spoiler(getActualData());
+    }
+
+    @Override
+    public boolean answerCorrect(String answer) {
+        log.info("challenge 12, actualdata: {}, answer: {}", getActualData(), answer);
+        return getActualData().equals(answer);
+    }
+
+    @Override
+    public boolean environmentSupported() {
+        return !"if_you_see_this_please_use_docker_instead".equals(getActualData());
+    }
+
+
+    private String getActualData() {
+        try {
+            return Files.readString(Paths.get(dockerMountPath, "yourkey.txt"));
+        } catch (Exception e) {
+            log.warn("Exception during file reading, defaulting to default without cloud environment");
+            return "if_you_see_this_please_use_docker_instead";
+        }
+    }
+}

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge8.java

@@ -1,33 +1,52 @@
 package org.owasp.wrongsecrets.challenges.docker;
 
 
+import lombok.extern.slf4j.Slf4j;
 import org.owasp.wrongsecrets.ScoreCard;
 import org.owasp.wrongsecrets.challenges.Challenge;
 import org.owasp.wrongsecrets.challenges.ChallengeEnvironment;
 import org.owasp.wrongsecrets.challenges.ChallengeNumber;
 import org.owasp.wrongsecrets.challenges.Spoiler;
 import org.springframework.stereotype.Component;
 
+import java.security.SecureRandom;
+import java.util.Random;
+
+@Slf4j
 @Component
 @ChallengeNumber("8")
 public class Challenge8 extends Challenge {
 
+    private final Random secureRandom = new SecureRandom();
+    private final String alphabet = "0123456789QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm";
+    private String randomValue;
+
     public Challenge8(ScoreCard scoreCard) {
         super(scoreCard, ChallengeEnvironment.DOCKER);
+        randomValue = generateRandomString(10);
+        log.info("Initializing challenge 8 with value {}", randomValue);
     }
 
     @Override
     public Spoiler spoiler() {
-        return new Spoiler(Constants.newKey);
+        return new Spoiler(randomValue);
     }
 
     @Override
     public boolean answerCorrect(String answer) {
-        return Constants.newKey.equals(answer);
+        return randomValue.equals(answer);
     }
 
     @Override
     public boolean environmentSupported() {
         return true;
     }
+
+    private String generateRandomString(int length) {
+        StringBuilder builder = new StringBuilder(length);
+        for (int i = 0; i < length; i++) {
+            builder.append(alphabet.charAt(secureRandom.nextInt(alphabet.length())));
+        }
+        return new String(builder);
+    }
 }

src/main/resources/application.properties

@@ -10,6 +10,7 @@ default_gcp_value=if_you_see_this_please_use_GCP_Setup
 AWS_ROLE_ARN=if_you_see_this_please_use_AWS_Setup
 AWS_WEB_IDENTITY_TOKEN_FILE=if_you_see_this_please_use_AWS_Setup
 secretmountpath=/mnt/secrets-store
+challengedockermtpath=/var/tmp/helpers
 AWS_REGION=if_you_see_this_please_use_AWS_Setup
 GCP_PROJECT_ID=if_you_see_this_please_use_GCP_Setup
 K8S_ENV=Docker

src/main/resources/explanations/challenge12.adoc

@@ -0,0 +1,6 @@
+Challenge 12: Docker COPY and WORKDIR
+Sometimes large parts of the local filesystem are copied over to the container so that they are available in the container for the convenience of the author.
+
+In this challenge, we did some COPY'ing as well and hid a key there. Note that the key changes on every generation of the docker container, so you'd better extract and use it quickly :).
+
+Try https://github.com/deepfence/SecretScanner[*deepfenceio/secretscanning*], `docker inspect` of the image, or just `docker exec` against a running container.

src/main/resources/explanations/challenge8.adoc

@@ -1,4 +1,6 @@
 === Challenge 8: Generating random values
 
-Now, let's randomize the secret... Can you find the answer?
-How can we use this on the next startup ;-)?
+Now, let's randomize the secret at startup... Can you find the answer?
+How can we use this on the next startup ;-)?
+
+Tip: take a look at the logging of the application at startup!

src/main/resources/templates/challenge.html

@@ -37,6 +37,7 @@
                         <a class="dropdown-item" href="/challenge/9">Challenge 9</a>
                         <a class="dropdown-item" href="/challenge/10">Challenge 10</a>
                         <a class="dropdown-item" href="/challenge/11">Challenge 11</a>
+                        <a class="dropdown-item" href="/challenge/12">Challenge 12</a>
                     </ul>
                 </li>
                 <li class="nav-item">
@@ -68,7 +69,7 @@ <h1 class="mt-3" th:text="'Challenge '+${challengeNumber}"/>
                                                                                 value="Reset"/></p>
     </form>
 
-    There are 11 challenges (/challenge/1-11), can you solve them all? <br/>
+    There are 12 challenges (/challenge/1-12), can you solve them all? <br/>
     <div class="row">
         <div th:if="${previouschallenge!=null}" class="col-4">
             <a th:href="'/challenge/'+${previouschallenge}">Previous</a>

src/main/resources/templates/error.html

@@ -37,6 +37,7 @@
                         <a class="dropdown-item" href="/challenge/9">Challenge 9</a>
                         <a class="dropdown-item" href="/challenge/10">Challenge 10</a>
                         <a class="dropdown-item" href="/challenge/11">Challenge 11</a>
+                        <a class="dropdown-item" href="/challenge/12">Challenge 12</a>
                     </ul>
                 </li>
                 <li class="nav-item">

src/main/resources/templates/index.html

@@ -37,6 +37,7 @@
                         <a class="dropdown-item" href="/challenge/9">Challenge 9</a>
                         <a class="dropdown-item" href="/challenge/10">Challenge 10</a>
                         <a class="dropdown-item" href="/challenge/11">Challenge 11</a>
+                        <a class="dropdown-item" href="/challenge/12">Challenge 12</a>
                     </ul>
                 </li>
                 <li class="nav-item">
@@ -84,6 +85,7 @@ <h1 class="display-2">Welcome</h1>
                     10 (requires AWS or GCP)</a><br/>
                 <a href="challenge/11" th:class="${cloud == null}  ? 'disabled' : ''">Challenge
                     11 (requires AWS or GCP)</a><br/>
+                <a href="/challenge/12">Challenge 12 (requires Docker)</a><br/>
             </p>
             <p>Don't want to wait for Vault? here is <a href="spoil-7">the secret :(</a>.</p>
             <p th:text="'You are currently running on the following environment: '+${environment}"></p>

src/main/resources/templates/spoil.html

@@ -8,6 +8,6 @@
 <h1>Spoiling secret</h1>
 <p th:text="${solution}"></p>
 
-There are 11 challenges (/challenge/1-11), can you solve them all?
+There are 12 challenges (/challenge/1-12), can you solve them all?
 </body>
 </html>

src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge12Test.java

@@ -0,0 +1,54 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.api.io.TempDir;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.owasp.wrongsecrets.challenges.cloud.Challenge9;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+@ExtendWith(MockitoExtension.class)
+class Challenge12Test {
+
+    @Mock
+    private ScoreCard scoreCard;
+
+    @Test
+    void solveChallenge12WithoutFile(@TempDir Path dir) throws Exception {
+        var challenge = new Challenge12(scoreCard, dir.toString());
+
+        Assertions.assertThat(challenge.answerCorrect("secretvalueWitFile")).isFalse();
+        Assertions.assertThat(challenge.answerCorrect("if_you_see_this_please_use_docker_instead")).isTrue();
+    }
+
+    @Test
+    void solveChallenge12WithMNTFile(@TempDir Path dir) throws Exception {
+        var testFile = new File(dir.toFile(), "yourkey.txt");
+        var secret = "secretvalueWitFile";
+        Files.writeString(testFile.toPath(), secret);
+
+        var challenge = new Challenge12(scoreCard, dir.toString());
+
+        Assertions.assertThat(challenge.answerCorrect("secretvalueWitFile")).isTrue();
+    }
+
+    @Test
+    void spoilShouldReturnCorrectAnswer(@TempDir Path dir) throws IOException {
+        var testFile = new File(dir.toFile(), "yourkey.txt");
+        var secret = "secretvalueWitFile";
+        Files.writeString(testFile.toPath(), secret);
+
+        var challenge = new Challenge12(scoreCard, dir.toString());
+
+        Assertions.assertThat(challenge.spoiler()).isEqualTo(new Spoiler("secretvalueWitFile"));
+    }
+
+}

src/test/resources/application.properties

@@ -1,20 +1,21 @@
 spring.cloud.vault.enabled=false
 aws.paramstore.enabled=false
-password = DefaultLoginPasswordDoNotChange!
-SPECIAL_K8S_SECRET = if_you_see_this_please_use_k8s
-SPECIAL_SPECIAL_K8S_SECRET = if_you_see_this_please_use_k8s
-ARG_BASED_PASSWORD= if_you_see_this_please_use_docker_instead
-DOCKER_ENV_PASSWORD= if_you_see_this_please_use_docker_instead
-vaultpassword = if_you_see_this_please_use_K8S_and_Vault
-vaultpassword.password = if_you_see_this_please_use_K8S_and_Vault
-default_aws_value = if_you_see_this_please_use_AWS_Setup
-default_gcp_value = if_you_see_this_please_use_GCP_Setup
+password=DefaultLoginPasswordDoNotChange!
+SPECIAL_K8S_SECRET=if_you_see_this_please_use_k8s
+SPECIAL_SPECIAL_K8S_SECRET=if_you_see_this_please_use_k8s
+ARG_BASED_PASSWORD=if_you_see_this_please_use_docker_instead
+DOCKER_ENV_PASSWORD=if_you_see_this_please_use_docker_instead
+vaultpassword=if_you_see_this_please_use_K8S_and_Vault
+vaultpassword.password=if_you_see_this_please_use_K8S_and_Vault
+default_aws_value=if_you_see_this_please_use_AWS_Setup
+default_gcp_value=if_you_see_this_please_use_GCP_Setup
 AWS_REGION=if_you_see_this_please_use_AWS_Setup
-AWS_ROLE_ARN= if_you_see_this_please_use_AWS_Setup
-AWS_WEB_IDENTITY_TOKEN_FILE= if_you_see_this_please_use_AWS_Setup
-GCP_PROJECT_ID= if_you_see_this_please_use_GCP_Setup
-secretmountpath = ${java.io.tmpdir}
-wrongsecretvalue = wrongsecret
+AWS_ROLE_ARN=if_you_see_this_please_use_AWS_Setup
+AWS_WEB_IDENTITY_TOKEN_FILE=if_you_see_this_please_use_AWS_Setup
+GCP_PROJECT_ID=if_you_see_this_please_use_GCP_Setup
+secretmountpath=${java.io.tmpdir}
+challengedockermtpath=${java.io.tmpdir}
+wrongsecretvalue=wrongsecret
 APP_VERSION=0.0.0
 K8S_ENV=test
 #---