OWASP · commjoen · Apr 25, 2025 · Mar 13, 2025 · Mar 13, 2025 · Mar 14, 2025
@@ -104,3 +104,6 @@ scripts/sort_contibutors/contributors_file.*
 
 #optimizations
 .github/scripts/binary_version.txt
+
+# Cha-llen-ge 5-4 (to avoid detection by scanning tools)
+# Se-cret en-cry-pted : U2FsdGVkX1+p6s7MeffGxSCZ5EcJoNqQD/W6bm9VKwzFmH1XAVpnP4Rcio6uPXYV
@@ -0,0 +1,6 @@
+Host dev
+HostName 127.0.0.1
+User wrongsecrets
+Port 4444
+# Cha-llen-ge 5-5 (to avoid detection by scanning tools)
+# Se-cret en-cry-pted : U2FsdGVkX18Z71msuvueMq5Tyioi7zYt6FJM/z6qJIvXM8q587ZT4ogr49ccs9Mv
@@ -0,0 +1,15 @@
+package org.owasp.wrongsecrets.challenges;
+
+import org.springframework.stereotype.Component;
+
+/** Challenge with a secret in .gitignore */
+@Component
+public class Challenge54 extends FixedAnswerChallenge {
+
+  private final String secret = "(<:GITIGN0RE_SECRET:>)";
+
+  @Override
+  public String getAnswer() {
+    return secret;
+  }
+}
@@ -0,0 +1,15 @@
+package org.owasp.wrongsecrets.challenges;
+
+import org.springframework.stereotype.Component;
+
+/** Challenge with a secret in .ssh */
+@Component
+public class Challenge55 extends FixedAnswerChallenge {
+
+  private final String secret = "(<:SSH_SECRET:>)";
+
+  @Override
+  public String getAnswer() {
+    return secret;
+  }
+}
@@ -0,0 +1,10 @@
+=== Hidden Secret Challenge
+
+Sometimes developers mistakenly add sensitive data or secrets as comments or hidden entries in files.
+
+In this challenge, a developer left behind an encrypted secret in a file comment. This challenge highlights how easy it is to forget critical secrets in accessible file.
+
+Your goal is to find and decrypt this forgotten secret.
+
+==== Note
+The secret is encrypted using AES-256-CBC and base64 format. Use the following passphrase "key_to_decrypt_the_secret" to decrypt it.
@@ -0,0 +1,11 @@
+The secret is hidden within the `.gitignore` file as an AES-256-CBC encrypted, base64-encoded comment.
+
+Follow these steps to decrypt the secret:
+
+1. Locate the encrypted comment in `.gitignore`.
+2. Use OpenSSL to decrypt:
++
+[source,bash]
+----
+echo "<encrypted_base64_secret_here>" | openssl enc -aes-256-cbc -a -d -pass pass:"key_to_decrypt_the_secret"
+----
@@ -0,0 +1,5 @@
+Developers regularly update configuration files like `.gitignore`, occasionally leaving sensitive information behind, such as passwords, tokens, or critical file paths.
+
+Forgotten secrets in public files indicate poor security practices and weak secret management.
+
+This challenge demonstrates the importance of code reviews and ensuring secrets are never accidentally committed or left behind.
@@ -0,0 +1,12 @@
+=== Hidden Secret Challenge
+
+Sometimes developers mistakenly add sensitive data or secrets as comments or hidden entries in files.
+
+In this challenge, a developer left behind an encrypted secret in a file comment. This challenge highlights how easy it is to forget critical secrets in accessible file.
+
+Find and decrypt this forgotten secret.
+
+==== Hint
+The secret is encrypted using AES-256-CBC and base64 format. Use the provided passphrase to decrypt it.
+
+The passphrase is "key_to_decrypt_the_secret".
@@ -0,0 +1,11 @@
+The secret is AES-256-CBC encrypted and base64-encoded in a comment within the `.ssh/config` file.
+
+Decrypt the secret using these steps:
+
+1. Open `.ssh/config` and locate the encrypted secret comment.
+2. Decrypt the encrypted comment using OpenSSL:
++
+[source,bash]
+----
+echo "<encrypted_base64_secret_here>" | openssl enc -aes-256-cbc -a -d -pass pass:"key_to_decrypt_the_secret"
+----
@@ -0,0 +1,7 @@
+=== Risks of sensitive data in SSH configuration files
+
+Developers frequently store SSH connection configurations in `.ssh/config` files. However, this convenience may lead to the accidental inclusion of sensitive information, such as passwords or keys, which could become forgotten over time.
+
+Forgotten secrets indicate inadequate security checks and poor secret management practices.
+
+This challenge emphasizes the importance of secure storage practices and periodic auditing of sensitive configuration files.
@@ -840,3 +840,29 @@ configurations:
       category: *secrets
       ctf:
         enabled: false
+
+    - name: Challenge 54
+      short-name: "challenge-54"
+      sources:
+        - class-name: "org.owasp.wrongsecrets.challenges.Challenge54"
+          explanation: "explanations/challenge54.adoc"
+          hint: "explanations/challenge54_hint.adoc"
+          reason: "explanations/challenge54_reason.adoc"
+          environments: *all_envs
+      difficulty: *easy
+      category: *secrets
+      ctf:
+        enabled: true
+
+    - name: Challenge 55
+      short-name: "challenge-55"
+      sources:
+        - class-name: "org.owasp.wrongsecrets.challenges.Challenge55"
+          explanation: "explanations/challenge55.adoc"
+          hint: "explanations/challenge55_hint.adoc"
+          reason: "explanations/challenge55_reason.adoc"
+          environments: *all_envs
+      difficulty: *easy
+      category: *secrets
+      ctf:
+        enabled: true
@@ -0,0 +1,14 @@
+package org.owasp.wrongsecrets.challenges;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+class Challenge54Test {
+
+  @Test
+  void rightAnswerShouldSolveChallenge() {
+    var challenge = new Challenge54();
+    Assertions.assertThat(challenge.solved("wrong answer")).isFalse();
+    Assertions.assertThat(challenge.solved(challenge.spoiler().solution())).isTrue();
+  }
+}
diff --git a/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge55.java b/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge55.java
@@ -0,0 +1,14 @@
+package org.owasp.wrongsecrets.challenges;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+class Challenge55Test {
+
+  @Test
+  void rightAnswerShouldSolveChallenge() {
+    var challenge = new Challenge55();
+    Assertions.assertThat(challenge.solved("wrong answer")).isFalse();
+    Assertions.assertThat(challenge.solved(challenge.spoiler().solution())).isTrue();
+  }
+}