-
-
Notifications
You must be signed in to change notification settings - Fork 367
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1654 from OWASP/web-dotnetchallenge
Challenge50: dotnet
- Loading branch information
Showing
20 changed files
with
307 additions
and
153 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
39 changes: 39 additions & 0 deletions
39
src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge50.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
package org.owasp.wrongsecrets.challenges.docker; | ||
|
||
import com.google.api.client.util.Strings; | ||
import lombok.extern.slf4j.Slf4j; | ||
import org.owasp.wrongsecrets.challenges.Challenge; | ||
import org.owasp.wrongsecrets.challenges.Spoiler; | ||
import org.owasp.wrongsecrets.challenges.docker.binaryexecution.BinaryExecutionHelper; | ||
import org.owasp.wrongsecrets.challenges.docker.binaryexecution.MuslDetectorImpl; | ||
import org.springframework.stereotype.Component; | ||
|
||
/** challenge about dotnet binaries. Please download them from the wrongsecrets-binaries release. */ | ||
@Slf4j | ||
@Component | ||
public class Challenge50 implements Challenge { | ||
private final BinaryExecutionHelper binaryExecutionHelper; | ||
private String correctAnswer; | ||
|
||
public Challenge50() { | ||
this.binaryExecutionHelper = new BinaryExecutionHelper(50, new MuslDetectorImpl()); | ||
} | ||
|
||
/** {@inheritDoc} */ | ||
@Override | ||
public Spoiler spoiler() { | ||
if (Strings.isNullOrEmpty(correctAnswer)) { | ||
this.correctAnswer = binaryExecutionHelper.executeCommand("", "wrongsecrets-dotnet"); | ||
} | ||
return new Spoiler(correctAnswer); | ||
} | ||
|
||
/** {@inheritDoc} */ | ||
@Override | ||
public boolean answerCorrect(String answer) { | ||
if (Strings.isNullOrEmpty(correctAnswer)) { | ||
this.correctAnswer = binaryExecutionHelper.executeCommand("", "wrongsecrets-dotnet"); | ||
} | ||
return correctAnswer.equals(answer); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
=== Hiding in binaries revisited: .NET self contained runtime | ||
|
||
It is super easy to find a secret in a DLL, but when you are on MacOS or Linux it is much harder. So I am sure we can keep one there right? | ||
|
||
Show us that we should not do that! Can you find the secret in https://github.com/OWASP/wrongsecrets-binaries/releases/download/0.1.0/wrongsecrets-dotnet[wrongsecrets-dotnet] (or https://github.com/OWASP/wrongsecrets-binaries/releases/download/0.1.0/wrongsecrets-dotnet-arm[wrongsecrets-dotnet-arm], https://github.com/OWASP/wrongsecrets-binaries/releases/download/0.1.0/wrongsecrets-dotnet-linux[wrongsecrets-dotnet-linux])? |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
This challenge is specifically looking at a secret in a .NET8 binary | ||
|
||
You can solve this challenge using the following alternative solutions: | ||
|
||
1. Find the secrets with ILSpy. | ||
- obtain the wrongsecrets-dotnet-<platform> binary, for this you can: | ||
- retrieve it from the Docker image | ||
- download it from the https://github.com/OWASP/wrongsecrets-binaries/releases[Wrongsecrets Binaries] | ||
- Install .NET8 and .NET8 SDK | ||
- Install https://github.com/icsharpcode/ILSpy/tree/master/ICSharpCode.ILSpyCmd[ilspycmd] | ||
- Install `sfextract`: `dotnet tool install -g sfextract` | ||
- Unpack the self-contained binary: `sfextract wrongsecrets-dotnet -o \./tmp`. | ||
- Go to the tmp folder and do `ilspycmd dotnetproject.dll` to decompile the dll and find the secret. | ||
Don't want to install the tools? check the https://github.com/OWASP/wrongsecrets/tree/master?tab=readme-ov-file#want-to-play-but-are-not-allowed-to-install-the-tools[WrongSecrets Desktop container]! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
*Why Using binaries to hide a secret will only delay an attacker.* | ||
|
||
With beautiful free Reverse engineering applications like ILSpy, not a lot of things remain safe. Anyone who can load the executable in such tools can easily do reconnaissance and find secrets within your binary. | ||
|
||
Encrypting the secret with a key embedded in the binary, and other funny puzzles do delay an attacker and just make it fun finding the secret. Be aware that, if the secret needs to be used by the executable, it eventually needs to be in memory ready to be executed. | ||
|
||
Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server. |
Oops, something went wrong.