OWASP · commjoen · Apr 25, 2025 · Mar 13, 2025 · Mar 13, 2025 · Mar 14, 2025
@@ -104,3 +104,7 @@ scripts/sort_contibutors/contributors_file.*
 
 #optimizations
 .github/scripts/binary_version.txt
+
+# Cha-llen-ge 5-4
+# Se-cret en-cry-pted : D7/KHlnFd5J3IXL+CF+TeLKrO3g99lzbOmLGYhdxxRw=
+# K-E-Y : bef66b7c4dd3e69728107d679b1beeaae20ba974cd84138340025ec3805855fc
@@ -0,0 +1,7 @@
+Host dev
+HostName 127.0.0.1
+User wrongsecrets
+Port 4444
+# Cha-llen-ge 5-5
+# Se-cret en-cry-pted : q+qN7z0Gx8pSAsYnd/vc5G9JNSs/bj52jqScWuRLrj8=
+# K-E-Y : bef66b7c4dd3e69728107d679b1beeaae20ba974cd84138340025ec3805855fc
@@ -0,0 +1,40 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import static org.owasp.wrongsecrets.Challenges.ErrorResponses.DECRYPTION_ERROR;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.util.Base64;
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.wrongsecrets.challenges.FixedAnswerChallenge;
+import org.springframework.stereotype.Component;
+
+/** Challenge with a secret in .gitignore */
+@Component
+@Slf4j
+public class Challenge54 extends FixedAnswerChallenge {
+
+  @Override
+  public String getAnswer() {
+    return decryptAES();
+  }
+
+  private String decryptAES() {
+    final String encryptedSecret = "D7/KHlnFd5J3IXL+CF+TeLKrO3g99lzbOmLGYhdxxRw=";
+    final String passphrase = "key_to_decrypt_the_secret";
+    try {
+      MessageDigest sha = MessageDigest.getInstance("SHA-256");
+      byte[] key = sha.digest(passphrase.getBytes(StandardCharsets.UTF_8));
+      SecretKeySpec secretKey = new SecretKeySpec(key, "AES");
+      Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
+      cipher.init(Cipher.DECRYPT_MODE, secretKey);
+      byte[] encryptedBytes = cipher.doFinal(encryptedSecret.getBytes(StandardCharsets.UTF_8));
+      return Base64.getEncoder().encodeToString(encryptedBytes);
+    } catch (Exception e) {
+      log.warn("Exception with Challenge 54", e);
+      return DECRYPTION_ERROR;
+    }
+  }
+}
@@ -0,0 +1,38 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.util.Base64;
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
+import org.owasp.wrongsecrets.challenges.FixedAnswerChallenge;
+import org.springframework.stereotype.Component;
+
+/** Challenge with a secret in .ssh/config */
+@Component
+public class Challenge55 extends FixedAnswerChallenge {
+
+  // Secret clair
+  private static final String encryptedSecret = "q+qN7z0Gx8pSAsYnd/vc5G9JNSs/bj52jqScWuRLrj8=";
+
+  private static final String passphrase = "key_to_decrypt_the_secret";
+
+  private static SecretKeySpec getKeyFromPassphrase(String passphrase) throws Exception {
+    MessageDigest sha = MessageDigest.getInstance("SHA-256");
+    byte[] key = sha.digest(passphrase.getBytes(StandardCharsets.UTF_8));
+    return new SecretKeySpec(key, "AES");
+  }
+
+  public static String encryptAES(String input) throws Exception {
+    SecretKeySpec secretKey = getKeyFromPassphrase(passphrase);
+    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
+    cipher.init(Cipher.ENCRYPT_MODE, secretKey);
+    byte[] encryptedBytes = cipher.doFinal(input.getBytes(StandardCharsets.UTF_8));
+    return Base64.getEncoder().encodeToString(encryptedBytes);
+  }
+
+  @Override
+  public String getAnswer() {
+    return encryptedSecret;
+  }
+}
@@ -0,0 +1,10 @@
+=== .gitignore Secret Challenge
+
+`.gitignore` files help avoid accidental commit of sensitive or irrelevant data into source control. However, sometimes developers mistakenly add sensitive data or secrets as comments or hidden entries within `.gitignore`.
+
+In this challenge, a developer left behind an encrypted secret in a `.gitignore` file comment. Even though encrypted, it highlights how easy it is to forget critical secrets in accessible locations.
+
+Your goal is to find and decrypt this forgotten secret.
+
+==== Note
+The secret is encrypted using AES-256-ECB and no salt. Use the key found in ".gitignore" to decrypt it.
@@ -0,0 +1,13 @@
+The secret is hidden within the `.gitignore` file as an AES-256-ECB encrypted.
+
+Follow these steps to decrypt the secret:
+
+1. Locate the encrypted comment and the key to decrypt it in `.gitignore`.
+2. Use OpenSSL to decrypt:
++
+[source,bash]
+----
+echo 'encrypted_secret_here' | openssl enc -aes-256-ecb -d \
+  -K key_here \
+  -nosalt -base64
+----
@@ -0,0 +1,8 @@
+=== Why placing secrets in .gitignore is a security risk?
+
+Developers regularly update configuration files like `.gitignore`, occasionally leaving sensitive information behind—such as passwords, tokens, or critical file paths. These secrets, even encrypted, pose risks:
+
+- Attackers could discover and decrypt the secrets.
+- Forgotten secrets in public files indicate poor security practices and weak secret management.
+
+This challenge demonstrates the importance of code reviews and ensuring secrets are never accidentally committed or left behind.
@@ -0,0 +1,10 @@
+=== .ssh Secret Challenge
+
+The SSH configuration file (`.ssh/config`) simplifies SSH connections by storing host-specific configurations. However, this convenience sometimes leads developers to unintentionally expose sensitive details, especially when encrypted secrets or hints are added as comments or extra parameters.
+
+An encrypted secret and the key to decrypt it have been hidden within `.ssh/config` as a comment.
+
+Find and decrypt this forgotten secret.
+
+==== Note
+The secret is encrypted using AES-256-ECB and no salt. Use the key found in ".ssh" directory to decrypt it.
@@ -0,0 +1,13 @@
+The secret is AES-256-CBC encrypted and the key in a comment within the `.ssh/config` file.
+
+Decrypt the secret using these steps:
+
+1. Open `.ssh/config` and locate the encrypted secret comment and the key to decrypt the secret.
+2. Decrypt the encrypted comment using OpenSSL:
++
+[source,bash]
+----
+echo 'encrypted_secret_here' | openssl enc -aes-256-ecb -d \
+  -K key_here \
+  -nosalt -base64
+----
@@ -0,0 +1,7 @@
+=== Risks of sensitive data in SSH configuration files
+
+Developers frequently store SSH connection configurations in `.ssh/config` files. However, this convenience may lead to the accidental inclusion of sensitive information, such as passwords or keys, which could become forgotten over time.
+
+Forgotten secrets indicate inadequate security checks and poor secret management practices.
+
+This challenge emphasizes the importance of secure storage practices and periodic auditing of sensitive configuration files.
@@ -840,3 +840,29 @@ configurations:
       category: *secrets
       ctf:
         enabled: false
+
+    - name: Challenge 54
+      short-name: "challenge-54"
+      sources:
+        - class-name: "org.owasp.wrongsecrets.challenges.Challenge54"
+          explanation: "explanations/challenge54.adoc"
+          hint: "explanations/challenge54_hint.adoc"
+          reason: "explanations/challenge54_reason.adoc"
+          environments: *all_envs
+      difficulty: *normal
+      category: *secrets
+      ctf:
+        enabled: true
+
+    - name: Challenge 55
+      short-name: "challenge-55"
+      sources:
+        - class-name: "org.owasp.wrongsecrets.challenges.Challenge55"
+          explanation: "explanations/challenge55.adoc"
+          hint: "explanations/challenge55_hint.adoc"
+          reason: "explanations/challenge55_reason.adoc"
+          environments: *all_envs
+      difficulty: *normal
+      category: *secrets
+      ctf:
+        enabled: true
@@ -0,0 +1,26 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.jupiter.api.Test;
+
+class Challenge54Test {
+
+  @Test
+  void rightAnswerShouldSolveChallenge() throws Exception {
+    var challenge = new Challenge54();
+
+    String clearSecret = "(<:GITIGN0RE_SECRET:>)";
+
+    assertThat(challenge.answerCorrect(clearSecret)).isTrue();
+  }
+
+  @Test
+  void incorrectAnswerShouldNotSolveChallenge() throws Exception {
+    var challenge = new Challenge54();
+
+    String wrongSecret = "wrong answer";
+
+    assertThat(challenge.answerCorrect(wrongSecret)).isFalse();
+  }
+}
@@ -0,0 +1,28 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.jupiter.api.Test;
+
+class Challenge55Test {
+
+  @Test
+  void rightAnswerShouldSolveChallenge() throws Exception {
+    var challenge = new Challenge55();
+
+    String clearSecret = "(<:SSH_SECRET:>)";
+    String encryptedInput = Challenge55.encryptAES(clearSecret);
+
+    assertThat(challenge.answerCorrect(encryptedInput)).isTrue();
+  }
+
+  @Test
+  void incorrectAnswerShouldNotSolveChallenge() throws Exception {
+    var challenge = new Challenge55();
+
+    String wrongSecret = "wrong answer";
+    String encryptedInput = Challenge55.encryptAES(wrongSecret);
+
+    assertThat(challenge.answerCorrect(encryptedInput)).isFalse();
+  }
+}